Configure EVE Exception Rules

You can create an encrypted visibility engine (EVE) exception rule to ensure the continuity of trusted connections and services by bypassing EVE's block action. You can add attributes such as process names and destination IP addresses to the exception rule. For example, you may want to bypass EVE's block verdict for trusted networks. All the connections in the bypassed networks are exempted from EVE's block verdict based on the threat confidence level.

Procedure


Step 1

Choose Policies > Access Control.

Step 2

Click Edit (edit icon) next to the access control policy you want to edit.

Step 3

From the More drop-down arrow at the end of the packet flow line, choose Advanced Settings.

Step 4

Next to Encrypted Visibility Engine (EVE), click Edit (edit icon).

Step 5

On the Encrypted Visibility Engine page, click the Encrypted Visibility Engine (EVE) toggle button to enable EVE.

Step 6

Enable the Block Traffic Based on EVE Score toggle button to block traffic based on EVE's threat confidence level.

Step 7

Click Add Exception Rule and add one or more of the following attributes.

  1. Under the Process Name tab, enter an EVE-identified process name, and click Add to Process on the right side of the window.

    You can add multiple process names to the same exception rule. An EVE exception list based on process names works only with EVE-identified process names, which are case- and space-sensitive.

  2. Under the Network Objects tab, perform one of the following:

    • Choose one or more IP addresses from the list and add them to the Selected Networks list.

    • Under Selected Networks, manually enter the IP address and click the + icon to add it to the list of selected networks.

  3. (Optional) In the Comment field available on all the tabs, you can enter a reason for adding the required attributes to the EVE exception rule.

Step 8

Click Save to save the EVE exception rule.

Step 9

Save and deploy the access control policy on the devices.


Note

When a connection matches an exception rule, it bypasses EVE's block verdict. You can view EVE's action in the Connection Events or Unified Events page. The Reason column displays EVE Exempted to identify such EVE-bypassed traffic.
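
The following added example (not part of the product or its documentation) audits a CSV export of connection events: it flags exception-rule process names that would fail the case- and space-sensitive match from Step 7, and counts the connections whose Reason is EVE Exempted. The column headers, process names, and sample rows are constructed assumptions; adjust them to your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample of exported connection events. The column headers are
# assumptions; rename them to match the headers in your own export.
PROC, DST, REASON = "EVE Process Name", "Responder IP", "Reason"
SAMPLE_EVENTS = """\
Responder IP,EVE Process Name,Reason
192.0.2.10,Sample Updater,EVE Exempted
192.0.2.10,Sample Updater,EVE Exempted
198.51.100.7,sample-agent,
203.0.113.5,Sample Sync,EVE Exempted
"""

def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def _fold(name):
    """Lower-case and drop all whitespace; used for near-miss detection only."""
    return "".join(name.split()).lower()

def lint_process_names(configured, csv_text):
    """Map each configured name that matches an observed EVE process name only
    when case and spaces are ignored to the exact observed spelling."""
    observed = {r[PROC] for r in _rows(csv_text) if r[PROC]}
    folded = {_fold(o): o for o in observed}
    return {c: folded[_fold(c)] for c in configured
            if c not in observed and _fold(c) in folded}

def exempted_summary(csv_text):
    """Count events whose Reason contains 'EVE Exempted', keyed by
    (process name, destination IP)."""
    counts = Counter()
    for r in _rows(csv_text):
        if "EVE Exempted" in (r.get(REASON) or ""):
            counts[(r[PROC], r[DST])] += 1
    return counts

if __name__ == "__main__":
    # Hypothetical process names as typed into an exception rule.
    configured = ["sample updater", "Sample Sync ", "SampleAgent"]
    for typed, exact in lint_process_names(configured, SAMPLE_EVENTS).items():
        print(f"{typed!r} will not match; EVE reports {exact!r}")
    for (proc, dst), n in exempted_summary(SAMPLE_EVENTS).most_common():
        print(f"{n:3d} exempted  {proc} -> {dst}")
```

Reviewing the exempted counts periodically shows which exception entries are actually in use and how much traffic each one removes from EVE's block verdict.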