Create Blocked Sites Exceptions
When you add a site to the Blocked Sites Exceptions list, traffic from that site is not blocked, even if it is included in the Blocked Sites list. Traffic from sites on the Blocked Sites Exceptions list is also not blocked automatically based on thresholds configured in Default Threat Protection and by block actions configured in a proxy policy. If Reputation Enabled Defense is enabled, sites on the Blocked Sites Exceptions list are not blocked based on reputation, and the reputation score is set to -1.
The Firebox continues to drop spoofing attacks and IP source route attacks from sites on the Blocked Sites Exceptions list.
Default Blocked Sites Exceptions
Add a Blocked Sites Exception
You can add an exception for an IPv4 or IPv6 host IP address, network IP address or host IP address range, host name (one-time DNS lookup), or you can add an exception by FQDN (includes wildcard domains). For more information about how to use FQDN in Blocked Sites exceptions and policies, go to About Policies by Domain Name (FQDN).
To import or export a list of Blocked Sites Exceptions, go to Import a List of Blocked Sites or Blocked Sites Exceptions.
If a site you add to the Blocked Sites Exceptions list is on the Auto-Blocked list, the site remains blocked until the Auto-Blocked timeout expires for that site.
For information on how to remove a temporarily blocked site from the Blocked Sites list, go to:
- Fireware Web UI — Blocked Sites
- Policy Manager — Manage the Blocked Sites List (Blocked Sites)
When you add a site to any one of the Botnet Detection Exceptions, Geolocation Exceptions, or Blocked Sites Exceptions lists, the site is not blocked by any of these services or Default Packet Handling.
For example, if you add www.example.com to the Geolocation Exceptions list, then Botnet Detection, Blocked Sites, and Default Packet Handling also do not block the site. If you already added a site to one exception list, you might see an error if you try to add the site to an exception list for another service.
When you add a site to the Botnet Detection, Geolocation, or Blocked Sites Exceptions lists, the site is not blocked by any of those services or by Default Packet Handling.
- Select Firewall > Blocked Sites.
- Select the Blocked Sites Exceptions tab.
- Click Add.
  The Add Sites dialog box appears.
- From the Choose Type drop-down list, select a method to identify the blocked site exception.
  You can add an exception for an IPv4 or IPv6 host IP address, network IP address or host IP address range, host name (one-time DNS lookup), or you can add an exception by FQDN.
- In the adjacent text box, type the IP address, network IP address, host range, host name, or FQDN. If the exception is for a host range, type the start and end IP addresses for the range of IP addresses in the exception.
  For FQDN, you can use a specific domain name, such as example.com, or use a wildcard to indicate the domain and all subdomains, such as *.example.com.
- (Optional) In the Description text box, type a description of the blocked site exception.
- Click OK.
- Click Save.
- Select Setup > Default Threat Protection > Blocked Sites.
- Select the Blocked Sites Exceptions tab.
- Click Add.
  The Add Site dialog box appears.
- From the Choose Type drop-down list, select a method to identify the blocked site exception. You can add an exception for an IPv4 or IPv6 host IP address, network IP address or host IP address range, host name (one-time DNS lookup), or you can add an exception by FQDN.
- In the Value text box, type the IP address, network IP address, host range, host name, or FQDN. If the exception is for a host range, type the start and end IP addresses for the range of IP addresses in the exception.
  For FQDN, you can use a specific domain name, such as example.com, or use a wildcard to indicate the domain and all subdomains, such as *.example.com.
- Click OK.
You cannot remove an internal IP address or network address from the Blocked Sites Exceptions list if the internal IP address is on the Blocked Sites list. Before you can remove an internal IP address from the Blocked Sites Exceptions list, you must remove the address range that includes the internal IP address from the Blocked Sites list.
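Because an exception overrides any Blocked Sites entry it overlaps, and an internal address cannot be removed from the exceptions while a blocked range still includes it, it helps to review both lists together. The following Python sketch is an added example, not WatchGuard code: it reports which Blocked Sites entries each exception overrides. The list contents are constructed sample values, the function names are hypothetical, entries are assumed to be well formed, and host names are compared as text rather than resolved by DNS.

```python
import ipaddress

def parse_ip_entry(value):
    """Return (first, last) for a host IP, CIDR network, or 'start-end' range; None for names."""
    try:
        if "-" in value:
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return (start, end)
        net = ipaddress.ip_network(value, strict=False)
        return (net[0], net[-1])
    except ValueError:
        return None  # not an IP form: treat as a host name or FQDN

def fqdn_covers(exception, name):
    """Wildcard '*.example.com' covers the domain and all subdomains, as the page states."""
    exception, name = exception.lower().rstrip("."), name.lower().rstrip(".")
    if exception.startswith("*."):
        base = exception[2:]
        return name == base or name.endswith("." + base)
    return name == exception

def overlaps(exc, blocked):
    """True if the exception exempts at least part of the blocked entry."""
    e, b = parse_ip_entry(exc), parse_ip_entry(blocked)
    if e and b:
        # Same address family and intersecting address intervals.
        return e[0].version == b[0].version and e[0] <= b[1] and b[0] <= e[1]
    if e is None and b is None:
        return fqdn_covers(exc, blocked)
    return False  # IP entry vs. name entry: cannot be compared without DNS

def shadowed_entries(blocked_sites, exceptions):
    """Map each exception to the Blocked Sites entries it overrides."""
    return {exc: [b for b in blocked_sites if overlaps(exc, b)] for exc in exceptions}

# Constructed sample lists (documentation address ranges), not a real export.
BLOCKED = ["203.0.113.0/24", "198.51.100.7", "2001:db8::/32",
           "tracker.example.net", "10.0.5.0/24"]
EXCEPTIONS = ["203.0.113.10-203.0.113.20", "198.51.100.7",
              "*.example.net", "10.0.5.25", "192.0.2.1"]

if __name__ == "__main__":
    for exc, hits in shadowed_entries(BLOCKED, EXCEPTIONS).items():
        print(f"{exc:28} overrides {hits or 'nothing'}")
```

An exception that overrides nothing may be stale, and an internal address such as 10.0.5.25 that falls inside a blocked range is the case where the blocked range must be removed first.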