CSA Rule Exception issue

Unanswered Question
Jul 19th, 2007

Is it possible when creating an exception with the Rule Wizard to not have it create a new rule module every time a rule is created.

I would like to just add rules to an Exceptions policy that is applied to the group with out it creating a new rule module every time.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Bradley Spencer Thu, 07/19/2007 - 09:36

It is not possible.

You have the choice of a new rule module (the exception module) or add it to the module containing the rule that triggered the event(not recommended).

You just have to go through the wizard, copy where you want it and delete the exception created by the wizard.

kerraj2004 Thu, 07/19/2007 - 09:43


I thought so and that is what i have been doing is copying the rule and deleting the other rule module.



tsteger1 Thu, 07/19/2007 - 12:35

I took a slightly different path with CSA 5.2 than I did with 4.0 and I feel it makes less work after creating exceptions with the wizard.

The wizard will create only one exception module per rule module and will put all subsequent wizard created exceptions in that module.

You may conceivably end up with double the number of rule modules if you create exceptions for every module (not very likely) but it keeps them in easily identifiable locations.

Just my two cents worth..


kerraj2004 Thu, 07/19/2007 - 12:40

So Tom,

Basically you are saying create a Network Access Control Rule Module one time and then all the exception that pertain to that module will fall underneath that Module automatically?



tsteger1 Fri, 07/20/2007 - 08:07

Hi Adam

Yes, it says that in the user guide and I experienced the same thing when doing it.

Part of the user guide seems a bit confusing to me though.

The 1st statement on page 10-22 in the CSA 5.2 User guide is correct:

You can create a new rule module (an "exception rule module") which

would contain the new exception rule. (This is the default and recommended choice.)

The 2nd statement is (I feel) incorrect:

"This new module would be attached to a new exception policy which is then

attached to the group(s) containing the host from which the event was received."

I've done this several times and have yet to see it create an separate exception policy

And the 3rd statement is correct:

"If you choose to create this exception module, all subsequent exception rules you

create through the wizard will be added to the same exception module and policy

if the group it is to be applied to is also the same. Therefore, a group could only

have one exception policy, but contain an exception rule module with any number

of exception allow rules created through the wizard."


jan.nielsen Sat, 07/21/2007 - 03:30

Like someone has suggested, the proper way to do this is to create your own rule module with execptions, maybe do several based on what policy they belong to or what application it is concerning, then just hit copy the text of the event, hit the rule number, choose the rule, copy to your own rule module and tune it with the info from the event text you just copied. This is how i work with csa, in my eyes the wizard is really just for learning purposes.


This Discussion