Zyxel Firewall USG FLEX H - How to Configure IP Exception to Bypass Security Services via Local Web GUI

On Zyxel USG FLEX H / USG FLEX / ATP, the IP Exception feature allows specific IP addresses to bypass selected security services. When traffic matches an IP Exception rule, the device does not intercept or inspect those packets with the chosen services. This is useful for trusted LAN computers or trusted websites that you access frequently and consider safe.

Supported model list:

  • ATP series

  • USG FLEX H series

  • USG FLEX series

IP Exception can bypass the following security services:

  • Anti-Malware (including Sandboxing)

  • URL Threat Filter

  • IPS (Intrusion Prevention System)

  • IP Reputation

  • DNS Threat Filter

IP Exception overview

IP Exception works based on the source or destination IP address of incoming packets:

  • Source example – A trusted LAN computer with an IP address 192.168.100.100.
    Add this IP address as the Source in the IP Exception so the USG FLEX 200H will not perform security checking on traffic coming from this computer.

  • Destination example – A trusted website with an IP address 2.2.2.2.
    Add this address as the Destination in the IP Exception so the device will not perform security checking when you access this website.

This helps reduce inspection overhead for well-known, trusted endpoints.

The Security Service > IP Exception screen

Go to: Security Services → IP Exception

Enable – Turn the rule on or off.

Name – Descriptive name (2–31 alphanumeric characters, underscores _ and dashes -; the first character cannot be a number; case-sensitive).

Source – any or an address object for the source IP address.

Destination – any or an address object for the destination IP address.

Log

  • Yes: the device does not inspect packets with the selected service and also generates a log when the traffic is in the exception list.

  • No: the device skips inspection without creating a log.

Service To Bypass – Select the services that should not inspect packets that match the source/destination criteria. Non-selected services still inspect those packets.

Example – bypass security services for a trusted website (1.1.1.1)

This example shows how to configure an IP Exception entry for a trusted web site with IP address 1.1.1.1, so that packets from this site bypass all security services.

Step 1 – Create an address object

  1. Go to Object → Address → Address and click Add.

  2. Configure the address object as follows:

    • Name: TrustedWebsite

    • Address Type: Host

    • IP Address: 1.1.1.1

  3. Click Apply to save the address object.

Step 2 – Create the IP Exception entry

  1. Go to Security Service → IP Exception and click Add.

  2. Configure the IP Exception settings:

    • Name: ForTrustedWebsite

    • Source: TrustedWebsite

    • Destination: any

    • Log: No

    • Service To Bypass:

      • Anti-Malware (Including Sandboxing)

      • URL Threat Filter

      • IPS

      • IP Reputation

      • DNS Threat Filter

  3. Click Apply to save your changes and ensure the entry is enabled.

The trusted web site 1.1.1.1 can now bypass the selected security services, which reduces resource usage and speeds up access while other traffic continues to be fully inspected.
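As an added example (not Zyxel code and not part of the original article), the following Python script reviews IP Exception entries against the fields described above and flags entries that bypass more than intended. The dict layout, the finding names and the single-host policy are assumptions made for illustration; the data is constructed, with the first entry mirroring the ForTrustedWebsite example.

```python
import ipaddress
import re

# Name rule as stated in the field list: 2-31 characters from letters, digits,
# "_" and "-", and the first character is not a digit.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{1,30}")
# Service labels copied from the article's list of bypassable services.
ALL_SERVICES = {"Anti-Malware (including Sandboxing)", "URL Threat Filter",
                "IPS", "IP Reputation", "DNS Threat Filter"}

def audit_entry(entry, objects):
    """Return review findings for one IP Exception entry (hypothetical dict)."""
    findings = []
    if not NAME_RE.fullmatch(entry["name"]):
        findings.append("invalid-name")
    if not entry["enable"]:
        return findings  # a disabled entry bypasses nothing
    if entry["source"] == "any" and entry["destination"] == "any":
        findings.append("any-to-any")
    for side in (entry["source"], entry["destination"]):
        if side == "any":
            continue
        # Assumed policy: an exception should name a single host, not a range.
        if ipaddress.ip_network(objects[side], strict=False).num_addresses > 1:
            findings.append("broad-object:" + side)
    if not entry["log"]:
        findings.append("no-log")  # bypassed traffic leaves no record
    if set(entry["bypass"]) >= ALL_SERVICES:
        findings.append("all-services-bypassed")
    return findings

# Constructed sample data: address objects (name -> IP or CIDR) and entries.
OBJECTS = {"TrustedWebsite": "1.1.1.1", "LabNet": "192.168.100.0/24"}
ENTRIES = [
    {"name": "ForTrustedWebsite", "enable": True, "source": "TrustedWebsite",
     "destination": "any", "log": False, "bypass": sorted(ALL_SERVICES)},
    {"name": "1stLab", "enable": True, "source": "LabNet",
     "destination": "any", "log": True, "bypass": ["IPS"]},
    {"name": "Everything", "enable": True, "source": "any",
     "destination": "any", "log": True, "bypass": ["IP Reputation"]},
]

def audit_all(entries=ENTRIES, objects=OBJECTS):
    """Map each entry name to its list of findings."""
    return {e["name"]: audit_entry(e, objects) for e in entries}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```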
