Complete these tasks to create a block list or an exception list. To learn more about lists, see About lists.

Create a block list

Block lists are used to define whether a policy should block, monitor, or allow access when users make requests to outside resources. You can define this data in a block list:

• Domains
• IP addresses
• Top-level domains. You can define the country-code top-level domains (ccTLD) and generic top-level domains (gTLD).
• File hashes
• URLs

Complete this procedure to create a block list.

To create a block list:

1. In the Threat Protection menu of Enterprise Center, select Policies > Lists.

2. Click the plus sign icon () to add a new list.

3. Enter a name and description for the list.

4. In the Type menu, select Block.

5. In the Categories menu, select one of these categories for the list:

   • Malware. Domains and IP addresses of known or suspected malware.

   • Phishing. Domains and IP addresses of known or suspected phishing websites that gather user credential information.

   • C&C. Domains and IP addresses used by malicious C&C servers.

   • DNS Exfiltration. Domains and IP addresses that serve as a communication channel over DNS. This channel may be used to steal sensitive data or circumvent traditional access restrictions by allowing malware to communicate outside the network.

   • Other. Domains or IP addresses that are not associated with a specific threat category.

6. Click Create List.

7. To identify domains for the list:

   1. Click the arrow icon next to the Domains section to expand it.
   2. In the Known Domains, enter domains that you know are threats.
   3. In the Suspected Domains, enter domains that you suspect are threats.
   4. If you want to use a CSV file to configure multiple domains, see Download a list template file and Configure and upload domains or IP addresses with a CSV file.

8. To identify IP addresses for the list:

   1. Click the arrow icon next to the IPs section to expand it.
   2. In the Known IPs, enter IP addresses that you know are threats.
   3. In the Suspected IPs, enter the IP address that you suspect are threats.
   4. If you want to use a CSV file to configure multiple IP addresses, see Download a list template file and Configure and upload domains or IP addresses with a CSV file.

9. To identify file hashes for the list:

   1. Click the arrow icon next to the File Hashes section to expand it.
   2. Enter or paste the file hashes. Make sure you enter each hash in SHA-256 and it's formatted with 64 hexadecimal characters.

   📘

   If you need to generate a hash for a file, see Generate a hash value.

   3. If you want to use a CSV file to specify multiple hash values, see Download a list template file and Configure and upload file hashes with a CSV file.

10. To identify URLs for the list:

    1. Enter one or more URLs. For more information, see Specify URLs in lists.
    2. If you want to use a CSV file to specify multiple URLs, see Download a list template file and Configure and upload URLs with a CSV file.

11. To identify the top-level domains for the list:

    1. In the provided field, enter a top-level domain. Make sure to omit the dot before the top-level domain.

       ❗️

       You cannot create a top-level domain list that contains the com, org, and net top-level domains.

    2. If you want to use a CSV file to specify multiple top-level domains, see Download a list template file and Configure and upload top-level domains with a CSV file.

12. Click Save. If you want to save and deploy the list, click Save and Deploy.

Next steps

1. Assign the list to a policy. For instructions, see Add a block list to a policy.

2. If you haven't deployed the list, deploy it to the ​SIA​ network. For instructions, see Deploy configuration changes.

Add a block list to a policy

Before you begin

If you plan to assign users and groups that can access blocked websites in a custom list, make sure you complete these configuration steps in the policy settings.

1. Enable ​SIA​ Proxy.

2. Select Require or Optional as an Authentication Mode.

3. Associate an IdP to the policy.

For more information, see Require authentication to access a website or web application.

To associate a list with a policy, you add the list to the policy. You need to be an ​SIA​ administrator to perform this task. If you are a delegated administrator or a strict delegated administrator, you can modify the policy you created or the policies that you are allowed to access.

To add a block list to a policy:

1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

2. If you are modifying an existing policy, click the name of the policy that you want to edit.

3. Click the Custom Lists tab.

4. Click the Block Lists tab, then:

   1. Click the chain icon () to the right of the Custom Lists section.

   2. In the window that displays, select one or more lists and click Associate.

   📘

   All Block lists added to a policy are assigned the Monitor action by default.

5. To change the action value of a list to Block:

   1. Click the arrow icon next to Custom Lists to expand it.

   2. Expand the Known or Suspected sections.

   3. Go to the specific list where you want to modify the action. In the Action menu, select Block.

      If you want to block all Known or Suspected traffic in all the lists you selected, select Block in the Action menu next to Known or Suspected.

   4. Select one of these options as the response to a user:

      • Error Page. You can show an ​​SIA​​ error page to the user. If you select this option, you can also select a Security Connector when it’s configured as a sinkhole. For more information about Error pages, see Customize error pages. For more information about Security Connector, see Security Connector as a DNS sinkhole.
      • Any custom response. You can select a specific custom response to direct traffic for this list to a custom response.
      • Refused Response. You can show a browser-specific error message. This option is available only if ​​SIA​​ Proxy is enabled.

