Threat Exceptions

On the Threat Exception stage page, you define threat exceptions that apply a Block or an Allow and Bypass action to traffic that matches specified sources, destinations, or threat situations. Exceptions always override threat category rules.

Exceptions can be used to block or allow specific types of traffic for users within your organization by overriding the defined threat category block level for that traffic.

For example, if traffic from a particular application used in your organization is blocked as suspicious, you can create an exception that allows this traffic for specific source addresses and destinations by matching the threat situations that identify the traffic.
Note:
  1. Threat exceptions are applied in the order they appear in the list, with the highest priority rule applied first. The first matching rule is applied, and no further rules are used.
  2. Threat exceptions are matched before the threat category block action is processed.
A threat exception rule consists of the following elements:
  • Exception: Defines rule name and description for the threat exception.
  • Source: Defines where traffic must originate from for the rule to apply. Source can include one or more sites, or source IP address lists. By default, the rule applies to traffic from any source to which the policy applies.
  • Users: Defines the users (or user groups) from which the request must originate to match this rule. Rules can be applied to All Users in order to match any user whose identity is known. Users can be identified by the Web Security Endpoint or via SAML-based authentication.
  • Destination: Defines the destination addresses to which traffic must be directed for the rule to apply. Destinations can include one or more destination IP address lists, or domain name lists. By default, the rule applies to traffic to any destination.
  • Threat Situation: Defines the threat situation that the traffic matches in order for the rule to apply. By default, the rule applies to any situation.
  • Action: Defines the action that is applied to the matching traffic. The actions are:
    • Block: Blocks matching traffic by terminating the session. No further policy processing is performed.
    • Allow and Bypass: Allows traffic and bypasses further inspection. Traffic is not decrypted, and no further policy processing stages are applied.
  • Logging: Select the Logging checkbox to enable the record logging functionality.
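The following Python model is an added illustration of the matching order described above, not code from the product: exceptions are walked in list order, the first rule whose populated elements all match decides the action, and only when no exception matches does the threat category action apply. Rule names, CIDRs, domains and the situation name are constructed sample values, and Users is simplified to a plain name list (empty meaning All Users).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class ThreatException:
    """One rule. An empty match list means 'any', as the page's defaults describe."""
    name: str
    action: str                                       # "block" or "allow_and_bypass"
    sources: list = field(default_factory=list)       # source CIDRs (site / IP address lists)
    users: list = field(default_factory=list)         # user names; empty = All Users
    destinations: list = field(default_factory=list)  # destination domains
    situations: list = field(default_factory=list)    # threat situation names

@dataclass
class Request:
    src_ip: str
    user: str
    dest_domain: str
    situation: str
    category_action: str  # what the threat category rule alone would do

def matches(exc, req):
    """True when every populated element of the exception matches the request."""
    if exc.sources and not any(ip_address(req.src_ip) in ip_network(c) for c in exc.sources):
        return False
    if exc.users and req.user not in exc.users:
        return False
    if exc.destinations and not any(req.dest_domain == d or req.dest_domain.endswith("." + d)
                                    for d in exc.destinations):
        return False
    if exc.situations and req.situation not in exc.situations:
        return False
    return True

def evaluate(exceptions, req):
    """First matching exception wins; otherwise the threat category action applies."""
    for exc in exceptions:
        if matches(exc, req):
            return exc.action, exc.name
    return req.category_action, "threat-category"

# Constructed sample policy: a narrow block rule sits above a broader allow rule,
# so guest-segment traffic is blocked even though the allow rule would also match it.
POLICY = [
    ThreatException("block-guest-segment", "block", sources=["10.99.0.0/16"],
                    situations=["Suspicious-Application-Traffic"]),
    ThreatException("allow-internal-app", "allow_and_bypass", sources=["10.0.0.0/8"],
                    destinations=["app.example.com"], situations=["Suspicious-Application-Traffic"]),
]
```

Reordering the two rules in POLICY flips the outcome for guest-segment traffic, which is the point of note 1 above.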