About policies

A policy is a group of settings that define how ​SIA​ handles known or suspected threat events and access control events. You assign a policy to a location or sub-location. A location is a region or geographic area in your network such as a corporate field office. You can assign a different policy to each location or sub-location, or you can assign multiple locations to the same policy. You cannot assign more than one policy to a location or sub-location.

To configure a policy, you need to be an ​SIA​ administrator. If you are a delegated or strict delegated administrator, you can modify the policy you created or the policies that you are allowed to access.

When you configure a policy, you select from one of these policy types:

  • DNS. This option enables DNS protection only.
  • DNS + Proxy. This option enables ​SIA​ proxy, as well as DNS protection.

Based on the policy type, the settings that apply for the specific type are available. For example, if you select DNS + Proxy, the options that apply for the proxy are available for you to configure.

A policy is where you define the policy action and the response to users. You can also select whether alerts about threats are sent. The Threat tab allows you to select an action and response based on a threat category or type, while the Custom Lists tab allows you to set these settings for a custom, top-level domains, exception, and file hash list. In a custom list, you identify known and suspected domains and IP addresses. You can add or remove a list from a policy. For more information on threat categories, see Threat categories. For more information on lists, see About lists.

A policy is also where you configure access control settings, including application visibility and control (AVC) and data loss prevention (DLP). AVC allows you to control access to websites, web applications, and the specific operations that you can perform in a web application. You can design a policy that is based on risk level, categories, category operations, applications, application operations, and more. For more information, see Application visibility and control.

For DLP, you can associate a DLP dictionary to a policy to identify sensitive information that users upload. You can select to block or monitor this data. For more information, see Data loss prevention.

When creating or modifying a policy, an administrator can select a template to help define policy actions for threat categories in the Threat tab. You can use a security template as a starting point to your configuration. For more information, see Security templates.

An enterprise can create a maximum of 100 policies. If your organization requires more policies, contact your ​Akamai​ representative.

Policy settings

In the Settings tab, you configure settings for the proxy, payload analysis, ​ETP Client​, and more.

​SIA​ Proxy

For ​SIA​ Proxy, you can define these settings:

  • Policy Type. When you create a policy, you can select the DNS + Proxy as the Policy Type. The DNS + Proxy policy type enables ​SIA​ Proxy, a proxy that intercepts and inspects HTTP or HTTPS requests. For more information, see About ​SIA​ Proxy.

  • Proxy Authorization. Allows ​SIA​ Proxy to authorize connections from the on-premises proxy. ​SIA​ Proxy extracts the Proxy-Authorization header from the request. This header contains credentials that are used to authenticate the on-premises proxy to ​SIA​ Proxy. You configure proxy credentials both in ​SIA​ and in the on-premises proxy. For more information on proxy authorization, see Configure proxy authorization.

  • Origin ports. You can configure the origin ports or port ranges that you want to open for the full web proxy. By default, ​SIA​ allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.

  • Trust XFF Header. The X-Forwarded-For (XFF) header contains the client IP address. This setting prevents users from anonymizing their IP address or configuring their browser to inject a fake XFF with a fake IP address. You should select this setting option only if the on-premises proxy is configured to add this header and your firewall blocks direct access to outbound port 443 for users who attempt to bypass the proxy.

  • Proxy Logging Mode. Setting where you define the details that are logged in ​SIA​ for HTTP or HTTPS threat events. Different logging levels are available to report data such as the HTTP headers, hostname, URL path, and query string information. For more information, see Proxy logging mode.

  • Bypass Microsoft 365 traffic. Allows you to quickly resolve requests to Microsoft apps and services, such as Microsoft office apps, Outlook, cloud storage, and more. This setting securely retrieves the domains and IP addresses associated with these apps and services from Microsoft to bypass ​SIA​ Proxy scanning. This setting provides optimal routing to these websites. For more information, see Bypass Microsoft 365 traffic.

  • Block incompatible domains. You can block domains that are not compatible with the TLS MITM certificate you generated or uploaded to ​SIA​ for the proxy. For more information, see Allow or block domains incompatible with TLS MITM certificate.

  • Invalid Certificate Response. You can configure how ​SIA​ Proxy handles requests when it cannot verify the website's origin certificates. For more information, see Unverifiable origin certificates.

  • Local Breakout for Bypass Domains. Disable this option if your network does not have a direct route to the Internet and it cannot access domains that are configured in ​SIA​ for bypass. When disabled, ​SIA​ directs these domains to the origin. For more information, see Local breakout for bypass domains.

