Exception Rules

If necessary, you can add an exception directly to a ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

An exception sets a different Action to an object in the Protected Scope from the Action specified Threat Prevention rule.

In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection and not to increase it.

The Research and Development (R&D) network protections are included in a profile with the Prevent action.

You can define an exception which sets the specific R&D network to Detect.

For some Anti-BotClosed Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. and IPSClosed Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). signatures only, you can define exceptions which are stricter than the profile action.

You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase..

It is identified in the No column with the rule's number plus the letter E and a digit that represents the exception number.

For example, if you add two exceptions to rule number 1, two lines will be added and show in the Rule Base as E-1.1 and E-1.2.

You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.

You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.

Step

Instructions

1

In the Policy pane, select the rule to which you want to add an exception.

2

Click Add Exception.

3

Select the Above, Below, or Bottom option according to where you want to place the exception.

4

Enter values for the columns. Including these:

  • Protected Scope - Change it to reflect the relevant objects.

  • Protection - Click the plus sign in the cell to open the Protections viewer. Select the protection(s). Click OK.

5

Install the Threat Prevention Policy.

Note - You cannot set an exception rule to an inactive protection or an inactive blade.

Disabling a Protection on One Server

Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on windows servers. How can I change this protection to detect for one server only?

In this example, create this Threat Prevention rule, and install the Threat Prevention policy:

Name

Protected Scope

Protection/Site

Action

Monitor BotClosed Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. Activity

* Any

- N/A

A profile based on the Optimized profile.

Edit this profile >

go to the General Policy pane>

in the Activation Mode section,

set every Confidence to Prevent.

Exclude

Server_1

Backdoor.Win32.Agent.AH

Detect

Step

Instructions

1

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Threat Prevention > Custom Policy.

2

Click the rule that contains the scope of Server_1.

4

Right-click the rule and select New Exception.

5

Configure these settings:

  • Name - Give the exception a name such as Exclude.

  • Protected Scope - Change it to Server_1 so that it applies to all detections on the server.

  • Protection/Site - Click + in the cell. From the drop-down menu, click the category and select one or more of the items to exclude.

    Note - To add EICAR files as exceptions, you must add them as Allow List files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them, if archive scanning is enabled.

  • Action - Keep it as Detect.

  • Track - Keep it as Log.

  • Install On - Keep it as Policy Targets or select specified gateways, on which to install the rule.

6

Install the Threat Prevention Policy.

Creating an Exception for a Specific Protection, Site, File or Blade

Step

Instructions

1

In SmartConsole, select Security Policies > Threat Prevention.

2

From the navigation tree, select a Policy Layer.

3

Right-click the rule and select New Exception.

An exception sub-rule is added to the policy.

4

Right-click the Protection/Site/File/Blade cell and select Add new items.

5

From the drop-down list, select the relevant category (IPS Protections, Anti-Bot & Anti-Virus Protections, User Applications, Whitelist Files, Blades) and then select the required item.

The protections are added to the exception sub-rule.

Notes:

  • There are no DNS protections in this drop-down menu.

    To add an exception to a DNS protection, you must go to the relevant log and add it from there.

    See Creating Exceptions from Logs or Events.

  • To add an exception for an IPS protection, you can also go to Security Policies > Threat Prevention > Custom Policy > IPS Protections, right-click a protection and select Add Exception.

6

Install Policy.

You can create a rule or exception for a specific blade for a specific website/URL because the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. is always the destination in non-transparent proxy mode.

In a transparent proxy mode, or while the traffic is inspected by a Security Gateway, this setup is not a challenge because the destination is configured in the Destination column, and the excluded blade is configured in the Protection/Site/File/Blade column. This is not possible in non-transparent mode because the destination is always the Security Gateway itself.

  1. Create a separate layer with a separate profile for each blade or a pair of blades (for example: Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. and Anti-Bot & Advanced DNS, or Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.):

  2. Create a separate profile for each layer and enable only the specific blade:

  3. Create a custom Application/Site for each layer. For instructions, refer to sk165094:

  4. Create a Rule Base for each layer, and a different exception rule with the created Custom Application/Site in Protection/Site/File/Blade:

  5. In the Action column, select Detect or Inactive to disable the applicable Threat Prevention Blade for the applicable websites/URLs.

