Adding or editing an exception

Use the Policy Management > Exceptions > Add Exception or Edit Exception page to create or update an exception that overrides standard policy enforcement to block or permit specific websites for specific clients.

Steps

  1. Enter or update the unique, descriptive Name for the exception. The name must be between 1 and 50 characters long, and cannot include any of the following characters:
    * < > ` ' { } ~ ! $ % & @ # " [ ] | \ ^ + = ? / ; : . ,
  2. In the URLs field, list the URLs or IP addresses to be permitted or blocked by the exception.
    • If you enter a URL in the format domain.com, both the domain and its subdomains (www.domain.com, subdomain.domain.com) are matched.
    • If you enter a URL in the format www.domain.com:
    • If access to the URLs listed is expected to be from an approved referer URL:
      • The list should include all sites linked on the referer page.
      • Enter the hostname of a URL if multiple links are to the same hostname.
      • Leave the URL list blank to permit access to all links on the referer site. When you click OK to save the exception, if both the URL list and the regular expression list (see below) are empty, a message window is displayed to confirm that you want to permit access to all sites when they are accessed from the approved referer URLs list.
      • If a URL redirects to a second URL, include both in the list.

    Enter one URL or IP address per line.

  3. If you want to permit access to the list of URLs only from a specific set of sites:
    1. Check Permit only when accessed via a specific site.
    2. Under Approved Referer URLs, enter the sites from which access should be granted.

    Access to the sites in the URLs list will be permitted only if they are accessed from an approved referer URL.

    Note:

    If the security settings on the client’s browsers have referer headers turned off, this feature will not work as expected. Access to the URL can be permitted only if the referer can be confirmed.

    When Network Agent is being used (Forcepoint URL Filtering standalone) or if SSL decryption is not enabled (Forcepoint Web Security), sites may not be permitted when accessed by an HTTPS referer site.

    Note that access to the referer URLs must be permitted by an existing policy or exception. This exception does not imply permitted access to the referer URLs.

    HTTP and HTTPS are the only protocols supported for referer URLs.

  4. Specify which Clients are affected by this exception.

    Super Administrators can create:

    • Global exceptions that apply to all clients in all roles.

      If you select this option, also specify whether or not to Allow delegated administrators to create exceptions that override this exception (see Overriding an exception).

    • Exceptions that apply to All clients in a role.

      After selecting this option, select a role from the drop-down list.

    • Exceptions that apply to Specific clients in any role.

      After selecting this option, you are offered 2 lists. One (on the left) shows all clients that have been Defined: added as managed clients in a delegated administration role, added to the Clients page in any role, or added to an exception. The other (on the right) shows clients Selected for this exception.

      Search boxes appear above each list to help you quickly find clients to add or remove.

      To add a client to the exception that does not appear in the list on the left, click Add Other Clients, then add user, group, computer (IPv4 or v6 address), or network (IPv4 or v6 address range) clients.

    Important:

    If you select specific clients that belong to multiple roles, when the exception is created, it is automatically split so that a new exception is created for each affected role.

    For example, if you define an exception called “Permit Craigslist” that applies to clients in the Super Administrator, HR, and Facilities roles, when you click OK, 3 exceptions are created.

    • The exceptions for the HR role and Facilities role are marked with an icon. Move the mouse over the icon to see which role is affected by the exception.
    • The exception for the Super Administrator role is not annotated.

    Delegated administrators can create exceptions that apply to All managed clients in this role or Specific clients in this role.

      If you select the latter option, you are offered 2 lists. One (on the left) shows all clients Defined in your Managed Clients list and Clients page. The other (on the right) shows the clients Selected for this exception.

      • Search boxes appear above each list to help you quickly find the clients that you want to add.
      • If a client does not appear in the Defined clients list, that individual is likely a member of a group, OU, or network (IP address range) defined as a managed client in your role. To add such a client, click Add Other Clients, then specify the user, group, or IPv4 or v6 address that you want to add.
  5. Specify the exception Type. This determines whether to Block or Permit the listed URLs for the specified clients.
    If Permit only when accessed via a specific site was selected, Type was automatically set to Permit and cannot be changed.
  6. Indicate when the exception Expires.
    • If you select Never, the exception is used until you delete it, or edit it to add an expiration date.
    • If you select After, enter an expiration date in the format mm/dd/yyyy, or click the calendar icon to select a date. The exception expires at midnight (based on the time set on the Filtering Service machine), when the selected day ends.
  7. Determine the exception State. By default, the exception is Active, and is immediately enforced after you cache and save your changes. If you do not want the exception to be used at this time, clear the check box.
  8. By default, if a URL is associated with a Security Risk category (like Malicious Web Sites or Spyware), any permitted exception is ignored, and the URL is filtered based on the active policy (see Prioritizing Security Risk categorization):
    • If a category filter blocks the category, the request is blocked.
    • If a category filter permits the category, the request is permitted.
    • If a limited access filter is being used, the request is blocked.

    To override this security feature, click Advanced, then clear the Block URLs that become a security risk, even if they are permitted by exception check box.

    Making this change is not recommended.

  9. To use regular expressions to define URLs that are permitted or blocked by exception, click Advanced, then enter one expression per line in the Regular expressions box.

    Regular expressions can be used with exceptions that have Permit only when accessed via a specific site enabled.

    To validate the expressions that you create, click Test Regular Expression. Expressions that are not supported cannot be used. See Using regular expressions for details.

    Note that using large numbers of regular expressions, or using poorly formed or overly broad expressions, can lead to a significant decrease in performance.

  10. When you are finished making changes, click OK to cache your changes and return to the Exceptions page. Changes are not implemented until you click Save and Deploy.
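
The decision rules from steps 2, 3, 6, 7, 8 and 9, modelled in Python as an added example (not Forcepoint code), including a check for a regular expression that matches more than intended. The class and function names are hypothetical, matching approved referers by hostname is an assumption, and Python's `re` module stands in for the product's regular expression engine, whose supported syntax may differ.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class PermitException:  # hypothetical model, not a product data structure
    urls: list = field(default_factory=list)      # step 2, domain.com form only
    regexes: list = field(default_factory=list)   # step 9
    referers: list = field(default_factory=list)  # step 3; empty = no referer rule
    expires: Optional[date] = None                # step 6; None = Never
    active: bool = True                           # step 7
    block_security_risk: bool = True              # step 8 default (recommended)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def host_matches(host, entry):
    # Step 2: domain.com matches the domain itself and its subdomains.
    return host == entry or host.endswith("." + entry)

def evaluate(exc, url, referer, today, security_risk, policy_verdict):
    """Return 'permit' or 'block'; policy_verdict is what the active policy
    alone would decide (a limited access filter counts as 'block' in step 8)."""
    # Inactive or expired: an exception is valid through the selected day.
    if not exc.active or (exc.expires and today > exc.expires):
        return policy_verdict
    host = host_of(url)
    listed = (any(host_matches(host, e) for e in exc.urls)
              or any(re.search(rx, url) for rx in exc.regexes))
    if exc.referers:
        # Step 3: the referer must be confirmed; a missing header fails.
        ref = host_of(referer or "")
        if not any(host_matches(ref, r) for r in exc.referers):
            return policy_verdict
        # Both lists empty: every link from an approved referer is permitted.
        listed = listed or not (exc.urls or exc.regexes)
    if not listed:
        return policy_verdict
    # Step 8: Security Risk categorization takes priority unless overridden.
    if security_risk and exc.block_security_risk:
        return policy_verdict
    return "permit"

def unintended_matches(regex, must_not_match):
    """Step 9 check: URLs an expression matches that it was not meant to."""
    return [u for u in must_not_match if re.search(regex, u)]
```

Running `unintended_matches` over a list of lookalike URLs before pasting an expression into the Regular expressions box shows, for example, that an unescaped `.` in `cdn.example.com` also matches `cdn-example.com`.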