Selective proxy

A selective proxy analyzes risky web traffic. It examines the domain and full URL of each request to determine whether the request is risky.

This graphic illustrates how the proxy functions in a network:

📘

This graphic does not illustrate how SIA Proxy behaves when it's configured on a network with an on-premises proxy.

The corporate resolver forwards requests to SIA. Requests are forwarded to the SIA network in the closest geographical region. When Selective Proxy is set as the operating mode or as the mode for mobile traffic in a policy, SIA DNS directs requests to SIA Proxy. The IP address of the SIA proxy server is then cached in the resolver and all suspicious traffic is forwarded to the proxy.

With the selective proxy, SIA Threat Intelligence detects that a domain contains a suspicious URL. Traffic to risky domains is sent to SIA Proxy. However, only specific known threat URLs are blocked, monitored, or analyzed in accordance with the established policy. If a website is not a suspected threat or its category is assigned the Bypass action, it bypasses the proxy. For example, in the graphic above, the safe website is not inspected by the SIA proxy and the request is resolved.

A number of checks are performed to determine how suspicious traffic is handled:

  • SIA confirms that the request comes from an IP address that is registered as a location for your organization. If the IP address is unknown, the request is dropped.

  • If the IP address is known, the destination port is checked to confirm that port 443 or 80 is used. If these ports are not used, traffic is dropped.

  • For port 443, the TLS Server Name Indication (SNI) value is extracted and SIA connects to the origin server with that hostname.

  • For port 80, traffic is likely HTTP. SIA extracts the hostname from the Host header in the HTTP request.

  • If the hostname cannot be extracted or identified, the end user is shown an error page.
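The checks above can be modeled as one ordered decision function. This is an added Python example, not SIA's own code: the action names, `LOCATIONS`, `SAMPLE_HELLO` and all function names are assumptions, and the SNI parser assumes the ClientHello arrives in a single TLS record.

```python
import ipaddress
import struct

LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed: registered locations
# Constructed ClientHello: TLS 1.2 framing, one cipher suite, SNI "example.com".
SAMPLE_HELLO = (bytes.fromhex("16030100430100003f0303") + bytes(32)
                + bytes.fromhex("00000213010100001400000010000e00000b") + b"example.com")

def sni_from_client_hello(data: bytes):
    """Return server_name from the first TLS record (a ClientHello), else None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:        # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                          # headers, version, random
        pos += 1 + data[pos]                          # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]                          # compression_methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:                         # server_name: list_len, type, len, name
                name_type, name_len = struct.unpack_from("!BH", data, pos + 2)
                name = data[pos + 5:pos + 5 + name_len]
                ok = name_type == 0 and name_len > 0 and len(name) == name_len
                return name.decode("ascii").lower() if ok else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                          # truncated or malformed input
    return None

def host_from_http(data: bytes):
    """Return the Host header value without port, else None (IPv6 literals not handled)."""
    for line in data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("latin-1").split(":")[0].lower() or None
    return None

def handle(src_ip: str, dst_port: int, first_bytes: bytes):
    """Apply the page's checks in order; return (action, hostname)."""
    if not any(ipaddress.ip_address(src_ip) in net for net in LOCATIONS):
        return ("drop", None)                         # unknown location
    if dst_port not in (80, 443):
        return ("drop", None)                         # only 80 and 443 are handled
    extract = sni_from_client_hello if dst_port == 443 else host_from_http
    host = extract(first_bytes)
    return ("proceed", host) if host else ("error_page", None)
```

A ClientHello without a server_name extension, or an HTTP request without a Host header, lands on the error-page path rather than being dropped.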

📘

If your network already contains an on-premises proxy, the SIA proxy can work with the internal proxy without requiring significant changes to your network. For more information, see Support of an on-premises HTTP forward proxy.