Skip to content
Last update: 2021-11-04

Exceptions

With exceptions, you can override protection settings for all web traffic that matches the specified criteria, regardless of any policies or rules in effect.

For example, you can create an exception to skip HTTPS decryption for sites that contain confidential data. The default set of exceptions allows software updates and other important functions for well-known websites without being affected by web filtering.

The behaviors that you can override include checking by Zero-day protection. Exceptions (including those created in previous releases) that skip malware scanning also skip Zero-day protection analysis.

Note

For an exception to be effective, it must be turned on.

  • To turn on or turn off an exception, select the switch.
  • To clone an exception, click Clone Clone button.
  • To edit an exception, click Edit Edit button.

You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:

  SSL/TLS exclusion list Web exception
Processes you can exclude HTTPS decryption

HTTPS certificate and protocol enforcement
HTTPS decryption

HTTPS certificate validation

Malware and content scanning

Zero-day protection

Web policy checks
Applies in this mode DPI mode DPI mode

Proxy mode
Applies to this traffic SSL/TLS connections on any port. DPI mode: SSL/TLS connections on any port.

Proxy mode: SSL/TLS connections on port 443.
Matching criteria URL group containing a list of websites (domain names) in plaintext. Includes the subdomains of these domains. URL pattern matches using regular expressions.
Matching criteria Web categories

Source and destination zones, networks, and IP addresses

Services

Users and groups
Web categories

Source and destination IP addresses and IP ranges
Where to add the exception You can add domains and subdomains to the Local TLS exclusion list in the control center or log viewer.

Go to Web > URL groups and add websites to a URL group used by an exclusion rule.

Create or edit SSL/TLS inspection rules.
Add to Web > Exceptions.

More resources

Back to top