6. If you selected Error Page as the response to a user and you set up authentication in the policy, complete these steps:

   1. In the Exceptions column for a list, click the link icon.
   2. In the Groups tab, select a group or groups.
   3. In the Users tab, search for the users and select a user or multiple users. If the user you searched for is not in the search results, you can click the add icon to add the user to the selected list.
   4. Click Associate.

7. Select the check box for alerts if you want to send alerts to administrators when the selected action is taken on traffic.

8. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the ​SIA​ network. For instructions, see Deploy configuration changes.

Create an exception list

Exception lists are used to define the specific traffic and file hashes that you don’t want scanned by ​SIA​ or ​SIA​ Proxy. If ​SIA​ Proxy is enabled, the proxy does not scan the domains, IP addresses, URLs, or file hashes in exception lists. By default, when a user associates an exception list to a policy, it's assigned the bypass policy action.

You can define this data in an exception list:

• Domains. You can specify the domains that are bypassed by ​SIA​ policy. If ​​SIA​​ Proxy is enabled, these domains and IP addresses are bypassed by the proxy.
• IP addresses. You can specify IP addresses that are bypassed by ​​SIA​​ policy. If ​​SIA​​ Proxy is enabled, these domains and IP addresses are bypassed by the proxy.
• File hashes. You can specify the hashes of files that you don't want scanned by the proxy.
• URLs. You can specify one or more URLs that you don't want scanned by the proxy.

Complete this procedure to create an exception list.

To create an exception list:

1. In the Threat Protection menu of Enterprise Center, select Policies > Lists.

2. Click the plus sign icon () to add a new list.

3. Enter a name and description.

4. In the Type menu, select Exception.

5. Click Create List.

6. To identify domains you want directed to the origin:

   1. Click the arrow icon next to the Domains section to expand it.
   2. Enter one or more domains.
   3. If you want to use a CSV file to upload multiple domains, see Download a list template file and Configure and upload domains or IP addresses with a CSV file.

7. To identify IP addresses you want directed to the origin:

   1. Click the arrow icon next to the IPs section to expand it.
   2. Enter one or more IP addresses.
   3. If you want to use a CSV file to upload multiple IP addresses, see Download a list template file and Configure and upload domains or IP addresses with a CSV file.

8. To identify file hashes that you don’t want scanned by the proxy:

   1. Click the arrow icon next to the File Hashes section to expand it.
   2. Enter or paste the file hashes. Make sure you enter each hash in SHA-256 and it's formatted with 64 hexadecimal characters.

      📘

      If you need to generate a hash for a file, see Generate a hash value.

   3. If you want to use a CSV file to specify multiple hash values, see Download a list template file and Configure and upload file hashes with a CSV file.

9. To identify URLs that you prefer bypass ​SIA​ security:

   1. Enter one or more URLs. For more information, see Specify URLs in lists.
   2. If you want to use a CSV file to specify multiple URLs, see Download a list template file and Configure and upload URLs with a CSV file.

10. Click Save. If you want to save and deploy the list, click Save and Deploy.

Next steps

1. Add the exception to a policy. See Add an exception list to a policy.

2. If you haven't deployed the list, deploy it to the ​SIA​ network. For instructions, see Deploy configuration changes.

Add an exception list to a policy

After you create a list, you need to add the list to the policy.

You need to be an ​SIA​ administrator to perform this task. If you are a delegated administrator or strict delegated administrator, you can modify the policy you created or the policies that you are allowed to access.

To add an exception to a policy:

1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

2. If you are modifying an existing policy, click the name of the policy that you want to edit.

3. Click the Custom Lists tab.

4. Click the Exception Lists tab, and do the following:

   1. For Custom Lists, click the chain icon.

   2. In the window that displays, select one or more exception lists and click Associate.

      📘

      All exception lists added to a policy are assigned the Bypass action. This cannot be changed.

   3. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps
If you haven’t deployed the policy, make sure you deploy it to the ​SIA​ network. For instructions, see Deploy configuration changes.

Generate a hash value

If there are files that you don't want scanned by ​SIA​ Proxy, you can add the hash value of these files to an exception list. Files that are included in an exception list automatically bypass ​SIA​ Proxy. You can also add hash values to a block list.

Depending on the operating system, complete this procedure to generate a hash value that you can copy to a list:

On Windows:

1. Open a PowerShell window.

2. Change directories to the location where the file is located.

3. Enter this command:

   get-FileHash [filename] -Algorithm SHA256

   where [filename] is the filename.

Next steps

Copy the hash value to a block or exception list. To create a block or exception list, see Create a list.

On Mac:

1. Open a terminal window.

2. Enter this command:

   shasum -a 256 <fileLocation>

   where <fileLocation> is the full path of the file. You can also drag and drop the file to the terminal window.

Next steps

Copy the hash value to a block or exception list. To create a block or exception list, see Create a list.