Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 29 subscribers
  • Views 1527 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

In addition to Web Exceptions, do you need a corresponding Firewall Rule with Web malware and content scanning disabled?

MrMojoRisin76

Greetings, I've been finding that when setting up web exceptions that they do not work. I then have to go create a FQDN Host Group with FQDN hosts that match my Web Exceptions rule, then create a Firewall policy above my existing policy that bypasses Web malware and content scanning. Lastly, I have to add the FQDN Host Group to the Sandstorm (ATP) Network / Host Exception area as well.  Why would this be?  Should the web exception be enough? Am I doing something wrong? All the syntax is correct in the web exception.



This thread was automatically locked due to age.
Parents
  • 0

    Hi, it should not be necessary to create additional firewall rules or FQDN Host Groups for the web exception to work. Can you post a screenshot of the web exception and firewall rule?

    Below are two examples of web exception I'm using to skip HTTPS decryption.

     

  • 0 in reply to AndersK

    The point is: XG uses the Proxy (HTTP/s) only, if there is a matching Firewall Policy.

    For example: PC to WAN using HTTPs. 

    You have a Firewall rule with HTTP Scanning called LAN to WAN with Any Service. The web exception will work.

    But if you have a Server for example, which has no Firewall rule (because you only have LAN to WAN with any service), the Proxy will not match this traffic, and so for the exception will not match. 

Reply
  • 0 in reply to AndersK

    The point is: XG uses the Proxy (HTTP/s) only, if there is a matching Firewall Policy.

    For example: PC to WAN using HTTPs. 

    You have a Firewall rule with HTTP Scanning called LAN to WAN with Any Service. The web exception will work.

    But if you have a Server for example, which has no Firewall rule (because you only have LAN to WAN with any service), the Proxy will not match this traffic, and so for the exception will not match. 

Children
No Data