  • Disable Insecure Ciphers. Disables TLS 1.0, TLS 1.1, and non-Perfect Forward Secrecy (PFS) ciphers in all ​SIA​ Proxy communications with an origin server. If your organization needs to comply with the Payment Card Industry Data Security Standard (PCI DSS), make sure you enable this setting.

Payload Analysis

If ​SIA​ Proxy is enabled and your enterprise is licensed for ​SIA​ Advanced Threat, you can also choose to inspect the payload or content of a website or file sharing service. Multiple antivirus engines are used to scan content and identify threats. This option scans files up to 5 MB in size. For more information, see Inline payload analysis.

This feature also allows ​SIA​ to analyze requested webpages and determine if the page was built with a phishing toolkit. For more information, see Zero-day phishing detection.

When you enable Inline Payload Analysis, these settings are available:

  • Block Unscannable Files. As part of inline payload analysis, you can block files that ​SIA​ Proxy cannot scan such as encrypted or compressed files. By default, this option is disabled.

  • Block Uploads After Timeout. When using data loss protection or file blocking, enable this setting to block uploads that take longer than 15 seconds to scan.

  • Dynamic and static malware analysis. Configure ​SIA​ to scan files that are larger than 5 MB in size. You can configure ​SIA​ to perform static malware analysis offline or after a file that's 5 MB to 2 GB in size is downloaded to the user's browser. Static malware analysis scans content without executing or running it. If you enable dynamic malware analysis, files that are up to 64 MB in size are scanned in a secure sandbox environment. To enable dynamic malware analysis, your organization needs to be licensed for both Advanced Threat and the Advanced Sandbox module. For more information, see Static malware analysis of large files and Dynamic malware analysis.

Browsing Restrictions

These settings are available to restrict search results in browsers and YouTube.

Other Settings

  • Forward Public IP to Origin. This setting forwards the user's public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients.

  • IP Intelligence. Enable IP Intelligence to detect threats based on IP address. If a known or suspicious threat is detected, the threat is handled based on the actions you set in the policy. IP Intelligence is enabled by default in a policy.

  • Authentication Mode. You can require that users authenticate to access a website, web application, and more. For example, with AVC, you can configure authentication to access blocked websites in an AUP or custom list. You can also require that users authenticate to bypass DLP scanning for document or text uploads. If you require authentication or make authentication optional, you need to select an identity provider in the Identity Provider menu. For more information, see Authentication policy.

​SIA​ Client

  • Disable Client. You can disable ​SIA​ Client in the locations that are associated with the policy.

  • Walled Garden Exceptions. You can enable this option to block all traffic when ​SIA​ Client is in an unprotected state. This setting blocks all traffic except for the domains and IP addresses that are configured as walled garden exceptions in the Local Bypass Settings. This setting also makes ​SIA​ Client the device web proxy. As a result, Yes is automatically selected for Overwrite Device Proxy Settings.

  • Avoid Local DNS Resolver. When enabled, ​ETP Client​ queries the local DNS resolver only for domains that are configured on the Local Bypass Settings page. All other traffic is directed to ​SIA​ instead of the local resolver.

📘

Make sure you don’t enable the Avoid Local DNS Resolver setting when the client is on the network. When the client is on the network, local traffic should be directed to the local resolvers.

  • Overwrite Device Proxy Settings. You can select to modify the local web proxy settings on the user's machine and in turn, enable ​ETP Client​ as the local web proxy. You can choose to modify or not modify these settings, or you can only modify these settings when no web proxy is configured on the user's machine. If ​ETP Client​ acts as the local web proxy, it forwards all traffic to ​SIA​ Proxy. If you overwrite device proxy settings, you cannot restore them on the device. For more information, see ​ETP Client​ for web traffic.

  • Support multiple users per device. If this feature is enabled for your organization, you can show a login and logoff button on ​ETP Client​ 4.4.0 or later for Windows. This allows you to support Windows devices that are shared with multiple users.

    For example, you can use ​ETP Client​ on a device that’s set up as a kiosk. After a new user accesses the device, there may be a short period of time where ​ETP Client​ has not yet synchronized with the identity provider to identify the user and grant access. The login and logout buttons allow the previous user to log out and the new user to log in. A user enters Login Portal credentials to access the network resources you’ve permitted through the identity provider and the ​SIA​ policy configuration.

    To enable this feature, contact your ​​Akamai​​ representative.

