Exceptions

With exceptions, you can override protection settings for all web traffic that matches the specified criteria, regardless of any policies or rules in effect.

For example, you can create an exception to skip HTTPS decryption for sites that contain confidential data. The default set of exceptions lets software updates and other important functions for well-known websites work without being affected by web filtering.

The behaviors that you can override include checking by Sandstorm. Exceptions (including those created in previous releases) that skip malware scanning also skip Sandstorm analysis.

Note: For an exception to be effective, it must be turned on.
  • To turn on or turn off an exception, select the switch.
  • To clone an exception, click Clone.
  • To edit an exception, click Edit.

You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:

| | SSL/TLS exclusion list | Web exception |
|---|---|---|
| Processes you can exclude | HTTPS decryption; HTTPS certificate and protocol enforcement | HTTPS decryption; HTTPS certificate validation; Malware and content scanning; Sandstorm; Web policy checks |
| Applies in this mode | DPI mode | DPI mode; Proxy mode |
| Applies to this traffic | SSL/TLS connections on any port. | DPI mode: SSL/TLS connections on any port. Proxy mode: SSL/TLS connections on port 443. |
| Matching criteria | URL group containing a list of websites (domain names) in plaintext, including the subdomains of these domains; Web categories; Source and destination zones, networks, and IP addresses; Services; Users and groups | URL pattern matches using regular expressions; Web categories; Source and destination IP addresses and IP ranges |
| Where to add the exception | Add domains and subdomains to the Local TLS exclusion list by troubleshooting in the Control center or Log viewer. Go to Web > URL groups and add websites to a URL group being used by an exclusion rule. Create or edit SSL/TLS inspection rules. | Add to Web > Exceptions. |
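
The two URL matching criteria in the table behave differently: a URL group matches a plaintext domain and its subdomains, while a web exception matches a regular expression. The following is an added example, not part of the product documentation, for reviewing a regex before using it in an exception that skips decryption or scanning. It assumes the pattern is applied as an unanchored search over host plus path (confirm this against your firewall's behavior); the function names, both patterns, and the probe URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def url_group_match(url, domains):
    """Plaintext-domain semantics: the listed domain or any of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def regex_match(url, pattern):
    """Regex semantics. Assumption: unanchored search over host + path."""
    parts = urlsplit(url)
    target = (parts.hostname or "").lower() + parts.path
    return re.search(pattern, target) is not None

def audit(pattern, intended_domain, probes):
    """Probe URLs the regex matches although the host is outside intended_domain.

    Every URL returned here would receive the exception (for example, skipped
    malware scanning and Sandstorm analysis) without being the intended site.
    """
    return [u for u in probes
            if regex_match(u, pattern)
            and not url_group_match(u, [intended_domain])]

# Constructed probe URLs; example.com stands in for the site being excepted.
PROBES = [
    "https://example.com/update/pkg.bin",            # intended
    "https://cdn.example.com/update/pkg.bin",        # intended subdomain
    "https://example.com.other.test/update/pkg.bin", # name used as a host prefix
    "https://notexample.com/",                       # name used as a host suffix
    "https://other.test/example.com/file",           # name appears only in the path
    "https://exampleXcom.test/",                     # unescaped dot matches any char
]

LOOSE = r"example.com"                             # unanchored, unescaped dot
STRICT = r"^([a-z0-9-]+\.)*example\.com(/|$)"      # anchored to host, dot escaped

if __name__ == "__main__":
    for name, pattern in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "also matches:", audit(pattern, "example.com", PROBES))
```

An empty audit result for a pattern means it matched only the intended domain and its subdomains among the probes; extend the probe list with the hostnames relevant to your own exceptions.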