Related Topics

About WebBlocker Exceptions

WebBlocker could deny a website that is necessary for your business. You can override WebBlocker when you define a website usually denied by WebBlocker as an exception to allow users to get access to it. For example, suppose employees in your company frequently use websites that contain medical information. Some of these websites are forbidden by WebBlocker because they fall into the sex education category. To override WebBlocker, you specify the website domain name. You can also deny sites that WebBlocker usually allows

WebBlocker exceptions apply only to HTTP and HTTPS traffic. If you deny a site with WebBlocker, the site is not automatically added to the Blocked Sites list.

To add WebBlocker exceptions, see Add WebBlocker Exceptions.

Define the Action for Sites that do not Match Exceptions

In the Use category list section below the list of exception rules, you can configure the action to occur if the URL does not match the exceptions you configure. By default the Use the WebBlocker category list to determine accessibility radio button is selected, and WebBlocker compares sites against the categories you selected on the Categories tab to determine accessibility.

To use exception rules to restrict website access instead of the categories, select Deny website access.


Select to send an alarm when the Firebox denies a WebBlocker exception. To set parameters for the alarms, select the Alarm tab. For information on the Alarm tab options, see Set Logging and Notification Preferences.

Log this action

Select to send a message to the log file when the Firebox denies a WebBlocker exception.

Many web sites include references to content located at other sites, or use a content delivery network (CDN) to host content. Users might not see a deny message in the web browser when WebBlocker denies access to referenced content. If you select the Deny website access option, select the Log this Action check box so that you can see log messages about denied URLs in Traffic Monitor. If users report problems with missing content on an allowed website, you can look at the log messages to see if you need to add another exception to allow the referenced content.

Components of Exception Rules

Exception rules are based on IP addresses or a pattern based on IP addresses. You can have the Firebox block or allow a URL with an exact match. Usually, it is more convenient to have the Firebox look for URL patterns. The URL patterns do not include the leading "http://". To match a URL path on all websites, the pattern must have a trailing “/*”.

The host in the URL can be the host name specified in the HTTP request, or the IP address of the server.

Network addresses are not supported, however you can use subnets in a pattern (for example, 10.0.0.*).

For servers on port 80, do not include the port. For servers on ports other than 80, add “ :port”, for example: You can also use a wildcard for the port—for example,*—but this does not apply to port 80.

Exceptions with Part of a URL

You can create WebBlocker exceptions with the use of any part of a URL. You can set a port number, path name, or string that must be blocked for a special website. For example, if it is necessary to block only because it has inappropriate photographs, you type “*”. This gives the users the ability to browse to, which could contain content you want your users to see.

To block URLs that contain the word “sex” in the path, you can type “*/*sex*”. To block URLs that contain “sex” in the path or the host name, type “*sex*”.

You can block ports in an URL. For example, look at the URL This URL has the browser use the HTTP protocol on TCP port 8080 instead of the default method that uses TCP 80. You can block the port by matching *8080.

See Also

Configure WebBlocker

Change the Order of WebBlocker Exception Rules

Import or Export WebBlocker Exception Rules

Get Started with WebBlocker (Web)

Restrict Users to a Specific Set of Websites

Give Us Feedback     Get Support     All Product Documentation     Technical Search