Add Exceptions in WatchGuard Cloud

Applies To: Cloud-managed Fireboxes

When you enable security services to block sites, ports, and content, in some cases, you might not want the cloud-managed Firebox to block an IP address, URL, domain, or email address. You can add an exception to allow users access.

HTTPS policies do not perform TLS decryption for enabled domains in the Default HTTPS Decryption Exceptions list. You can disable an HTTPS decryption exception for a service that you do not want to use on your network. For more information, go to Manage HTTPS Decryption Exceptions.

You can now import exceptions from a locally-managed Firebox configuration file to a cloud-managed Firebox. For more information, go to Import Configuration Settings From a Locally-Managed Firebox.

To add an exception:

  1. Select Configure > Devices.
  2. Select a cloud-managed Firebox.
    Status and settings for the selected Firebox appear.
  3. Select Device Configuration.
    The Device Configuration page opens and shows the WatchGuard Cloud Security Services.
  4. Click the Exceptions tile.
    The Exceptions page opens.
  5. Click Add Exception.
    The Add Exception dialog box opens.
  6. From the Select Service menu, select the service you want to add an exception for. For information about how to use FQDN in exemptions and policies, go to About Policies by Domain Name (FQDN).
    • Blocked Sites — Add an exception for a host IPv4 address, network IPv4 address, host IPv4 address range, IPv6 address, network IPv6 address, or host IPv6 address range, or you can add an exception by FQDN.
    • Botnet Detection — Add an exception for a host IPv4 address, network IPv4 address, or host IPv4 address range, or you can add an exception by FQDN.
    • Gateway AntiVirus, IntelligentAV, APT Blocker — Add an exception for the File MD5 Hash and specify the action the service should take when the file is encountered (Allow or Deny).
    • Geolocation — Add an exception for a host IPv4 address, network IPv4 address, host IPv4 address range, IPv6 address, network IPv6 address, or host IPv6 address range, or you can add an exception by FQDN.
    • HTTPS Decryption — Add an exception for an HTTPS domain and specify the action the service should take when the domain is encountered (Allow or Deny).
    • IPS — Add an exception for a signature ID and specify the action the service should take when the signature ID is encountered (Allow, Drop, or Block). Select the Alarm check box to generate an alarm for the exception.
    • WebBlocker — Add an exception for a website and specify the action WebBlocker should take when the website is encountered (Allow or Deny). You can add a WebBlocker exception that is an exact match of a URL, a pattern match of a URL, or a regular expression. For more information on how to specify an exception, go to WebBlocker Exceptions. Select the Alarm check box to generate an alarm for the exception.
    • spamBlocker — Add an exception to bypass spamBlocker actions for emails sent to or from a specific sender or recipient address. Specify the protocol and email address the exception applies to, and the action to take for the exception (Allow, Deny, or Add Subject Tag). For more information about spamBlocker actions, go to Configure Content Scanning in WatchGuard Cloud.
  7. (Optional) In the Description text box, type a description of the exception.
  8. Click Save.
    To delete an exception, click in the row for the exception.

When you add an exception for an address the Firebox already automatically blocked, you must reboot the Firebox.
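
As an added example (not WatchGuard code), the following Python script pre-checks requested exception values against the value types the Select Service list above gives for each address-based and hash-based service, so a malformed or unsupported entry is caught before it is typed into the Add Exception dialog box. The `start-end` range notation, the FQDN pattern (no wildcards), and the sample requests are assumptions constructed for this example.

```python
import ipaddress
import re

# Value kinds each service accepts, transcribed from the Select Service list.
V4 = {"host IPv4", "network IPv4", "IPv4 range"}
V6 = {"host IPv6", "network IPv6", "IPv6 range"}
ACCEPTS = {
    "Blocked Sites": V4 | V6 | {"FQDN"},
    "Botnet Detection": V4 | {"FQDN"},  # no IPv6 kinds listed for this service
    "Geolocation": V4 | V6 | {"FQDN"},
    "Gateway AntiVirus, IntelligentAV, APT Blocker": {"MD5"},
}
# Assumption: plain FQDNs only; wildcard names are not handled here.
FQDN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)

def _ip_kind(value):
    """Classify an IP host, CIDR network, or 'start-end' range (assumed notation)."""
    if "/" in value:
        # strict=True rejects a network written with host bits set.
        return f"network IPv{ipaddress.ip_network(value, strict=True).version}"
    lo, sep, hi = value.partition("-")
    if sep:
        a, b = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        if a.version != b.version or a > b:
            raise ValueError("range ends differ in IP version or are reversed")
        return f"IPv{a.version} range"
    return f"host IPv{ipaddress.ip_address(value).version}"

def classify(value):
    """Return the kind of an exception value, or None if it is not recognised."""
    value = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "MD5"
    try:
        return _ip_kind(value)
    except ValueError:
        return "FQDN" if FQDN_RE.fullmatch(value) else None

def review(service, value):
    """Return (kind, accepted) for one requested exception."""
    kind = classify(value)
    return kind, kind in ACCEPTS[service]

if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges, not real hosts).
    for svc, val in [("Blocked Sites", "2001:db8::/32"),
                     ("Botnet Detection", "2001:db8::1"),
                     ("Geolocation", "198.51.100.7/24"),
                     ("Botnet Detection", "192.0.2.10-192.0.2.20")]:
        print(f"{svc:18} {val:24} -> {review(svc, val)}")
```

A result of `(None, False)` means the value did not parse as any supported kind, for example a network written with host bits set or a hash that is not 32 hexadecimal characters.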

Related Topics

Add a Cloud-Managed Firebox to WatchGuard Cloud

Add Blocked Sites and Blocked Ports

Manage HTTPS Decryption Exceptions