Re: Exceptional Blockages in TP

Matlu · ‎2025-07-25

Hi, Mates

I have an MDS environment in combination with VSX.

In some of my VSX Clusters, I have some VS that have AV/AB/IPS enabled.

I have the need to create a point block on some of the VS, for example for the Malware “Malware.TC.8502EJGJ”. The problem is that it does not allow me to do it when I am standing in the “Security Policies -> My Policy Package -> Threat Prevention -> Exceptions” section.

This configuration can only be done by the Global Domain of the MDS?

Can't it be done uniquely in the CMA I need?

I have traffic that is only being “Detected” when the TP profile I have, indicates that it should be “Prevented” but still, the traffic is going through, and I need to block it somehow.

Thanks for your comments.

the_rock · ‎2025-07-25

Hey bro,

Is that option not present when you are logged into CMA's smart console?

Andy

Best,
Andy

Matlu · ‎2025-07-25

Hey.

The option appears when you connect to the CMA, but you cannot configure anything.

The only way, is that you enter the MDS Global Domain, and from there it allows you to create what you need, but then, it only works in MDS environments with VSX?

Can't you just configure this, being “stopped” in the CMA you need?

Not all my CMAs need to have “Global Exceptions” configuration.

the_rock · ‎2025-07-25

I see, thats the screenshot you posted. Hm...what if you add new exceptions "package" on the top and not use global one? See if that lets you add a new rule.

Andy

Best,
Andy

PhoneBoy · ‎2025-07-25

You should be able to create a specific rule in the Threat Prevention policy on the CMA that will basically do the same thing.

Matlu · ‎2025-07-25

Hi,
Can I create a rule in Threat Prevention Policy, for a specific malware? For example for "Malware.TC.8502EJGJ" for a single segment of my internal network?
Cheers.

PhoneBoy · ‎2025-07-28

Generally, yes, though not sure on the generic ThreatCloud protections (which this is).

Matlu · ‎2025-07-28

What is the best alternative in scenarios where you need to block multiple domains discovered that have a bad reputation (malicious)?

Is it to use the URLF Blade for these cases? Maybe create a ‘Custom/Applications Site’?

Our AV/AB profile is ‘ignoring’ the blocking of domains that it should be blocking according to our profile (Traffic is being tagged as ‘Detect’)

We want a safe way to generate the blocking of these domains

This can be done only as URLF? Because I don't see the option in AV/AB to block based on Malware type.

PhoneBoy · ‎2025-07-28

You can create a Custom Application/Site object with the relevant domains.
This object can be used in the Threat Prevention policy in addition to the Access Policy.

Matlu · ‎2025-07-28

Hi

The ‘Custom/Applications Site’ can be used without activating the URLF blade?

If I put it in an explicit rule in the TP layer, the GW is able to do the filtering if I only have active blades like AV/AB?

PhoneBoy · ‎2025-07-29

Custom Application/Site Objects require either App Control or URL Filtering to be usable in the Access Policy.
They can also be used in Threat Emulation without activating either of these blades.

ClausOCD · ‎2025-07-28

From your screenshot it looks like you are trying to configure the wrong 'Global Exceptions' policy.

The one with a 'G' in the icon are read-only and handled from the Global Policy.

Try to click on 'Global Exceptions' (without G in icon) and then try to 'Add exceptions'

ClausOCD · ‎2025-07-28

From the screenshot, it looks like you are trying to configure the 'Global Exceptions' handled by the Global Policy (G in icon). Thats only possible from the Global Policy.

Try to click on 'Global Exceptions' (without G in icon) and then 'Add Exception'

the_rock · ‎2025-07-29

That sounds very logical, for sure.

Best,
Andy

Are you a member of CheckMates?

Exceptional Blockages in TP