Configure payload analysis

Before you begin

To set up ETP Proxy, you must create and distribute a certificate to devices and TLS clients in your network. For more information, see ETP Proxy as a TLS intermediary.

If you enable inline payload analysis, you can configure how Enterprise Threat Protector analyzes files and content on websites.

To enable dynamic or static malware analysis for large files, you must be licensed for the Advanced Sandbox module.

How to

  1. In the navigation menu, select Configuration > Policies.
    Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Policies > Policies.
  2. If you are adding a new policy:
    1. On the Policies page, click the plus sign icon.
    2. Enter a name and description for the policy in the Name and Description fields.
    3. To configure a policy with settings from a predefined template, select one of these templates and click Continue:
      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
      • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. It assigns the monitor policy action to all known and suspected threat categories.
      • Custom. Lets you define policy actions for known and suspected threats.
    4. To assign a location, click the link icon, select a location or multiple locations, and click Associate.
  3. If you are modifying an existing policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.
  4. Click the Settings tab.
  5. In the Proxy Settings area, toggle Enable Proxy to on.
  6. If you enabled the proxy and your organization is licensed for Advanced Threat, toggle Enable Inline Payload Analysis to on.
  7. If your organization is enabled for Advanced Sandbox, complete these steps:
    1. For downloads that range from 5 MB to 2 GB in size (large files), select an action. You can select the Block - Error Page, Allow, or Allow and Scan action. For more information, see Static malware analysis of large files.
    2. If you selected the Allow and Scan action for large files, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.
  8. For files that are greater than 2 GB (huge files), select an action. You can select either the Block - Error Page or the Allow action. For more information, see Payload analysis.
  9. In the Threat tab, select policy actions for threat categories. For more information on policy actions, see Policy actions for lists and threat categories.
  10. To assign a list to a policy, see Add a list to a policy.
  11. In the Acceptable Use Policy tab, select the block action for each category or subcategory whose websites you want to block. To allow websites or content in a category or subcategory, make sure the block action is not selected for it.
  12. Click Save.
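The settings in steps 5 through 8 depend on each other: inline payload analysis needs the proxy and the Advanced Threat license, the large-file and dynamic-analysis options need the Advanced Sandbox module, and Dynamic Analysis is only offered when the large-file action is Allow and Scan. The following is an added example, not code from the product or its documentation, that models those dependencies as a policy validator and maps a download size to the setting that governs it. The PayloadPolicy class, the licensing flags, the assumption that 1 MB is 1024 * 1024 bytes, and the treatment of files under 5 MB as the inline tier are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Size thresholds from the procedure: 5 MB to 2 GB is "large", over 2 GB is "huge".
# Assumption: binary units; the procedure does not state the base it uses.
MB = 1024 ** 2
GB = 1024 ** 3
LARGE_FILE_MIN = 5 * MB
LARGE_FILE_MAX = 2 * GB

# Actions the procedure offers for each tier.
LARGE_FILE_ACTIONS = {"Block - Error Page", "Allow", "Allow and Scan"}
HUGE_FILE_ACTIONS = {"Block - Error Page", "Allow"}


@dataclass
class PayloadPolicy:
    """Hypothetical model of the payload-analysis settings on the Settings tab."""
    name: str
    proxy_enabled: bool                 # Enable Proxy toggle
    inline_payload_analysis: bool       # Enable Inline Payload Analysis toggle
    large_file_action: Optional[str] = None   # 5 MB to 2 GB
    dynamic_analysis: bool = False            # Dynamic Analysis toggle
    huge_file_action: Optional[str] = None    # greater than 2 GB
    # Assumed representation of the licensed modules the procedure names.
    licensed_advanced_threat: bool = False
    licensed_advanced_sandbox: bool = False


def validate_policy(p: PayloadPolicy) -> List[str]:
    """Return a list of dependency violations; an empty list means the policy is consistent."""
    problems: List[str] = []
    if p.inline_payload_analysis and not p.proxy_enabled:
        problems.append("Inline Payload Analysis requires Enable Proxy to be on")
    if p.inline_payload_analysis and not p.licensed_advanced_threat:
        problems.append("Inline Payload Analysis requires the Advanced Threat license")
    if (p.large_file_action is not None or p.dynamic_analysis) and not p.licensed_advanced_sandbox:
        problems.append("Large-file and dynamic analysis settings require the Advanced Sandbox module")
    if p.large_file_action is not None and p.large_file_action not in LARGE_FILE_ACTIONS:
        problems.append(f"Unknown large-file action: {p.large_file_action!r}")
    if p.dynamic_analysis and p.large_file_action != "Allow and Scan":
        problems.append("Dynamic Analysis is only available when the large-file action is Allow and Scan")
    if p.huge_file_action is not None and p.huge_file_action not in HUGE_FILE_ACTIONS:
        problems.append(f"Unknown huge-file action: {p.huge_file_action!r}")
    return problems


def classify_download(p: PayloadPolicy, size_bytes: int) -> Tuple[str, str]:
    """Return (tier, governing setting) for a download of the given size.

    Files under 5 MB are treated here as the inline tier (assumption); the two
    larger tiers follow the size ranges stated in the procedure.
    """
    if size_bytes > LARGE_FILE_MAX:
        return ("huge", p.huge_file_action or "unset")
    if size_bytes >= LARGE_FILE_MIN:
        return ("large", p.large_file_action or "unset")
    return ("inline", "inline analysis" if p.inline_payload_analysis else "no analysis")


# Constructed sample policies for demonstration.
STRICT = PayloadPolicy(
    name="strict-sample", proxy_enabled=True, inline_payload_analysis=True,
    large_file_action="Allow and Scan", dynamic_analysis=True,
    huge_file_action="Block - Error Page",
    licensed_advanced_threat=True, licensed_advanced_sandbox=True,
)
# Proxy is off and Dynamic Analysis is on without Allow and Scan: two violations.
INCONSISTENT = PayloadPolicy(
    name="inconsistent-sample", proxy_enabled=False, inline_payload_analysis=True,
    large_file_action="Allow", dynamic_analysis=True,
    licensed_advanced_threat=True, licensed_advanced_sandbox=True,
)

if __name__ == "__main__":
    for policy in (STRICT, INCONSISTENT):
        print(policy.name, validate_policy(policy) or "ok")
    for size in (1 * MB, 100 * MB, 2 * GB, 3 * GB):
        print(size // MB, "MB ->", classify_download(STRICT, size))
```

Running the validator against an exported or hand-built policy before deploying it catches the cases where the interface would simply hide a toggle (for example Dynamic Analysis without Allow and Scan) so the saved policy does not silently differ from what was intended.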

Next steps

Deploy configuration changes to the ETP network. For instructions, see Deploy configuration changes.