  • DNS-over-TLS Mode. When enabled, ​ETP Client​ uses DNS over TLS (DoT) to protect DNS traffic it forwards to ​SIA​. You can select from one of these modes:

    • Attempt. Indicates ​ETP Client​ always attempts to use DoT. If DoT is not available, ​ETP Client​ falls back to plain DNS.

    • Required. Indicates that DoT is required. If DoT is not available, DNS traffic is directed from ​ETP Client​ to the local DNS resolver.

    • Disabled. Indicates that DoT is not used to secure DNS traffic from ​ETP Client​.

      For more information on DoT, see Encrypt DNS queries with DoT or DoH.

  • DNS-over-TLS Port. If you enable DoT, you can specify the port that’s used for DoT connections.

📘

To encrypt DNS requests, Mozilla Firefox enables DNS over HTTPS (DoH). However, this feature causes traffic to bypass ​SIA​. To avoid interfering with your network security solutions, Firefox checks to see whether a DNS filtering solution is already in place by requesting the canary domain use-application-dns.net. ​Secure Internet Access Enterprise​ responds with a NXDOMAIN to signal that this feature is not needed in your corporate network. For more information on Firefox and DoH, see this Mozilla knowledge base article.

Threat categories

By default, each policy is configured with threat categories. Threat categories classify domains and IP addresses that ​Akamai​ has confirmed or suspects are malicious or risky. The domains and IP addresses that are included in these categories are updated automatically as new threats are identified. If ​SIA​ determines that a suspected threat for a category is malicious, the threat is added to the list of known threats in that category.

Risky domains are newly registered, discovered, and used for potentially malicious activity.

For known and suspected threats, ​SIA​ includes these threat categories:

  • Malware. Domains and IP addresses used to host malicious software.

  • Phishing. Domains and IP addresses used to host phishing websites that gather user credential information.

  • C&C. Domains and IP addresses used by malicious command-and-control (C&C) servers.

  • DNS Exfiltration. Domains that serve as a communication channel over DNS. This channel may be used to steal sensitive data or circumvent traditional access restrictions by allowing malware to communicate outside the network over the DNS protocol.

For risky domains, ​SIA​ includes these threat categories:

  • Adware. Domains that display malicious content in advertisements.

  • Coin Mining. Domains that are used for mining cryptocurrency.

  • Newly Registered. Domains that were recently registered.

  • Newly Seen. Domains that were recently visited by users.

  • Potentially Harmful. Domains that appear to be harmful to an enterprise network.

  • DNS Tunneling. Domains that are used to hide and transmit malicious data in a DNS tunnel.

The default actions and alert settings that are assigned to these threat categories are recommended. For more information on policy actions, see Policy actions.

When defining policy actions for the DNS exfiltration category, consider this configuration:

  • Assign the monitor policy action to suspected DNS exfiltration threats. The monitor action allows ​SIA​ to analyze suspected domains and subdomains. If ​SIA​ determines that a domain or subdomain is a threat, it's added to the list associated with the known DNS exfiltration category.

  • Configure known DNS exfiltration threats with the block policy action to ensure these known threats are not accessible. By default, the strict policy template assigns this action to known DNS exfiltration threats.

If there are domains and IP addresses that you don't want ​SIA​ to analyze, add them to an exception list. After you add an exception list to a policy, the list is configured with the bypass policy action. For more information, see Exception lists.

Security templates

To implement policy best practices, an administrator can apply a security template to configure policy actions for threat categories.

You can use these templates as a starting point to a policy configuration. After you select one of these preset templates, you can then change any of the applied settings such as policy actions, response to user, and more to define settings that best fit your network and your company's security policy. When you do this, the policy indicates that you are using a custom template.

These templates only apply to the categories in the ​Akamai​ Security tab. They do not configure settings to other areas of the policy, such as custom lists.

You can select from these templates:

  • Strict. Includes strict policy actions to make sure that threats are blocked from your network. This template includes these settings:

    • All known threat categories are assigned the block policy action. Most of these block actions are assigned the Error page response to user.

    • For known and suspected DNS exfiltration threats, a refused response is configured as the response to the user.

    • A monitor action is assigned to suspected malware and phishing threats.

    • Alerts are enabled for C&C and DNS exfiltration categories.

  • Monitor-only. Assigns the monitor action to all known and suspected threat categories. Alerts are enabled for the C&C and DNS exfiltration categories. This template logs and reports threats but it does not block them. The Monitor-only template is ideal for testing or assessing policy impact before using the Strict template.

