ETP Secure Web Gateway
You can configure cloud ETP Proxy as a Secure Web Gateway (SWG) that performs URL filtering, anti-malware scanning, and applies acceptable use policies to each user. To do this, you’ll need to send all web traffic to ETP Proxy.
- Proxy chaining. Directs all HTTP and HTTPS traffic from your organization’s on-premises proxy to ETP Proxy. As part of this feature, you enable specific settings in a policy and configure your on-premises proxy to forward traffic to ETP. For more information, see Proxy chaining.
- ETP Client. ETP Client 3.0.4 or later allows you to forward web traffic from user machines to ETP. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy. Depending on your ETP license, you can also configure ETP Client to forward only DNS and risky web traffic. For more information, see ETP Client.
- Decrypt TLS traffic with trusted certificate. ETP Proxy uses a man-in-the-middle (MITM) certificate authority (CA) TLS certificate to generate and sign origin certificates for HTTP or HTTPS websites. You must generate an Akamai certificate or upload a certificate signed by your company’s CA. For enterprise client computers to accept and trust these certificates, the trusted MITM CA root certificate must be deployed on all enterprise devices and TLS clients. For more information, see ETP Proxy as a TLS intermediary.
- User Authentication. You can
define the users or user groups that can access websites or web applications after they
authenticate. You can require that users authenticate before accessing a website or web
application, or you can make authentication optional. Optional authentication may be a
useful recovery mode for users who are unable to authenticate. For more information, see
User authentication and group policies.To implement authentication, you must also set up:
- Identity providers. A service that creates, manages, and saves user and group identity information for authentication. You can create an identity provider (IdP) or integrate a third-party IdP such as Okta, Microsoft Azure AD, and Active Directory Federation Services (AD FS). In an IdP configuration, you can enable multi-factor authentication, define session settings, design the login page, and more. For more information on identity providers, see Identity providers.
- Directories. A service
that your enterprise uses to manage users and user groups. You must associate a
directory to an IdP. The following directory services are supported:
- Active Directory
- Lightweight Directory Access Protocol (LDAP)
- Active Directory Lightweight Directory Services (AD LDS)
ETP also offers Cloud Directory, an internal directory that you can use for testing purposes until an identity provider is fully deployed. For more information, see Directories.
- Identity connectors. An identity connector is a virtual appliance that you download in ETP and deploy behind the firewall in your data centers or hybrid cloud environments. You associate an identity connector to a directory. It allows ETP to synchronize with your directory service inside your data center. For more information, see Identity connectors.
- Scan unclassified traffic. In
a policy, you can define an action for unclassified domains. Unclassified domains do not
appear in any ETP list, such as a threat category list, custom lists, or the acceptable
use policy (AUP). If the Classify action is selected for unclassified traffic, ETP Proxy
scans and analyzes these domains. After this analysis is completed, the traffic is
assigned a category and a corresponding policy action.
Depending on your organization’s requirements, you can use this feature to implement a strict policy. For example, if you select the block action and choose to block all threat categories, you can create a walled garden where only trusted traffic is allowed in your network. For more information, see Default action.
- Inline payload analysis. Allows ETP to scan files or website content before end users see the downloaded content. In ETP, this action is available for files that do not exceed 5 MB. For more information, see Inline payload analysis.
- Static malware analysis for large files. Allows ETP to scan files that are 5 MB to 2 GB in size. ETP scans these files after they are downloaded. If ETP detects malware, a threat event is reported. In the ETP threat event on the Threat Events report, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files. For more information, see Static malware analysis of large files.
- Dynamic malware analysis in a Sandbox environment. Scans files in
a secure sandbox environment that’s isolated from your network. In this environment, files
are executed and analyzed to determine whether malicious code or activity is detected.
- Analyzes files that are up to 64 MB in size.
- Automatically scans files offline (after they are downloaded).
- Publishes a deep scan report in ETP when it detects a threat. You can download the report in PDF format from the corresponding event in ETP.
To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox. For more information, see Dynamic malware analysis.
- DNS Activity. Shows data on DNS traffic that’s directed to ETP or
ETP Proxy. This report allows you to:
- Investigate suspicious activity.
- Review requests made to a specific domain.
- Check activity from a specific client internal IP address or machine name.
- Troubleshoot a failed request based on connection ID or client request ID.
- Proxy Activity. Shows the traffic that’s directed to ETP Proxy. This report can show the requested domain, internal IP address of the user’s machine, the username of the user who made the request, the action that was applied to traffic, and more.
These reports are available to super administrators and users who are assigned the etpRestrictedPageViewRole role permission. For more information, see Enterprise Threat Protector roles.