Configuring exclusions from Network Threat Protection
In a policy, you can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic. You can define exclusion rules for traffic from specific IP addresses or for traffic from all IP addresses in an IP subnet. When generating the scope of rules, the application takes into account whether or not the traffic is from a virtual LAN (VLAN).
If a group of ports for virtual machines is configured to work in a specific VLAN and exclusion rules are applied to traffic of virtual machines associated with this group of ports, the application does not take into account whether or not the traffic belongs to a VLAN.
To configure a network threat protection exclusion rule:
Open the Administration Console of Kaspersky Security Center.
In the console tree, perform one of the following actions:
If you want to configure the operating settings of SVMs of one KSC cluster, in the Managed devices folder of the console tree select the administration group containing the KSC cluster.
If you want to configure the operating settings of SVMs of all KSC clusters, select the Managed devices folder.
In the workspace, select the Policies tab.
Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
In the policy properties window, in the Network threat protection section, select the Exclusions from protection subsection.
Click Add or press INSERT and specify the scope of the exclusion rule in the Scope column.
The scope of a network threat protection exclusion rule describes the traffic that Kaspersky Security excludes from scanning or the special actions that Kaspersky Security applies when processing such traffic.
The column can contain one of the following values:
<IP address or subnet mask in IPv4 or IPv6 format> novlan
The exclusion rule is applied to traffic from the specified IP addresses not marked with a tag of a specific VLAN.
<IP address or subnet mask in IPv4 or IPv6 format> vlan <ID>, where <ID> is the virtual local network ID, which can be in the range of 1-4094.
The exclusion rule is applied to traffic from the specified IP addresses marked with a tag of the VLAN with the specified ID.
<IP address or subnet mask in IPv4 or IPv6 format> vlan 4095
The exclusion rule is applied to traffic from the specified IP addresses marked with a tag of a VLAN with any ID in the range of 1–4095.
<IP address or subnet mask in IPv4 or IPv6 format> vlan *
The exclusion rule is applied to traffic from the specified IP addresses, regardless of whether such traffic is marked with a VLAN tag.
This drop-down list lets you select a rule that Kaspersky Security will apply when processing traffic from IP addresses that are included in the exclusion rule scope:
Default. When processing traffic from IP addresses that are included in the rule scope, Kaspersky Security applies the action configured in the Intrusion Prevention settings and/or in the web addresses scan settings. This option lets you flexibly configure exclusions for IP subnets. For example, you can define an exclusion rule for traffic of an IP subnet as a whole, while not applying the rule for traffic from specific IP addresses from this IP subnet.
Do not scan. Kaspersky Security does not scan traffic from IP addresses that are included in the rule scope. Kaspersky Security does not detect network attacks and suspicious network activity in the traffic of these IP addresses. Kaspersky Security does not scan web addresses requested from these IP addresses against the databases of malicious and phishing web addresses.
Do not block. Kaspersky Security does not block traffic from IP addresses that are included in the rule scope. If activity typical of network attacks and/or suspicious network activity is detected in the traffic of these IP addresses, Kaspersky Security does not block traffic from these IP addresses, regardless of the configured actions on threat detection. This exclusion rule may be applied if the Terminate connection and block traffic from sender’s IP address action is defined in the Intrusion Prevention settings.
If traffic of IP addresses included in the rule scope had been previously blocked, Kaspersky Security unblocks it after it is excluded from blocking.
Ignore. Kaspersky Security detects network attacks and/or suspicious network activity in traffic from IP addresses that are included in the rule scope, but does not take any action on traffic from these IP addresses. Kaspersky Security does not block access to malicious and phishing web addresses requested from these IP addresses, regardless of the configured web addresses scan settings. This exclusion rule may be applied if the Terminate connection or Terminate connection and block traffic from sender's IP address action is defined in the Intrusion Prevention settings.
If necessary, use the arrows above the list to change the position of the created exclusion rule in the list. The rule priority is determined by its position in the list. If you set multiple rules for the same scope, the rule positioned higher in the list is applied first.
In the Properties: <Policy name> window, click OK.
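The following sketch is an added example, not Kaspersky code. It audits a list of exclusion rules before they go into a policy by parsing the scope syntax described above, reporting which rule is reached first for a given source address and VLAN tag, and flagging wide Do not scan scopes. It assumes subnets are written in CIDR notation and that the highest matching rule in the list wins; the function names and sample rules are constructed for illustration.

```python
import ipaddress

def parse_scope(scope):
    """Parse '<address or subnet> novlan | vlan <ID> | vlan 4095 | vlan *'."""
    parts = scope.split()
    if not parts:
        raise ValueError("empty scope")
    net = ipaddress.ip_network(parts[0], strict=False)  # assumption: CIDR notation
    if parts[1:] == ["novlan"]:
        return net, "untagged"
    if len(parts) == 3 and parts[1] == "vlan":
        if parts[2] == "*":
            return net, "any"
        if parts[2].isdigit() and 1 <= int(parts[2]) <= 4095:
            vid = int(parts[2])
            return net, ("tagged" if vid == 4095 else vid)  # 4095 = any VLAN tag
    raise ValueError(f"invalid scope: {scope!r}")

def vlan_matches(selector, vlan):
    """vlan is None for untagged traffic, otherwise the VLAN ID of the tag."""
    if selector == "any":
        return True
    if selector == "untagged":
        return vlan is None
    if selector == "tagged":
        return vlan is not None
    return vlan == selector

def effective_rule(rules, src_ip, vlan=None):
    """Return (position, action) of the highest rule covering the traffic, or None."""
    addr = ipaddress.ip_address(src_ip)
    for pos, (scope, action) in enumerate(rules, start=1):
        net, selector = parse_scope(scope)
        if addr.version == net.version and addr in net and vlan_matches(selector, vlan):
            return pos, action
    return None

def broad_unscanned(rules, max_hosts=256):
    """List 'Do not scan' scopes that cover more than max_hosts addresses."""
    return [scope for scope, action in rules
            if action == "Do not scan" and parse_scope(scope)[0].num_addresses > max_hosts]

# Constructed sample rules, in list order (top rule first).
RULES = [
    ("10.20.0.15 vlan *", "Default"),          # carve-out from the subnet rule below
    ("10.20.0.0/24 vlan 100", "Do not scan"),
    ("10.0.0.0/8 novlan", "Do not scan"),      # very wide scope, worth reviewing
    ("2001:db8::/64 vlan 4095", "Ignore"),
]
```

With the sample rules, the Default rule at the top keeps 10.20.0.15 under the configured Intrusion Prevention action while the rest of 10.20.0.0/24 on VLAN 100 is left unscanned, and broad_unscanned(RULES) reports the 10.0.0.0/8 scope for review.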