Policy actions

​SIA​ performs actions on detected or suspected threats based on the policy configuration. As an ​SIA​ administrator, you can select policy actions for a threat category, list, DLP dictionary, and AVC configuration.

When designing your policy, you can select from actions that detect or prevent threats. Some organizations may use a phased approach to first configure the policy to detect threats before assigning the block action. Note:

  • Threat Detection. Occurs when the monitor action is assigned. This threat response does not stop traffic. Security events are detected, reported, and email notifications are sent to recipients as configured by an administrator.

  • Threat Prevention. Occurs when the block action is assigned. This action prevents requests that threaten your network. When the block action is selected, you can select the response to the user. For example, as part of the block action, you can select that users receive a custom error page or you can redirect the user's request to Enterprise Security Connector to identify the infected machine.

For each list, you can further select whether an ​SIA​ alert recipient receives an email alert notification when a security event is reported.

If domains and IP addresses are configured in multiple lists with conflicting actions, ​SIA​ selects the action based on this priority:

  1. Bypass
  2. Block
  3. Monitor
  4. Allow

For more information on policy action conflicts, see Policy conflicts.

Bypass

With this action, requests bypass ​SIA​ Proxy and resolve to the origin IP address. If the proxy is enabled, the request is not decrypted with the TLS MITM certificate. It is sent directly to the destination web server. While no event is logged in a report, bypassed traffic is logged in the DNS Activity report and in the Network Traffic report.

This action is automatically assigned to custom exception lists. It is also an action that’s available for the analysis of large files. You can select this action to ensure payloads bypass ​SIA​ Proxy.

Block

This policy action denies the request. When this action is selected in a policy, the administrator can select the response or the type of block that the user experiences.

These responses are available for a block action:

  • Error Page. User is shown a custom error message based on the threat violation. For more information on error pages, see Customize error pages.

    If Error Page is selected as the threat response, administrators can select to redirect malicious traffic to a security connector that is deployed in the network. A security connector records the internal IP address of the infected machine that made the request. For more information on Security Connector, see Security Connector as a DNS sinkhole.

    This behavior applies to Security Connector version 2.5.0:

    • If the proxy is disabled, the user is shown an error message to indicate that website access is prohibited.

    • If the proxy is enabled, the user is shown the error message that corresponds to the threat type.

    You should assign a security connector to the C&C and malware threat categories because it allows an enterprise to discover the IP address and computer name of an infected machine in the network.

    With this action, a threat event is logged in the threat events report. If Security Connector is enabled, a security connector event is also logged.

  • Custom Response. Request is redirected to the IP address of the custom response. However, if the proxy is enabled and the request matches a URL in a request, the request is redirected to a custom error page instead.

    For DNS and HTTP or HTTPS events, events are logged in the Threat Events report.

  • Refused Response. User is shown a browser-specific error message. If ​SIA​ Proxy is enabled, a refused response is available to assign to custom lists only.

Monitor

Administrators can assign the monitor action to a threat category, list, and access control feature. This action is also available when configuring risk, categories, operations, and applications for an AVC configuration. For more information about DLP or AVC, see Data loss prevention and Application visibility and control.

With this policy action, requests generally resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in ​SIA​.

If ​SIA​ Proxy is enabled as a selective or full web proxy, traffic is forwarded to ​SIA​ Proxy where it's scanned by multiple anti-malware engines. In this situation, if a threat is detected, then the user is unable to access the URL or website they requested.

📘

Select the Monitor action for lists in the default policy. The default policy is associated with the Unidentified IPs location, a location open to the Internet. If you select another action, a malicious user may suspect that your organization blocks specific domains.

Allow

Depending on whether the proxy is enabled, the following applies:

  • If the proxy is enabled, this action directs traffic to ​SIA​ Proxy for analysis.
  • If the proxy is disabled, this action resolves requests to the origin.

The proxy examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL. When inline payload analysis is enabled, this action sends traffic to the destination web server and the downloaded response is scanned for malware and other threats. If a threat is detected, ​SIA​ applies the action according to the malware, phishing, or C&C threat type.

This action is available for the Risky threat categories, block lists, and for application visibility and control settings.

Policy conflicts

Policy conflicts may occur if multiple lists are assigned to a policy and those lists contain matching or overlapping domain names, IP addresses, or URLs. When conflicts exist, ​SIA​ uses this logic to determine the policy action:

Based on List Type

All lists that are created by administrators (block and exceptions lists) are prioritized over other lists in ​SIA​. This means that the action associated to domains or URLs in custom block list or exception list prevail over the action associated to the same domain or URL in any of these lists:

  • ​Akamai​ Security lists. This includes the domains, IP addresses, and URLs associated with ​Akamai​ threat categories, such as malware, phishing, command & control, and more.