Notes:

Creating Exceptions from Logs or Events

In some cases, after evaluating a log or an event in the Logs & Events view, it may be necessary to update a rule exception in the SmartConsole Rule Base.

You can do this directly from within the Logs & Events view.

You can apply the exception to a specified rule or apply the exception to all rules that appear below Global Exceptions.

Step

Instructions

1

Click Logs & Events > Logs tab.

2

Right-click the log and select Add Exception.

3

Configure the settings for the exception.

4

In the New Exception Rule window:

  • To show the exception in the policy, click Go to.

  • Otherwise, click Close.

5

Install the Threat Prevention Policy.

Exception Groups

An exception group is a container for one or more exceptions. You can attach an exception group to all rules or only to selected rules. Exception groups simplify exception management, by allowing you to reuse the same exception group across multiple rules, instead of defining exceptions manually for each individual rule.

The Exception Groups pane shows a list of existing exception groups, the rules that use them, and any related comments.

Option

Meaning

New

Creates a new exception group.

Edit

Modifies an existing exception group.

Delete

Deletes an exception group.

Search

Searches for an exception group.

Global Exceptions

The system includes a predefined group named Global Exceptions. The system automatically adds exceptions that you define in the Global Exceptions group to every rule in the Rule Base. When you create a new exception group, you select which rule to attach it to.

Exception Groups in the Rule Base

Global exceptions and other exception groups are added as shaded rows below the applicable rule in the Rule Base. Each exception group is labeled with a tab that shows its name. Exceptions within a group are identified in the No column using this syntax:
E - <rule number>.<exception number>, where E identifies the line as an exception.

In a Global Exceptions group that contains two exceptions, all rules show the exception rows in the Rule Base No column as E-1.1 and E-1.2.

Note - The numbering of exceptions varies when you move the exceptions within a rule.

To view exception groups in the Rule Base:

Click the plus or minus sign next to the rule number in the No. column to expand or collapse the rule exceptions and exception groups.

Creating Exception Groups

When you create an exception group, you create a container for one or more exceptions. After you create the group, add the exception rules to it. You can then attach the group to the applicable rules in the Threat Prevention Rule Base.

Step

Instructions

1

In SmartConsole, select Security Policies > Threat Prevention > Exceptions.

2

In the Exceptions section, click New.

3

In Apply On, configure how the exception group is used in the Threat Prevention policy.

  • Manually attach to a rule - This exception group applies only when you add it to Threat Prevention rules.

  • Automatically attached to each rule with profile - This exception group applies to all Threat Prevention rules in the specified profile.

  • Automatically attached to all rules - This exception group applies to all Threat Prevention rules.

4

Click OK.

5

Install the Threat Prevention policy.

Step

Instructions

1

In SmartConsole, go to Security Policies > Threat Prevention > Exceptions.

2

In the Exceptions section, select the exception group to which you want to add an exception.

3

In the bottom pane of this page, click Add Exception.

4

Configure the new exception rule.

5

Install the Threat Prevention policy.

You can add exception groups to Threat Prevention rules.

This only applies to exception groups with Manually attach to a rule selected.

Step

Instructions

1

Click Security Policies > Threat Prevention > Custom Policy.

2

Right-click the rule and select Add Exception Group.

3

Select the applicable exception group from the list.

4

Install the Threat Prevention policy.

 

Step

Instructions
1 In SmartConsole > go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Profiles.

2

Click the icon to create a new profile.
3 In the Threat Emulation or Threat Extraction pages, select General > File Types > Process specific file type families > Configure.
4 Right-click the applicable file type and select Bypass.

5

Go to the Exceptions tab, and in the top pane, click the icon to create a new exception group.

6

In the Exception Group window that opens, select Automatically attached to each group with profile, and from the drop-down menu, select the newly created profile.

7

In the Security Policies view > Threat Prevention > Exceptions > select the newly created exception group.

8

At the bottom pane, create the required exception rule and define its Source and Destination.

9

Install the Threat Prevention policy.