Exceptions
With exceptions, you can override protection settings for all web traffic that matches the specified criteria, regardless of any policies or rules in effect.
For example, you can create an exception to skip HTTPS decryption for sites that contain confidential data. The default set of exceptions lets software updates and other important functions for well-known websites work without being affected by web filtering.
The behaviors that you can override include checking by Zero-day protection. Exceptions (including those created in previous releases) that skip malware scanning also skip Zero-day protection analysis.
In DPI mode, web exceptions only apply if one of the following is true:
- A web policy is set.
- Malware and content scanning is turned on.
- ATP is turned on.
Note
For an exception to be effective, it must be turned on.
- To turn on or turn off an exception, select the switch.
- To clone an exception, click Clone.
- To edit an exception, click Edit.
You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:
| | SSL/TLS exclusion list | Web exception |
|---|---|---|
| Processes you can exclude | HTTPS decryption; HTTPS certificate and protocol enforcement | HTTPS decryption; HTTPS certificate validation; Malware and content scanning; Zero-day protection; Web policy checks |
| Applies in this mode | DPI mode | DPI mode; Proxy mode |
| Applies to this traffic | SSL/TLS connections on any port. | DPI mode: SSL/TLS connections on any port. Proxy mode: SSL/TLS connections on port 443. |
| Matching criteria | URL group containing a list of websites (domain names) in plaintext. Includes the subdomains of these domains. | URL pattern matches using regular expressions. |
| Matching criteria | Web categories; Source and destination zones, networks, and IP addresses; Services; Users and groups | Web categories; Source and destination IP addresses and IP ranges |
| Where to add the exception | You can add domains and subdomains to the Local TLS exclusion list in the control center or log viewer. Go to Web > URL groups and add websites to a URL group used by an exclusion rule. Create or edit SSL/TLS inspection rules. | Add to Web > Exceptions. |
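The table's two matching styles behave differently when a pattern is written loosely. The following added example (not from the product documentation) compares them on constructed hostnames. It uses Python's `re` as a stand-in for the firewall's regex engine and assumes unanchored search against the hostname only; all names and patterns are hypothetical.

```python
import re

# Constructed sample hostnames: the intended site, a subdomain, and
# lookalikes that merely contain the intended name.
SAMPLES = [
    "bank.example",
    "login.bank.example",
    "bank.example.lookalike.test",
    "notbank.example",
    "bankXexample",
]

def domain_list_match(host, domains):
    """Plaintext matching as the table describes for URL groups:
    the listed domain itself or any of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def regex_match(host, pattern):
    """Regex matching, modelled as an unanchored search (assumption)."""
    return re.search(pattern, host, re.IGNORECASE) is not None

def audit(pattern, domains, samples=SAMPLES):
    """Return hosts the regex would exempt that the plaintext list would not."""
    return [h for h in samples
            if regex_match(h, pattern) and not domain_list_match(h, domains)]

# Hypothetical exception patterns for the same site.
LOOSE = r"bank.example"                      # unescaped dot, no anchors
STRICT = r"^([a-z0-9-]+\.)*bank\.example$"   # anchored, dot escaped

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "over-matches:", audit(pat, ["bank.example"]))
```

Because an exception can skip decryption, malware scanning and Zero-day protection, running a check like this against a pattern before adding it under Web > Exceptions shows whether it exempts more hosts than intended.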