Zyxel Firewall USG FLEX H - How to Configure IP Exception to Bypass Security Services via Local Web GUI

Created - Updated
Serhii Boiarynov
Idea generator
Great answers
Master (Platinum)
Print Friendly and PDF
Have more questions? Submit a request

On Zyxel USG FLEX H / USG FLEX / ATP, the IP Exception feature allows specific IP addresses to bypass selected security services. When traffic matches an IP Exception rule, the device does not intercept or inspect those packets with the chosen services. This is useful for trusted LAN computers or trusted websites that you access frequently and consider safe.

Supported model list:

  • ATP series

  • USG FLEX H series

  • USG FLEX series

IP Exception can bypass the following security services:

  • Anti-Malware (including Sandboxing)

  • URL Threat Filter

  • IPS (Intrusion Prevention System)

  • IP Reputation

  • DNS Threat Filter

IP Exception overview

IP Exception works based on the source or destination IP address of incoming packets:

  • Source example – A trusted LAN computer with an IP address 192.168.100.100.
    Add this IP address as the Source in the IP Exception so the USG FLEX 200H will not perform security checking on traffic coming from this computer.

  • Destination example – A trusted website with an IP address 2.2.2.2.
    Add this address as the Destination in the IP Exception so the device will not perform security checking when you access this website.

This helps reduce inspection overhead for well-known, trusted endpoints.

The Security Service > IP Exception screen

Go to: Security Services → IP Exception

Enable – Turn the rule on or off.

Name – Descriptive name (2–31 alphanumeric characters, underscores _ and dashes -; the first character cannot be a number; case-sensitive).

Sourceany or an address object for the source IP address.

Destinationany or an address object for the destination IP address.

Log

  • Yes: the device does not inspect packets with the selected service and also generates a log when the traffic is in the exception list.

  • No: the device skips inspection without creating a log.

Service To Bypass – Select the services that should not inspect packets that match the source/destination criteria. Non-selected services still inspect those packets.

Example – bypass security services for a trusted website (1.1.1.1)

This example shows how to configure an IP Exception entry for a trusted web site with IP address 1.1.1.1, so that packets from this site bypass all security services.

Step 1 – Create an address object

  1. Go to Object → Address → Address and click Add.

  2. Configure the address object as follows:

    • Name: TrustedWebsite

    • Address Type: Host

    • IP Address: 1.1.1.1

  3. Click Apply to save the address object.

Step 2 – Create the IP Exception entry

  1. Go to Security Service → IP Exception and click Add.

  2. Configure the IP Exception settings:

    • Name: ForTrustedWebsite

    • Source: TrustedWebsite

    • Destination: any

    • Log: No

    • Service To Bypass:

      • Anti-Malware (Including Sandboxing)

      • URL Threat Filter

      • IPS

      • IP Reputation

      • DNS Threat Filter

  3. Click Apply to save your changes and ensure the entry is enabled.

The trusted web site 1.1.1.1 can now bypass the selected security services, which reduces resource usage and speeds up access while other traffic continues to be fully inspected.

Articles in this section

Was this article helpful?
0 out of 0 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.