Hello Günther,

Thanks for your reply. I understand IPS exceptions in the way that you have some kind of exclusion (differences) regarding the standard profile settings for specific traffic/signatures. Not in the way, that this automatically means you want to exclude such traffic completely from the IPS point of view.

That being said, I think it makes sense to detect something in this case as we are performing a restructure of the network (for some parts) and therefore need the detect just for specific sources, destinations & signatures. As these aren't that many hosts a new profile does not make much sense (which could have been another option).

You seem to understand IPS exceptions in a wrong way 😞 this is used for traffic that shall not be inspected at all by IPS (only very basic testing, e.g. Anti-Spoofing is performed in fw chain). If you need to detect traffic, use a special profile for this kind of traffic to make it work and log in detect mode.

Hm, I am wondering why there is the possibility for R80.x gateways to have the options of "inactive", "detect", "prevent" and "ask" within the exception action settings then. Nevertheless, thanks for the information regarding the impact on the fw chain and what is still done after specifying an exception - was not aware of that.

The options of "inactive", "detect", "prevent" and "ask" within the exception action settings - I can not see that here:

I am talking about the exception policy settings right below the actual threat prevention policies within the SmartConsole. [The hosts and rule shown in the screenshot are based on a cloud demo session]

Edit: Am I missing something? If yes, what exactly?

This exception does not apply for pre-R80 gateways.

The exceptions you configure in the threat prevention exceptions tab are for excluding traffic from IPS entirely, not applying a different action to the traffic. 

R80.x gateways have significantly more flexibility with regards to IPS profiles, exceptions, and so on.