Skip to content


With exceptions, you can override protection settings for all web traffic that matches the specified criteria, regardless of any policies or rules in effect.

For example, you can create an exception to skip HTTPS decryption for sites that contain confidential data. The default set of exceptions allows software updates and other important functions for well-known websites without being affected by web filtering.

The behaviors that you can override include checking by Zero-day protection. Exceptions (including those created in previous releases) that skip malware scanning also skip Zero-day protection analysis.

In DPI mode, web exceptions only apply if one of the following is true:

  • A web policy is set.
  • Malware and content scanning is turned on.
  • ATP is turned on.


For an exception to be effective, it must be turned on.

  • To turn on or turn off an exception, select the switch.
  • To clone an exception, click Clone Clone button..
  • To edit an exception, click Edit Edit button..

You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:

SSL/TLS exclusion list Web exception
Processes you can exclude

HTTPS decryption

HTTPS certificate and protocol enforcement

HTTPS decryption

HTTPS certificate validation

Malware and content scanning

Zero-day protection

Web policy checks

Applies in this mode DPI mode

DPI mode

Proxy mode

Applies to this traffic SSL/TLS connections on any port.

DPI mode: SSL/TLS connections on any port.

Proxy mode: SSL/TLS connections on port 443.

Matching criteria URL group containing a list of websites (domain names) in plaintext. Includes the subdomains of these domains. URL pattern matches using regular expressions.
Matching criteria

Web categories

Source and destination zones, networks, and IP addresses


Users and groups

Web categories

Source and destination IP addresses and IP ranges

Where to add the exception

You can add domains and subdomains to the Local TLS exclusion list in the control center or log viewer.

Go to Web > URL groups and add websites to a URL group used by an exclusion rule.

Create or edit SSL/TLS inspection rules.

Add to Web > Exceptions.

More resources