Exa Networks Ltd. Help

Understanding the SurfProtect Profile Options

Created: December 04, 2025
Author: Samia
Edited: February 27, 2026

Understanding the SurfProtect Profile Options

Filtering profiles

Filtering profiles are split into two types: Overriding profiles and the Default profile.

The Default profile defines the default filtering policy for a location.

Overriding profiles define exceptions to the Default profile. For Example you may want Teachers and Students to have different filtering policies applied to them.

When configuring a profile, either the default profile for a location or the overriding profiles, you will be presented with a number of distinct sections which define a profile.

Matching Rules

This section describes the rules for overriding profiles, which, when matched, will cause a request to be filtered using the rules defined by the profile it matched on.

 

Note: The ability to match Internal IP addresses, SSO usernames or SSO user groups requires certain SurfProtect setups to allow SurfProtect access to that data. Please contact our Support Team for more information

Policy settings

These settings make up the core of a filtering profile, and are broken up into a number of manageable sections.

 

Categoriescategories

SurfProtect treats websites differently depending on how we have classified them. When a site is classified, it will fall into a category, such as ‘Sports‘ or ‘Arts‘. A policy defining which categories are permitted or blocked on your connection is called a ‘list‘.

Underneath the icon, you will see which category list is currently assigned. By hovering over the icon, you can then choose an alternative list to apply (including an option to remove all category filtering), or edit the current list. 

To edit a category, please see the guide Editing Umberella Behaviours

Umbrella behavioursBehaviours

A feature of SurfProtect is the ability to apply a group of settings in one click. For example, you can apply all relevant settings for ‘The Prevent Duty’ by simply clicking the ‘Prevent’ Umbrella Behaviour. 

To edit umbrella behaviours, please see the guide Editing Category and scroll down to the section 

 

Allowed URLs Permitted_URLs

There may be a time when websites that would normally be blocked by your filtering policies are legitimately required. Here you can override your other filtering policies and explicitly permit access to a web page or domain.

Underneath the icon, you will see which Allowed List is currently assigned. Hovering over the icon lets you choose an alternative list (including an option to remove all category filtering), or edit the current list. 

Blocked URLs Blocked_URLs

 

Blocked URLs work in much the same way as Allowed URLs above – you may become aware of a website that you do not want to be accessed on your connection, regardless of any filtering policies in place. To see what list is in use or to change it, hover over and select the relevant one. 

To allow or block a URL, please follow this guide

 

Restricted search termsKeywords

 

One feature is the ability to block or allow specific keywords in search queries. By configuring keyword filtering, you can prevent users from performing searches that contain undesirable terms while ensuring that searches containing approved keywords are permitted. This targeted control allows you to maintain a secure and focused online environment, tailored to your network's needs.
 

This can be accessed via hovering over the ‘Restricted Search Terms’ section on the SurfProtect profile 

To allow or block a keyword, please follow this guide

Search engine settings Search

Here you can not only select your preferred search engine for your connection, but also decide whether to force your preferred search engine’s Safe Search feature.

Hover over the icon to access the search engine menu.

 

Video site settings Video

Hover over the icon to access the menu. From here, you can force SafeSearch to work seamlessly with YouTube videos and other known video-sites.

 

Content typesContent

Content types allow you to control elements of content from being downloaded from the Internet. Whilst this is a possibility, we believe that the default settings are ideal for most users. The top section refers to External Resource Compatibility and you are given the option to always allow:Style content types (CSS, icons and font files) – These are the building blocks of websites, the default status is inactive which means that the content will load if your other content-filtering settings permit that site to be displayed.

  • Style conttent types (CSS, icons and font files)- these are the building blocks of websites, the default status is inactive which means that the content will load if your other content-filtering settings permit that site to be displayed
  • JavaScript files – JavaScript is a commonly used Internet language, however can be used for malicious means. Again, the default status is set to inactive.
Note: By changing the status of either of these you are bypassing your current content-filtering policy and explicitly allowing this type of content to be downloaded regardless of their origin.

The lower section looks after the Security Safeguarding and allows you to always block the following, regardless of their origin:

  1. Archive files – such as Zip, RAR and Tar files
  2. Executable files – .exe and shell scripts
  3. Flash files
  4. Macro enabled documents – including macro enabled Word and Excel files
  5. Mobile Application Package files – Android, Apple and Blackberry applications

This can be particularly helpful to defend against harmful files that are disguised as legitimate programs and files.

 

HTTPS bypassesBypass_HTTPS

Further than the ability to allow websites, SurfProtect can also avoid decrypting traffic from HTTPS sites. HTTPS bypass is a list of websites that will not be decrypted when using HTTPS, which is used to allow trusted sites to be accessed. 

Underneath the icon, you will see which HTTPS Bypasses list is currently assigned. By hovering over the icon, you can then choose an alternative list to apply (including an option to remove all category filtering), or edit the current list. 

Note: Not decrypting requests from these URLs will result in certain features being disabled. Specifically, the query string will not be available if the request is bypassed.

To add or remove URLs from this, please follow this guide

 

Advanced policy settings

The advanced policy settings contain the more powerful, behaviour changing tools.

 

Decrypt HTTPS

This option allows you to toggle whether HTTPS decryption happens when using this profile.

When this option is enabled, HTTPS requests are decrypted, allowing SurfProtect access to the entire URL, along with the data for the request itself.

When this option is disabled, then HTTPS requests are not decrypted, greatly reducing the effectiveness of filtering. This limits SurfProtect to only being able to see the hostname for a URL and removes the ability to read the data for the request itself. For search engines, this disables the ability to filter keywords.

This feature also removes the requirement of having the SurfProtect certificate trusted on the devices, since it will not be used.

Categories
Related Posts
Open Ports - High Risk Ports 2026/02/23
Rein and Shine Interference 2025/07/14
How to access Draytek routers 2025/07/16