This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

In addition to Web Exceptions, do you need a corresponding Firewall Rule with Web malware and content scanning disabled?

Greetings, I've been finding that when setting up web exceptions that they do not work. I then have to go create a FQDN Host Group with FQDN hosts that match my Web Exceptions rule, then create a Firewall policy above my existing policy that bypasses Web malware and content scanning. Lastly, I have to add the FQDN Host Group to the Sandstorm (ATP) Network / Host Exception area as well. Why would this be? Should the web exception be enough? Am I doing something wrong? All the syntax is correct in the web exception.

This thread was automatically locked due to age.

0 AndersK over 6 years ago

Hi, it should not be necessary to create additional firewall rules or FQDN Host Groups for the web exception to work. Can you post a screenshot of the web exception and firewall rule?

Below are two examples of web exception I'm using to skip HTTPS decryption.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to AndersK

The point is: XG uses the Proxy (HTTP/s) only, if there is a matching Firewall Policy.

For example: PC to WAN using HTTPs.

You have a Firewall rule with HTTP Scanning called LAN to WAN with Any Service. The web exception will work.

But if you have a Server for example, which has no Firewall rule (because you only have LAN to WAN with any service), the Proxy will not match this traffic, and so for the exception will not match.
Cancel
Vote Up 0 Vote Down

Cancel
0 MrMojoRisin76 over 6 years ago in reply to AndersK

So with the Firewall rule below, the Exception I've created should work and the sites in the exception list will bypass the firewall web policy settings?
Cancel
Vote Up 0 Vote Down

Cancel
0 AndersK over 6 years ago in reply to MrMojoRisin76

Your web exceptions should work. I tried "Skip HTTPS decryption" with ^([A-Za-z0-9.-]*\.)?ct\.gov/? on https://portal.ct.gov site and that worked. What is the issue on the client?
Cancel
Vote Up 0 Vote Down

Cancel