Limits and exceptions change the way filters are applied based on IP address. For example, you can specify a limit setting so that filters only apply to specific source and destination IP addresses or address ranges. If a filter has both global and filter-level exception settings, the Threat Suppression Engine (TSE) uses the filter-level settings to determine how to apply the filter. You can configure the following limits and exceptions from the LSM:
Filter Exceptions (specific): Allows traffic that would normally trigger a filter to pass between specific addresses or address ranges without triggering the filter. Configured from the Filter Edit page, these exceptions apply only to the filter where they were configured.
Limit Filter to IP Addresses (global): Only apply filters to traffic between specified source and destination IP address pairs. You can configure IP address limits that apply to all the following filter types: Application Protection, Traffic Normalization, and Network Equipment Protection filters. You can configure separate limits that apply only to Performance Protection filters.
Exceptions (global): Exclude traffic between specified source and destination IP address pairs. You can configure exceptions for the following filter types: Application Protection, Traffic Normalization, Network Equipment Protection, and Performance Protection filters. These exceptions are global for all specified filters.
How To: Configure Global IP Address Limits and Exceptions
- From the LSM menu, click Policy > Profiles > IPS.
- In the IPS Profiles section, double-click the name of the security profile that you want to edit.
- In the Limits/Exceptions section, add IP addresses to Application Protection Filter Exclusives, Application Protection Filter Exceptions, and Performance Protection Filter Exclusives:
  - Enter the Source Address. Source and Destination IP Addresses can be entered in CIDR format, as "any", or as *.
  - Enter the Destination Address.
  - Click Add to table below.
  - Repeat this process for each IP address exception required.
- Click Apply.
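Before entering pairs in the LSM, it can help to check offline which flows a set of entries would leave uninspected. The following is an added example, not code from the LSM or the User's Guide: a simplified Python model of the limit and exception rules described above, using the address formats the procedure accepts. The function names, the sample tables, and the treatment of an empty limit table as "no restriction" are assumptions.

```python
import ipaddress

def parse_addr(text):
    """Parse one table entry: CIDR, "any", or "*". None means wildcard."""
    text = text.strip()
    if text == "*" or text.lower() == "any":
        return None
    return ipaddress.ip_network(text, strict=False)  # ValueError on bad input

def addr_matches(spec, ip):
    net = parse_addr(spec)
    return net is None or ipaddress.ip_address(ip) in net

def pair_matches(pairs, src, dst):
    return any(addr_matches(s, src) and addr_matches(d, dst) for s, d in pairs)

def filter_applies(src, dst, limits=(), global_exc=(), filter_exc=()):
    """True if the filter still inspects the flow src -> dst."""
    # From the page: filter-level exception settings override global ones.
    exceptions = filter_exc if filter_exc else global_exc
    # Assumption: an empty limit table places no restriction on the filter.
    if limits and not pair_matches(limits, src, dst):
        return False
    return not pair_matches(exceptions, src, dst)

def overbroad(pairs):
    """Return exception entries that are wildcards on both sides."""
    def wide(spec):
        net = parse_addr(spec)
        return net is None or net.prefixlen == 0
    return [(s, d) for s, d in pairs if wide(s) and wide(d)]

# Constructed sample tables (not taken from any real profile).
LIMITS = [("any", "10.1.0.0/16")]
GLOBAL_EXC = [("10.0.5.10/32", "*")]          # e.g. an internal scanner
FILTER_EXC = [("10.0.9.0/24", "10.1.2.0/24")]

if __name__ == "__main__":
    flows = [("192.0.2.7", "10.1.2.3"), ("10.0.5.10", "10.1.2.3"),
             ("192.0.2.7", "10.2.0.1")]
    for src, dst in flows:
        print(src, "->", dst, "inspected:",
              filter_applies(src, dst, LIMITS, GLOBAL_EXC))
    print("over-broad:", overbroad(GLOBAL_EXC + [("any", "*")]))
```

An entry returned by overbroad() would exempt all traffic from the affected filters, so it is worth reviewing before clicking Apply.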
How To: Delete a Global Limit/Exception Setting
- From the LSM menu, click Policy > Profiles > IPS.
- In the IPS Profiles section, double-click the name of the security profile that you want to edit.
- In the Limits/Exceptions section, review the global limit and exception address entries.
- Click Delete to delete an entry.
- Click Apply.
Reference: Local Security Manager User's Guide