About WebBlocker Exceptions

WebBlocker could deny connections to a website that is necessary for your business, based on the website category. To configure WebBlocker to always allow or deny a site, you can define a WebBlocker exception.

For example, suppose employees in your company frequently use websites that contain medical information. WebBlocker could deny connections to some of these websites because they fall into the sex education category. To configure WebBlocker to never deny connections to speific sites, specify the website domain name as an exception, with the allow action. You can also deny sites that WebBlocker usually allows.

WebBlocker exceptions apply only to HTTP and HTTPS traffic. WebBlocker denies connections to a site, the site is not automatically added to the Blocked Sites list.

To add WebBlocker exceptions, see Configure WebBlocker Exceptions.

Define the Action for Sites that do not Match Exceptions

In the WebBlocker exceptions list, below the list of exception rules, you can configure the action to occur if the URL does not match the exceptions you configure.

Use the WebBlocker category list to determine accessibility

Select this option to use the configured WebBlocker categories to determine accessibility.

Deny website access

Select this option to use exception rules to deny all sites that are not on the exception list. With this option selected, the exception list is an allowlist.

A more effective way to implement a URL allowlist is to configure HTTP Request URL Paths in the HTTP-Proxy action settings. For more information, see HTTP Request: URL Paths.

For each exception you can also enable these settings:


Select this option to send an alarm when the Firebox allows or denies a connection that matches a WebBlocker exception. To set parameters for the alarms, select the Alarm tab. For information on the Alarm tab options, see Set Logging and Notification Preferences.

Log this action

Select this option to send a message to the log file when the Firebox allows or denies a connection that matches a WebBlocker exception.

Many web sites include references to content located on other sites, or use a content delivery network (CDN) to host content. Users might not see a deny message in the web browser when WebBlocker denies access to referenced content. If you select the Deny website access option, select the Log this action check box so that you can see log messages about denied URLs in Traffic Monitor. If users report problems with missing content on an allowed website, you can look at the log messages to see if you need to add another exception to allow the referenced content.

Components of Exception Rules

Exception rules are based on IP addresses or a pattern based on IP addresses. You can have the Firebox allow or deny a URL with an exact match. Usually, it is more convenient to have the Firebox look for URL patterns. The URL patterns do not include the leading "http://". To match a URL path on all websites, the pattern must have a trailing “/*”.

The host in the URL can be the host name specified in the HTTP request, or the IP address of the server.

Network addresses are not supported, but you can use subnets in a pattern (for example, 10.0.0.*).

For servers on port 80, do not include the port. For servers on ports other than 80, add “ :port”, for example: You can also use a wildcard for the port—for example,*—but this does not apply to port 80.

Exceptions with Part of a URL

You can create WebBlocker exceptions with any part of a URL. You can set a port number, path name, or string that must be denied for a specific website. For example, if it is necessary to deny only www.sharedspace.com/~dave because it has inappropriate photographs, you type “www.sharedspace.com/~dave/*”. This gives the users the ability to browse to www.sharedspace.com/~julia, which could contain content you want your users to see.

To deny URLs that contain the word “sex” in the path, you can type “*/*sex*”. To deny URLs that contain “sex” in the path or the host name, type “*sex*”.

You can deny ports in an URL. For example, look at the URL
http://www.hackerz.com/warez/index.html:8080. This URL has the browser use the HTTP protocol on TCP port 8080 instead of the default method that uses TCP 80. You can deny the port by matching *8080.

See Also

Configure WebBlocker

Configure WebBlocker Exceptions

Import or Export WebBlocker Exceptions

Get Started with WebBlocker

Restrict Users to a Specific Set of Websites