About policies

A policy is a group of settings that define how ETP handles known or suspected threat events and access control events. You assign a policy to a location or sub-location. A location is a region or geographic area in your network such as a corporate field office. You can assign a different policy to each location or sub-location, or you can assign multiple locations to the same policy. You cannot assign more than one policy to a location or sub-location.

To configure a policy, you need to be an ETP administrator. If you are a delegated or strict delegated administrator, you can modify the policy you created or the policies that you are allowed to access.

In a policy configuration, you define the policy action and the response to users. You can also select whether alerts about threats are sent. The Threat tab allows you to select an action and response based on a threat category or type, while the Custom Lists tab allows you to set the same settings for custom, top-level domain, exception, and file hash lists. In a custom list, you identify known and suspected domains and IP addresses. You can add or remove a list from a policy. For more information on threat categories, see Threat categories. For more information on lists, see About lists.

A policy is also where you configure access control settings, including application visibility and control (AVC) and data loss prevention (DLP). AVC allows you to control access to websites, web applications, and the specific operations that you can perform in a web application. You can design a policy that is based on risk level, categories, category operations, applications, application operations, and more. For more information, see Application visibility and control.

For DLP, you can associate a DLP dictionary to a policy to identify sensitive information that users upload. You can select to block or monitor this data. For more information, see Data loss prevention.

When creating or modifying a policy, an administrator can select a template to help define policy actions for threat categories in the Threat tab. You can use a security template as a starting point to your configuration. For more information, see Security templates.

Policy settings

A policy is also where you enable these features:

  • SafeSearch. SafeSearch allows you to block or prohibit adult and explicit content from Google and Bing search results. For more information, see SafeSearch and YouTube Restricted Mode.

  • YouTube Restricted Mode. You can restrict access to YouTube video content. For more information, see SafeSearch and YouTube Restricted Mode.

  • ETP Proxy. You can enable ETP Proxy to direct traffic to an HTTP or HTTPS proxy that intercepts and inspects HTTP requests. For more information, see About ETP Proxy.

  • Proxy Authorization. Allows ETP Proxy to authorize connections from the on-premises proxy. ETP Proxy extracts the Proxy-Authorization header from the request. This header contains credentials that are used to authenticate the on-premises proxy to ETP Proxy. You configure proxy credentials both in ETP and in the on-premises proxy. For more information on proxy authorization, see Configure proxy authorization.

  • Origin ports. You can configure the origin ports or port ranges that you want to open for the full web proxy. By default, ETP allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.

  • Bypass Microsoft 365 traffic. Allows you to quickly resolve requests to Microsoft apps and services, such as Microsoft Office apps, Outlook, cloud storage, and more. This setting securely retrieves the domains and IP addresses associated with these apps and services from Microsoft to bypass ETP Proxy scanning. This setting provides optimal routing to these websites. For more information, see Bypass Microsoft 365 traffic.

  • Unverifiable origin certificates. You can configure how ETP Proxy handles requests when it cannot verify the website's origin certificates. For more information, see Unverifiable origin certificates.

  • Disable Client. You can disable ETP Client in the locations that are associated with the policy.

  • Walled Garden Exceptions. You can enable this option to block all traffic when ETP Client is in an unprotected state. This setting blocks all traffic except for the domains and IP addresses that are configured as walled garden exceptions in the ETP network configuration. This setting also makes ETP Client the device web proxy. As a result, Yes is automatically selected for Overwrite Device Proxy Settings.

  • Overwrite Device Proxy Settings. You can select to modify the local web proxy settings on the user's machine and in turn, enable ETP Client as the local web proxy. You can choose to modify or not modify these settings, or you can only modify these settings when no web proxy is configured on the user's machine. If ETP Client acts as the local web proxy, it forwards all traffic to ETP Proxy. For more information, see ETP Client for web traffic.

  • Full Web Proxy. If your network includes an on-premises proxy or you've installed ETP Client on end user machines, you can forward all web traffic to ETP Proxy for analysis. Your organization needs to be licensed for ETP Advanced Threat. For more information, see Full web proxy.

  • Block incompatible domains. You can block domains that are not compatible with the TLS MITM certificate you generated or uploaded to ETP for the proxy. For more information, see Allow or block domains incompatible with TLS MITM certificate.

  • Local Breakout for Bypass Domains. Disable this option if your network does not have a direct route to the Internet and it cannot access domains that are configured in ETP for bypass. When disabled, ETP directs these domains to the origin. For more information, see Local breakout for bypass domains.

  • Inline Payload Analysis. If ETP Proxy is enabled and your enterprise is enabled for ETP Advanced Threat, you can also choose to inspect the payload or content of a website or file sharing service. Multiple antivirus engines are used to scan content and identify threats. This option scans files up to 5 MB in size. For more information, see Inline payload analysis.

    This feature also allows ETP to analyze requested webpages and determine if the page was built with a phishing toolkit. For more information, see Zero-day phishing detection.

  • Block Unscannable Files. As part of inline payload analysis, you can block files that ETP Proxy cannot scan such as encrypted or compressed files. By default, this option is disabled.

  • Dynamic and static malware analysis. Configure ETP to scan files that are larger than 5 MB in size. You can configure ETP to perform static malware analysis offline or after a file that's 5 MB to 2 GB in size is downloaded to the user's browser. Static malware analysis scans content without executing or running it. If you enable dynamic malware analysis, files that are up to 64 MB in size are scanned in a secure sandbox environment. To enable dynamic malware analysis, your organization needs to be licensed for both Advanced Threat and the Advanced Sandbox module. For more information, see Static malware analysis of large files and Dynamic malware analysis.

  • Forward Public IP to Origin. This setting forwards the user's public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients.

  • Authentication Mode. You can require that users authenticate to access a website, web application, and more. For example, with AVC, you can configure authentication to access blocked websites in an AUP or custom list. You can also require that users authenticate to bypass DLP scanning for document or text uploads. If you require authentication or make authentication optional, you need to select an IdP. For more information, see Authentication policy.

  • User and group-based policy. While you can require that all users and groups in your AD or directory service authenticate to access a website or web application, you can also provide access to only specific users and groups. For more information, see Acceptable use policy.

Note: To encrypt DNS requests, Mozilla Firefox enables DNS over HTTPS (DoH). However, this feature causes traffic to bypass ETP. To avoid interfering with your network security solutions, Firefox checks whether a DNS filtering solution is already in place by requesting the canary domain use-application-dns.net. Enterprise Threat Protector responds with NXDOMAIN to signal that this feature is not needed in your corporate network. For more information on Firefox and DoH, see this Mozilla knowledge base article.

An enterprise can create a maximum of 100 policies. If your organization requires more policies, contact your Akamai representative.

Threat categories

By default, each policy is configured with threat categories. Threat categories classify domains and IP addresses that Akamai confirmed or suspects are malicious or risky. The domains and IP addresses that are included in these categories are updated automatically as new threats are identified. If ETP determines that a suspected threat for a category is malicious, the threat is added to the list of known threats in that category.

Risky domains are domains that were newly registered or newly seen, or that are used for potentially malicious activity.

For known and suspected threats, ETP includes these threat categories:

  • Malware. Domains and IP addresses used to host malicious software.

  • Phishing. Domains and IP addresses used to host phishing websites that gather user credential information.

  • C&C. Domains and IP addresses used by malicious C&C servers.

  • DNS Exfiltration. Domains that serve as a communication channel over DNS. This channel may be used to steal sensitive data or circumvent traditional access restrictions by allowing malware to communicate outside the network over the DNS protocol.

For risky domains, ETP includes these threat categories:

  • Adware. Domains that display malicious content in advertisements.

  • Coin Mining. Domains that are used for mining cryptocurrency.

  • Newly Registered. Domains that were recently registered.

  • Newly Seen. Domains that were recently visited by users.

  • Potentially Harmful. Domains that appear to be harmful to an enterprise network.

  • DNS Tunneling. Domains that are used to hide and transmit malicious data in a DNS tunnel.

The default actions and alert settings that are assigned to these threat categories are recommended. For more information on policy actions, see Policy actions.

When defining policy actions for the DNS exfiltration category, consider this configuration:

  • Assign the monitor policy action to suspected DNS exfiltration threats. The monitor action allows ETP to analyze suspected domains and subdomains. If ETP determines that a domain or subdomain is a threat, it's added to the list associated with the known DNS exfiltration category.

  • Configure known DNS exfiltration threats with the block policy action to ensure these known threats are not accessible. By default, the strict policy template assigns this action to known DNS exfiltration threats.

If there are domains and IP addresses that you don't want ETP to analyze, add them to an exception list. After you add an exception list to a policy, the list is configured with the bypass policy action. For more information, see Exception lists.

Security templates

To implement policy best practices, an administrator can apply a security template to configure policy actions for threat categories.

You can use these templates as a starting point to a policy configuration. After you select one of these preset templates, you can then change any of the applied settings such as policy actions, response to user, and more to define settings that best fit your network and your company's security policy. When you do this, the policy indicates that you are using a custom template.

These templates only apply to the categories in the Akamai Security tab. They do not configure settings in other areas of the policy, such as custom lists.

You can select from these templates:

  • Strict. Includes strict policy actions to make sure that threats are blocked from your network. This template includes these settings:

    • All known threat categories are assigned the block policy action. Most of these block actions are assigned the Error page response to user.

    • For known and suspected DNS exfiltration threats, a refused response is configured as the response to the user.

    • A monitor action is assigned to suspected malware and phishing threats.

    • Alerts are enabled for C&C and DNS exfiltration categories.

  • Monitor-only. Assigns the monitor action to all known and suspected threat categories. Alerts are enabled for the C&C and DNS exfiltration categories. This template logs and reports threats but it does not block them. The Monitor-only template is ideal for testing or assessing policy impact before using the Strict template.

Policy actions

ETP performs actions on detected or suspected threats based on the policy configuration. As an ETP administrator, you can select policy actions for a threat category, list, DLP dictionary, and AVC configuration.

When designing your policy, you can select from actions that detect or prevent threats. Some organizations may use a phased approach to first configure the policy to detect threats before assigning the block action. Note:

  • Threat Detection. Occurs when the monitor action is assigned. This threat response does not stop traffic. Security events are detected and reported, and email notifications are sent to the recipients configured by an administrator.

  • Threat Prevention. Occurs when the block action is assigned. This action prevents requests that threaten your network. When the block action is selected, you can select the response to the user. For example, as part of the block action, you can select that users receive a custom error page or you can redirect the user's request to Enterprise Security Connector to identify the infected machine.

For each list, you can further select whether an ETP alert recipient receives an email alert notification when a security event is reported.

If domains and IP addresses are configured in multiple lists with conflicting actions, ETP selects the action based on this priority:

  1. Bypass
  2. Block
  3. Monitor
  4. Allow

For more information on policy action conflicts, see Policy conflicts.

Bypass

With this action, requests bypass ETP Proxy and resolve to the origin IP address. If the proxy is enabled, the request is not decrypted with the TLS MITM certificate. It is sent directly to the destination web server. While no threat or access control event is logged, bypassed traffic does appear in the DNS Activity report and in the Network Traffic report.

This action is automatically assigned to custom exception lists. It is also an action that’s available for the analysis of large files. You can select this action to ensure payloads bypass ETP Proxy.

Block

This policy action denies the request. When this action is selected in a policy, the administrator can select the response or the type of block that the user experiences.

These responses are available for a block action:

  • Error Page. User is shown a custom error message based on the threat violation. For more information on error pages, see Customize error pages.

    If Error Page is selected as the threat response, administrators can select to redirect malicious traffic to a security connector that is deployed in the network. A security connector records the internal IP address of the infected machine that made the request. For more information on Security Connector, see Security Connector as a DNS sinkhole.

    This behavior applies to Security Connector version 2.5.0:

    • If the proxy is disabled, the user is shown an error message to indicate that website access is prohibited.

    • If the proxy is enabled, the user is shown the error message that corresponds to the threat type.

    You should assign a security connector to the C&C and malware threat categories because it allows an enterprise to discover the IP address and computer name of an infected machine in the network.

    With this action, a threat event is logged in the threat events report. If Security Connector is enabled, a security connector event is also logged.

  • Custom Response. Request is redirected to the IP address of the custom response. However, if the proxy is enabled and the request matches a URL in a list, the request is redirected to a custom error page instead.

    DNS, HTTP, and HTTPS events are logged in the Threat Events report.

  • Refused Response. User is shown a browser-specific error message. If ETP Proxy is enabled, a refused response is available to assign to custom lists only.

Monitor

Administrators can assign the monitor action to a threat category, list, and access control feature. This action is also available when configuring risk, categories, operations, and applications for an AVC configuration. For more information about DLP or AVC, see Data loss prevention and Application visibility and control.

With this policy action, requests generally resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in ETP.

If ETP Proxy is enabled as a selective or full web proxy, traffic is forwarded to ETP Proxy where it's scanned by multiple anti-malware engines. In this situation, if a threat is detected, then the user is unable to access the URL or website they requested.

Note: Select the Monitor action for lists in the default policy. The default policy is associated with the Unidentified IPs location, a location open to the Internet. If you select another action, a malicious user may suspect that your organization blocks specific domains.

Allow

Depending on whether the proxy is enabled, the following applies:

  • If the proxy is enabled, this action directs traffic to ETP Proxy for analysis.
  • If the proxy is disabled, this action resolves requests to the origin.

The proxy examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL. When inline payload analysis is enabled, this action sends traffic to the destination web server and the downloaded response is scanned for malware and other threats. If a threat is detected, ETP applies the action according to the malware, phishing, or C&C threat type.

This action is available for the Risky threat categories, block lists, and for application visibility and control settings.

Policy conflicts

Policy conflicts may occur if multiple lists are assigned to a policy and those lists contain matching or overlapping domain names, IP addresses, or URLs. When conflicts exist, ETP uses this logic to determine the policy action:

Based on List Type

All lists that are created by administrators (block and exception lists) are prioritized over other lists in ETP. This means that the action associated with domains or URLs in a custom block list or exception list prevails over the action associated with the same domain or URL in any of these lists:

  • Akamai Security lists. This includes the domains, IP addresses, and URLs associated with Akamai threat categories, such as malware, phishing, command & control, and more.

  • Microsoft 365. Domains and IP addresses associated with Microsoft apps and services, such as Microsoft Office apps, Outlook, cloud storage, and more.

  • Acceptable use policy and AVC. Domains, IP addresses, and URLs for websites and applications. These websites and applications correspond to the AUP and AVC configuration in a policy.

Based on Longest Domain/URL Match

If the same domain is specified in multiple custom lists or ETP lists using different suffix lengths, ETP enforces the policy action assigned to the longest matching address.

Note: If the same domain or URL is found in a custom block or exception list and in an ETP list, the policy action of the custom list takes priority.

For example, if these lists are assigned to the same policy and a user goes to foo.bar.com, the Monitor action prevails, because it satisfies the longest matching address.

  • List 1 is set to Block bar.com.

  • List 2 is set to Monitor foo.bar.com.

Based on Priority of Action

If the same domains, IP addresses, and URLs are configured in multiple custom lists or in multiple Akamai lists with conflicting actions, ETP selects the action based on this priority:

  1. Bypass
  2. Block
  3. Monitor
  4. Allow

For example, if these lists are assigned to the same policy and a user goes to bar.com, the Bypass action prevails, because it has higher priority.

  • List 1 is set to Block bar.com.

  • List 2 is set to Bypass bar.com.
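The three conflict rules above, carried through in code. This is an added example, not Akamai's implementation: it handles domain suffixes only (not IP addresses or URL paths), and it assumes that the list-type rule is applied before the longest-match rule, so a custom list beats an ETP-managed list even when the ETP entry is the longer suffix.

```python
# Added example (not Akamai's code): decide which policy action applies when
# several lists in one policy match the same requested hostname.
# Rules, in the order this page gives them:
#   1. custom block/exception lists prevail over ETP-managed lists,
#   2. the longest matching domain suffix wins,
#   3. remaining ties go to action priority Bypass > Block > Monitor > Allow.
# Assumption: rule 1 is applied before rule 2 (see lead-in).
from dataclasses import dataclass
from typing import Iterable, Optional

ACTION_PRIORITY = {"bypass": 0, "block": 1, "monitor": 2, "allow": 3}


@dataclass(frozen=True)
class ListEntry:
    list_name: str   # used to report which list won
    domain: str      # domain suffix as entered in the list, e.g. "bar.com"
    action: str      # "bypass", "block", "monitor" or "allow"
    custom: bool     # True for admin-created block/exception lists

    def __post_init__(self) -> None:
        if self.action not in ACTION_PRIORITY:
            raise ValueError(f"unknown policy action {self.action!r}")


def normalize(host: str) -> str:
    """Lower-case and drop a trailing dot so 'FOO.BAR.COM.' == 'foo.bar.com'."""
    return host.strip().lower().rstrip(".")


def domain_matches(entry_domain: str, requested: str) -> bool:
    """A list entry matches the host itself and every subdomain of it."""
    entry_domain, requested = normalize(entry_domain), normalize(requested)
    return requested == entry_domain or requested.endswith("." + entry_domain)


def resolve_action(requested_host: str, entries: Iterable[ListEntry]) -> Optional[ListEntry]:
    """Return the winning entry for requested_host, or None if no list matches."""
    matches = [e for e in entries if domain_matches(e.domain, requested_host)]
    if not matches:
        return None
    # Rule 1: if any custom list matches, ETP-managed lists are ignored.
    if any(e.custom for e in matches):
        matches = [e for e in matches if e.custom]
    # Rule 2: keep only the entries with the most labels (longest suffix).
    labels = lambda e: len(normalize(e.domain).split("."))
    longest = max(labels(e) for e in matches)
    matches = [e for e in matches if labels(e) == longest]
    # Rule 3: lowest priority number wins among equal-length matches.
    return min(matches, key=lambda e: ACTION_PRIORITY[e.action])


# Constructed sample lists: the page's two examples plus a conflict between a
# custom exception list and an Akamai-managed list for the same domain.
SAMPLE_LISTS = [
    ListEntry("List 1", "bar.com", "block", custom=True),
    ListEntry("List 2", "foo.bar.com", "monitor", custom=True),
    ListEntry("List 3", "bar.com", "bypass", custom=True),
    ListEntry("Akamai Malware", "evil.example", "block", custom=False),
    ListEntry("Exceptions", "evil.example", "bypass", custom=True),
]

if __name__ == "__main__":
    for host in ("foo.bar.com", "bar.com", "cdn.evil.example", "unlisted.test"):
        winner = resolve_action(host, SAMPLE_LISTS)
        if winner is None:
            print(f"{host}: no list matches")
        else:
            print(f"{host}: {winner.action} (from {winner.list_name})")
```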

SafeSearch and YouTube restricted mode

An ETP administrator can enable SafeSearch in a policy to block and prohibit adult or explicit content from search results that are completed with Google and Bing search engines. When end users in locations assigned to this policy complete searches with Google or Bing, this feature creates a canonical name (CNAME) record.

These conditions apply:

  • For www.google.com, ETP creates a CNAME to forcesafesearch.google.com.

  • For www.bing.com, ETP creates a CNAME to strict.bing.com.

This means end users are routed to forcesafesearch.google.com and strict.bing.com when performing searches with these search engines.

Similarly, in a policy configuration, you can also enable YouTube restricted mode. This feature prevents users from accessing video content that contains mature themes, language, or situations. You can select from these modes:

  • Strict. Provides access to a limited collection of video content. This is the most restricted mode.

  • Moderate. Provides some restricted access but is less strict than Strict mode. Moderate mode allows users to access a larger collection of video content.

  • Unrestricted. Provides access to all YouTube content. This option is selected by default.

ETP creates a CNAME for these hostnames:

  • www.youtube.com

  • m.youtube.com

  • youtubei.googleapis.com

  • youtube.googleapis.com

  • www.youtube-nocookie.com

For Strict YouTube Restricted mode, these domains are a CNAME for restrict.youtube.com. For Moderate YouTube Restricted mode, these domains are a CNAME for restrictmoderate.youtube.com.

Proxy logging mode

In a policy configuration, you define the details that are logged in ETP for HTTP or HTTPS threat events. Different logging levels are available to report data such as the HTTP headers, hostname, URL path, and query string information.

Note: The Proxy Logging Mode setting is available in a policy only when you enable ETP Proxy.

To make sure that your enterprise can investigate security incidents and determine why traffic is blocked, do not change the default logging mode. Level 1 provides details that are best for troubleshooting and investigating events.

You can select from these levels:

  • Level 1 (Recommended). Logs the HTTP headers in the request and response as well as the hostname, path, and query string in the URL.

  • Level 2. Logs the hostname, path, and query string in the URL.

  • Level 3. Logs the hostname and path in the URL.

  • Level 4. Logs the hostname only.

By default, Level 1 is selected. This data is reported in the Threat Events report.

Clicking to view more information about an event opens the Event Details window, where you can view general and specific traffic information. The Traffic General subtab contains the hostname and path of a URL, while the Traffic Details subtab contains the query string and the request and response information. If you select a logging mode that does not record some of this information, that data is not shown. For example, if you select Level 4, the Traffic Details subtab is disabled. While the hostname is reported in the associated field, the URI field does not show any information.

If you change the logging mode of a policy, the new mode affects all future events. It does not modify logged data in existing events.

Important: Use Level 1 logging mode to ensure that detailed data is logged for threat events.

Local breakout for bypass

The Local Breakout for Bypass Domains setting is enabled by default in a policy to ensure that domains configured in ETP for bypass are directed to the origin from the branch or enterprise network. These domains bypass ETP Proxy. For this configuration, your network needs to have a direct route to the Internet. If your network does not have a direct route to the Internet and as a result cannot access these origins, make sure you disable this option. When disabled, the traffic is directed to ETP, and ETP directs it to the origin without scanning it.

Note these conditions with this option:

  • Bypass is supported on TLS and HTTP/1 traffic. The bypass action is not supported on traffic that uses other protocols such as user datagram protocol (UDP), HTTP/2, or Quick UDP Internet Connection (QUIC).

  • If ETP Client is active on client devices, this setting ignores traffic from clients that are off the corporate network.

  • This setting applies to domains that are configured in the policy with the bypass action. It does not apply to internal IP addresses or DNS suffixes that are configured in the ETP Network Configuration.

  • If you disable this setting, make sure the domains that are required for ETP are allowed by your organization's firewall and can access the Internet. For a list of domains, see Configure your firewall.

  • If your enterprise sets up ETP Proxy as a selective proxy only and your organization does not use ETP Client, Security Connector as a DNS Forwarder, or proxy chaining, make sure the Local Breakout for Bypass Domains setting is enabled. If this setting is disabled, domains that are configured for bypass are directed to ETP for resolution and then dropped.

Summary of policy actions

This table describes the behavior of policy actions based on whether the ETP proxy is enabled or disabled. For more detailed information, see Policy actions.

Note: When ETP Proxy is enabled in a policy configuration, an organization needs to set up a TLS MITM certificate. For more information, see Create an ETP Proxy MITM certificate.

Each entry lists the action, the response to user (as set in the policy), the behavior when ETP Proxy is disabled, the behavior when ETP Proxy is enabled, and the impact to reporting.

  • Bypass (Response to user: N/A)

    ETP Proxy is disabled: Request bypasses ETP protection and resolves to the IP address of the origin (destination web server).

    ETP Proxy is enabled: Traffic is not directed to ETP Proxy. Therefore, the request is not decrypted with the TLS MITM certificate. The request is sent directly to the origin. However, if ETP detects that this traffic is risky, it's directed to ETP Proxy for analysis.

    Impact to reporting: No event is logged. Like all network activity, this action is logged on the Network Traffic activity report.

  • Block (Response to user: Refused Response)

    ETP Proxy is disabled: Request is denied and a browser-specific error message appears to end users.

    ETP Proxy is enabled: Request is denied and a browser-specific error message appears to end users. When the proxy is enabled, a refused response is only available for custom lists.

    Impact to reporting: An event is logged in the threat events or access control reports.

  • Block (Response to user: Error Page)

    ETP Proxy is disabled: Request is redirected to a custom error page that indicates website access is prohibited. You can select to redirect traffic to Enterprise Security Connector. For HTTPS requests, users receive a certificate browser error because there is a certificate mismatch.

    ETP Proxy is enabled: Request is redirected to a custom error page. ETP Proxy can intercept and inspect HTTPS requests with a MITM CA TLS certificate to show the corresponding error page. You can select to redirect traffic to Enterprise Security Connector.

    Impact to reporting: An event is logged in the threat events or access control reports.

  • Block (Response to user: Custom Response)

    ETP Proxy is disabled: Request is redirected to the IP address of a custom response.

    ETP Proxy is enabled: If the request matches a domain in a list, the request is redirected to the IP address of a custom response. If the request matches a URL in a list, the request is redirected to a custom error page and is not forwarded to a custom response.

    Impact to reporting: For a DNS request, an event is logged in the threat event or access control reports. For an HTTP or HTTPS request, an event is logged in the threat event or access control report.

  • Block (Response to user: N/A)

    ETP Proxy is disabled: Request is blocked. User is shown a custom error page.

    ETP Proxy is enabled: Requests resolve to the origin unless ETP Proxy is set up as a full web proxy. In this situation, requests and responses are first scanned by ETP Proxy. If a threat is detected, the request is blocked. If the proxy is enabled but it's not set up as a full web proxy, then the request resolves to the origin.

    Impact to reporting: An event is logged in the threat event or access control report.

  • Monitor (Response to user: N/A)

    ETP Proxy is disabled: Request resolves as expected.

    ETP Proxy is enabled: Traffic is directed to the proxy where it's inspected for threats. This occurs regardless of whether the proxy is configured as a full or selective proxy.

    Impact to reporting: An event is logged in reports.

  • Allow (Response to user: N/A)

    ETP Proxy is disabled: Traffic is directed to the origin.

    ETP Proxy is enabled: If the full web proxy is set as the operating mode, this action examines the full URL of a request. Similarly, for a selective proxy, the proxy examines only risky domains and URLs. If a URL is a known threat, a corresponding threat category is assigned. If inline payload analysis is enabled, this action also scans HTTP responses for threats. If a threat is found, this action assigns a corresponding threat category to it. ETP then applies the action assigned to that threat category (for example, malware, phishing, or C&C).

    Impact to reporting: If malicious content is discovered, an event is logged in the threat event or access control report.