  • Microsoft 365. Domains and IP addresses associated with Microsoft apps and services, such as Microsoft office apps, Outlook, cloud storage, and more.

  • Acceptable use policy and AVC. Domains, IP addresses, and URLs for websites and applications. These websites and applications correspond to the AUP and AVC configuration in a policy.

Based on Longest Domain/URL Match

If the same domain is specified in multiple custom lists or ​SIA​ lists using different suffix lengths, ​SIA​ enforces the policy action assigned to the longest matching address.

📘

If the same domain or URL is found in a custom block or exception list and in an ​SIA​ list, the policy action of the custom list takes priority.

For example, if these lists are assigned to the same policy and a user goes to foo.bar.com, the Monitor action prevails, because it satisfies the longest matching address.

  • List 1 is set to Block bar.com.

  • List 2 is set to Monitor foo.bar.com.

Based on Priority of Action

If the same domains, IP addresses, and URLs are configured in multiple custom lists or in multiple ​Akamai​ lists with conflicting actions, ​SIA​ selects the action based on this priority:

  1. Bypass
  2. Block
  3. Monitor
  4. Allow

For example, if these lists are assigned to the same policy and a user goes to bar.com, the Bypass action prevails, because it has higher priority.

  • List 1 is set to Block bar.com.

  • List 2 is set to Bypass bar.com.

SafeSearch and YouTube restricted mode

An ​SIA​ administrator can enable SafeSearch in a policy to block and prohibit adult or explicit content from search results that are completed with Google and Bing search engines. When end users in locations assigned to this policy complete searches with Google or Bing, this feature creates a canonical name (CNAME) record.

These conditions apply:

  • For www.google.com, ​SIA​ creates a CNAME to forcesafesearch.google.com.

  • For www.bing.com, ​SIA​ creates a CNAME to strict.bing.com.

This means end users are routed to forcesafesearch.google.com and strict.bing.com when performing searches with these search engines.

Similarly, in a policy configuration, you can also enable YouTube restricted mode. This feature prevents users from accessing video content that contains mature content, language, situations, and more. You can select from these modes:

  • Strict. Provides access to a limited collection of video content. This is the most restricted mode.

  • Moderate. Provides some restricted access but is less strict than Strict mode. Moderate mode allows users to access a larger collection of video content.

  • Unrestricted. Provides access to all YouTube content. This option is selected by default.

​SIA​ creates a CNAME for these hostnames:

  • www.youtube.com

  • m.youtube.com

  • youtubei.googleapis.com

  • youtube.googleapis.com

  • www.youtube-nocookie.com

For Strict YouTube Restricted mode, these domains are a CNAME for restrict.youtube.com. For Moderate YouTube Restricted mode, these domains are a CNAME for restrictmoderate.youtube.com.

Proxy logging mode

In a policy configuration, you define the details that are logged in ​SIA​ for HTTP or HTTPS threat events. Different logging levels are available to report data such as the HTTP headers, hostname, URL path, and query string information.

📘

The Proxy Logging Mode setting is available in a policy only when you enable ​SIA​ Proxy.

To make sure that your enterprise can investigate security incidents and determine why traffic is blocked, do not change the default logging mode. Level 1 provides details that are best for troubleshooting and investigating events.

You can select from these levels:

Logging ModeDescription
Level 1 (Recommended)Logs the HTTP headers in the request and response as well as the hostname, path, and query string in the URL.
Level 2Logs the hostname, path, and query string in the URL.
Level 3Logs the hostname and path in the URL.
Level 4Logs the hostname.

By default, Level 1 is selected. This data is reported in the Threat Events report.

Clicking to view more information about an event opens the Event Details window where you can view general and specific traffic information. The Traffic General subtab contains the hostname and path of a URL, while the Traffic Details subtab contains the query string, request and response information. If you select a logging method that does not record some of this information, this data is not shown. For example, if you select level 4, the Traffic Details subtab is disabled. While the hostname is reported in the associated field, the URI field does not show any information.

If you change the logging mode of a policy, the new mode affects all future events. It does not modify logged data in existing events.

🚧

Use Level 1 logging mode to ensure that detailed data is logged for threat events.

