Configure EVE Exception Rules

You can create an encrypted visibility engine (EVE) exception rule to ensure the continuity of trusted connections and services by bypassing the EVE’s block action. You can add attributes such as process names and destination IP address to the exception rule. For example, you may want to bypass EVE's block verdict for trusted networks. All the connections in the bypassed networks are exempted from EVE’s block verdict based on the threat confidence level.

Procedure


Step 1

Choose Policies > Access Control heading > Access Control.

Step 2

Click Edit (edit icon) next to the access control policy you want to edit.

Step 3

Choose Encrypted Visibility Engine from the More drop-down arrow at the end of the packet flow line.

Step 4

On the Encrypted Visibility Engine page, enable the Encrypted Visibility Engine (EVE) toggle button.

Step 5

Choose the Protect mode to monitor and block encrypted traffic based on the threat confidence level of the client processes. You can use this mode to monitor and block malicious connections at two threat confidence levels:

  • High: Use this level to block connections with threat confidence levels ranging from High to Very High.

  • Very High: Use this level to block connections with threat confidence levels that are categorized as Very High.

Step 6

Click Manage exceptions to view and add exception rules.

Step 7

On the Encrypted Visibility Engine (EVE) Exception List window, click +Add Exception Rules and add the required attributes.

  1. Under the Process Name tab, enter an EVE-identified process name, and click +Add on the right side of the window.

    You can add multiple process names to the same exception rule. An EVE exception list based on process names works only with EVE-identified process names, which are case- and space-sensitive; a name that differs only in case or spacing does not match.

  2. Under the Network Objects tab, perform one of the following:

    • Choose one or more network objects from the Available Networks list and add them to the Selected Source Network or Selected Destination Network list.

    • To create a new network object, click +Create Network Object.

      1. Enter a Name and an optional Description.

      2. Choose the required network type - Host, Range, Network, or FQDN. Enter the relevant IP address if you choose Host, Range, or Network. If you choose FQDN, enter the Fully Qualified Domain Name (FQDN) and choose the required option from the Lookup drop-down list.

      3. If you want to allow configuration overrides, check the Allow overrides checkbox.

      4. Click Add.

  3. To create a new dynamic attribute, click +Create Dynamic Attribute.

    1. Enter a Name and an optional Description.

    2. Click Add. You can configure this object using Cisco Secure Dynamic Attribute Connector (CSDAC) or Management Center APIs.

  4. (Optional) In the Comment field available on all the tabs, you can enter a reason for adding the required network objects and dynamic attributes to the EVE exception rule.

Step 8

Click Save and then deploy the access control policy.


Note

When a connection matches an exception rule, it bypasses the EVE's block verdict. You can view EVE's action on the Connection Events or Unified Events page. The Reason column displays EVE Exempted, which identifies such EVE-bypassed traffic.
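The two checks an administrator typically wants after Step 7 and the Note above, as an added Python example that is not part of Cisco's documentation or product: it verifies that the process names configured in an exception rule match observed EVE-identified process names exactly (case- and space-sensitive, so a near-miss silently never matches), and it tallies connection events whose Reason is EVE Exempted so bypassed traffic can be reviewed per process and destination. The event records, and the field names eve_process, dst_ip, reason and eve_threat_confidence, are constructed assumptions for this example; only the Reason value EVE Exempted comes from the page, and you would map the fields to the column names of a real connection-event export.

```python
"""Audit helper for EVE exception rules (added example, not Cisco's code)."""
import json
from collections import Counter

# Constructed connection-event records in JSON-lines form (not real export
# data). Field names are assumptions for this example. Only the reason
# value "EVE Exempted" is taken from the documentation; the other reason
# strings are placeholders.
SAMPLE_EVENTS = """
{"ts": "2024-01-01T10:00:00Z", "src_ip": "10.1.1.5", "dst_ip": "203.0.113.10", "eve_process": "trusted-updater", "eve_threat_confidence": "Very High", "reason": "EVE Exempted"}
{"ts": "2024-01-01T10:00:01Z", "src_ip": "10.1.1.6", "dst_ip": "198.51.100.7", "eve_process": "unknown-client", "eve_threat_confidence": "Very High", "reason": "blocked-placeholder"}
{"ts": "2024-01-01T10:00:02Z", "src_ip": "10.1.2.9", "dst_ip": "203.0.113.10", "eve_process": "trusted-updater", "eve_threat_confidence": "High", "reason": "EVE Exempted"}
{"ts": "2024-01-01T10:00:03Z", "src_ip": "10.1.2.9", "dst_ip": "192.0.2.44", "eve_process": "Backup Agent", "eve_threat_confidence": "Low", "reason": ""}
"""


def parse_events(text):
    """Parse JSON-lines connection events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def observed_process_names(events):
    """Set of EVE-identified process names present in the events."""
    return {e["eve_process"] for e in events if e.get("eve_process")}


def exempted_summary(events):
    """Count connections that bypassed EVE's block verdict, keyed by
    (EVE process name, destination IP). These are the connections an
    administrator should periodically review against the exception list."""
    counts = Counter()
    for e in events:
        if e.get("reason") == "EVE Exempted":
            counts[(e.get("eve_process", ""), e.get("dst_ip", ""))] += 1
    return counts


def _normalize(name):
    # Collapse case and whitespace to detect names that look right to a
    # human but will never match EVE's exact, case- and space-sensitive
    # comparison.
    return "".join(name.split()).lower()


def check_process_names(configured, observed):
    """Classify each configured exception process name as
    'exact' (matches an observed EVE name exactly),
    'near-miss: <observed>' (differs only in case or spacing, so the
    exception rule would not fire), or 'unseen' (never observed)."""
    observed = set(observed)
    by_norm = {}
    for name in observed:
        by_norm.setdefault(_normalize(name), []).append(name)
    result = {}
    for name in configured:
        if name in observed:
            result[name] = "exact"
        elif _normalize(name) in by_norm:
            result[name] = "near-miss: " + ", ".join(sorted(by_norm[_normalize(name)]))
        else:
            result[name] = "unseen"
    return result


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    # Hypothetical process names an administrator entered under the
    # Process Name tab of an exception rule.
    configured = ["trusted-updater", "Trusted-Updater", "backup agent", "nonexistent"]
    for name, status in check_process_names(configured, observed_process_names(events)).items():
        print(f"{name!r}: {status}")
    for (proc, dst), n in exempted_summary(events).items():
        print(f"EVE Exempted x{n}: process={proc!r} dst={dst}")
```

The near-miss check is the one worth running before deployment: because EVE's process-name match is exact, "Trusted-Updater" in the exception rule would never exempt the "trusted-updater" connections, and the only symptom would be continued blocks with no EVE Exempted reason in the events.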