topic Re: Exceptional Blockages in TP in Firewall and Security Management

Exceptional Blockages in TP

Matlu — Fri, 25 Jul 2025 20:13:07 GMT

Hi, Mates

I have an MDS environment in combination with VSX.

In some of my VSX Clusters, I have some VS that have AV/AB/IPS enabled.

I have the need to create a point block on some of the VS, for example for the Malware “Malware.TC.8502EJGJ”. The problem is that it does not allow me to do it when I am standing in the “Security Policies -> My Policy Package -> Threat Prevention -> Exceptions” section.

This configuration can only be done by the Global Domain of the MDS?

Can't it be done uniquely in the CMA I need?

I have traffic that is only being “Detected” when the TP profile I have, indicates that it should be “Prevented” but still, the traffic is going through, and I need to block it somehow.

Thanks for your comments.

Re: Exceptional Blockages in TP

the_rock — Fri, 25 Jul 2025 23:09:22 GMT

Hey bro,

Is that option not present when you are logged into CMA's smart console?

Andy

Re: Exceptional Blockages in TP

PhoneBoy — Fri, 25 Jul 2025 23:46:12 GMT

You should be able to create a specific rule in the Threat Prevention policy on the CMA that will basically do the same thing.

Re: Exceptional Blockages in TP

Matlu — Fri, 25 Jul 2025 23:46:18 GMT

Hey.

The option appears when you connect to the CMA, but you cannot configure anything.

The only way, is that you enter the MDS Global Domain, and from there it allows you to create what you need, but then, it only works in MDS environments with VSX?

Can't you just configure this, being “stopped” in the CMA you need?

Not all my CMAs need to have “Global Exceptions” configuration.

Re: Exceptional Blockages in TP

the_rock — Sat, 26 Jul 2025 00:42:45 GMT

I see, thats the screenshot you posted. Hm...what if you add new exceptions "package" on the top and not use global one? See if that lets you add a new rule.

Andy

Re: Exceptional Blockages in TP

Matlu — Sat, 26 Jul 2025 00:01:01 GMT

Hi,
Can I create a rule in Threat Prevention Policy, for a specific malware? For example for "Malware.TC.8502EJGJ" for a single segment of my internal network?
Cheers.

Re: Exceptional Blockages in TP

PhoneBoy — Mon, 28 Jul 2025 11:40:26 GMT

Generally, yes, though not sure on the generic ThreatCloud protections (which this is).

Re: Exceptional Blockages in TP

Matlu — Mon, 28 Jul 2025 14:06:29 GMT

What is the best alternative in scenarios where you need to block multiple domains discovered that have a bad reputation (malicious)?

Is it to use the URLF Blade for these cases? Maybe create a ‘Custom/Applications Site’?

Our AV/AB profile is ‘ignoring’ the blocking of domains that it should be blocking according to our profile (Traffic is being tagged as ‘Detect’)

We want a safe way to generate the blocking of these domains

This can be done only as URLF? Because I don't see the option in AV/AB to block based on Malware type.

Re: Exceptional Blockages in TP

ClausOCD — Mon, 28 Jul 2025 14:36:38 GMT

From your screenshot it looks like you are trying to configure the wrong 'Global Exceptions' policy.

The one with a 'G' in the icon are read-only and handled from the Global Policy.

Try to click on 'Global Exceptions' (without G in icon) and then try to 'Add exceptions'

Re: Exceptional Blockages in TP

ClausOCD — Mon, 28 Jul 2025 15:28:36 GMT

From the screenshot, it looks like you are trying to configure the 'Global Exceptions' handled by the Global Policy (G in icon). Thats only possible from the Global Policy.

Try to click on 'Global Exceptions' (without G in icon) and then 'Add Exception'

Re: Exceptional Blockages in TP

PhoneBoy — Mon, 28 Jul 2025 19:11:34 GMT

You can create a Custom Application/Site object with the relevant domains.
This object can be used in the Threat Prevention policy in addition to the Access Policy.

Re: Exceptional Blockages in TP

Matlu — Mon, 28 Jul 2025 22:53:04 GMT

The ‘Custom/Applications Site’ can be used without activating the URLF blade?

If I put it in an explicit rule in the TP layer, the GW is able to do the filtering if I only have active blades like AV/AB?

Re: Exceptional Blockages in TP

PhoneBoy — Tue, 29 Jul 2025 12:44:49 GMT

Custom Application/Site Objects require either App Control or URL Filtering to be usable in the Access Policy.
They can also be used in Threat Emulation without activating either of these blades.

Re: Exceptional Blockages in TP

the_rock — Tue, 29 Jul 2025 13:17:44 GMT

That sounds very logical, for sure.