Defining Exception rules in Inspection Policy elements

Exception rules in Inspection Policy elements let you override the general Inspection Policy definitions for specific traffic, instead of changing the handling of all connections.

The Exceptions tab allows you to create detailed rules, which are processed before the Rules tree definitions on the Inspection tab. The Exceptions have additional features compared to the Rules tree:
  • You can make exceptions to the general Rules tree definitions based on Source, Destination, and Protocol information.
  • You can set options for connection termination (including User Responses) in addition to the options that are available in the Rules tree. The Response options define an automatic client notification for any HTTP connection that is terminated.
  • You can create Continue rules to set Action Options and general rule Options for other Exceptions and the Rules tree. The Rules tree contains specific definitions for logging, so the logging options set with Continue rules do not affect traffic that matches the Rules tree.
  • You can create rules in Inspection Policy Template elements that cannot be changed in the inheriting policies.
  • You can create rules that are applied only on certain days or times of day.

In addition to individual Situation elements, the Situation cell can contain Tag and Situation Type elements. These elements are shown as branches in the Situations tree and allow you to add a whole branch of Situations to a rule at once. Most of the Situations you add to the Exceptions are those that you regard as false positives in your environment, for example Situations for exploit attempts against an operating system that is not used in your organization.

In the Exceptions, it is rarely appropriate to set the Situation cell to ANY. The patterns that Situations define range widely: some Situations detect something as benign as the use of a particular application, while others detect something as malicious as a successful attack on a server, so a single rule for all of them seldom makes sense. The ANY setting also creates unnecessary load on the engines, because a large number of Situations must be checked for each matching connection.
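The evaluation order described above (Exceptions first and in order, Continue rules only setting options for the rules after them, Tags expanding to a whole branch of Situations, and the Rules tree keeping its own logging definitions) can be made concrete with a small model. The following is an added Python illustration, not the product's own code or policy format; the rule fields, Situation and Tag names, option keys such as "log" and "alert_severity", and the sample events are all constructed for the example.

```python
"""Toy model of how Exceptions are applied ahead of the Rules tree.
Added illustration only: rule fields, Situation/Tag names, option keys and
sample events are constructed assumptions, not the product's own format."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed Situation tree: a Tag stands for a whole branch of Situations.
SITUATION_TAGS = {
    "Windows-Exploits": {"Win-Exploit-A", "Win-Exploit-B"},
    "Linux-Exploits": {"Lin-Exploit-A", "Lin-Exploit-B"},
}

def expand_situations(names):
    """Expand Tag names into their member Situations; plain names pass through."""
    expanded = set()
    for name in names:
        expanded |= SITUATION_TAGS.get(name, {name})
    return expanded

@dataclass
class ExceptionRule:
    situations: set                 # Situation or Tag names, or {"ANY"}
    action: str                     # "Permit", "Terminate" or "Continue"
    src: str = "0.0.0.0/0"          # source network (CIDR)
    dst: str = "0.0.0.0/0"          # destination network (CIDR)
    protocol: str = "ANY"
    valid_from: time = time(0, 0)   # time-of-day window in which the rule applies
    valid_to: time = time(23, 59)
    options: dict = field(default_factory=dict)   # e.g. {"log": "stored"}

@dataclass
class Event:
    """One inspection match: which Situation fired, on which connection."""
    situation: str
    src: str
    dst: str
    protocol: str
    at: time

def matches(rule, ev):
    """True if the event is within the rule's Situations, addresses, protocol and time window."""
    if "ANY" not in rule.situations and ev.situation not in expand_situations(rule.situations):
        return False
    if ip_address(ev.src) not in ip_network(rule.src) or ip_address(ev.dst) not in ip_network(rule.dst):
        return False
    if rule.protocol != "ANY" and rule.protocol != ev.protocol:
        return False
    return rule.valid_from <= ev.at <= rule.valid_to

def evaluate(exceptions, rules_tree, ev):
    """Return (action, options, decided_by). Exceptions are checked in order; a
    matching Continue rule records its options for later rules, and the first
    other matching rule decides. Otherwise the Rules tree entry applies, keeping
    its own logging definition (inherited "log" is dropped, other options kept)."""
    inherited = {}
    for index, rule in enumerate(exceptions):
        if not matches(rule, ev):
            continue
        if rule.action == "Continue":
            inherited.update(rule.options)
            continue
        return rule.action, {**inherited, **rule.options}, f"exception[{index}]"
    carried = {k: v for k, v in inherited.items() if k != "log"}
    action, opts = rules_tree.get(ev.situation, ("Permit", {}))  # toy default for unlisted Situations
    return action, {**carried, **opts}, "rules_tree"

# Constructed sample policy.
EXCEPTIONS = [
    # Continue rule: later rules matching the Linux branch log "stored" and carry a severity option.
    ExceptionRule({"Linux-Exploits"}, "Continue", options={"log": "stored", "alert_severity": 1}),
    # False positive: no Windows hosts behind 10/8, so ignore that whole branch there.
    ExceptionRule({"Windows-Exploits"}, "Permit", dst="10.0.0.0/8"),
    # Terminate HTTP from the guest network with a client notification, at night only.
    ExceptionRule({"Lin-Exploit-A"}, "Terminate", src="192.168.50.0/24", protocol="HTTP",
                  valid_from=time(22, 0), valid_to=time(23, 59), options={"response": "client-notification"}),
]
RULES_TREE = {   # Situation -> (action, its own logging definition)
    "Win-Exploit-A": ("Terminate", {"log": "alert"}),
    "Lin-Exploit-A": ("Terminate", {"log": "alert"}),
}

def demo():
    """Run three constructed events through the policy and return the verdicts."""
    events = {
        "windows_fp": Event("Win-Exploit-A", "172.16.1.9", "10.1.2.3", "HTTP", time(9, 0)),
        "guest_night": Event("Lin-Exploit-A", "192.168.50.7", "10.1.2.3", "HTTP", time(22, 30)),
        "office_day": Event("Lin-Exploit-A", "172.16.1.9", "10.1.2.3", "HTTP", time(9, 0)),
    }
    return {name: evaluate(EXCEPTIONS, RULES_TREE, ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The third event shows the logging caveat: the Continue rule matches, but because no later Exception decides the event, the Rules tree entry applies with its own "alert" logging, while the non-logging option set by the Continue rule is still carried over.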