Zyxel Firewall - How to Configure IP Exception to Bypass Security Services on Nebula

Created - Updated
Serhii Boiarynov
Idea generator
Great answers
Master (Platinum)
Print Friendly and PDF
Have more questions? Submit a request

Nebula Control Center provides an IP Exception feature that allows specific hosts to bypass security services. This is useful when you have trusted clients or servers that should not be inspected by Content Filter, Anti-Malware, or other security features every time they access the internet. You create IP Exception profiles under the Security Service page in Nebula and apply them to the firewall configuration.

Supported model list (Nebula-managed):

  • ATP series

  • USG FLEX series

  • USG FLEX H series

How IP Exception Works

When traffic matches a configured IP Exception entry (based on Source IP and Destination IP), the firewall skips the selected security services for that traffic. The firewall rules still decide whether the session is allowed or denied, but security inspection for the matched traffic is bypassed, improving performance for known-good hosts.

Typical uses:

  • Allowing a trusted internal host to access the internet without Content Filter inspection.

  • Allowing traffic to a specific external server to bypass selected security services.

Configuration Steps on Nebula

  1. Log in to Nebula Control Center and select your site.

  2. Navigate to Configure → Firewall → Security Service.

  3. In the IP Exception section, click +Add to create a new profile. 

  4. Fill in the fields:

    • Source IP – the client IP address or range that should bypass security services.

    • Destination IP – the server IP address or range that should be exempt (or any, if you want to bypass for all destinations).

    • Description – a clear description, for example: Bypass for 192.168.8.33.

      Click Save / Apply so the profile is pushed to the Nebula-managed firewall.

Allow One LAN Host to Bypass Content Filter

This example shows how IP Exception works in a real scenario. 

Scenario

  • A security policy with Content Filter is configured to block the subnet 192.168.8.0/24 from visiting search engines such as www.google.com.

  • A specific host in that subnet with IP address 192.168.8.33 should be allowed to access these sites without being blocked.

Step 1 – Content Filter policy

A firewall policy is already configured so that users in 192.168.8.0/24 cannot browse search engine sites. If any host in this range tries to visit www.google.com, the connection is blocked by Content Filter

Step 2 – Create the IP Exception profile

  1. In Nebula, go to Configure → Firewall → Security Service → IP Exception.

  2. Click +Add and configure:

    • Source IP: 192.168.8.33

    • Destination IP: the IP/range used by the blocked sites (or any, depending on your design).

    • Description: Host 192.168.8.33 bypass Content Filter.

  3. Save and apply the profile so it is pushed to the firewall.

Result

  • The host 192.168.8.33 is now allowed to bypass security services such as Content Filter.

  • This host can browse www.google.com normally, while other clients in 192.168.8.0/24 are still blocked by the existing Content Filter policy.

Best Practices

  • Use IP Exception only for trusted hosts or destinations (for example, internal servers or administrators’ PCs).

  • Keep descriptions clear (include IP and purpose) so it is easy to audit exceptions later.

  • Review IP Exception entries regularly to ensure they are still needed.

By configuring IP Exception in Nebula as shown above, you can fine-tune the balance between security and performance on your ATP / USG FLEX / USG FLEX H firewalls.

Articles in this section

See more
Was this article helpful?
0 out of 0 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.