Application visibility and control

Application visibility and control allows you to create a policy where you control access to web applications. You can define default policy behavior or create a policy that is based on risk level, AUP categories, category operations, applications, or specific operations for an application. You can select the users and groups that can access a web application and perform specific operations in the application.

To control the use of shadow IT and unsanctioned applications, use this feature to identify and block applications based on risk score and to limit the operations users can perform in an application.

You can use AVC with any of these ETP setups:

  • ETP DNS. If ETP Proxy is not enabled, you can still control access to applications based on the application's domain and IP address.

  • ETP Secure Web Gateway. If ETP Proxy is enabled, you can control access to applications based on URLs, domains, IP addresses, and other attributes.

A policy for AVC is divided into these components:


  • Operating Mode. You can select the mode that ETP uses for traffic by default. Unless more specific actions are defined in the policy, the behavior of the selected mode applies.

    • Full Proxy. Directs all web traffic to ETP Proxy, except for traffic that’s set to bypass.
    • Selective Proxy. Directs any traffic that matches a configured threat or AUP category to ETP Proxy. If no action is defined in the policy for traffic, traffic bypasses the proxy.
    • Walled Garden. Blocks all traffic unless it’s set to Allow.
      If your organization uses ETP Client and has configured Walled Garden exceptions, when the client is in an unprotected state, all traffic is blocked except for the exceptions that are configured in the Local Bypass Settings.
    • DNS Protection. Protects DNS traffic based on the policy. You can select this mode only when ETP Proxy is disabled.

    For more information, see Default operating mode.

  • Mobile Mode. Defines the mode for mobile traffic when ETP Client is installed on a device. You can define the mode for these mobile devices:

    • iOS. For iOS devices, you can select any of these modes: Full Proxy, Selective Proxy, and Walled Garden.
    • Android. For Android devices, you can select any of these modes: Full Proxy, Selective Proxy, Walled Garden, and Proxy (Browsers Only). Proxy (Browsers Only) directs only browser traffic to the proxy.
    • Chrome OS. For Chrome OS devices, you can select any of these modes: Full Proxy, Selective Proxy, and Walled Garden.
  • Risk. Defines the risk levels for a web application. Each of these levels indicates whether the application is a security risk that can result in a data breach, data loss, or other threats:

    • Critical. Indicates the application is known to be malicious and a security risk.

      Important: As a best practice, make sure you set the critical risk level to the block action.

    • Very High. Indicates the application is extremely at risk for data loss or a security breach. These applications allow users to perform high-risk actions such as sending or sharing files and making remote connections that can bypass enterprise security.

    • High. Indicates the application is moderately at risk for data loss or a security breach. These applications allow users to create and send data such as documents, multimedia content, emails, messages, voice communications, and more.

    • Medium. Indicates the application is slightly at risk for data loss or a security breach. These applications allow users to perform slightly risky actions such as voting, rate scoring, text searches, translation, and more.

    • Low. Indicates the application has the lowest amount of risk for data loss or a security breach. These applications allow users to perform low-risk actions such as viewing content, listening to music, downloading files, and more.

    • Unknown. Indicates there is no application associated with the category and, as a result, a risk level is not yet known for the category.

    You can click the total number of applications to view a list of applications that are associated with each risk level. You can remove a risk level from the policy configuration and assign an action to any risk level that you want to define. The actions you select in this area override the default action.

  • Category. Acceptable use policy and application categories that you want to assign to this policy.

    You can click the total number of applications to view a list of applications that are associated with each category. You assign a policy action to a category. The action you select in this area overrides the risk level action if there is a conflict.

  • Category operations. Operations for AUP and application categories. Category operations are detected and shown in a policy if ETP Proxy is enabled for a policy.

    You can click the number of associated applications to view a list of applications that support a particular operation. The configuration you set in this section only applies to applications that support the selected operation. The action you define in this area overrides the category and risk level action if there is a conflict.

  • Applications. Specific web applications as well as the operations that apply to them. Operations appear for an application as long as the application can be identified by ETP Proxy and the operation is supported by the application. If ETP Proxy is not enabled, application operations are not listed. If the application does not support an operation, it's not listed. When the proxy is not enabled, you can configure access control only for applications that ETP can identify by hostname.

    You assign a policy action to a specific application and an application operation. The action or actions you select in this area override the category operations if there is a conflict.

As you define each level in this policy, the detailed levels you configure take precedence over more general settings. For example, the policy action you apply to an application takes precedence over an action that's applied to its corresponding category or category operation.

This illustration shows the priority of these components in a policy. The operating mode is shown as a more general setting with the least priority as administrators define other levels of the policy. However, the operating mode applies if there is no configuration in place elsewhere in the policy for traffic.

Consider these examples:

  • If you define a block action to a high risk level and you select an allow action for a high risk category such as Sales and Marketing, web applications in this category are still allowed. The risk level setting still applies for other traffic that's not specifically defined at the category level of the policy.

  • If you select the block action to a File Transfer (Collaboration and Online Meetings) category operation and allow the file transfer operation in a specific application such as Slack, the allow action for transferring files to Slack takes precedence over the block action in the category operation.
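The precedence described above, as an added example that is not part of the original documentation or of ETP's code: a small Python resolver that walks the policy levels from most specific to most general, applies user exceptions to a block, and falls back to the operating mode when nothing else matches. The Rule and Request structures, the application names other than Slack, and the user ID are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Policy levels from most specific to most general. The first level that
# defines an action for a request decides; the operating mode is the fallback.
PRECEDENCE = ("application_operation", "application", "category_operation",
              "category", "risk_level")

# What each operating mode does with traffic that no other level configured.
# DNS Protection is omitted because it applies only with the proxy disabled.
MODE_DEFAULT = {"Walled Garden": "Block", "Full Proxy": "Allow",
                "Selective Proxy": "Bypass"}


@dataclass(frozen=True)
class Rule:
    action: str                            # Bypass, Allow, Monitor or Block
    exempt_users: frozenset = frozenset()  # user IDs exempt from a Block action


@dataclass(frozen=True)
class Request:
    """Attributes attached to a request after classification (constructed)."""
    application: str
    category: str
    risk_level: str
    operation: Optional[str] = None


@dataclass
class AvcPolicy:
    operating_mode: str
    risk_levels: dict = field(default_factory=dict)             # level -> Rule
    categories: dict = field(default_factory=dict)              # category -> Rule
    category_operations: dict = field(default_factory=dict)     # (category, op) -> Rule
    applications: dict = field(default_factory=dict)            # app -> Rule
    application_operations: dict = field(default_factory=dict)  # (app, op) -> Rule

    def resolve(self, req: Request, user: Optional[str] = None) -> tuple:
        """Return (action, deciding_level) for a request, honouring user exceptions."""
        lookups = {
            "application_operation": self.application_operations.get(
                (req.application, req.operation)),
            "application": self.applications.get(req.application),
            "category_operation": self.category_operations.get(
                (req.category, req.operation)),
            "category": self.categories.get(req.category),
            "risk_level": self.risk_levels.get(req.risk_level),
        }
        for level in PRECEDENCE:
            rule = lookups[level]
            if rule is None:
                continue  # nothing defined here, try the next more general level
            if rule.action == "Block" and user in rule.exempt_users:
                return "Allow", f"{level} (user exception)"
            return rule.action, level
        if self.operating_mode not in MODE_DEFAULT:
            raise ValueError(f"unsupported operating mode: {self.operating_mode}")
        return MODE_DEFAULT[self.operating_mode], "operating_mode"


# Constructed policy mirroring the two examples above, with a Walled Garden default
# and one user ("jdoe", constructed) exempt from the High risk block.
POLICY = AvcPolicy(
    operating_mode="Walled Garden",
    risk_levels={"Critical": Rule("Block"),
                 "High": Rule("Block", frozenset({"jdoe"}))},
    categories={"Sales and Marketing": Rule("Allow")},
    category_operations={("Collaboration and Online Meetings", "File Transfer"): Rule("Block")},
    application_operations={("Slack", "File Transfer"): Rule("Allow")},
)

if __name__ == "__main__":
    for req in (Request("ExampleCRM", "Sales and Marketing", "High"),
                Request("Slack", "Collaboration and Online Meetings", "High", "File Transfer"),
                Request("ExampleRadio", "Internet Utilities", "Low")):
        print(req.application, "->", POLICY.resolve(req))
```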

Note: ETP may update the list of applications, application operations, and categories in a policy. If an application, operation, or category is discontinued, a message appears to notify administrators about this update. After an administrator confirms the message, ETP removes the unsupported settings from the policy. Administrators need to then redeploy the policy. For more information, see Updated list of access control applications.

Policy actions

Depending on the component that you are configuring in the policy for AVC, these actions may be available:

  • Bypass. Traffic bypasses ETP Proxy and is directed to the origin.

  • Allow. Traffic is directed to ETP Proxy where it's analyzed and assigned a category. Based on the category, a policy action is applied. If the proxy is disabled, traffic is directed to the origin.

  • Monitor. Traffic is allowed and an event is logged.

  • Block. Traffic is blocked and users are shown an error page.

    If the proxy is not enabled in a policy, you can choose to show an error page or to direct traffic to a custom response. This option is available for risk levels, categories, category operations, applications, and application operations. For more information about custom responses, see Configure a custom response.

Note that not all these actions are available in each area of the policy for AVC.

Also, for some applications, the bypass action may not be available. This occurs if the application cannot be identified by domain and is only detected by ETP Proxy through a URL.

User and group exceptions

If you select the block action in the Risk, Category, Category Operations, or Applications area, you can define users or groups that are exceptions to the block action.

You can select users and groups when this policy configuration is in place:

  • An Optional or Required authentication mode is set in the policy. For more information, see Authentication policy.

  • An identity provider is associated with the policy. As part of an IdP configuration, you'll associate the directory that contains users and groups. For more information, see About identity providers.

With this configuration, the selected users and groups can access the content you block.

Analytics

ETP shows AVC data in these reports:

  • Access Control. Contains events for violations to AVC, DLP, and blocked file types. For AVC, you can filter events based on category, risk level, operation, and application.

  • DNS Activity. Contains data on DNS traffic. For AVC, you can filter activity by category, risk level, and application.

  • Proxy Activity. Contains data on ETP Proxy traffic. For AVC, you can filter activity by risk level, operation, and application.

ETP also offers dashboard widgets that generate information specific to AVC. To track risky applications, machines, and users, administrators can add these widgets to their Enterprise Center dashboards:

  • Top Risky Applications
  • Top Risky Machines
  • Top Risky Users

For more information about the dashboard, see Dashboard.

Configure application visibility and control

Application visibility and control allows you to control access to web applications. In this procedure, you'll define different components. This includes risk level, categories, category operations, applications, and application operations. The specific settings you define in the policy are prioritized over more general settings. For more information, see Application visibility and control.

To configure AVC:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Click the name of the policy that you want to edit.

  3. Go to the Settings tab.

  4. For the Policy Type menu, make sure DNS + Proxy is selected as the policy type. While the proxy is not required for configuring AVC, you cannot configure category operations without enabling it.

  5. If you enabled the proxy, make sure inline payload analysis is also enabled.

  6. If you want to configure user and group exceptions to any blocked content in an AVC policy:

    1. Make sure Required or Optional is selected as an Authentication Mode. For more information, see Authentication policy.

    2. In the IdP menu, select an identity provider if one is not selected.


  7. Click the Access Control tab.

  8. Click the AUP & Shadow IT subtab.

  9. Expand the Operating Mode area and select a mode, as shown in this example.

    These modes are available:

    • Selective Proxy. Directs any traffic that matches a configured threat or AUP category to ETP Proxy. If no action is defined in the policy for traffic, it bypasses the proxy.

    • Full Web Proxy. Directs web traffic to ETP Proxy, except for traffic that’s set to bypass.

    • Walled Garden. Blocks all traffic unless it is set to Allow.

      If your organization uses ETP Client and has configured Walled Garden exceptions, when the client is in an unprotected state, all traffic is blocked except for the exceptions that are configured in the ETP network configuration.

    • DNS Protection. Protects DNS traffic based on policy. You can select this mode only when ETP Proxy is disabled.

  10. Expand the Mobile Mode area and select a mode based on the device operating system.

    • Selective Proxy. Directs any traffic that matches a configured threat or AUP category to ETP Proxy. If no action is defined in the policy for traffic, it bypasses the proxy. This is the default mode for mobile devices.

    • Full Proxy. Directs web traffic to ETP Proxy, except for traffic that’s set to bypass. This mode is recommended for managed devices. Make sure you test your managed applications and bypass any applications that fail.

    • Walled Garden. Blocks all traffic unless it is set to Allow.

    • Proxy (Browser Only). Directs only browser traffic from an Android device to the proxy. Application traffic is directed to the origin. This mode is available for Android devices only.

  11. Expand the Risk area and select a policy action for any of the risk levels that you want to define in the policy. In the Action column heading, you can select an action for all risk levels, or you can select an action for an individual risk level. To remove a risk level, click the minus icon. As a best practice, select the block action for the critical risk level. If you select a block action and an IdP is selected on the Settings tab, complete these steps to assign a user or group exception:

    1. Click the link icon in the exceptions column. A window appears.

    2. In the Groups tab, search for a group and select the group or groups that you want to exempt from the block action.

      If the group name you provide does not appear in the drop-down list, you can add the group. If you add a group, you need to also add the group to the relevant directory for the group to authenticate and gain access.

    3. In the Users tab, search for the users and select the users that you want to exempt from the block action.

      If the user does not exist in the directory associated with the policy IdP, you can enter a unique ID for a user you want to add and click the add button. This adds the unique ID to the list. You need to also add the user to the relevant directory for the user to authenticate and gain access.

      The user ID provided in this example is the ID the user enters to authenticate:

    4. Click Associate.

  12. Expand the Category area and consider the policy actions you want to apply to a category or categories, for example, you may choose to block Gambling websites:

    1. Click the link icon and select the categories that you want to associate with the policy. Click Associate.

    Note: You can select a policy action as you associate a selected category or after you associate a category.

    2. Select an action for each category. In the action column, you can select an action for all categories, or you can select an action for an individual category.

    3. If you select a block action and an IdP is selected on the Settings tab, complete steps 11a to 11d to assign a user or group exception.

  13. Expand the Category Operations area and consider the policy actions that you want to apply to an operation or operations, for example, you can search for all upload operations, select these operations for your policy, and select to block them across all categories:

    1. Click the link icon and select the category operations that you want to associate to the policy. Click Associate.

    Note: You can select a policy action as you associate a category operation or after you associate a category operation.

    2. Select an action for each category operation. In the action column, you can select an action for all category operations, or you can select an action for an individual category operation.

    3. If you select a block action and an IdP is selected on the Settings tab, complete steps 11a to 11d to assign a user or group exception.

  14. Expand the Applications area and consider the policy actions that you want to apply to an application or applications:

    Note that if there's an operation supported for a selected application, you can also select a policy action for the application operation.

    1. Click the link icon and select applications you want to associate to the policy. Click Associate.

    2. Select an action for each application. If there are operations listed for an application, expand the application to view the operations. Select the policy action for the operations. In the action column, you can select an action for all applications or you can select an action for an individual application or application operation.

    3. If you select a block action and an IdP is selected on the Settings tab, complete steps 11a to 11d to assign a user or group exception.

  15. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.

Default operating mode

With the Operating Mode setting, you define how ETP handles traffic by default unless you configure more specific actions for lists, threat categories, and for AUP or AVC settings. These modes are available:

  • Full Proxy. Directs all web traffic to ETP Proxy, except for traffic that’s set to bypass.

  • Selective Proxy. Directs domains and risky web traffic to ETP Proxy for threat inspection. This includes traffic that matches a configured threat or AUP category.

  • Walled Garden. Blocks all traffic unless it’s configured with the Allow action.

    If your organization uses ETP Client and has configured Walled Garden exceptions, when the client is in an unprotected state, all traffic is blocked except for the exceptions that are configured in the Local Bypass Settings.

  • DNS Protection. Protects DNS traffic based on policy. You can select this mode only when ETP Proxy is disabled.

For information on configuring the default action as part of AVC, see Application visibility and control and Configure application visibility and control.

You can also configure a mode for your mobile devices. This is a setting that’s also set in the policy as part of AUP and AVC. For more information, see Mode for mobile devices.

Depending on your organization's requirements and the balance your organization needs to maintain between security, privacy, and user productivity, you can configure ETP policy and the operating mode based on one of these scenarios:

  • Scenario 1: Balance security and user productivity (Recommended). If you want to block known threats and scan all other traffic, consider this configuration:

    • Enable ETP Proxy as a full web proxy.

    • Select Full Web Proxy as the Operating Mode.

    • Block all known threats. You can choose the block action for threat categories and for specific custom lists that contain known threats.

      For instructions, see Enable full web proxy.

  • Scenario 2: Allow only known, trusted traffic (walled garden). If you want to block most traffic and grant users access to known, safe websites only, consider this configuration:

    • Create an exception list that contains the websites that you want users to access.

    • Select Walled Garden as the Operating Mode.

    • Block all threat categories.

Mode for mobile devices

When ETP Client is installed on a mobile device, you can define how mobile traffic is handled. Similar to the operating mode that’s used for general traffic, you can select a specific proxy type or configure a walled garden.

Note: You need to enable and set up ETP Proxy to configure mobile mode settings in a policy.

These mobile devices are supported, with the modes that are available for each:

  • iOS (includes iPadOS). Selective Proxy, Full Proxy, Walled Garden.
  • Android. Proxy (Browser), Selective Proxy, Full Proxy, Walled Garden.
  • Chrome OS. Selective Proxy, Full Proxy, Walled Garden.

You can select from these modes:

  • Selective Proxy. Directs any traffic that matches a configured threat or AUP category to ETP Proxy. This is the default mode for mobile devices.

  • Full Proxy. Directs all web traffic to the proxy, unless traffic is configured for bypass in the policy. This mode is recommended for managed devices. Make sure you test your managed applications and bypass any applications that fail.

  • Walled Garden. Blocks all traffic unless it’s set to Allow in the policy.

  • Proxy (Browser). This mode is available for Android devices only. It directs only browser traffic to the proxy. Application traffic is directed to the origin and not scanned by the proxy.

For more information about the operating mode, see Default operating mode.

Walled garden

A walled garden blocks all traffic except for the traffic that’s explicitly allowed in the policy. You can define a walled garden as an operating mode in ETP policy. This is the default mode that’s applied to traffic unless more detailed settings are configured in the policy. If the proxy is enabled, you can also set walled garden as the mode for your mobile devices. You can select walled garden as a mode for iOS, Android, and Chrome OS devices. For more information, see Default operating mode and Mode for mobile devices.

Allowed traffic in a walled garden includes:

  • The domains, IP addresses, URLs, and file hashes that you define in an exception list.
  • Any risk level, category, operation, and application that you set with the Allow action under Access Control.
  • Any traffic that's configured in the Local Bypass Settings.

When traffic is blocked with a walled garden, users are presented with an ETP error page to indicate that the website is blocked and prohibited. For more on ETP error pages, see Customize error pages.

Note the following when configuring a walled garden:

  • If the mobile mode is set to Walled Garden for any mobile device, make sure you also select Walled Garden as the default operating mode in the policy.
  • If you select the full proxy for any mobile device or you select Proxy (Browser Only) mode for Android, make sure the default operating mode is not set to Walled Garden.

Configure a walled garden

Before you begin:

  • Make sure the Local Bypass Settings contain the internal traffic that you want users to access. For more information, see Configure local bypass settings.
  • Make sure you create exception lists with the traffic that you want to allow. For more information, see Exception lists.

You can configure a walled garden to block all traffic except for the traffic that your organization wants to allow.

To configure a walled garden:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.

  3. Click the Access Control tab.

  4. Click the AUP & Shadow IT subtab.

  5. For the Operating Mode, select Walled Garden.

  6. Under Mobile Mode, select Walled Garden for iOS, Android, and Chrome OS devices.

  7. To add an exception list, see Add an Exception list to a policy.

  8. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps

If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.

Application visibility and control categories

In addition to AUP categories, these additional categories are also available when you configure AVC in a policy. For more information on AUP categories, see Acceptable use policy categories.

  • Collaboration and Online Meetings. Cloud applications that offer online communication and collaboration services such as online meetings, Internet telephony, messaging, voice over IP (VoIP), and more.
  • IT Services. Cloud applications that offer IT services, such as device and identity management.
  • Productivity and CRM Tools. Cloud applications that offer productivity and management tools. This includes customer relationship management (CRM) tools.
  • Sales and Marketing. Cloud applications that offer sales and marketing tools.
  • System and Development. Cloud applications that offer system and development tools.
  • Internet Utilities. Cloud applications that offer general Internet services and utilities.
  • Document Management. Cloud applications that secure document information, such as data in an electronic form.

Updated list of access control applications

Policy settings that are defined for applications, categories, and operations may require removal based on updates from the intelligence feeds. When you open a policy that requires this kind of update, ETP displays the settings that need to be removed, as shown in this example:

To remove the unsupported policy settings, click Confirm and deploy your changes.
