USP Exceptions

Overview
What Can I Do Here?
How Do I Get Here?

Overview

The USP Exceptions Viewer lets you to create, view, modify and delete USP exceptions.

What is a USP Exception?

USP exceptions suppress violations of USPs (unified security policies) for specific rule properties, and traffic to sources, destinations and/or services. The exception can be restricted to specific USPs and to specific zones within each USP. Exceptions apply only to rule, traffic and flow violations; they do not apply to condition violations. Violations and exceptions are recalculated nightly and also when new policy revisions are received.

All of the actions on USP exceptions can be seen in the administrator audit trail under the category unified security policy, object type exception.

Traffic exceptions are conditioned on a combination of violation criteria including traffic source, destination and USP, and rule exceptions are conditioned on rule properties. Criteria that have no values specified will leave the exception to be conditioned on the other criteria alone - something that could cause a large number of violations to be suppressed.

If you are using the SecureTrack REST API to get USP exceptions, only rule exceptions created using the API will be returned. USP Traffic Exceptions created in USP Exceptions Viewer, or GraphQL will not be returned. Therefore, we recommend modifying your existing scripts to work directly with GraphQL.

What Can I Do Here?

Add a traffic exception - click +ADD TRAFFIC EXCEPTION and complete the Exception Properties
Edit an exception - select exception > Actions > Edit Exception and complete the Exception Properties
Duplicate an exception - select exception > Actions > Duplicate Exception and complete the Exception Properties
Filter the displayed exceptions using TQL - see query fields
Delete exceptions - select one or more exceptions > Actions > Delete Exception

Add an Exception

Click +ADD TRAFFIC EXCEPTION. The Create Traffic Exception screen is displayed.
Enter the fields on the screen. See Exception Properties for more detail.
Click Create.

Exception Properties

Field	Exception Type	Description
Status	Rules, Traffic	Enable / disable as required.
Exception Name	Rules, Traffic	Required. Must be unique. The Exception Name is not case-sensitive.
Domain:	Rules, Traffic	Enabled only for administrators working in the Multi-Domain Management Global Context. The available options depend on the user's domain permissions. The Domain field cannot be modified once created. Values: All Domains - The USP applies to all existing domains at the time violations are calculated Specific domain - The USP applies to the current selected domain only
Ticket ID	Rules, Traffic	Optional. The ticket ID that relates to this exception
Approver	Rules, Traffic	Optional. The person who approved the exception.
Time Frame	Rules, Traffic	Optional. The time frame in which the USP exception is valid
Source	Traffic	Optional. One or more source IPs or network objects (such as host, subnet, IP range, and groups (including NSX security groups)) to condition the exception. If left blank, traffic source will not be a factor in conditioning the exception i.e. the exception will be conditioned on other criteria alone. If more than one value is entered for this field, a match on any one will condition the exception (source 1 or source 2 or..).
Destination	Traffic	Optional. One or more destination IP or network objects (such as host, subnet, IP range, and groups (including NSX security groups)) to condition the exception. If left blank, traffic destination will not be a factor in conditioning the exception i.e. the exception will be conditioned on other criteria alone. If more than one value is entered for this field, a match on any one will condition the exception (destination1 or destination 2 or..).
Service / Application	Traffic	Optional. One or more services or applications to condition the exception - for traffic type violations only. If left blank, service or application will not be a factor in conditioning the exception i.e. the exception will be conditioned on other criteria alone. If more than one value is entered for this field, a match on any one will condition the exception (service/application 1 or service/application 2 or..). This field is ignored for flow violations.
Rules	Rules	The rules included in the exception. Rules can be added from the Rule Viewer.
USP	Rules, Traffic	Optional. One or more USPs to which the exception applies; option to specify one or more zone-to-zone pairs (USP zone matrix cells) for each USP. If no USPs are specified, the exception will apply to all USPs. If no zones are specified for a USP, the entire USP will condition the exception. If you want to remove the selected value and restore it to blank, click on the X displayed when hovering over the field. The X can be seen only when hovering before clicking in the field i.e. before the list is displayed. Alternatively, you can click in the field to display the list and use the backspace key to delete the field value.
Description	Rules, Traffic	Optional. A description of the exception.

Traffic Exception Examples

Exception 1 - Source=1.1.1.1, Destination=2.2.2.2, Service=ftp, USP=not specified

Suppress all traffic violations from all USPs where source=1.1.1.1 and destination=2.2.2.2 and service=ftp, regardless of properties.
Suppress all flow violations from all USPs where source=1.1.1.1 and destination=2.2.2.2 regardless of service and properties.

Exception 2 - Source=blank, Destination=2.2.2.2, Service=ftp, USP=SOX, PCI (2 USPs)

Suppress all traffic violations from USPs SOX and PCI where destination=2.2.2.2 and service=ftp, regardless of source and properties.
Suppress all flow violations from USPs SOX and PCI where destination=2.2.2.2, regardless of source, service and properties.

How Do I Get Here?

From the menu, go to Browser > USP Exceptions Viewer.