On the Network Protection > Intrusion Prevention > Exceptions tab you can define source and destination networks that should be excluded from intrusion prevention.
Note – A new IPS exception only applies to new connections. To apply a new IPS exception to an existing connection, you can for example disconnect or restart the respective device.
To create an exception, proceed as follows:
On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
Make the following settings:
Name: Enter a descriptive name for this exception.
Skip these checks: Select the security checks that should be skipped:
- Intrusion Prevention: When you select this option, the IPS Intrusion Prevention System of Sophos UTM will be disabled.
- Portscan Protection: Selecting this option disables the protection from attacks aimed at searching your network hosts for open ports.
- TCP SYN Flood Protection: Once selected, the protection from TCP Transmission Control Protocol SYN Synchronous flooding attacks will be disabled.
- UDP Flood Protection: Once selected, the protection from UDP User Datagram Protocol flooding attacks will be disabled.
- ICMP Flood Protection: Once selected, the protection from ICMP Internet Control Message Protocol flooding attacks will be disabled.
For all requests: Select at least one condition for which the security checks are to be skipped. You can logically combine several conditions by selecting either And or Or from the drop-down list in front of a condition. The following conditions can be set:
- Coming from these source networks: Select to add source hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Networks box that opens after selecting the condition.
- Using these services: Select to add services that should be exempt from the security checks of this exception rule. Add the respective services to the Services box that opens after selecting the condition.
- Going to these destinations: Select to add hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Destinations box that opens after selecting the condition.
Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Comment (optional): Add a description or other information.
The new exception appears on the Exceptions list.
Enable the exception.
The new exception is disabled by default (toggle switch is gray). Click the toggle switch to enable the exception.
The exception is now enabled (toggle switch is green).
To either edit or delete an exception, click the corresponding buttons.
Note – If you want to make an intrusion prevention exception for packets with the destination address of the gateway, selecting Any in the Destinations box will not succeed. You must instead select a definition that contains the gateway's IP address, for example the Internal (Address) or the external WAN address.
Note – If you use a Sophos UTM proxy, an intrusion prevention exception has to reflect this: A proxy replaces the original source address of a packet with its own address. Thus, to except intrusion prevention for proxied packets, you need to add the appropriate interface address definition of Sophos UTM to the source Networks box.