Override Security Intelligence Blocking

Optionally, you can use Do Not Block lists to exempt specific domains, URLs, or IP addresses from being blocked by Security Intelligence lists or feeds.

For example, you can:

  • Override the occasional false-positive block in a reputable Security Intelligence feed

  • Inspect specific traffic in depth instead of blocking it early based on reputation

  • Exempt otherwise-restricted transactions from Security Intelligence blocking based on security zone

    For example, you can add an improperly classified URL to a Do Not Block list, then restrict the Do Not Block list object to a security zone used by the people in your organization who need to access that URL. That way, only those with a business need can access the URLs on the Do Not Block list.

Note

Entries on a Do Not Block list are simply exemptions from the block list. Any connection that passes the Security Intelligence policy is still subject to the access control rules. Thus, traffic that matches an entry in the Do Not Block list can subsequently be blocked by an access control rule or intrusion policy. Your Do Not Block entries should always be exemptions from your block lists.
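One way to audit that last rule, as an added example (not Cisco code or a product API): it flags Do Not Block entries that do not correspond to anything on a block list. It assumes both lists are available as plain text with one IP address, CIDR block, domain, or URL per line, and it compares domains and URLs by exact case-insensitive match, which is a simplification. All sample entries are constructed.

```python
import ipaddress

def parse_entry(entry):
    """Return ('net', ip_network) for IP/CIDR entries, else ('name', normalized text)."""
    text = entry.strip()
    try:
        return ("net", ipaddress.ip_network(text, strict=False))
    except ValueError:
        return ("name", text.lower().rstrip("./"))

def is_exemption(allow_entry, block_parsed):
    """True if allow_entry overlaps (IP) or equals (domain/URL) some block-list entry."""
    kind, value = parse_entry(allow_entry)
    for b_kind, b_value in block_parsed:
        if kind != b_kind:
            continue
        if kind == "net":
            # Compare only within the same IP version, then test CIDR overlap.
            if value.version == b_value.version and value.overlaps(b_value):
                return True
        elif value == b_value:
            return True
    return False

def audit_do_not_block(block_entries, allow_entries):
    """Split Do Not Block entries into (exemptions, orphans); blank lines are skipped."""
    block_parsed = [parse_entry(e) for e in block_entries if e.strip()]
    exemptions, orphans = [], []
    for entry in (e.strip() for e in allow_entries if e.strip()):
        (exemptions if is_exemption(entry, block_parsed) else orphans).append(entry)
    return exemptions, orphans

# Constructed sample lists (documentation address ranges and example domains).
BLOCK = ["192.0.2.0/24", "198.51.100.7", "bad.example.net", "2001:db8::/32"]
DO_NOT_BLOCK = ["192.0.2.10", "203.0.113.5", "BAD.example.net",
                "partner.example.org", "2001:db8:1::1"]

if __name__ == "__main__":
    exemptions, orphans = audit_do_not_block(BLOCK, DO_NOT_BLOCK)
    print("Exemptions from a block list:", exemptions)
    print("No matching block-list entry:", orphans)
```

Entries reported as having no matching block-list entry are candidates for review, because they exempt nothing that Security Intelligence would otherwise block.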

Procedure


Step 1

Option 1: Add an IP address, URL, or domain from an event to the Global Do Not Block List. See Global and Domain Security Intelligence Lists.

Step 2

Option 2: Use a custom Security Intelligence list or feed.

  1. Create the custom Security Intelligence list or feed. See Custom Security Intelligence Lists or Creating Security Intelligence Feeds.

  2. For IP addresses (Networks) and URLs: Edit your access control policy, click the Security Intelligence tab, then click the custom list or feed in the Networks or URLs sub-tab, then click Add to Do Not Block List.

  3. Save your changes.

  4. For domains (DNS): See the "DNS Policy" section in the Security Intelligence Options topic.

  5. Deploy your changes.