Exceptions
With exceptions, you can override protection settings for all web traffic that matches the specified criteria, regardless of any policies or rules in effect.
For example, you can create an exception to skip HTTPS decryption for sites that contain confidential data. The default set of exceptions allows software updates and other important functions for well-known websites to proceed without being affected by web filtering.
The behaviors that you can override include checking by Zero-day protection. Exceptions (including those created in previous releases) that skip malware scanning also skip Zero-day protection analysis.
Note
For an exception to be effective, it must be turned on.
- To turn on or turn off an exception, select the switch.
- To clone an exception, click Clone.
- To edit an exception, click Edit.
Exceptions in DPI mode
In DPI mode, web exceptions only apply if you've specified one of the following settings:
- A web policy is set.
- Malware and content scanning is turned on.
- ATP is turned on.
You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:
| | SSL/TLS exclusion list | Web exception |
|---|---|---|
| Processes you can exclude | HTTPS decryption; HTTPS certificate and protocol enforcement | HTTPS decryption; HTTPS certificate validation; Malware and content scanning; Zero-day protection; Web policy checks |
| Applies in this mode | DPI mode | DPI mode; Proxy mode |
| Applies to this traffic | SSL/TLS connections on any port. | DPI mode: SSL/TLS connections on any port. Proxy mode: SSL/TLS connections on port 443. |
| Matching criteria | URL group containing a list of websites (domain names) in plaintext. Includes the subdomains of these domains. | URL pattern matches using regular expressions. |
| Matching criteria | Web categories; Source and destination zones, networks, and IP addresses; Services; Users and groups | Web categories; Source and destination IP addresses and IP ranges |
| Where to add the exception | Add domains and subdomains to the Local TLS exclusion list in the control center or log viewer. Go to Web > URL groups and add websites to a URL group used by an exclusion rule. Create or edit SSL/TLS inspection rules. | Add to Web > Exceptions. |
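The two matching styles in the table behave differently, and a loosely written regular expression can exempt far more traffic (and therefore skip malware scanning and Zero-day protection for it) than intended. The following Python is an added illustration, not code from the Sophos documentation or product; it assumes, as a stand-in for the product's matcher, that a web exception pattern is applied as an unanchored regex search over the URL without its scheme, and that a TLS exclusion entry matches the domain and all its subdomains. The domain names, patterns and probe URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit


def matches_tls_exclusion(url: str, excluded_domains: set[str]) -> bool:
    """Domain-list semantics: the host is an excluded domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in excluded_domains)


def matches_web_exception(url: str, patterns: list[str]) -> bool:
    """Regex semantics (assumed): unanchored search over the scheme-less URL."""
    target = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return any(re.search(p, target) for p in patterns)


def unintended_matches(patterns: list[str], probe_urls: list[str]) -> list[str]:
    """Return the probe URLs an exception would exempt.

    Feed it URLs that must NOT be exempt; anything returned means the
    pattern is broader than intended and should be tightened before it
    is turned on.
    """
    return [u for u in probe_urls if matches_web_exception(u, patterns)]


# Constructed sample data.
EXCLUDED_DOMAINS = {"updates.example.com"}
# Unescaped dots and no anchors: '.' matches any character, and the
# pattern can sit anywhere inside a longer host name.
LOOSE_PATTERNS = [r"updates.example.com"]
# Escaped dots, anchored to the start of the host, and followed by '/' or
# end of string so the match cannot continue into a different domain.
TIGHT_PATTERNS = [r"^([a-z0-9-]+\.)*updates\.example\.com(/|$)"]

INTENDED = [
    "https://updates.example.com",
    "https://cdn.updates.example.com/pkg/app.bin",
]
MUST_NOT_EXEMPT = [
    "https://updates.example.com.attacker.invalid/",
    "https://updates-example-com.attacker.invalid/",
]

if __name__ == "__main__":
    for url in INTENDED + MUST_NOT_EXEMPT:
        print(url, matches_tls_exclusion(url, EXCLUDED_DOMAINS),
              matches_web_exception(url, LOOSE_PATTERNS),
              matches_web_exception(url, TIGHT_PATTERNS))
```

Run the same probe list against every exception pattern you add; the loose pattern above exempts both decoy hosts, while the tightened one exempts only the intended domain and its subdomains.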
Exceptions for Sophos Central products
You must create port and domain exceptions when you configure some products. For more information, see the following documentation:
- Wireless - Domain requirements
- ZTNA - Required websites
- Switches - SSL / TLS exclusions required for registration with Sophos Central
- Sophos Central, Endpoint, XDR, and MDR - Domains and ports
- Sophos NDR and integration appliances - Port and domain exclusions