When using a Web Proxy, you may need to exempt applications from web filtering so they can function correctly. This article outlines three reasons applications can’t be accessed and explains how to exempt them from web filtering.
Reason 1: The application can’t respond to authentication requests
Some applications can only identify the device and not the user. You can’t authenticate the user, so you can’t target them with Web Filter policies for specific User Groups.
- Go to the Realtime Web Filter log.
- Filter by Source IP for the IP address of the client.
- If the Code column shows 407, note the target Domain.
- Create an Authentication Exception for the domain.
Reason 2: Web Filter and HTTPS Inspection policies block access
- Go to the Web Filter log.
- Identify denied applications: they’ll show a red background and/or ‘denied’ in the Category column when the application traffic is blocked.
- Create Web Filter policies to Allow access.
If the application still does not work, add an HTTPS Inspection policy. Set the fields as follows:
- What: Either the Category shown as denied in the Web Filter logs or a Custom Category to exclude specific domains.
  Important
  - In most cases, don’t select Everything as this means Smoothwall can only filter using URL and domain filtering and can’t do Real-time content filtering. Only do this for devices that are not interactive (for example, a vending machine) or not used by students (for example, a server).
  - Ensure the domains are suitable to be excluded from HTTPS Inspection. For example, don’t exclude google.com, as Smoothwall won’t be able to filter Google search results.
- Where: A location containing your device IP addresses.
- Action: Do not inspect.
Reason 3: The application traffic doesn’t work through a proxy
Check for the presence of a PAC file on the physical client device or in your Mobile Device Management (MDM) platform.
- If you use Smoothwall Appliance as a Transparent proxy, exempt specific devices from web filtering based on the source or destination IP address (shown below).
- If you use Smoothwall Appliance as a Non-transparent proxy, add the target domains and/or IP Addresses to proxy bypass settings on the client using PAC or WPAD scripts and files.
- If you use proxy settings on the client with a transparent proxy as a backup, use both methods.
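A PAC file that implements this kind of bypass list is sketched below as an added example; it is not taken from Smoothwall's documentation. The proxy address, port, domains and IP addresses are constructed placeholders. It matches whole hosts and subdomains on a dot boundary, so a lookalike hostname does not inherit the bypass and escape filtering and logging.

```javascript
// Added example PAC file. The proxy address, port, domains and IPs below are
// constructed placeholders; replace them with your own values.
var PROXY = "PROXY proxy.example.internal:8080"; // assumed proxy host and port
var BYPASS_DOMAINS = ["app.example.com", "updates.example.net"]; // constructed
var BYPASS_IPS = ["192.0.2.10", "192.0.2.11"]; // constructed

// True when host equals domain or is a subdomain of it. Requiring the
// leading dot keeps "notapp.example.com" from matching "app.example.com".
function hostInDomain(host, domain) {
  var suffix = "." + domain;
  return host === domain ||
    (host.length > suffix.length &&
     host.substring(host.length - suffix.length) === suffix);
}

// Entry point called by the client for every request.
function FindProxyForURL(url, host) {
  // Hostnames are case-insensitive and may carry a trailing dot.
  var h = host.toLowerCase().replace(/\.$/, "");
  var i;
  // IP literals are compared exactly, never by prefix.
  for (i = 0; i < BYPASS_IPS.length; i++) {
    if (h === BYPASS_IPS[i]) return "DIRECT";
  }
  for (i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (hostInDomain(h, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // Everything else stays on the proxy so it is filtered and logged.
  return PROXY;
}
```

Keep the bypass list as short as the application allows, because every `DIRECT` result is traffic the proxy neither filters nor logs.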
Add Web Filter Exceptions
Warning
Adding Web Filter Exceptions to completely bypass the Smoothwall Web Proxy should be a last resort, because:
- The more exceptions that are added, the less protected your network becomes.
- HTTP and HTTPS traffic won’t be directed to Smoothwall Filter, so it won’t be filtered or logged.
Before you begin
When the proxy is bypassed, the firewall rules apply to outgoing web traffic. Ensure your Firewall rules allow access on Port 801 only from the right sources and to the right destinations.
Add an exception
- Go to Guardian > Web filter > Exceptions.
- To exempt devices from being filtered by Smoothwall Appliance, enter IP addresses, IP ranges or IP addresses with CIDR notation into the:
  - Destination exception IP addresses field.
  - Source exception IP addresses field if many destination IP addresses make it impossible to identify traffic by destination.
  Note
  If your Web proxy authentication policy is Non-transparent, you also need to manage the proxy settings on the client device to use a different proxy.
- Press your enter key to add the exception.
- Select Save.
Remove Web Filter Exceptions
- Go to Guardian > Web filter > Exceptions.
- Select the item, or use the Select All option.
- Select Remove selected.