Threat Exceptions

Threat Exceptions apply a block, or an allow-and-bypass, action to traffic that matches specified Services and Threat Situations. Exceptions can be restricted to specified traffic sources and destinations. Exceptions always override Threat Category blocking.

Exceptions can be used to block or allow specific types of traffic for users within your organization, overriding the defined Threat Category block level for that traffic. For example, if traffic from a particular application used in your organization is blocked as suspicious, you can create an exception that allows this traffic for specific source addresses and destinations, by matching the Service and/or Threat Situations that identify the traffic.

Exceptions always override Threat Category rules. Threat exceptions are applied in the order they appear in the list, with the highest priority rule applied first. The first matching rule is applied, and no further rules are used.

Threat Exceptions are matched before Threat Category block actions.

A threat exception rule consists of the following elements:

  • Source: defines where traffic must originate for the rule to apply. Source can include one or more Sites, or Source IP Address Lists. By default, the rule applies to traffic from any source to which the policy applies.
  • Destination: defines the destination addresses to which traffic must be directed for the rule to apply. Destinations can include one or more Destination IP Address Lists, or Domain Name Lists. By default, the rule applies to traffic to any destination.
  • Service: defines the traffic signatures, defined as Services, that the traffic must match for the rule to apply. By default, the rule applies to any network service.
  • Threat Situation: defines the Threat Situation that the traffic matches in order for the rule to apply. By default, the rule applies to any situation.
  • Action: the action applied to matching traffic. Rule actions are:
    • Block: blocks matching traffic by terminating the session. No further policy processing is performed.
    • Allow and bypass: allows traffic and bypasses further inspection. Traffic is not decrypted, and no further policy processing stages are applied.
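The evaluation semantics described above (ordered rules, first match wins, unset elements match any, exceptions override the Threat Category action) as a small added model in Python. This is illustrative code written for this page, not the product's own implementation; the rule names, site and list names, and situation names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Flow:
    """One inspected flow after Site/list, Service and Situation matching."""
    source: str             # matched Site or Source IP Address List
    destination: str        # matched Destination IP Address / Domain Name List
    service: str            # matched Service (traffic signature)
    situation: str          # matched Threat Situation
    category_action: str    # what Threat Category blocking would do alone


@dataclass
class ExceptionRule:
    """A threat exception. An empty element means the default: any."""
    name: str
    action: str             # "block" or "allow-bypass"
    sources: FrozenSet[str] = field(default_factory=frozenset)
    destinations: FrozenSet[str] = field(default_factory=frozenset)
    services: FrozenSet[str] = field(default_factory=frozenset)
    situations: FrozenSet[str] = field(default_factory=frozenset)

    def matches(self, flow: Flow) -> bool:
        checks = ((self.sources, flow.source), (self.destinations, flow.destination),
                  (self.services, flow.service), (self.situations, flow.situation))
        # every element either is unset (matches any) or contains the flow's value
        return all(not allowed or value in allowed for allowed, value in checks)


def evaluate(rules: List[ExceptionRule], flow: Flow) -> Optional[str]:
    """Return the resulting action: first matching exception in list order,
    otherwise the Threat Category action. Exceptions are matched first."""
    for rule in rules:              # list order == priority order
        if rule.matches(flow):
            return rule.action      # first match wins; no further rules used
    return flow.category_action


# Constructed example policy: an internal app from HQ is allowed through
# ahead of a broader block on a suspicious situation.
RULES = [
    ExceptionRule("hq-internal-app", "allow-bypass",
                  sources=frozenset({"hq-site"}), services=frozenset({"internal-app"})),
    ExceptionRule("block-tunnels", "block", situations=frozenset({"Suspicious-Tunnel"})),
]
```

Swapping the two rules in `RULES` changes the outcome for the HQ flow, which is the point of the ordering note above.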