Local breakout for bypass

The Local Breakout for Bypass Domains setting is enabled by default in a policy to ensure that domains configured in ​SIA​ for bypass are directed to the origin from the branch or enterprise network. These domains bypass ​SIA​ Proxy. For this configuration, your network need to have a direct route to the Internet. If your network does not have a direct route to the Internet and as a result, it cannot access these origins, make sure you disable this option. When disabled, the traffic is directed to ​SIA​. ​SIA​ directs this traffic to the origin without scanning it.

Note these conditions with this option:

  • Bypass is supported on TLS and HTTP/1 traffic. The bypass action is not supported on traffic that uses other protocols such as user datagram protocol (UDP), HTTP/2, or Quick UDP Internet Connection (QUIC).

  • If ​ETP Client​ is active on client devices, this setting ignores traffic from clients that are off the corporate network.

  • This setting applies to domains that are configured in the policy with the bypass action. It does not apply to internal IP addresses or DNS suffixes that are configured in the Local Bypass Settings.

  • If you disable this setting, make sure the domains that are required for ​SIA​ are allowed by your organization's firewall and can access the Internet. For a list of domains, see Configure your firewall.

  • If your enterprise sets up ​SIA​ Proxy as a selective proxy only and your organization does not use ​ETP Client​, Security Connector as a DNS Forwarder, or proxy chaining, make sure the Local Breakout for Bypass Domains setting is enabled. If this setting is disabled, domains that are configured for bypass are directed to ​SIA​ for resolution and then dropped.

Summary of policy actions

This table describes the behavior of policy actions based on whether the ​SIA​ proxy is enabled or disabled. For more detailed information, see Policy actions.

📘

When ​SIA​ Proxy is enabled in a policy configuration, an organization need to set up a TLS MITM certificate. For more information, see Create an ​SIA​ Proxy MITM certificate.

ActionResponse to user (set in Policy)​SIA​ Proxy is disabled​SIA​ Proxy is enabledImpact to reporting
BypassN/ARequest bypasses ​SIA​ protection and resolves to the IP address of the origin (destination web server).Traffic is not directed to ​SIA​ Proxy. Therefore, the request is not decrypted with the TLS MITM certificate. The request is sent directly to the origin.

However, if ​SIA​ detects that this traffic is risky, it's directed to ​SIA​ Proxy for analysis.
No event is logged.

Like all network activity, this action is logged on the Network Traffic activity report.
BlockRefused ResponseRequest is denied and a browser-specific error message appears to end users.Request is denied and a browser-specific error message appears to end users.

When the proxy is enabled, a refused response is only available for custom lists.
An event is logged in the threat events or access control reports.
BlockError PageRequest is redirected to a custom error page that indicates website access is prohibited.

You can select to redirect traffic to Enterprise Security Connector.

For HTTPS requests, users receive a certificate browser error because there is a certificate mismatch.
Request is redirected to a custom error page. ​SIA​ Proxy can intercept and inspect HTTPS requests with a MITM CA TLS certificate to show the corresponding error page.

You can select to redirect traffic to Enterprise Security Connector.
An event is logged in the threat events or access control reports.
BlockCustom ResponseRequest is redirected to the IP address of a custom response.If the request matches a domain in a list, the request is redirected to the IP address of a custom response.

If the request matches a URL in a list, the request is redirected to a custom error page and is not forwarded to a custom response.
For a DNS request, an event is logged in the threat event or access control reports.

For an HTTP or HTTPS request, an event is logged in the threat event or access control report.
BlockN/ARequest is blocked. User is shown a custom error page.Requests resolve to the origin unless ​SIA​ Proxy is set up as a full web proxy. In this situation, requests and responses are first scanned by ​SIA​ Proxy. If a threat is detected, the request is blocked.

If the proxy is enabled, but it’s not set up as a full web proxy, then the request resolves to the origin.
An event is logged in the threat event or access control report.
MonitorN/ARequest resolves as expected.Traffic is directed to the proxy where it’s inspected for threats. This occurs regardless if the proxy is configured as a full or selective proxy.An event is logged in reports.
AllowN/ATraffic is directed to the origin.If the full web proxy is set as the operating mode, this action examines the full URL of a request. Similarly, for a selective proxy, the proxy examines only risky domains and URLs. If a URL is a known threat, a corresponding threat category is assigned.

If inline payload analysis is enabled, this action also scans HTTP responses for threats. If a threat is found, this action assigns a corresponding threat category to it.

​SIA​ then applies the action assigned to that threat category (for example, malware, phishing, or C&C).
If malicious content is discovered, an event is logged in the threat event or access control report.