ETP Secure Web Gateway

You can configure cloud ETP Proxy as a Secure Web Gateway (SWG) that performs URL filtering, anti-malware scanning, and applies acceptable use policies to each user. To do this, you’ll need to send all web traffic to ETP Proxy.

The full web proxy is available with these features:
  • Proxy chaining. Directs all HTTP and HTTPS traffic from your organization’s on-premises proxy to ETP Proxy. As part of this feature, you enable specific settings in a policy and configure your on-premises proxy to forward traffic to ETP. For more information, see Proxy chaining.
  • ETP Client. ETP Client 3.0.4 or later allows you to forward web traffic from user machines to ETP. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy. Depending on your ETP license, you can also configure ETP Client to forward only DNS and risky web traffic. For more information, see ETP Client.
With the full web proxy, you can further use these features to secure website access and prevent users from accessing malicious content.
  • Decrypt TLS traffic with trusted certificate. ETP Proxy uses a man-in-the-middle (MITM) certificate authority (CA) TLS certificate to generate and sign origin certificates for HTTP or HTTPS websites. You must generate an Akamai certificate or upload a certificate signed by your company’s CA. For enterprise client computers to accept and trust these certificates, the trusted MITM CA root certificate must be deployed on all enterprise devices and TLS clients. For more information, see ETP Proxy as a TLS intermediary.
  • User Authentication. You can define the users or user groups that can access websites in an acceptable use policy (AUP) after they authenticate. You can require that users authenticate before accessing a website or you can make authentication optional. Optional authentication may be a useful recovery mode for users who are unable to authenticate. For more information, see User authentication and group policies.
    To implement authentication, you must also set up:
    • Identity providers. A service that creates, manages, and saves user and group identity information for authentication. You can create an identity provider (IdP) or integrate a third-party IdP such as Okta, Microsoft Azure AD, or Active Directory Federation Services (AD FS). In an IdP configuration, you can enable multi-factor authentication, define session settings, design the login page, and more. For more information on identity providers, see Identity providers.
    • Directories. A service that your enterprise uses to manage users and user groups. You must associate a directory with an IdP. The following directory services are supported:
      • Active Directory
      • Lightweight Directory Access Protocol (LDAP)
      • Active Directory Lightweight Directory Services (AD LDS)

      ETP also offers Cloud Directory, an internal directory that you can use for testing purposes until an identity provider is fully deployed. For more information, see Directories.

    • Identity connectors. An identity connector is a virtual appliance that you download in ETP and deploy behind the firewall in your data centers or hybrid cloud environments. You associate an identity connector with a directory. It allows ETP to synchronize with the directory service inside your data center. For more information, see Identity connectors.
  • Scan unclassified traffic. In a policy, you can define an action for unclassified domains. Unclassified domains do not appear in any ETP list, such as a threat category list, custom lists, or the acceptable use policy (AUP). If the Classify action is selected for unclassified traffic, ETP Proxy scans and analyzes these domains. After this analysis is completed, the traffic is assigned a category and a corresponding policy action.

    Depending on your organization’s requirements, you can use this feature to implement a strict policy. For example, if you select the block action and choose to block all threat categories, you can create a walled garden where only trusted traffic is allowed in your network. For more information, see Default action.

  • Inline payload analysis. Allows ETP to scan files or website content before end users see the downloaded content. In ETP, this action is available for files that do not exceed 5 MB. For more information, see Inline payload analysis.
  • Static malware analysis for large files. Allows ETP to scan files that are 5 MB to 2 GB in size. ETP scans these files after they are downloaded. If ETP detects malware, a threat event is reported. In the ETP threat event on the Threat Events report, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files. For more information, see Static malware analysis of large files.
  • Dynamic malware analysis in a Sandbox environment. Scans files in a secure sandbox environment that’s isolated from your network. In this environment, files are executed and analyzed to determine whether malicious code or activity is detected. This feature:
    • Analyzes files that are up to 64 MB in size.
    • Automatically scans files offline (after they are downloaded).
    • Publishes a deep scan report in ETP when it detects a threat. You can download the report in PDF format from the corresponding event in ETP.

    To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox. For more information, see Dynamic malware analysis.
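The three payload-analysis features above have different size limits and each depends on settings in the same policy. The following Python module is an added example, not ETP code or an ETP API: it encodes the limits and dependencies stated above (inline up to 5 MB; static for 5 MB to 2 GB when Allow and Scan is selected; dynamic up to 64 MB when Dynamic Analysis is also enabled) so a policy can be checked for scanning gaps before it is rolled out. The `PayloadPolicy` names and the assumption that dynamic analysis applies to any file up to 64 MB once all three settings are enabled are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass

MB = 1024 * 1024
GB = 1024 * MB

INLINE_MAX = 5 * MB     # inline payload analysis: files that do not exceed 5 MB
STATIC_MAX = 2 * GB     # static malware analysis: 5 MB to 2 GB, scanned after download
DYNAMIC_MAX = 64 * MB   # dynamic (sandbox) analysis: files up to 64 MB


@dataclass(frozen=True)
class PayloadPolicy:
    """Hypothetical model of the three policy settings discussed above."""
    inline_payload_analysis: bool = False
    allow_and_scan_large_files: bool = False
    dynamic_analysis: bool = False


def scans_for_file(size_bytes: int, policy: PayloadPolicy) -> list[str]:
    """Return the analysis stages that apply to a download of this size.

    Stages are returned in the order they happen: "inline" before the user
    receives the file, "static" and "dynamic" after the download completes.
    """
    if size_bytes < 0:
        raise ValueError("size_bytes must be non-negative")
    # Every stage depends on Inline Payload Analysis being enabled.
    if not policy.inline_payload_analysis:
        return []
    stages: list[str] = []
    if size_bytes <= INLINE_MAX:
        stages.append("inline")
    elif size_bytes <= STATIC_MAX and policy.allow_and_scan_large_files:
        stages.append("static")
    # Assumption (not stated on the page): the sandbox sees any file up to
    # 64 MB once inline, Allow and Scan, and Dynamic Analysis are all enabled.
    if (policy.allow_and_scan_large_files
            and policy.dynamic_analysis
            and size_bytes <= DYNAMIC_MAX):
        stages.append("dynamic")
    return stages


def policy_gaps(policy: PayloadPolicy) -> list[str]:
    """Describe which downloads a policy leaves unscanned, for review."""
    gaps: list[str] = []
    if not policy.inline_payload_analysis:
        return ["no payload analysis at all: Inline Payload Analysis is disabled"]
    if not policy.allow_and_scan_large_files:
        gaps.append("files over 5 MB receive no static or dynamic analysis")
    elif not policy.dynamic_analysis:
        gaps.append("no sandbox (dynamic) analysis for files up to 64 MB")
    gaps.append("files over 2 GB are never scanned")
    return gaps


if __name__ == "__main__":
    full = PayloadPolicy(True, True, True)
    for size in (1 * MB, 5 * MB, 5 * MB + 1, 64 * MB, 64 * MB + 1, 2 * GB + 1):
        print(f"{size:>12} bytes -> {scans_for_file(size, full)}")
    print(policy_gaps(PayloadPolicy(True, False, False)))
```

Use `scans_for_file` with the exact boundary sizes (5 MB, 5 MB plus one byte, 64 MB, 2 GB) when reviewing a policy, since those are the values where a file silently moves from one stage to another or out of scanning altogether.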

ETP includes reports where you can view detailed information about traffic, such as:
  • DNS Activity. Shows data on DNS traffic that’s directed to ETP or ETP Proxy. This report allows you to:
    • Investigate suspicious activity.
    • Review requests made to a specific domain.
    • Check activity from a specific client internal IP address or machine name.
    • Troubleshoot a failed request based on connection ID or client request ID.
  • Proxy Activity. Shows the traffic that’s directed to ETP Proxy. This report can show the requested domain, internal IP address of the user’s machine, the username of the user who made the request, the action that was applied to traffic, and more.

These reports are available to super administrators and users who are assigned the etpRestrictedPageViewRole role permission. For more information, see Enterprise Threat Protector roles.
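The Proxy Activity report lists the requested domain, the internal IP address, the username, and the applied action, and the DNS Activity report lets you look up a failed request by connection ID. The Python below is an added example of triaging an exported copy of such a report offline; it is not ETP code, and the CSV column layout, the sample rows, the `c-1001` style connection IDs and the helper names are all constructed for this example (ETP's real export format is not described on this page). The row with an empty username stands for a request made under optional authentication.

```python
from __future__ import annotations

import csv
import io
from collections import Counter

# Constructed sample in a hypothetical export layout; not ETP's actual format.
SAMPLE_EXPORT = """\
time,internal_ip,username,domain,action,connection_id
2024-05-01T09:00:01Z,10.1.2.3,alice,intranet.example.com,allow,c-1001
2024-05-01T09:00:05Z,10.1.2.3,alice,files.example.net,block,c-1002
2024-05-01T09:01:10Z,10.1.2.7,bob,files.example.net,block,c-1003
2024-05-01T09:02:30Z,10.1.2.7,bob,cdn.example.org,allow,c-1004
2024-05-01T09:03:00Z,10.1.2.9,,unclassified.example,classify,c-1005
"""


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse a CSV export into one dict per request, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def requests_for_client(rows, *, username: str | None = None,
                        internal_ip: str | None = None) -> list[dict[str, str]]:
    """All requests from one user or one internal IP, in export order.

    Matching on internal IP covers unauthenticated requests, which carry
    no username when authentication is optional.
    """
    if username is None and internal_ip is None:
        raise ValueError("give a username or an internal_ip to search for")
    return [r for r in rows
            if (username is None or r["username"] == username)
            and (internal_ip is None or r["internal_ip"] == internal_ip)]


def blocked_domains(rows) -> dict[str, int]:
    """How often each domain was blocked; useful for spotting repeat hits."""
    return dict(Counter(r["domain"] for r in rows if r["action"] == "block"))


def users_blocked_on(rows, domain: str) -> list[str]:
    """Distinct authenticated users that were blocked on a domain."""
    users = {r["username"] for r in rows
             if r["domain"] == domain and r["action"] == "block" and r["username"]}
    return sorted(users)


def find_connection(rows, connection_id: str) -> dict[str, str] | None:
    """Look up a single request by its connection ID when troubleshooting."""
    for r in rows:
        if r["connection_id"] == connection_id:
            return r
    return None


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("blocked domains:", blocked_domains(rows))
    print("blocked on files.example.net:", users_blocked_on(rows, "files.example.net"))
    print("c-1005:", find_connection(rows, "c-1005"))
    print("from 10.1.2.9:", requests_for_client(rows, internal_ip="10.1.2.9"))
```

Because the report fields above are all attributes of the request rather than of the user, the same functions work on unauthenticated traffic as long as you search by internal IP; when a username is empty, the internal IP address and machine name are the only way to tie a blocked request back to a device.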