About WebBlocker Exceptions

WebBlocker could deny a web site that is necessary for your business. You can override WebBlocker by defining a web site that it usually denies as an exception, so that users can get access to it. For example, suppose employees in your company frequently use web sites that contain medical information. Some of these web sites are forbidden by WebBlocker because they fall into the sex education category. To override WebBlocker, you specify the web site domain name. You can also deny sites that WebBlocker usually allows.

WebBlocker exceptions apply only to HTTP and HTTPS traffic. If you deny a site with WebBlocker, the site is not automatically added to the Blocked Sites list.

To add WebBlocker exceptions, see Add WebBlocker Exceptions.

Define the Action for Sites that do not Match Exceptions

In the Use category list section below the list of exception rules, you can configure the action that occurs if the URL does not match the exceptions you configure. By default, the Use the WebBlocker category list to determine accessibility radio button is selected, and WebBlocker compares sites against the categories you selected on the Categories tab to determine accessibility.

You can also choose not to use the categories at all and instead use the exception rules to restrict web site access. To do this, click the Deny website access radio button.


Select to send an alarm when the XTM device denies a WebBlocker exception. To set parameters for the alarms, click the Alarm tab. For information on the Alarm tab fields, see Set Logging and Notification Preferences.

Log this action

Select to send a message to the log file when the XTM device denies a WebBlocker exception.

Components of Exception Rules

Exception rules are based on IP addresses or a pattern based on IP addresses. You can have the XTM device block or allow a URL with an exact match. Usually, it is more convenient to have the XTM device look for URL patterns. The URL patterns do not include the leading "http://". To match a URL path on all web sites, the pattern must have a trailing “/*”.

The host in the URL can be the host name specified in the HTTP request, or the IP address of the server.

Network addresses are not supported; however, you can use subnets in a pattern (for example, 10.0.0.*).

For servers on port 80, do not include the port. For servers on ports other than 80, add “:port”, for example: You can also use a wildcard for the port—for example, *—but this does not apply to port 80.

Exceptions with Part of a URL

You can create WebBlocker exceptions with the use of any part of a URL. You can set a port number, path name, or string that must be blocked for a special web site. For example, if it is necessary to block only www.sharedspace.com/~dave because it has inappropriate photographs, you type “www.sharedspace.com/~dave/*”. This gives the users the ability to browse to www.sharedspace.com/~julia, which could contain content you want your users to see.

To block URLs that contain the word “sex” in the path, you can type “*/*sex*”. To block URLs that contain “sex” in the path or the host name, type “*sex*”.

You can block ports in a URL. For example, look at the URL http://www.hackerz.com/warez/index.html:8080. This URL has the browser use the HTTP protocol on TCP port 8080 instead of the default method that uses TCP 80. You can block the port by matching *8080.
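
Wildcard patterns like the ones above can match more URLs than intended, so it helps to test a rule set against sample URLs before you deploy it. The following Python sketch is an added example, not WatchGuard code: it assumes that "*" matches any run of characters (including "/"), that a pattern must match the whole URL, and that the first matching rule wins. The rule list and sample URLs are constructed from the patterns quoted on this page.

```python
import re

def normalize(url):
    """Drop the scheme, since the page says patterns omit the leading http://."""
    return re.sub(r"^https?://", "", url.strip(), flags=re.IGNORECASE)

def pattern_to_regex(pattern):
    """Assumed semantics: '*' matches any run of characters (including '/'),
    every other character is literal, and the whole URL must match."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE)

def matches(pattern, url):
    return pattern_to_regex(pattern).fullmatch(normalize(url)) is not None

def decide(url, rules, fallthrough="use-categories"):
    """First matching rule wins (assumed ordering); otherwise return the
    fall-through action chosen for sites that match no exception."""
    for action, pattern in rules:
        if matches(pattern, url):
            return action
    return fallthrough

# Constructed rule set built from the patterns quoted on this page.
RULES = [
    ("deny", "www.sharedspace.com/~dave/*"),
    ("deny", "*/*sex*"),
    ("deny", "*8080"),
]

# Constructed sample URLs (hypothetical hosts) that probe each pattern's reach.
SAMPLES = [
    "http://www.sharedspace.com/~dave/photos/1.jpg",     # intended block
    "http://www.sharedspace.com/~julia/index.html",      # must stay reachable
    "http://www.example.org/health/sexual-health.html",  # medical page caught by */*sex*
    "http://www.essex.example/council/",                 # host-only hit, needs *sex* to match
    "http://intranet.example:8080",                      # intended port block
    "http://shop.example/orders/18080",                  # path that merely ends in 8080
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{decide(url, RULES):15} {url}")
```

Under these assumptions, "*8080" also denies a URL whose path happens to end in 8080, and "*/*sex*" denies the kind of medical page the introduction describes, so an allow exception for such sites has to be listed ahead of the broad deny rule.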

See Also

Get Started with WebBlocker
