Exclude List Screen - ZyXEL Communications ZyWALL 110 User Manual

Chapter 33 SSL Inspection

Table 227 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued)

LABEL: DESCRIPTION

Action: To edit what action the ZyWALL/USG takes when a packet matches a signature, select the signature and use the Action icon.
    none: Select this action on an individual signature or a complete service group to have the ZyWALL/USG take no action when a packet matches the signature(s).
    drop: Select this action on an individual signature or a complete service group to have the ZyWALL/USG silently drop a packet that matches the signature(s). Neither sender nor receiver are notified.
    reject-sender: Select this action on an individual signature or a complete service group to have the ZyWALL/USG send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a 'RST' flag. If it is an ICMP or UDP attack packet, the ZyWALL/USG will send an ICMP unreachable packet.
    reject-receiver: Select this action on an individual signature or a complete service group to have the ZyWALL/USG send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a 'RST' flag. If it is an ICMP or UDP attack packet, the ZyWALL/USG will do nothing.
    reject-both: Select this action on an individual signature or a complete service group to have the ZyWALL/USG send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL/USG will send a packet with a 'RST' flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL/USG will send an ICMP unreachable packet.

#: This is the entry's index number in the list.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

SID: Type the exact signature ID (identification) number that uniquely identifies a ZyWALL/USG IDP signature.

Log: These are the log options. To edit this, select an item and use the Log icon.

Action: This is the action the ZyWALL/USG should take when a packet matches a signature here. To edit this, select an item and use the Action icon.

OK: Click OK to save your settings to the ZyWALL/USG, and return to the profile summary page.

Cancel: Click Cancel to return to the profile summary page without saving any changes.

33.3 Exclude List Screen

There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues may vary by locale, so it's important to check with your legal department to make sure that it's OK to intercept SSL traffic from your ZyWALL/USG users.

To ensure individual privacy and meet legal requirements, you can configure an exclusion list to exclude matching sessions to destination servers. This traffic is not intercepted and is passed through uninspected.

Click Configuration > UTM Profile > SSL Inspection > Exclude List to display the following screen. Use Add to put a new item in the list, Edit to change an existing one, or Remove to delete an existing entry.
ZyWALL/USG Series User's Guide
552
