On This Page
USP Exceptions
Overview
The USP Exceptions Viewer lets you to create, view, modify and delete USP exceptions.
What is a USP Exception?
USP exceptions suppress violations of USPs (unified security policies) for specific rule properties, and traffic to sources, destinations and/or services. The exception can be restricted to specific USPs and to specific zones within each USP. Exceptions apply only to rule, traffic and flow violations; they do not apply to condition violations. Violations and exceptions are recalculated nightly and also when new policy revisions are received.
All of the actions on USP exceptions can be seen in the administrator audit trail under the category unified security policy, object type exception.
What Can I Do Here?
-
Add a traffic exception - click +ADD TRAFFIC EXCEPTION and complete the Exception Properties
-
Edit an exception - select exception > Actions > Edit Exception and complete the Exception Properties
- Duplicate an exception - select exception > Actions > Duplicate Exception and complete the Exception Properties
-
Filter the displayed exceptions using TQL - see query fields
-
Delete exceptions - select one or more exceptions > Actions > Delete Exception
Add an Exception
-
Click +ADD TRAFFIC EXCEPTION. The Create Traffic Exception screen is displayed.
- Enter the fields on the screen. See Exception Properties for more detail.
- Click Create.
Exception Properties
Field |
Exception Type |
Description |
---|---|---|
Status |
Rules, Traffic |
Enable / disable as required. |
Exception Name |
Rules, Traffic |
Required. Must be unique. The Exception Name is not case-sensitive. |
Domain: |
Rules, Traffic |
Enabled only for administrators working in the Multi-Domain Management Global Context. The available options depend on the user's domain permissions. The Domain field cannot be modified once created. Values: All Domains - The USP applies to all existing domains at the time violations are calculated Specific domain - The USP applies to the current selected domain only |
Ticket ID |
Rules, Traffic |
Optional. The ticket ID that relates to this exception |
Approver |
Rules, Traffic |
Optional. The person who approved the exception. |
Time Frame |
Rules, Traffic |
Optional. The time frame in which the USP exception is valid |
Source |
Traffic |
Optional. One or more source IPs or network objects (such as host, subnet, IP range, and groups (including NSX security groups)) to condition the exception.
|
Destination |
Traffic |
Optional. One or more destination IP or network objects (such as host, subnet, IP range, and groups (including NSX security groups)) to condition the exception.
|
Service / Application |
Traffic |
Optional. One or more services or applications to condition the exception - for traffic type violations only.
|
Rules |
Rules |
The rules included in the exception. Rules can be added from the Rule Viewer. |
USP |
Rules, Traffic |
Optional. One or more USPs to which the exception applies; option to specify one or more zone-to-zone pairs (USP zone matrix cells) for each USP.
If you want to remove the selected value and restore it to blank, click on the X displayed when hovering over the field. The X can be seen only when hovering before clicking in the field i.e. before the list is displayed. Alternatively, you can click in the field to display the list and use the backspace key to delete the field value. |
Description |
Rules, Traffic |
Optional. A description of the exception. |
Traffic Exception Examples
Exception 1 - Source=1.1.1.1, Destination=2.2.2.2, Service=ftp, USP=not specified
- Suppress all traffic violations from all USPs where source=1.1.1.1 and destination=2.2.2.2 and service=ftp, regardless of properties.
- Suppress all flow violations from all USPs where source=1.1.1.1 and destination=2.2.2.2 regardless of service and properties.
Exception 2 - Source=blank, Destination=2.2.2.2, Service=ftp, USP=SOX, PCI (2 USPs)
- Suppress all traffic violations from USPs SOX and PCI where destination=2.2.2.2 and service=ftp, regardless of source and properties.
- Suppress all flow violations from USPs SOX and PCI where destination=2.2.2.2, regardless of source, service and properties.
How Do I Get Here?
From the menu, go to Browser > USP Exceptions Viewer.