In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
Select the Objects tab, then select Security profiles → IDPS.
This opens a list of IDPS profiles.
Open the profile editing window in one of the following ways:
Click the name of the profile.
Select the check box next to the profile that you want to edit and click Edit.
Go to the Exclusion rules section.
Click Create.
This opens the exclusion rule creation window.
In the Name field, enter a name for the new exclusion rule.
The name of the rule must be unique among the exclusion rules in this IDPS profile.
The maximum length is 128 characters.
Select an action to be applied to traffic when a signature is detected:
Allow: allows traffic when a signature is detected.
Block: blocks traffic when a signature is detected (packets of the established session are dropped).
The action specified in the exclusion rule overrides the action specified in the IDPS profile.
If you want to send security events to the SIEM system when a signature is triggered, enable logging.
You must fill in at least one field under Rule settings.
The values correspond to the values specified in the security events sent to your SIEM system. To set an action for a signature that is different from the action in the main profile, for example, when a false positive occurs, copy the relevant security event parameters from the SIEM system:
ID is the unique ID of the signature.
Vulnerability type is the type of vulnerability or threat.
Priority is the importance assigned to the rule. The value can be Low, Medium, or High.
MITRE tactic is the triggered MITRE tactic. You can specify one MITRE tactic.
MITRE technique is the triggered MITRE technique. You can specify one MITRE technique.
If multiple values are specified at the same time, they are combined with a logical "AND".
Click Create to save the changes to the exclusion rule.
Click Save to save the changes to the custom IDPS profile.
Apply the OSMP policy changes by clicking the Commit and push button.
The exclusion rule is added to the rule table. The exclusion rule comes into effect when the current session ends and a new session begins.
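The following is an added example, not part of the product documentation and not vendor code. It models the constraints and the logical "AND" matching described above so that you can check, against events exported from your SIEM system, how many signatures a planned exclusion rule would cover before you create it. The event key names, the exact-equality comparison, and the sample events are assumptions made for illustration.

```python
# Added illustration, not vendor code. Event key names and exact-equality
# matching are assumptions; the sample events are constructed.
from dataclasses import dataclass, fields
from typing import Optional

@dataclass(frozen=True)
class ExclusionRule:
    name: str
    action: str                               # "Allow" or "Block"
    id: Optional[str] = None                  # signature ID
    vulnerability_type: Optional[str] = None
    priority: Optional[str] = None            # Low, Medium, or High
    mitre_tactic: Optional[str] = None        # one tactic only
    mitre_technique: Optional[str] = None     # one technique only

    def criteria(self):
        """Rule settings that were filled in (everything except name/action)."""
        return {f.name: getattr(self, f.name) for f in fields(self)
                if f.name not in ("name", "action") and getattr(self, f.name) is not None}

def validate(rule, existing_names=()):
    """Return the constraints from the procedure that the rule violates."""
    errors = []
    if not rule.name or len(rule.name) > 128:
        errors.append("name is required, at most 128 characters")
    if rule.name in existing_names:
        errors.append("name must be unique within the IDPS profile")
    if not rule.criteria():
        errors.append("at least one field under Rule settings is required")
    return errors

def matches(rule, event):
    """All filled-in settings must equal the event's values (logical AND)."""
    crit = rule.criteria()
    return bool(crit) and all(event.get(k) == v for k, v in crit.items())

def effective_action(rule, event, profile_action):
    """The exclusion rule's action overrides the profile action on a match."""
    return rule.action if matches(rule, event) else profile_action

SAMPLE_EVENTS = [  # constructed SIEM events
    {"id": "900001", "vulnerability_type": "web-attack", "priority": "High",
     "mitre_tactic": "Initial Access", "mitre_technique": "T1190"},
    {"id": "900002", "vulnerability_type": "web-attack", "priority": "Medium",
     "mitre_tactic": "Initial Access", "mitre_technique": "T1190"},
    {"id": "900003", "vulnerability_type": "scan", "priority": "Low",
     "mitre_tactic": "Reconnaissance", "mitre_technique": "T1595"},
]
```

A rule that sets only Vulnerability type matches both constructed web-attack events, while a rule that sets only ID matches one. For a false positive, a rule limited to the signature ID keeps an Allow exclusion from covering unrelated signatures.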