A policy is a group of settings that define how SIA handles known or suspected threat events and access control events. You assign a policy to a location or sub-location. A location is a region or geographic area in your network such as a corporate field office. You can assign a different policy to each location or sub-location, or you can assign multiple locations to the same policy. If your organization has deployed the Zero Trust Client or ETP Client, you can also assign a policy that’s applied to client traffic only.
You cannot assign more than one policy to a location or sub-location.
To configure a policy, you need to be an SIA administrator. If you are a delegated or strict delegated administrator, you can modify the policy you created or the policies that you are allowed to access.
When you configure a policy, you select from one of these policy types:
- DNS. This option enables DNS protection only.
- DNS + Proxy. This option enables SIA proxy, as well as DNS protection.
Based on the policy type, the settings that apply for the specific type are available. For example, if you select DNS + Proxy, the options that apply for the proxy are available for you to configure.
A policy is where you define the policy action and the response to users. You can also select whether alerts about threats are sent. The Threat tab allows you to select an action and response based on a threat category or type, while the Custom Lists tab allows you to set these settings for a list that you configure. You can add or remove a list from a policy. For more information on threat categories, see Threat categories. For more information on lists, see About lists.
A policy is also where you configure access control settings, including application visibility and control (AVC) and data loss prevention (DLP). AVC allows you to control access to websites, web applications, and the specific operations that you can perform in a web application. You can design a policy that is based on risk level, categories, category operations, applications, application operations, and more. For more information, see Application visibility and control.
For DLP, you can associate a DLP dictionary to a policy to identify sensitive information that users upload. You can select to block or monitor this data. For more information, see Data loss prevention.
When creating or modifying a policy, an administrator can select a template to help define policy actions for threat categories in the Threat tab. You can use a security template as a starting point to your configuration. For more information, see Security templates.
An enterprise can create a maximum of 100 policies. If your organization requires more policies, contact your Akamai representative.
In the Settings tab, you configure settings for the proxy, payload analysis, ETP Client, and more.
For SIA Proxy, you can define these settings:
Policy Type. When you create a policy, you can select DNS + Proxy as the Policy Type. The DNS + Proxy policy type enables SIA Proxy, a proxy that intercepts and inspects HTTP or HTTPS requests. For more information, see About SIA Proxy.
Proxy Authorization. Allows SIA Proxy to authorize connections from the on-premises proxy. SIA Proxy extracts the Proxy-Authorization header from the request. This header contains credentials that are used to authenticate the on-premises proxy to SIA Proxy. You configure proxy credentials both in SIA and in the on-premises proxy. For more information on proxy authorization, see Configure proxy authorization.
Origin ports. You can configure the origin ports or port ranges that you want to open for the full web proxy. By default, SIA allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
Trust XFF Header. The X-Forwarded-For (XFF) header contains the client IP address. This setting prevents users from anonymizing their IP address or configuring their browser to inject a fake XFF header with a fake IP address. Select this option only if the on-premises proxy is configured to add this header and your firewall blocks direct access to outbound port 443 for users who attempt to bypass the proxy.
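As an added illustration of the trust decision this setting makes (example code written for this page, not part of SIA or any Akamai software), the Python below honours the X-Forwarded-For value only when the connection arrives from the on-premises proxy's address range, and then takes only the rightmost entry, which is the one that proxy appended. The 10.0.0.0/24 proxy range and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumed address range of the on-premises proxy (constructed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def effective_client_ip(peer_ip, xff_header, trust_xff, trusted_proxies=TRUSTED_PROXIES):
    """Decide which address to attribute the request to.

    The header is honoured only when the Trust XFF setting is on AND the TCP peer
    is the on-premises proxy. That proxy appends the address it saw as the
    rightmost entry, so only that entry is used; anything to its left could have
    been written by the user's browser.
    """
    peer = ipaddress.ip_address(peer_ip)
    peer_is_proxy = any(peer in net for net in trusted_proxies)
    if not trust_xff or not peer_is_proxy or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return str(peer)  # malformed header: fall back to the address we can verify


def attribute_requests(requests, trust_xff):
    """Run a batch of requests through the decision; returns (host, client_ip) pairs."""
    return [(r["host"], effective_client_ip(r["peer"], r.get("xff"), trust_xff))
            for r in requests]


# Constructed sample traffic (not real logs).
SAMPLE_REQUESTS = [
    # Normal path: browser -> on-prem proxy (10.0.0.5) -> SIA Proxy; proxy appended 192.168.7.21.
    {"host": "intranet.example", "peer": "10.0.0.5", "xff": "192.168.7.21"},
    # Browser injected a fake entry before the proxy appended the real one: rightmost wins.
    {"host": "news.example", "peer": "10.0.0.5", "xff": "203.0.113.99, 192.168.7.21"},
    # Direct connection that bypassed the proxy, carrying a forged header: header ignored.
    {"host": "news.example", "peer": "198.51.100.23", "xff": "192.168.7.21"},
]

if __name__ == "__main__":
    for host, ip in attribute_requests(SAMPLE_REQUESTS, trust_xff=True):
        print(f"{host:20} client={ip}")
```

The third sample request shows why the page pairs this setting with a firewall rule on outbound port 443: a user who reaches the proxy directly can set any header they like, so the header is only meaningful when the proxy is the only way out.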
Proxy Logging Mode. Defines the details that are logged in SIA for HTTP or HTTPS threat events. Different logging levels are available to report data such as the HTTP headers, hostname, URL path, and query string information. For more information, see Proxy logging mode.
Bypass Microsoft 365 traffic. Allows you to quickly resolve requests to Microsoft apps and services, such as Microsoft Office apps, Outlook, cloud storage, and more. This setting securely retrieves the domains and IP addresses associated with these apps and services from Microsoft to bypass SIA Proxy scanning. This setting provides optimal routing to these websites. For more information, see Bypass Microsoft 365 traffic.
Block incompatible domains. You can block domains that are not compatible with the TLS MITM certificate you generated or uploaded to SIA for the proxy. For more information, see Allow or block domains incompatible with TLS MITM certificate.
Invalid Certificate Response. You can configure how SIA Proxy handles requests when it cannot verify the website's origin certificates. For more information, see Unverifiable origin certificates.
Local Breakout for Bypass Domains. Disable this option if your network does not have a direct route to the Internet and it cannot access domains that are configured in SIA for bypass. When disabled, SIA directs these domains to the origin. For more information, see Local breakout for bypass domains.
Disable Insecure Ciphers. Disables TLS 1.0, TLS 1.1, and non-Perfect Forward Secrecy (PFS) ciphers in all SIA Proxy communications with an origin server. If your organization needs to comply with the Payment Card Industry Data Security Standard (PCI DSS), make sure you enable this setting.
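To show what this setting enforces on a proxy-to-origin TLS client, here is an added Python example (written for this page, not Akamai's implementation): a context that refuses TLS 1.0 and 1.1 and offers only ECDHE and DHE suites, plus an audit helper that flags suites using static RSA or PSK key exchange, which provide no forward secrecy. The cipher string and the kx- names are OpenSSL's own naming as reported by SSLContext.get_ciphers(); the constructed suite list at the end exists only to exercise the audit offline.

```python
import ssl

# Key-exchange identifiers (as reported by SSLContext.get_ciphers()) that give no
# forward secrecy: the session key can be recovered later if the server's long-term
# private key leaks.
NON_PFS_KEX = {"kx-rsa", "kx-psk", "kx-rsa-psk"}


def hardened_origin_context():
    """Client-side context for proxy -> origin connections: TLS 1.2+, PFS suites only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects TLS 1.0 and TLS 1.1
    # Only ephemeral (EC)DH key exchange with AEAD ciphers. TLS 1.3 suites are
    # governed separately by OpenSSL and are all forward-secret.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def insecure_suites(cipher_dicts):
    """Names of suites in a get_ciphers()-style list that lack forward secrecy."""
    return [c["name"] for c in cipher_dicts if c.get("kea") in NON_PFS_KEX]


def audit_origin_context(ctx):
    """Report the two things the setting is about: pre-1.2 protocols and non-PFS suites."""
    return {
        "allows_pre_tls12": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
        "non_pfs_suites": insecure_suites(ctx.get_ciphers()),
    }


# Constructed suite descriptions (shape of get_ciphers() output) for an offline check.
CONSTRUCTED_SUITES = [
    {"name": "AES128-GCM-SHA256", "kea": "kx-rsa", "protocol": "TLSv1.2"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe", "protocol": "TLSv1.2"},
    {"name": "TLS_AES_256_GCM_SHA384", "kea": "kx-any", "protocol": "TLSv1.3"},
]

if __name__ == "__main__":
    print(audit_origin_context(hardened_origin_context()))
    print("constructed list flags:", insecure_suites(CONSTRUCTED_SUITES))
```

Note that a suite such as ECDHE-RSA-AES128-GCM-SHA256 is forward-secret even though RSA appears in its name: RSA is used only to sign the ephemeral key exchange, which is why the audit keys on the key-exchange field rather than the suite name.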
If SIA Proxy is enabled and your enterprise is licensed for SIA Advanced Threat, you can also choose to inspect the payload or content of a website or file sharing service. Multiple antivirus engines are used to scan content and identify threats. This option scans files up to 5 MB in size. For more information, see Inline payload analysis.
This feature also allows SIA to analyze requested webpages and determine if the page was built with a phishing toolkit. For more information, see Zero-day phishing detection.
When you enable Inline Payload Analysis, these settings are available:
Block Unscannable Files. As part of inline payload analysis, you can block files that SIA Proxy cannot scan such as encrypted or compressed files. By default, this option is disabled.
Block Uploads After Timeout. When using data loss prevention or file blocking, enable this setting to block uploads that take longer than 15 seconds to scan.
Dynamic and static malware analysis. Configure SIA to scan files that are larger than 5 MB in size. You can configure SIA to perform static malware analysis offline or after a file that's 5 MB to 2 GB in size is downloaded to the user's browser. Static malware analysis scans content without executing or running it. If you enable dynamic malware analysis, files that are up to 64 MB in size are scanned in a secure sandbox environment. To enable dynamic malware analysis, your organization needs to be licensed for both Advanced Threat and the Advanced Sandbox module. For more information, see Static malware analysis of large files and Dynamic malware analysis.
These settings are available to restrict search results in browsers and YouTube.
SafeSearch. SafeSearch allows you to block or prohibit adult and explicit content from Google and Bing search results. For more information, see SafeSearch and YouTube Restricted Mode.
YouTube Restricted Mode. You can restrict access to YouTube video content. For more information, see SafeSearch and YouTube Restricted Mode.
Forward Public IP to Origin. This setting forwards the user's public IP address to authoritative DNS servers and web servers so that they can identify the geolocation of the client.
IP Intelligence. Enable IP Intelligence to detect threats based on IP address. If a known or suspicious threat is detected, the threat is handled based on the actions you set in the policy. IP Intelligence is enabled by default in a policy.
Authentication Mode. You can require that users authenticate to access a website, web application, and more. For example, with AVC, you can configure authentication to access blocked websites in an AUP or custom list. You can also require that users authenticate to bypass DLP scanning for document or text uploads. If you require authentication or make authentication optional, you need to select an identity provider in the Identity Provider menu. For more information, see Authentication policy.
Disable Client. You can disable ETP Client in the locations that are associated with the policy.
Walled Garden Exceptions. You can enable this option to block all traffic when ETP Client is in an unprotected state. This setting blocks all traffic except for the domains and IP addresses that are configured as walled garden exceptions in the Local Bypass Settings. This setting also makes ETP Client the device web proxy. As a result, Yes is automatically selected for Overwrite Device Proxy Settings.
Avoid Local DNS Resolver. When enabled, ETP Client queries the local DNS resolver only for domains that are configured on the Local Bypass Settings page. All other traffic is directed to SIA instead of the local resolver.
Make sure you don’t enable the Avoid Local DNS Resolver setting when the client is on the network. When the client is on the network, local traffic should be directed to the local resolvers.
Overwrite Device Proxy Settings. You can select to modify the local web proxy settings on the user's machine and in turn, enable ETP Client as the local web proxy. You can choose to modify or not modify these settings, or you can only modify these settings when no web proxy is configured on the user's machine. If ETP Client acts as the local web proxy, it forwards all traffic to SIA Proxy. If you overwrite device proxy settings, you cannot restore them on the device. For more information, see ETP Client for web traffic.
Support multiple users per device. If this feature is enabled for your organization, you can show a login and logoff button on ETP Client 4.4.0 or later for Windows. This allows you to support Windows devices that are shared with multiple users.
For example, you can use ETP Client on a device that’s set up as a kiosk. After a new user accesses the device, there may be a short period of time where ETP Client has not yet synchronized with the identity provider to identify the user and grant access. The login and logout buttons allow the previous user to log out and the new user to log in. A user enters Login Portal credentials to access the network resources you’ve permitted through the identity provider and the SIA policy configuration.
To enable this feature, contact your Akamai representative.
DNS-over-TLS Mode. When enabled, ETP Client uses DNS over TLS (DoT) to protect DNS traffic it forwards to SIA. You can select from one of these modes:
Attempt. Indicates ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS.
Required. Indicates that DoT is required. If DoT is not available, DNS traffic is directed from ETP Client to the local DNS resolver.
Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.
For more information on DoT, see Encrypt DNS queries with DoT or DoH.
DNS-over-TLS Port. If you enable DoT, you can specify the port that’s used for DoT connections.
To encrypt DNS requests, Mozilla Firefox enables DNS over HTTPS (DoH). However, this feature causes traffic to bypass SIA. To avoid interfering with your network security solutions, Firefox checks whether a DNS filtering solution is already in place by requesting the canary domain use-application-dns.net. Secure Internet Access Enterprise responds with an NXDOMAIN to signal that this feature is not needed in your corporate network. For more information on Firefox and DoH, see this Mozilla knowledge base article.
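To verify that the resolver path your clients use actually behaves this way, here is an added Python check (written for this page, not part of SIA): it builds the canary query in DNS wire format, reads the RCODE of the reply, and reports whether the reply is NXDOMAIN. The fake_response helper and the default 127.0.0.1 resolver are constructed assumptions so the logic can be exercised offline.

```python
import socket
import struct

CANARY_DOMAIN = "use-application-dns.net"  # Firefox's DoH canary, as described above
RCODE_NXDOMAIN = 3                         # RFC 1035 "name error"


def build_query(name, txn_id=0x2A2A):
    """Minimal DNS A query in wire format (RFC 1035 header + question), recursion desired."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(message):
    """Return (txn_id, is_response, rcode) from the 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txn_id, flags = struct.unpack("!HH", message[:4])
    return txn_id, bool(flags & 0x8000), flags & 0x000F


def canary_is_honored(query, response):
    """True when the reply to our query is NXDOMAIN, which tells Firefox to leave DoH
    off and keep DNS on the enterprise resolver path."""
    sent_id, _ = struct.unpack("!HH", query[:4])
    txn_id, is_response, rcode = parse_header(response)
    return is_response and txn_id == sent_id and rcode == RCODE_NXDOMAIN


def fake_response(query, rcode):
    """Constructed reply for offline use: echoes the question, sets QR/RD/RA and RCODE."""
    txn_id, _flags, qdcount, *_rest = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, qdcount, 0, 0, 0) + query[12:]


def check_resolver(resolver_ip, port=53, timeout=2.0):
    """Ask a live resolver over UDP and report whether it answers the canary with NXDOMAIN."""
    query = build_query(CANARY_DOMAIN)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, port))
        response, _ = sock.recvfrom(512)
    return canary_is_honored(query, response)


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed local resolver
    print(f"{resolver} returns NXDOMAIN for {CANARY_DOMAIN}:", check_resolver(resolver))
```

Run it from a client that points at the SIA-protected resolver; a reply with RCODE 0 (NOERROR) means Firefox on that network will consider DoH acceptable and its DNS traffic will leave the protected path.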
By default, each policy is configured with threat categories. Threat categories classify domains and IP addresses that Akamai has confirmed or suspects are malicious or risky. The domains and IP addresses that are included in these categories are updated automatically as new threats are identified. If SIA determines that a suspected threat for a category is malicious, the threat is added to the list of known threats in that category.
Risky domains are domains that are newly registered, newly seen, or used for potentially malicious activity.
For known and suspected threats, SIA includes these threat categories:
Malware. Domains and IP addresses used to host malicious software.
Phishing. Domains and IP addresses used to host phishing websites that gather user credential information.
C&C. Domains and IP addresses used by malicious command-and-control (C&C) servers.
DNS Exfiltration. Domains that serve as a communication channel over DNS. This channel may be used to steal sensitive data or circumvent traditional access restrictions by allowing malware to communicate outside the network over the DNS protocol.
For risky domains, SIA includes these threat categories:
Adware. Domains that display malicious content in advertisements.
Coin Mining. Domains that are used for mining cryptocurrency.
Newly Registered. Domains that were recently registered.
Newly Seen. Domains that were recently visited by users.
Potentially Harmful. Domains that appear to be harmful to an enterprise network.
DNS Tunneling. Domains that are used to hide and transmit malicious data in a DNS tunnel.
The default actions and alert settings that are assigned to these threat categories are recommended. For more information on policy actions, see Policy actions.
When defining policy actions for the DNS exfiltration category, consider this configuration:
Assign the monitor policy action to suspected DNS exfiltration threats. The monitor action allows SIA to analyze suspected domains and subdomains. If SIA determines that a domain or subdomain is a threat, it's added to the list associated with the known DNS exfiltration category.
Configure known DNS exfiltration threats with the block policy action to ensure these known threats are not accessible. By default, the strict policy template assigns this action to known DNS exfiltration threats.
If there are domains and IP addresses that you don't want SIA to analyze, add them to an exception list. After you add an exception list to a policy, the list is configured with the bypass policy action. For more information, see Exception lists.
To implement policy best practices, an administrator can apply a security template to configure policy actions for threat categories.
You can use these templates as a starting point to a policy configuration. After you select one of these preset templates, you can then change any of the applied settings such as policy actions, response to user, and more to define settings that best fit your network and your company's security policy. When you do this, the policy indicates that you are using a custom template.
These templates only apply to the categories in the Akamai Security tab. They do not configure settings to other areas of the policy, such as custom lists.
You can select from these templates:
Strict. Includes strict policy actions to make sure that threats are blocked from your network. This template includes these settings:
All known threat categories are assigned the block policy action. Most of these block actions are assigned the Error page response to user.
For known and suspected DNS exfiltration threats, a refused response is configured as the response to the user.
A monitor action is assigned to suspected malware and phishing threats.
Alerts are enabled for C&C and DNS exfiltration categories.
Monitor-only. Assigns the monitor action to all known and suspected threat categories. Alerts are enabled for the C&C and DNS exfiltration categories. This template logs and reports threats but it does not block them. The Monitor-only template is ideal for testing or assessing policy impact before using the Strict template.
SIA performs actions on detected or suspected threats based on the policy configuration. As an SIA administrator, you can select policy actions for a threat category, list, DLP dictionary, and AVC configuration.
When designing your policy, you can select from actions that detect or prevent threats. Some organizations use a phased approach: they first configure the policy to detect threats before assigning the block action. Note the following:
Threat Detection. Occurs when the monitor action is assigned. This threat response does not stop traffic. Security events are detected, reported, and email notifications are sent to recipients as configured by an administrator.
Threat Prevention. Occurs when the block action is assigned. This action prevents requests that threaten your network. When the block action is selected, you can select the response to the user. For example, as part of the block action, you can select that users receive a custom error page or you can redirect the user's request to Enterprise Security Connector to identify the infected machine.
For each list, you can further select whether an SIA alert recipient receives an email alert notification when a security event is reported.
If domains and IP addresses are configured in multiple lists with conflicting actions, SIA selects the action based on this priority:
For more information on policy action conflicts, see Policy conflicts.
With the Bypass action, requests bypass SIA Proxy and resolve to the origin IP address. If the proxy is enabled, the request is not decrypted with the TLS MITM certificate. It is sent directly to the destination web server. No threat event is logged in a report; bypassed traffic appears only in the DNS Activity report and in the Network Traffic report.
This action is automatically assigned to custom exception lists. It is also an action that’s available for the analysis of large files. You can select this action to ensure payloads bypass SIA Proxy.
The Block policy action denies the request. When this action is selected in a policy, the administrator can select the response or the type of block that the user experiences.
These responses are available for a block action:
Error Page. User is shown a custom error message based on the threat violation. For more information on error pages, see Customize error pages.
If Error Page is selected as the threat response, administrators can select to redirect malicious traffic to a security connector that is deployed in the network. A security connector records the internal IP address of the infected machine that made the request. For more information on Security Connector, see Security Connector as a DNS sinkhole.
This behavior applies to Security Connector version 2.5.0:
If the proxy is disabled, the user is shown an error message to indicate that website access is prohibited.
If the proxy is enabled, the user is shown the error message that corresponds to the threat type.
You should assign a security connector to the C&C and malware threat categories because it allows an enterprise to discover the IP address and computer name of an infected machine in the network.
With this action, a threat event is logged in the threat events report. If Security Connector is enabled, a security connector event is also logged.
Custom Response. Request is redirected to the IP address of the custom response. However, if the proxy is enabled and the request matches a URL in a list, the request is redirected to a custom error page instead.
For DNS and HTTP or HTTPS events, events are logged in the Threat Events report.
Refused Response. User is shown a browser-specific error message. If SIA Proxy is enabled, a refused response is available to assign to custom lists only.
Administrators can assign the monitor action to a threat category, list, and access control feature. This action is also available when configuring risk, categories, operations, and applications for an AVC configuration. For more information about DLP or AVC, see Data loss prevention and Application visibility and control.
With this policy action, requests generally resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in SIA.
If SIA Proxy is enabled as a selective or full web proxy, traffic is forwarded to SIA Proxy where it's scanned by multiple anti-malware engines. In this situation, if a threat is detected, then the user is unable to access the URL or website they requested.
Select the Monitor action for lists in the default policy. By default, the default policy is associated with unidentified IP addresses. If you select another action, a malicious user may suspect that your organization blocks specific domains.
For the Allow action, the following applies depending on whether the proxy is enabled:
- If the proxy is enabled, this action directs traffic to SIA Proxy for analysis.
- If the proxy is disabled, this action resolves requests to the origin.
The proxy examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL. When inline payload analysis is enabled, this action sends traffic to the destination web server and the downloaded response is scanned for malware and other threats. If a threat is detected, SIA applies the action according to the malware, phishing, or C&C threat type.
This action is available for the Risky threat categories, block lists, and for application visibility and control settings.
Policy conflicts may occur if multiple lists are assigned to a policy and those lists contain matching or overlapping domain names, IP addresses, or URLs. When conflicts exist, SIA uses this logic to determine the policy action:
All lists that are created by administrators (block and exception lists) are prioritized over other lists in SIA. This means that the action associated with domains or URLs in a custom block list or exception list prevails over the action associated with the same domain or URL in any of these lists:
Akamai Security lists. This includes the domains, IP addresses, and URLs associated with Akamai threat categories, such as malware, phishing, command & control, and more.
Microsoft 365. Domains and IP addresses associated with Microsoft apps and services, such as Microsoft Office apps, Outlook, cloud storage, and more.
Acceptable use policy and AVC. Domains, IP addresses, and URLs for websites and applications. These websites and applications correspond to the AUP and AVC configuration in a policy.
If the same domain is specified in multiple custom lists or SIA lists using different suffix lengths, SIA enforces the policy action assigned to the longest matching address.
If the same domain or URL is found in a custom block or exception list and in an SIA list, the policy action of the custom list takes priority.
For example, if these lists are assigned to the same policy:
- List 1 is set to Block bar.com.
- List 2 is set to Monitor foo.bar.com.
When a user goes to foo.bar.com, the Monitor action prevails, because foo.bar.com is the longest matching address.
If the same domains, IP addresses, and URLs are configured in multiple custom lists or in multiple Akamai lists with conflicting actions, SIA selects the action based on this priority:
For example, if these lists are assigned to the same policy:
- List 1 is set to Block bar.com.
- List 2 is set to Bypass bar.com.
When a user goes to bar.com, the Bypass action prevails, because it has higher priority.
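The conflict rules above, turned into a small resolver so the two examples can be checked mechanically. This is an added example written for this page, not Akamai's matching engine: it applies longest matching address first, then administrator-created lists over SIA lists on the same address, then an action priority order. The page establishes only that Bypass outranks Block; the positions of Monitor and Allow in ACTION_PRIORITY, the order in which the three tie-breakers are applied, and the Microsoft 365 versus custom block list case are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ListEntry:
    list_name: str
    domain: str   # matched as the host itself or as a dot-bounded suffix of it
    action: str   # "Bypass", "Block", "Monitor" or "Allow"
    custom: bool  # True for administrator-created block/exception lists, False for SIA lists


# Used when the same address carries conflicting actions. Only Bypass > Block is stated
# on the page; the placement of Monitor and Allow is an assumption of this example.
ACTION_PRIORITY = ("Bypass", "Block", "Monitor", "Allow")


def matches(entry_domain, host):
    """Suffix match on label boundaries: bar.com matches foo.bar.com but not foobar.com."""
    host = host.lower().rstrip(".")
    entry_domain = entry_domain.lower().rstrip(".")
    return host == entry_domain or host.endswith("." + entry_domain)


def resolve_action(host, entries):
    """Return the winning ListEntry for host, or None when no list matches."""
    candidates = [e for e in entries if matches(e.domain, host)]
    if not candidates:
        return None
    # 1. The longest matching address wins (foo.bar.com beats bar.com).
    longest = max(len(e.domain) for e in candidates)
    candidates = [e for e in candidates if len(e.domain) == longest]
    # 2. On the same address, administrator-created lists beat SIA lists.
    if any(e.custom for e in candidates):
        candidates = [e for e in candidates if e.custom]
    # 3. Still conflicting: fall back to the action priority order.
    return min(candidates, key=lambda e: ACTION_PRIORITY.index(e.action))


# The two examples from the page.
PAGE_EXAMPLE_1 = [ListEntry("List 1", "bar.com", "Block", True),
                  ListEntry("List 2", "foo.bar.com", "Monitor", True)]
PAGE_EXAMPLE_2 = [ListEntry("List 1", "bar.com", "Block", True),
                  ListEntry("List 2", "bar.com", "Bypass", True)]
# Constructed case: a custom block list naming a domain that an SIA list bypasses.
CUSTOM_VS_SIA = [ListEntry("Microsoft 365", "outlook.example", "Bypass", False),
                 ListEntry("Custom block list", "outlook.example", "Block", True)]

if __name__ == "__main__":
    for host, entries in [("foo.bar.com", PAGE_EXAMPLE_1), ("bar.com", PAGE_EXAMPLE_2),
                          ("mail.outlook.example", CUSTOM_VS_SIA)]:
        winner = resolve_action(host, entries)
        print(f"{host:22} -> {winner.action} (from {winner.list_name})")
```

The third case is the one worth noticing when auditing a policy: priority order alone would pick Bypass, but the custom list wins, so a block placed by an administrator is not silently undone by an SIA-maintained bypass list.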
An SIA administrator can enable SafeSearch in a policy to block and prohibit adult or explicit content from search results that are completed with Google and Bing search engines. When end users in locations assigned to this policy complete searches with Google or Bing, this feature creates a canonical name (CNAME) record.
These conditions apply:
www.google.com, SIA creates a CNAME to
www.bing.com, SIA creates a CNAME to
This means end users are routed to strict.bing.com when performing searches with these search engines.
Similarly, in a policy configuration, you can also enable YouTube restricted mode. This feature prevents users from accessing video content that contains mature content, language, situations, and more. You can select from these modes:
Strict. Provides access to a limited collection of video content. This is the most restricted mode.
Moderate. Provides some restricted access but is less strict than Strict mode. Moderate mode allows users to access a larger collection of video content.
Unrestricted. Provides access to all YouTube content. This option is selected by default.
SIA creates a CNAME for these hostnames:
For Strict YouTube Restricted mode, these domains are a CNAME for restrict.youtube.com. For Moderate YouTube Restricted mode, these domains are a CNAME for
In a policy configuration, you define the details that are logged in SIA for HTTP or HTTPS threat events. Different logging levels are available to report data such as the HTTP headers, hostname, URL path, and query string information.
The Proxy Logging Mode setting is available in a policy only when you enable SIA Proxy.
To make sure that your enterprise can investigate security incidents and determine why traffic is blocked, do not change the default logging mode. Level 1 provides details that are best for troubleshooting and investigating events.
You can select from these levels:
| Level | Logged data |
| --- | --- |
| Level 1 (Recommended) | Logs the HTTP headers in the request and response as well as the hostname, path, and query string in the URL. |
| Level 2 | Logs the hostname, path, and query string in the URL. |
| Level 3 | Logs the hostname and path in the URL. |
| Level 4 | Logs the hostname. |
By default, Level 1 is selected. This data is reported in the Threat Events report.
Clicking to view more information about an event opens the Event Details window where you can view general and specific traffic information. The Traffic General subtab contains the hostname and path of a URL, while the Traffic Details subtab contains the query string, request and response information. If you select a logging method that does not record some of this information, this data is not shown. For example, if you select level 4, the Traffic Details subtab is disabled. While the hostname is reported in the associated field, the URI field does not show any information.
If you change the logging mode of a policy, the new mode affects all future events. It does not modify logged data in existing events.
Use Level 1 logging mode to ensure that detailed data is logged for threat events.
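To make the difference between the levels concrete for an investigator, here is an added Python example (written for this page, not SIA's logging code) that reduces one proxy event to the fields each level retains and lists what is lost relative to Level 1. The event, its URL and its headers are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample event: a download an analyst might need to trace back.
SAMPLE_EVENT = {
    "url": "https://cdn.example.net/downloads/update.exe?cid=4711&src=mail",
    "request_headers": {"User-Agent": "ExampleBrowser/1.0",
                        "Referer": "https://mail.example.com/"},
    "response_headers": {"Content-Type": "application/octet-stream",
                         "Content-Disposition": "attachment"},
}


def proxy_log_record(event, level):
    """Reduce an HTTP/HTTPS event to the data the given Proxy Logging Mode level keeps."""
    if level not in (1, 2, 3, 4):
        raise ValueError("level must be 1, 2, 3 or 4")
    parts = urlsplit(event["url"])
    record = {"hostname": parts.hostname}       # every level keeps the hostname
    if level <= 3:
        record["path"] = parts.path             # Levels 1-3 keep the URL path
    if level <= 2:
        record["query"] = parts.query           # Levels 1-2 keep the query string
    if level == 1:                              # Level 1 also keeps both header sets
        record["request_headers"] = dict(event["request_headers"])
        record["response_headers"] = dict(event["response_headers"])
    return record


def investigation_fields_lost(event, level):
    """Field names available at Level 1 that are absent at the given level."""
    return sorted(set(proxy_log_record(event, 1)) - set(proxy_log_record(event, level)))


if __name__ == "__main__":
    for level in (1, 2, 3, 4):
        print(f"Level {level}: {proxy_log_record(SAMPLE_EVENT, level)}")
        print(f"  lost vs Level 1: {investigation_fields_lost(SAMPLE_EVENT, level)}")
```

At Level 4 the record for this event is just the hostname, so the analyst can no longer see which file was fetched or which page (the Referer) led the user there; that is the practical reason behind the recommendation to keep Level 1.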
The Local Breakout for Bypass Domains setting is enabled by default in a policy to ensure that domains configured in SIA for bypass are directed to the origin from the branch or enterprise network. These domains bypass SIA Proxy. For this configuration, your network needs to have a direct route to the Internet. If your network does not have a direct route to the Internet and as a result cannot access these origins, make sure you disable this option. When disabled, the traffic is directed to SIA. SIA directs this traffic to the origin without scanning it.
Note these conditions with this option:
Bypass is supported on TLS and HTTP/1 traffic. The bypass action is not supported on traffic that uses other protocols, such as User Datagram Protocol (UDP), HTTP/2, or QUIC (Quick UDP Internet Connections).
If ETP Client is active on client devices, this setting ignores traffic from clients that are off the corporate network.
This setting applies to domains that are configured in the policy with the bypass action. It does not apply to internal IP addresses or DNS suffixes that are configured in the Local Bypass Settings.
If you disable this setting, make sure the domains that are required for SIA are allowed by your organization's firewall and can access the Internet. For a list of domains, see Configure your firewall.
If your enterprise sets up SIA Proxy as a selective proxy only and your organization does not use ETP Client, Security Connector as a DNS Forwarder, or proxy chaining, make sure the Local Breakout for Bypass Domains setting is enabled. If this setting is disabled, domains that are configured for bypass are directed to SIA for resolution and then dropped.
This table describes the behavior of policy actions based on whether the SIA proxy is enabled or disabled. For more detailed information, see Policy actions.
When SIA Proxy is enabled in a policy configuration, an organization needs to set up a TLS MITM certificate. For more information, see Create an SIA Proxy MITM certificate.
| Action | Response to user (set in Policy) | SIA Proxy is disabled | SIA Proxy is enabled | Impact to reporting |
| --- | --- | --- | --- | --- |
| Bypass | N/A | Request bypasses SIA protection and resolves to the IP address of the origin (destination web server). | Traffic is not directed to SIA Proxy. Therefore, the request is not decrypted with the TLS MITM certificate. The request is sent directly to the origin. However, if SIA detects that this traffic is risky, it's directed to SIA Proxy for analysis. | No event is logged. Like all network activity, this action is logged on the Network Traffic activity report. |
| Block | Refused Response | Request is denied and a browser-specific error message appears to end users. | Request is denied and a browser-specific error message appears to end users. When the proxy is enabled, a refused response is only available for custom lists. | An event is logged in the threat events or access control reports. |
| Block | Error Page | Request is redirected to a custom error page that indicates website access is prohibited. You can select to redirect traffic to Enterprise Security Connector. For HTTPS requests, users receive a certificate browser error because there is a certificate mismatch. | Request is redirected to a custom error page. SIA Proxy can intercept and inspect HTTPS requests with a MITM CA TLS certificate to show the corresponding error page. You can select to redirect traffic to Enterprise Security Connector. | An event is logged in the threat events or access control reports. |
| Block | Custom Response | Request is redirected to the IP address of a custom response. | If the request matches a domain in a list, the request is redirected to the IP address of a custom response. If the request matches a URL in a list, the request is redirected to a custom error page and is not forwarded to a custom response. | For a DNS request, an event is logged in the threat event or access control reports. For an HTTP or HTTPS request, an event is logged in the threat event or access control report. |
| Block | N/A | Request is blocked. User is shown a custom error page. | Requests resolve to the origin unless SIA Proxy is set up as a full web proxy. In this situation, requests and responses are first scanned by SIA Proxy. If a threat is detected, the request is blocked. If the proxy is enabled, but it's not set up as a full web proxy, then the request resolves to the origin. | An event is logged in the threat event or access control report. |
| Monitor | N/A | Request resolves as expected. | Traffic is directed to the proxy where it's inspected for threats. This occurs regardless of whether the proxy is configured as a full or selective proxy. | An event is logged in reports. |
| Allow | N/A | Traffic is directed to the origin. | If the full web proxy is set as the operating mode, this action examines the full URL of a request. Similarly, for a selective proxy, the proxy examines only risky domains and URLs. If a URL is a known threat, a corresponding threat category is assigned. If inline payload analysis is enabled, this action also scans HTTP responses for threats. If a threat is found, this action assigns a corresponding threat category to it. SIA then applies the action assigned to that threat category (for example, malware, phishing, or C&C). | If malicious content is discovered, an event is logged in the threat event or access control report. |