USP Exceptions

Overview

The USP Exceptions Viewer lets you create, view, modify and delete USP exceptions.

What is a USP Exception?

USP exceptions suppress violations of USPs (unified security policies) for specific rule properties, and traffic to sources, destinations and/or services. The exception can be restricted to specific USPs and to specific zones within each USP. Exceptions apply only to rule, traffic and flow violations; they do not apply to condition violations. Violations and exceptions are recalculated nightly and also when new policy revisions are received.

All of the actions on USP exceptions can be seen in the administrator audit trail under the category unified security policy, object type exception.

Traffic exceptions are conditioned on a combination of violation criteria including traffic source, destination and USP; rule exceptions are conditioned on rule properties. A criterion with no values specified is not a factor, so the exception is conditioned on the remaining criteria alone. This widens the exception and can cause a large number of violations to be suppressed.

If you are using the SecureTrack REST API to get USP exceptions, only rule exceptions created using the API are returned. Traffic exceptions created in the USP Exceptions Viewer or through GraphQL are not returned. Therefore, we recommend modifying your existing scripts to work directly with GraphQL.

What Can I Do Here?

  • Add a traffic exception - click +ADD TRAFFIC EXCEPTION and complete the Exception Properties
  • Edit an exception - select the exception > Actions > Edit Exception and complete the Exception Properties
  • Duplicate an exception - select the exception > Actions > Duplicate Exception and complete the Exception Properties
  • Filter the displayed exceptions using TQL - see query fields
  • Delete exceptions - select one or more exceptions > Actions > Delete Exception

Add an Exception

  1. Click +ADD TRAFFIC EXCEPTION. The Create Traffic Exception screen is displayed.
  2. Enter the fields on the screen. See Exception Properties for more detail.
  3. Click Create.

Exception Properties

Each field is listed with the exception types it applies to (Rules, Traffic), followed by its description.

Status (Rules, Traffic)

Enable / disable as required.

Exception Name (Rules, Traffic)

Required. Must be unique. The Exception Name is not case-sensitive.

Domain (Rules, Traffic)

Enabled only for administrators working in the Multi-Domain Management Global Context. The available options depend on the user's domain permissions. The Domain field cannot be modified once created. Values:

  • All Domains - The USP applies to all existing domains at the time violations are calculated
  • Specific domain - The USP applies to the currently selected domain only

Ticket ID (Rules, Traffic)

Optional. The ticket ID that relates to this exception.

Approver (Rules, Traffic)

Optional. The person who approved the exception.

Time Frame (Rules, Traffic)

Optional. The time frame in which the USP exception is valid.

Source (Traffic)

Optional. One or more source IPs or network objects (such as hosts, subnets, IP ranges and groups, including NSX security groups) to condition the exception.

  • If left blank, traffic source is not a factor in conditioning the exception, i.e. the exception is conditioned on the other criteria alone.
  • If more than one value is entered for this field, a match on any one of them conditions the exception (source 1 or source 2 or ...).

Destination (Traffic)

Optional. One or more destination IPs or network objects (such as hosts, subnets, IP ranges and groups, including NSX security groups) to condition the exception.

  • If left blank, traffic destination is not a factor in conditioning the exception, i.e. the exception is conditioned on the other criteria alone.
  • If more than one value is entered for this field, a match on any one of them conditions the exception (destination 1 or destination 2 or ...).

Service / Application (Traffic)

Optional. One or more services or applications to condition the exception - for traffic type violations only.

  • If left blank, service or application is not a factor in conditioning the exception, i.e. the exception is conditioned on the other criteria alone.
  • If more than one value is entered for this field, a match on any one of them conditions the exception (service/application 1 or service/application 2 or ...).
  • This field is ignored for flow violations.

Rules (Rules)

The rules included in the exception. Rules can be added from the Rule Viewer.

USP (Rules, Traffic)

Optional. One or more USPs to which the exception applies, with the option to specify one or more zone-to-zone pairs (USP zone matrix cells) for each USP.

  • If no USPs are specified, the exception applies to all USPs.
  • If no zones are specified for a USP, the entire USP conditions the exception.

To clear a selected value and restore the field to blank, click the X displayed when hovering over the field. The X is visible only when hovering before clicking in the field, i.e. before the list is displayed. Alternatively, click in the field to display the list and use the Backspace key to delete the field value.

Description (Rules, Traffic)

Optional. A description of the exception.

Traffic Exception Examples

Exception 1 - Source=1.1.1.1, Destination=2.2.2.2, Service=ftp, USP=not specified

  • Suppress all traffic violations from all USPs where source=1.1.1.1 and destination=2.2.2.2 and service=ftp, regardless of properties.
  • Suppress all flow violations from all USPs where source=1.1.1.1 and destination=2.2.2.2 regardless of service and properties.

Exception 2 - Source=blank, Destination=2.2.2.2, Service=ftp, USP=SOX, PCI (2 USPs)

  • Suppress all traffic violations from USPs SOX and PCI where destination=2.2.2.2 and service=ftp, regardless of source and properties.
  • Suppress all flow violations from USPs SOX and PCI where destination=2.2.2.2, regardless of source, service and properties.
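To make the matching semantics of the two examples concrete, the following is an added example, not Tufin's code or API: it models how a traffic exception conditions on its criteria as described on this page (blank criteria are wildcards, multiple values in one field are OR'ed, fields are AND'ed, the USP field restricts by USP and optionally by zone pair, and Service / Application is ignored for flow violations). The `Violation` and `UspException` data model, the helper names and the sample violations are constructed assumptions for illustration; Exception 1 and Exception 2 from the page are encoded as `EXCEPTION_1` and `EXCEPTION_2`. The `unconstrained_criteria` helper is a review aid for spotting exceptions whose blank fields make them suppress more than intended.

```python
"""Model of how a USP traffic exception conditions on its criteria.

Added example, not Tufin's code: the data model below is an assumption
built from the field descriptions on this page.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Violation:
    """One violation as this model assumes it is reported (constructed shape)."""
    vid: str
    kind: str                   # "traffic" or "flow"
    usp: str                    # USP name, e.g. "SOX"
    zones: tuple[str, str]      # (from-zone, to-zone) cell of the USP zone matrix
    source: str                 # single source IP
    destination: str            # single destination IP
    service: str = ""           # empty for flow violations


@dataclass
class UspException:
    """Traffic exception fields; an empty list or dict means 'not a factor'."""
    name: str
    enabled: bool = True
    sources: list[str] = field(default_factory=list)       # IPs or CIDR subnets
    destinations: list[str] = field(default_factory=list)
    services: list[str] = field(default_factory=list)
    # USP name -> zone pairs; [] = entire USP; {} = all USPs
    usps: dict[str, list[tuple[str, str]]] = field(default_factory=dict)


def _matches_any(networks: list[str], ip: str) -> bool:
    """Blank criterion matches everything; otherwise OR across the entries."""
    if not networks:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in networks)


def suppresses(exc: UspException, v: Violation) -> bool:
    """AND across criteria, OR within a criterion, blank = wildcard."""
    if not exc.enabled:
        return False
    if exc.usps:                                   # restricted to named USPs
        zone_pairs = exc.usps.get(v.usp)
        if zone_pairs is None:
            return False
        if zone_pairs and v.zones not in zone_pairs:
            return False
    if not _matches_any(exc.sources, v.source):
        return False
    if not _matches_any(exc.destinations, v.destination):
        return False
    # Service / Application applies to traffic violations only; flow ignores it.
    if v.kind == "traffic" and exc.services and v.service not in exc.services:
        return False
    return True


def unconstrained_criteria(exc: UspException) -> list[str]:
    """Review aid: list the blank criteria, which widen what gets suppressed."""
    blanks = []
    if not exc.sources:
        blanks.append("source")
    if not exc.destinations:
        blanks.append("destination")
    if not exc.services:
        blanks.append("service")
    if not exc.usps:
        blanks.append("usp")
    return blanks


def evaluate(exceptions: list[UspException],
             violations: list[Violation]) -> dict[str, list[str]]:
    """Map each violation id to the names of the exceptions that suppress it."""
    return {v.vid: [e.name for e in exceptions if suppresses(e, v)]
            for v in violations}


# The two examples from the page, encoded in this model.
EXCEPTION_1 = UspException("Exception 1", sources=["1.1.1.1"],
                           destinations=["2.2.2.2"], services=["ftp"])
EXCEPTION_2 = UspException("Exception 2", destinations=["2.2.2.2"],
                           services=["ftp"], usps={"SOX": [], "PCI": []})

# Constructed sample violations (not real data).
SAMPLE_VIOLATIONS = [
    Violation("v1", "traffic", "SOX", ("dmz", "internal"), "1.1.1.1", "2.2.2.2", "ftp"),
    Violation("v2", "traffic", "SOX", ("dmz", "internal"), "1.1.1.1", "2.2.2.2", "ssh"),
    Violation("v3", "flow", "HIPAA", ("dmz", "internal"), "1.1.1.1", "2.2.2.2"),
    Violation("v4", "traffic", "PCI", ("dmz", "internal"), "10.0.0.5", "2.2.2.2", "ftp"),
    Violation("v5", "flow", "HIPAA", ("dmz", "internal"), "10.0.0.5", "2.2.2.2"),
]

if __name__ == "__main__":
    for vid, names in evaluate([EXCEPTION_1, EXCEPTION_2], SAMPLE_VIOLATIONS).items():
        print(vid, "suppressed by:", ", ".join(names) or "nothing")
    for exc in (EXCEPTION_1, EXCEPTION_2):
        print(exc.name, "leaves unconstrained:", unconstrained_criteria(exc))
```

Running the model reproduces the bullets above: v1 (SOX, 1.1.1.1 to 2.2.2.2, ftp) is suppressed by both exceptions, v3 (a flow violation under a third USP) is suppressed by Exception 1 alone because flow violations ignore the service and Exception 1 is not restricted to any USP, and v4 (source 10.0.0.5) is suppressed only by Exception 2, whose blank Source field makes source irrelevant. Before creating an exception, check what `unconstrained_criteria` reports for it; every blank criterion is a dimension along which the exception suppresses everything.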

How Do I Get Here?

From the menu, go to Browser > USP Exceptions Viewer.