Exceptions
On the Web Protection > Filtering Options > Exceptions tab you can define whitelist client networks, users/groups, and domains. All entries contained in these lists can be excluded from certain web protection services.
To create an exception, proceed as follows:
-
On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
-
Specify the following settings:
Name: Enter a descriptive name for this exception.
Comment (optional): Add a description or other information.
Skip These Checks: Select the security checks that should be skipped:
- Authentication: If the Web Filter runs in Authentication mode, you can skip authentication for the source hosts/networks or target domains.
- Caching: Select to disable caching for specific domains or source hosts/networks.
- Block by download size: Select to disable blocking content according to the size of the download.
- Antivirus: Select to disable virus scanning, which checks messages for unwanted content such as viruses, trojan horses and the like.
- Refer to Sandstorm: Select to disable sending files to the Sophos Sandstorm service for analysis.
- Extension blocking: Select to disable the file extension filter, which can be used to block content that contains certain types of files based on their extensions.
- MIME type blocking: Select to disable the MIME type filter, which can be used to block content that has a certain MIME type.
- URL filter: Select to disable the URL filter, which controls the access to certain kinds of websites.
- Content removal: Select to bypass the removal of special content in webpages such as embedded objects (e.g., multimedia files) or JavaScript.
- SSL scanning: Select to skip SSL scanning for the webpage in request. This is useful with online banking websites or with websites that do not play well with SSL interception. In standard mode, exceptions can only be made based on the destination host or IP address depending on what the client sends. With exceptions based on categories, instead of the whole URL, only the hostname will be classified.
- Certificate trust check: Select to skip the trust check of the HTTPS server certificate. Note that, when the Web Filter works in transparent mode with authentication, skipping the certificate trust check based on a users/groups match (For all requests Coming from these users/groups) is technically impossible.
- Certificate date check: Select to skip the check of whether the HTTPS certificate's date is valid.
The following two options are useful if there are persons whose activities must not be logged at all:
- Accessed pages: Select to not log pages that have been accessed. Those page requests will also be excluded from reporting.
- Blocked pages: Select to not log pages that have been blocked. Those page requests will also be excluded from reporting.
Some software updates, and similar types of downloads, can be interrupted if a progress page is displayed. If you are having problems with software updates, or if some downloads never finish, select the following option.
- Do not display Download/Scan progress page: Select to disable downloading and scanning progress pages.
For all requests: Select at least one condition for which the security checks are to be skipped. You can logically combine several conditions by selecting either And or Or from the drop-down list in front of a condition. The following conditions can be set:
- Coming from these source networks: Select to add source hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Hosts/Networks box that opens after selecting the condition.
- Coming from these source endpoint groups: Select to add computer groups (see Endpoint Protection > Computer Management > Manage Groups tab) that should be exempt from the security checks of this exception rule. Enter the respective groups in the Source Endpoint Groups box that opens after selecting the condition.
- Matching these URLs: Select to add target domains that should be exempt from the security checks of this exception rule. Add the respective domains to the Target Domains box that opens after selecting the condition. Regular expressions are allowed here. Example: ^https?://[^.]*\.domain.com matches HTTP(S) connections to all subdomains of the domain.
Cross Reference – For detailed information on using regular expressions for web filtering, see the Sophos Knowledge Base.
Note – When using Transparent mode with SSL scanning enabled, you need to enter the target domain(s) as IP addresses. Otherwise the exception will fail for technical reasons.
- Coming from these users/groups: Select to add users or user groups that should be exempt from the security checks of this exception rule. Enter the respective users or groups in the Users/Groups box that opens after selecting the condition. Also, in Standard mode, matching for certain users/groups does not work due to the missing authentication.
- Going to these categories of websites: Select to skip security checks for certain categories. Select then the categories from the list that opens after selecting the condition.
- Coming from these user agents: Select to skip security checks for requests by user agent strings. Regular expressions are allowed.
- Going to websites tagged as: Select to skip security checks for associated tags. Click on the Plus icon to create a new tag or click on the Folder icon to choose from existing tags.
-
Click Save.
The new exception appears on the Exceptions list.
To either edit or delete an exception, click the corresponding buttons.