Configuring a domain exclusion list

If a domain is in the list of exclusions, its traffic is not decrypted, even if the traffic matches a decryption rule. However, a record is made in the encrypted traffic scanning log.

Domains are excluded from decryption regardless of the presence of the "www" prefix. That is, the "example.com" exclusion behaves identically to the "www.example.com" exclusion.

Exclusions do not apply to subdomains.

Before configuring the list of domain exclusions, make sure that traffic decryption exclusions are enabled.

Adding a domain to exclusions

To add a domain to exclusions:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. In the SSL Inspection section, select Exclusions.
  3. On Domains tab, enable the Use custom domain exclusion list toggle switch.
  4. If you want a security event to be sent the SIEM system whenever a domain from the list of exclusions is visited, enable logging using the Log if domains from exclusion list are accessed toggle switch.
  5. In the list of exclusions, click Add.
  6. In the Value column, enter the domain name or IP address of the web page for which you do not want Kaspersky NGFW to scan encrypted connections.

    Kaspersky NGFW supports the * character as a mask in the domain name.

    You can enter the domain name in the following formats:

    • Fully qualified domain name (FQDN)
    • Fully qualified domain name mask
    • IPv4 address

    Examples:

    • domain.com includes the following addresses: https://domain.com, https://www.domain.com, https://domain.com/page123. The entry does not include subdomains (for example, subdomain.domain.com).
    • subdomain.domain.com includes the following addresses: https://subdomain.domain.com, https://subdomain.domain.com/page123. The entry does not include the domain.com domain.
    • * .domain.com includes the following addresses: https://movies.domain.com, https://images.domain.com/page123. The entry does not include the domain.com domain.
  7. Apply the OSMP policy changes by clicking the Commit and push button.

The domain is added to the list of exclusions.

Removing a domain from the list of exclusions

To remove a domain from the list of exclusions:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. Select SSL Inspection → Exclusions.
  3. Select check boxes next to the domains that you want to remove.
  4. In the upper workspace, click Delete.

The selected domains are removed from the list of exclusions.

Page top