Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Add an exception

  1. Go to Web > Exceptions and click Add an exception.
  2. Enter a name.
  3. Specify web traffic criteria.

    • Select the URL pattern matches check box, type a pattern in the Search/Add text box and click Add Add button..
      Regular expressions are allowed. For example, ^([A-Za-z0-9.-]*\.)?example\.com/ matches all subdomains of example.com. Specify pattern matches using ASCII characters. For information about converting non-ASCII characters, see RFC 3490.
    • Select the Web site categories check box, click Add new item, and select categories.
    • Select the Source IP addresses check box, type an end-user address and click Add Add button..
    • Select the Destination IP addresses check box, type a website address and click Add Add button..

    Note

    The firewall evaluates all types of criteria using “AND”. For example, if you specify URL patterns and website categories, both types must match for the exception to apply. However, within each category, the firewall evaluates criteria using “OR”.

  4. Specify the checks or actions to skip when the firewall encounters traffic that matches the criteria.

    Name Description
    HTTPS decryption Select to skip decryption for HTTPS traffic that meets the specified criteria.

    If you turn off HTTPS decryption, Sophos Firewall doesn't perform any other check that relies on decryption, such as malware scanning. It also allows traffic with invalid certificates if the traffic matches the exclusion criteria for HTTPS decryption.
    HTTPS certificate validation Select to skip checks for certificate validity. If you select HTTPS decryption, Sophos Firewall automatically skips checks for certificate validity. Even when Sophos Firewall skips validity checks, it continues to decrypt traffic if it's configured to do so.

    Use this if you want to allow specific websites that have invalid certificates.

    To apply a certificate validation check to all HTTPS traffic, go to Web > General settings.
    Malware and content scanning Select to skip scanning of traffic that meets the specified criteria for malware or for content that's specified in a content filter.

    If you select malware and content scanning, Sophos Firewall automatically skips Zero-day protection analysis. If you skip Zero-day protection scanning, analysis reports won’t be available for matching files even if malware scanning returns a positive result.
    Zero-day protection Select to skip Zero-day protection analysis of files downloaded using the specified criteria.

    If you skip Zero-day protection scanning, analysis reports won’t be available for matching files even if malware scanning returns a positive result.
    Policy checks Select to skip policy checks for traffic that meets the specified criteria.

    Note

    Exceptions for HTTPS decryption and HTTPS certificate validation only work for criteria patterns that match the hostname in the URL, for example, www.company.com. Patterns that match the URL path only work for HTTP and HTTPS traffic that’s being decrypted.

  5. Click Save.

To turn on the exception, select the switch.