IP Exception

Overview

IP Exception allows incoming IP packets to bypass specific security services based on the packet’s source or destination address. Bypassing a security service means the security service does not intercept nor inspect the packet.

For example, 192.168.100.100 is a trusted LAN computer. Add the IP address of the LAN computer to Source in IP Exception so the Zyxel Device will not perform security checking on traffic coming from this computer.

You can also add a trusted destination to bypass security checking. For example, 2.2.2.2 is a trusted web site. Add the IP address of the trusted web site to Destination in IP Exception so the Zyxel Device will not perform security checking when you access the web site to save resources.

IP Exception supports bypassing the following security services:

• Anti-Malware

• URL Threat Filter

• IPS (Intrusion Prevention System)

• IP Reputation.

• DNS Threat Filter

The IP Exception Screen

Use this screen to view the IP exception list for the specified services. The Zyxel Device will not inspect incoming packets that match the listed source and destination IP address(es) with the specified services.

Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.

The following table describes the fields in this screen.

Security Service > IP Exception
LABEL	Description
Configuration
Add	Click this to create a new entry.
Edit	Select an entry and click this to be able to modify it.
Remove	Select an entry and click this to delete it.
Active	To turn off an entry, select it and click Active. The Status light changes accordingly.
Inactive	To turn off an entry, select it and click Inactive. The Status light changes accordingly.
Status	This icon is lit when the entry is active and dimmed when the entry is inactive.
Name	This field displays the descriptive name of this entry.
IPv4 Source	This field displays the source IP address (or address object) of incoming traffic. It displays any if there is no restriction on the source IP address.
IPv4 Destination	This field displays the destination IP address (or address object) of incoming traffic. It displays any if there is no restriction on the destination IP address.
Service to Bypass	This field displays which services will not inspect matched packets.
Log	This field displays if the Zyxel Device will generate a log when the incoming traffic is in the exception list.
Cancel	Click Cancel to return the screen to its last-saved settings.
Apply	Click Apply to save your changes back to the Zyxel Device.

The IP Exception Add/Edit Screen

Use this screen to add or edit entries of IPv4 address in the IP exception list.

The following table describes the fields in this screen.

Security Service > IP Exception > Add/Edit
LABEL	Description
Enable	Click this to the right to enable the rule on the Zyxel Device.
Name	Enter a descriptive name of this entry. You may use 2-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Source	Select any or an address object of the source IP address for this entry. Select any so there’s no restriction on the source IP address.
Destination	Select any or an address object of the destination IP address for this entry. Select any so there’s no restriction on the destination IP address.
Log	The Zyxel Device does not inspect packets with the selected service if you select Yes. The Zyxel Device will also generate a log when the incoming traffic is in th exception list. Otherwise, select No.
Service to Bypass	Selected services do not inspect packets that match source/destination criteria above. Non-selected services do inspect packets that match source/destination criteria above.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to return the screen to its last-saved settings.

Example: Bypass a Website

You often access a website 1.1.1.1 that you are sure is safe. Every time you access the website, the packets sent by the website will be inspected by the Zyxel Device security services, such as anti-malware, content filter, reputation filter and app patrol.

This not only causes your web browser to take more time to load the website, but also takes up more Zyxel Device resources than necessary.

For example, you create an IP Exception profile for the website 1.1.1.1. IP exception allows incoming IP packets from the website 1.1.1.1 (A) to bypass specific security services. Bypassing a security service means the security service does not intercept nor inspect the packet.

This example uses the parameters given below.

Address Object Configuration Example
name	address type	ip address
TrustedWebsite	Host	1.1.1.1

IP Exception Configuration Example
name	source	destination	log	services to bypass
ForTrustedWebsite	TrustedWebsite	Any	No	Anti-Malware URL Threat filter IPS IP Reputation DNS Threat Filter

1 Go to Object > Address > Address and click Add.

2 Configure the settings using the parameters given in Address Object Configuration Example. Click Apply to save your changes.

3 Go to Security Service > IP Exception and click Add.

4 Configure the settings using the parameters given in IP Exception Configuration Example. Click Apply to save your changes.