Add or edit a threat exception rule

You can use the Threat Exceptions stage page to create exceptions to override the default action configured for threat categories for specific threat situations.

To create or edit a threat exception rule:

Steps

  1. On the Navigation pane, click Policy. The All Policies page opens.
  2. Click the New button to add a policy, or click the Edit button against the policy rule in the table to edit a policy. The Policy panel is displayed.
  3. Enter a name for the policy in the Name field. You can skip this step if this field is populated or if no change is required.
  4. Enter a description for the policy in the Description field. This is an optional step.
  5. Type or click to select a source site in the Source Sites field. You can skip this step if this field is populated or if no change is required.
    Note:
    1. When you type or click in the Source Sites field, a pop-up dialog box displays the available options to select from. You can also click Set to ANY to use any site as the option.
    2. If you do not add a source site, the default entry of ANY is used.
    3. Click x on the source site element under the Source Sites field to remove it.
    4. If Set to ANY is selected, then the policy will match all traffic processed by the policy and no further policies are checked.
  6. From the Default TLS Inspection Setting drop-down menu, select one of the following:
    • Decrypt: The secure traffic is decrypted for inspection and then re-encrypted before it is sent to the destination. You must have the Forcepoint root certificate installed on the end user workstations.
    • Do not decrypt: The secure traffic is not decrypted, and the traffic cannot be fully inspected. Also, this option is selected by default.
    Note: You can skip this step if this field is populated or if no change is required.
  7. Under Policy Summary, click the Threat Exceptions link. The Threat Exceptions stage page opens.
  8. Click a cell within an existing rule in the table to edit it, or click New to create a new rule.
  9. Enter a name, and optionally a description in the Exception cell of the rule in the table.
  10. To define the source to which the rule applies, do the following:
    1. Click the Source cell of the rule in the table.
      Note: If you do not add a source, the default entry of ANY is used, and the rule will apply to traffic from any source to which the policy applies.
    2. Click the Type or click to select field and begin typing to search for an available object, or click an object type to select available objects from a list. Repeat the process to add all required sources for the rule.
      Note:
      1. If required, click the New Source IP Address List button to create a new source IP address list. For more details, refer to the Creating a source IP address list topic in the Forcepoint ONE | Firewall Application Online help documentation.
      2. You can click the Set to ANY button to use any source IP address list as the option. If this is selected, then the policy will match all traffic processed by the policy and no further policies are checked.
  11. Click the Users cell of the rule in the table to define the users or user groups from which the request must originate to match this rule. Rules can be applied to all users in order to match any user whose identity is known. Users can be identified by the Web Security Endpoint or via SAML-based authentication.
  12. To define the traffic destinations to which the rule applies, do the following:
    1. Click the Destination cell of the rule in the table.
      Note: If you do not add a destination, the default entry of ANY is used, and the rule will apply to traffic to any destination.
    2. Click the Type or click to select field and begin typing to search for an available object, or click an object type to select available objects from a list. Repeat the process to add all required destinations for the rule.
      Note:
      1. If required, you can create a new domain name list or destination IP address list: click the New menu and select Domain Name List or Destination IP Address List. For more details, refer to the Creating a domain name list or Creating a destination IP address list topic in the Forcepoint ONE | Firewall Application Online help documentation.
      2. You can click the Set to ANY button to use any destination IP address list as the option. If this is selected, then the policy will match all traffic processed by the policy and no further policies are checked.
  13. To define the threat situations to which the rule applies, do the following:
    1. Click the Threat Situation cell of the rule in the table.
      Note: If you do not add a situation, the default entry of ANY is used, and the rule will apply to traffic matching any threat situation.
    2. Click the Type or click to select field and begin typing to search for an available threat situation, or click a threat category to select available sub-categories and then select situations from a list. To add the entire category or sub-category, click Select beside the category or sub-category name. Repeat the process to add all required threat situations for the rule.
  14. Click the Action cell of the rule in the table to select an action option to apply to the traffic that matches this rule. Available actions are:
    • Allow and Bypass: Allows the matching traffic and bypasses further policy processing stages. Traffic is not decrypted.
    • Block: Blocks the matching traffic.
  15. Click the Logging cell of the rule in the table to define whether an entry is added to traffic logs when traffic matches this exception.
    Note: By default, logging is enabled, and a log entry is created for any traffic that matches the exception. Clear the checkbox to disable logging for this exception.
  16. In the list of rules, use the Drag to move icon to define the priority order of your rule. Rules are evaluated in this order, and the first matching rule is applied.
  17. When you are done, click Save.
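The notes above state repeatedly that a field left at ANY matches all traffic and that once a rule matches no further rules are checked, and step 16 makes the row order the priority order. The following Python model is an added illustration of that behaviour, not Forcepoint's code: it evaluates a list of exception rules first-match style and flags rules that can never fire because an earlier, broader rule covers them. Every rule name, IP address list name, user name and threat situation name in it is constructed for the example; the two actions and the default logging setting are the ones the page lists.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

ANY = "ANY"  # the page's default entry: matches everything in that field
Field = Union[str, FrozenSet[str]]  # ANY, or a set of selected object names


@dataclass(frozen=True)
class ThreatException:
    """One row of the Threat Exceptions table (hypothetical model)."""
    name: str
    sources: Field = ANY
    users: Field = ANY
    destinations: Field = ANY
    situations: Field = ANY
    action: str = "Block"        # "Allow and Bypass" or "Block"
    logging: bool = True         # logging is enabled by default

    def fields(self) -> Tuple[Field, Field, Field, Field]:
        return (self.sources, self.users, self.destinations, self.situations)


TRAFFIC_KEYS = ("source", "user", "destination", "situation")


def field_matches(rule_field: Field, value: str) -> bool:
    """ANY matches any value; otherwise the value must be one of the selected objects."""
    return rule_field == ANY or value in rule_field


def evaluate(rules: List[ThreatException], traffic: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """First rule in priority order whose four fields all match decides the action.

    Returns (action, rule name); ("category default", None) when no exception
    matches and the threat category's own default action applies.
    """
    for rule in rules:
        if all(field_matches(f, traffic[k]) for f, k in zip(rule.fields(), TRAFFIC_KEYS)):
            return rule.action, rule.name
    return "category default", None


def covers(broad: Field, narrow: Field) -> bool:
    """True when 'broad' matches at least everything 'narrow' matches."""
    return broad == ANY or (narrow != ANY and narrow <= broad)


def shadowed_rules(rules: List[ThreatException]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, earlier rule) pairs: rules that can never fire
    because a rule above them already matches every packet they would match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(b, n) for b, n in zip(earlier.fields(), later.fields())):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rules. BYPASS_ALL leaves every field at ANY, so wherever it sits
# in the list nothing below it is ever evaluated.
BYPASS_ALL = ThreatException("bypass-everything", action="Allow and Bypass")
BLOCK_SCANNER = ThreatException(
    "block-scanners-to-dmz",
    destinations=frozenset({"DMZ Servers"}),
    situations=frozenset({"Scanner Activity"}),
)
ALLOW_PARTNER = ThreatException(
    "partner-false-positive",
    sources=frozenset({"Partner VPN"}),
    situations=frozenset({"Suspicious Download"}),
    action="Allow and Bypass",
    logging=False,
)

MISORDERED = [BYPASS_ALL, BLOCK_SCANNER, ALLOW_PARTNER]   # catch-all on top
CORRECT_ORDER = [BLOCK_SCANNER, ALLOW_PARTNER, BYPASS_ALL]  # narrow rules first

# Constructed traffic sample: a scan from the Internet against the DMZ.
SCAN_FROM_INTERNET = {
    "source": "Internet",
    "user": "unknown",
    "destination": "DMZ Servers",
    "situation": "Scanner Activity",
}

if __name__ == "__main__":
    print("misordered:", evaluate(MISORDERED, SCAN_FROM_INTERNET))
    print("corrected: ", evaluate(CORRECT_ORDER, SCAN_FROM_INTERNET))
    print("shadowed in misordered list:", shadowed_rules(MISORDERED))
```

Running `shadowed_rules` over a rule table before saving is the check a reviewer would want after step 16: any rule it reports is dead, and a dead Block rule below an Allow and Bypass catch-all means the exception list is silently allowing traffic the author intended to block.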