Configuring Threat Prevention Policy Exceptions

On the Threat Prevention > Threat Prevention Exceptions page, you can configure exception rules for traffic that the IPS engine and the malware engine (Anti-Virus and Anti-Bot) do not inspect.

Threat Prevention Exceptions

To add a new Threat Prevention exception rule:

  1. In the IPS Exceptions section, click New > Add.

  2. Configure these fields:

    • Scope – For Threat Prevention blades only. Threat Prevention inspects traffic to and/or from all objects specified in the Scope, even when the specified object did not open the connection. The scope can include network objects, network object groups, IP address ranges and local users.

      Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group, or local user.

      If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox.

      For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox.

    • Source – Network object that initiates the connection.

    • Destination – Network object that is the target of the connection.

    • Protection – In the Blades tab, select Any for all blades, or select a specific blade. In the IPS protections tab, select a specific IPS protection from the list.

    • Service/Port – Type of network service. If you make an exception for a specified protection on a specific service/port, you might cause the protection to be ineffective.

    • Action – Select the applicable action to enforce on the matching traffic: Ask, Prevent, Detect or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

    • Log – Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs.

  3. Optional - Add a comment in the Write a comment field.

  4. Click Apply.
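
Before you enter or approve an exception, it helps to check whether the combination of fields is broader than intended. The following is an added example, not code from the appliance or its vendor: it reviews exception rules written as Python dictionaries and flags combinations that weaken inspection. The dictionary layout, the rule names, the sample values and the treatment of Detect and Inactive as non-blocking actions are assumptions made for the example.

```python
# Added example. The dict layout is hypothetical; values mirror the fields on this page.
ACTIONS = {"Ask", "Prevent", "Detect", "Inactive"}
TRACKING = {"None", "Log", "Alert"}
NON_BLOCKING = {"Detect", "Inactive"}  # assumption: these actions do not stop traffic

def review_exception(rule):
    """Return findings for one exception rule; an empty list means nothing was flagged."""
    findings = []
    if rule["action"] not in ACTIONS:
        findings.append("unknown action")
    if rule["log"] not in TRACKING:
        findings.append("unknown tracking option")
    relaxes = rule["action"] in NON_BLOCKING
    # "Any Scope except" negates the selection, so all other scopes match.
    broad_scope = rule["scope"] == "Any" or rule.get("any_scope_except", False)
    if relaxes and broad_scope and rule["protection"] == "Any":
        findings.append("non-blocking action for every protection on a broad scope")
    if relaxes and rule["protection"] != "Any" and rule["service"] != "Any":
        findings.append("protection excepted on a specific service/port")
    if relaxes and rule["log"] == "None":
        findings.append("matching traffic leaves no log entry")
    if not rule.get("comment", "").strip():
        findings.append("no comment recording why the exception exists")
    return findings

# Constructed sample rules, not taken from any appliance.
SAMPLE_RULES = [
    {"name": "scanner-host", "scope": "vuln-scanner", "source": "vuln-scanner",
     "destination": "Any", "protection": "Any", "service": "Any",
     "action": "Detect", "log": "Log", "comment": "Weekly internal scan"},
    {"name": "all-but-dmz", "scope": "DMZ network", "any_scope_except": True,
     "source": "Any", "destination": "Any", "protection": "Any", "service": "Any",
     "action": "Inactive", "log": "None", "comment": ""},
    {"name": "legacy-app", "scope": "app-server", "source": "Any",
     "destination": "app-server", "protection": "Example IPS protection",
     "service": "tcp/8080", "action": "Inactive", "log": "Alert",
     "comment": "False positive, ticket placeholder"},
]

def review_all(rules):
    """Map rule name to findings, keeping only rules with at least one finding."""
    report = {r["name"]: review_exception(r) for r in rules}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```

The comment check is a review preference; the Write a comment field itself is optional.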

Whitelists

You can set specified files and URLs that the Anti-Virus, Anti-Bot and Threat Emulation blades do not scan or analyze. For example, if there are files that you know are safe but can create a false positive when analyzed, add them to the Files Whitelist.

Threat Emulation only: You can set specified email addresses that the blade does not scan and add them to the Email Addresses Whitelist.

To add a file or URL to the whitelist:

  1. Select Files Whitelist or URLs Whitelist.

  2. Click New.

    The Add File or Add URL window opens.

  3. For a file, enter the MD5 checksum that serves as the signature for the specified file.

  4. For a URL, enter the URL.

  5. Click Apply.

To add an email address to the whitelist:

  1. Select Email Addresses Whitelist.

  2. Click New.

    The Add Email Address window opens.

  3. Enter the email address.

  4. For Type, select Sender or Recipient.

  5. Click Apply.

To edit or delete an exception rule:

  1. Select the relevant rule.

  2. Click Edit or Delete.