topic Re: IP Reputation exception is not working in Firewall and Security Management

IP Reputation exception is not working

cyberluke365 — Wed, 29 Apr 2026 22:52:36 GMT

Hello Mates!!!

I'm trying to bypass an Anti-Bot IP Reputation Prevent on a specific IP address, but no exception I configure seems to take effect. Hoping someone has seen this behavior before.

Environment: R81.20

Problem
In SmartConsole logs I see Prevent entries from blade Anti-Bot, Protection Type IP Reputation, against destination 13.107.138.10 - a Microsoft IP belonging to subnet 13.107.136.0/22, which is part of the Office 365 Services Updatable Object (verified by checking the office365.C file on the gateway).

The matched rule is IPS.TO Internet (corresponding to Threat Prevention policy).

Since this IP is in a Microsoft-published range I want to also exclude it from Anti-Bot IP Reputation enforcement.

What I tried
I configured a Global Exception below:

Protected Scope: Any
Source: Any
Destination: 13.107.138.10
Protection/Site/File/Blade: Anti-Virus, IPS, Anti-Bot
Action: Inactive
Track: Log

The log still shows Prevent. The Matched Rules tab in the log details shows only the parent rule IPS.TO Internet - no reference to the exception.
I then tried this additional configuration, with the same result (no match): Action set to Detect instead of Inactive (based on the suggestion in this thread: IPS exception not working
The policy was properly installed via Install Policy -> Threat Prevention.

My Questions

Is there something specific about how Anti-Bot IP Reputation handles exceptions that I'm missing? Does IP Reputation enforcement happen at a different level than the standard Threat Prevention policy evaluation, bypassing exceptions altogether?
Has anyone successfully bypassed an Anti-Bot IP Reputation Prevent on a specific destination via Threat Prevention exceptions in R81.20? If so, what was the working configuration?

Any guidance is much appreciated. Screenshots attached.

Thank you

Re: IP Reputation exception is not working

cRealix — Thu, 30 Apr 2026 08:00:58 GMT

We are experiencing the same issue when trying to bypass Anti-Bot IP Reputation for part of a non-Microsoft website. Unfortunately, we have not been able to exclude the IP address in any way.

On our gateway, Threat Prevention is configured in Autonomous Policy mode.

Thank you.

Re: IP Reputation exception is not working

emmap — Thu, 30 Apr 2026 08:56:35 GMT

Is the IP part of an IOC feed you have configured? Is there more information in the log card that might help here?

Re: IP Reputation exception is not working

cyberluke365 — Thu, 30 Apr 2026 08:59:53 GMT

Hello,
considering the operating logic of the Threat Prevention component, I could assume bypassing the issue by creating a new Profile, excluding the IP Reputation protection for it
(https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/CP_R81.20_ThreatPrevention_AdminGuide.pdf).

After that, I could create a custom rule for the affected traffic and apply the previously created profile to that rule.

Maybe it would work but I'd like to have your thoughts about this topic.

Re: IP Reputation exception is not working

cyberluke365 — Thu, 30 Apr 2026 09:29:57 GMT

Hello @emmap,

no, it doesn’t appear that an IoC is involved here:

When IoC is involved, it is reported in log (Indicator Name)

Re: IP Reputation exception is not working

cRealix — Thu, 30 Apr 2026 09:59:08 GMT

Hello, Thank you for the idea.

but in Threat Prevention, Autonomous Policy mode you cannot change the profile of the gateway.

Re: IP Reputation exception is not working

Chris_Atkinson — Thu, 30 Apr 2026 10:23:38 GMT

Did you already try the exception option from the log card itself?

Re: IP Reputation exception is not working

cyberluke365 — Thu, 30 Apr 2026 11:40:25 GMT

Yep, but I get the error: “Failed to add exception.”

Where would the exception be added when it is performed from the card?

Re: IP Reputation exception is not working

emmap — Fri, 01 May 2026 01:52:51 GMT

OK. The reason I asked is that the IOC blocks are done in SecureXL and as such are not processed in the policy so exceptions don't match. This might be the case for the basic IP Reputation as well but I can't say for sure. Might be one for TAC to get to the bottom of.