Configure other SIA Proxy settings

Block unscannable files

Complete this procedure to block files that SIA Proxy cannot scan with internal payload analysis, such as compressed or encrypted files. This procedure describes how to enable this feature in an existing policy. To create a new policy, see Create a policy.

By default, this feature is not enabled in a policy.

To block unscannable files:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Click the name of the policy that you want to edit.

  3. In the Settings tab:

    1. In the Policy Type menu, make sure DNS + Proxy is selected.

    2. If inline payload analysis is not enabled, toggle Enable Inline Payload Analysis.

    3. To block files that cannot be scanned by SIA Proxy, enable Block Unscannable Files.

  4. Click Save.

Next steps

Deploy the policy to the SIA network. For more information, see Deploy configuration changes.

Configure origin ports

Before you begin

  1. Make sure you set up and enable the full web proxy. For more information, see Enable full web proxy.
  2. If you are enabling the HTTP Forwarder, review the configuration steps for HTTP Forwarder. For more information, see Configure HTTP Forwarder.

You can configure the origin ports or port ranges that you want to open for the full web proxy or for HTTP Forwarder as a transparent proxy. By default, Secure Internet Access Enterprise allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.

If you provide a port range, the difference between the maximum and minimum numbers in the range cannot exceed 32.

To configure origin ports:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. If you are creating a policy, click the plus sign icon.

  3. If you are editing a policy, click the name of the policy.

  4. Click the Settings tab.

  5. In the Settings tab, under Proxy Settings, navigate to the Origin Ports field.

  6. Enter a port or port range that you want to open. You can enter multiple ports or port ranges. Separate each value with a comma.

  7. Click Save. If you want to save and deploy the policy, click Save and Deploy.
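
The following Python sketch is an added example, not part of the product or its documentation. It checks a value intended for the Origin Ports field against the range limit of 32 described above, splits a wider range into compliant ranges, and lists the ports the value covers beyond the default list. It assumes ranges are written as lo-hi with a hyphen; the function names are illustrative.

```python
import re

# Default ports stated on this page: 80 to 84, 443, 4443, 8080, 8443, 8888.
DEFAULT_PORTS = set(range(80, 85)) | {443, 4443, 8080, 8443, 8888}
MAX_SPAN = 32  # maximum minus minimum of one range may not exceed this

def parse_origin_ports(value):
    """Parse 'p, lo-hi, ...' into (lo, hi) tuples. Assumes hyphenated ranges."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        m = re.fullmatch(r"(\d{1,5})(?:\s*-\s*(\d{1,5}))?", item)
        if not m:
            raise ValueError(f"not a port or range: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"out of order or outside 1-65535: {item!r}")
        if hi - lo > MAX_SPAN:
            raise ValueError(f"range {item!r} spans {hi - lo}, limit is {MAX_SPAN}")
        entries.append((lo, hi))
    return entries

def split_range(lo, hi):
    """Split a wide range into consecutive ranges that each satisfy MAX_SPAN."""
    chunks = []
    while lo <= hi:
        top = min(lo + MAX_SPAN, hi)
        chunks.append((lo, top))
        lo = top + 1
    return chunks

def format_entries(entries):
    """Render (lo, hi) tuples as a comma-separated field value."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in entries)

def ports_beyond_defaults(entries):
    """Ports covered by the value that are not in the default list above."""
    opened = {p for lo, hi in entries for p in range(lo, hi + 1)}
    return sorted(opened - DEFAULT_PORTS)

if __name__ == "__main__":
    # Constructed input: port 443 plus a range that is too wide for one entry.
    wanted = format_entries([(443, 443)] + split_range(9000, 9100))
    print(wanted)
    print(len(ports_beyond_defaults(parse_origin_ports(wanted))), "ports beyond defaults")
```

Reviewing the ports beyond the defaults before saving keeps the set of opened origin ports to what the policy actually needs.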

Next steps

If you haven’t deployed the policy, make sure you deploy it to the SIA network. For more information, see Deploy configuration changes.

Configure action for unverifiable certificates

Complete this procedure to configure how SIA Proxy handles requests when the proxy cannot verify a website's origin certificate. In this situation, you can block the request or select the bypass action. For more information, see Unverifiable origin certificates.

To configure an action for unverifiable certificates:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. If you are adding a new policy:

    1. On the Policies page, click the plus sign icon.

    2. Enter a name and description for the policy in the Name and Description fields.

    3. In the Policy Type menu, select DNS + Proxy.

    4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:

      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.

      • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.

      • Custom. Lets you define policy actions for known and suspected threats.

    5. To assign a location or sub-location, click the link icon for locations or sub-locations, and select one or more. Then click Associate.

  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.

  4. Click the Settings tab.

  5. In the Proxy Settings area, make sure DNS + Proxy is selected for the Policy Type.

  6. In the Invalid Certificate Response menu, select one of these actions:

    1. To block the request and show an error page, select Block - Error Page.

    2. To allow the request to bypass SIA Proxy, select Bypass.

  7. Depending on the type of SIA proxy that you want to configure for your enterprise, make sure you review and complete the steps that are outlined in these procedures:

    1. To enable a full web proxy, see Enable full web proxy.

    2. To enable a selective proxy, see Enable selective proxy.

  8. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the SIA network. For more information, see Deploy configuration changes.

Allow or block domains incompatible with TLS MITM certificate

You can allow or block domains that are not compatible with the TLS MITM certificate that is required for SIA Proxy. Depending on your organization, you may need to allow or block these domains. For a list of domains that are not compatible with the certificate, see Bypass list.

This procedure assumes that you are modifying an existing policy.

To allow or block incompatible domains:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Click the name of the policy that you want to edit.

  3. Click the Settings tab.

  4. In the Proxy Settings area:

    1. To allow domains that are incompatible with the TLS MITM certificate, make sure the Block Incompatible Domains toggle is not enabled.

    2. To block domains that are incompatible with the TLS MITM certificate, toggle Block Incompatible Domains.

  5. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.