Policies

A policy is a group of settings that define how Enterprise Threat Protector (ETP) handles known or suspected threat events and acceptable use policy (AUP) events. You assign a policy to a location. A location is a region or geographic area in your network such as a corporate field office. You can assign a different policy to each location or you can assign multiple locations to the same policy. You cannot assign more than one policy to a location.

To configure a policy, you must be an ETP super administrator, delegated administrator, or a tenant administrator. If you are a delegated or tenant administrator, you can modify the policy you created or the policies that you are allowed to access.

In a policy configuration, you define the policy action and the response to users. You can also select whether alerts about threats are sent. The Threat tab allows you to select an action and response based on a threat category or type, while the Custom Lists tab allows you to set these settings for a custom list, a top-level domain list, an exception list, and a file hash list. In a custom list, you identify known and suspected domains and IP addresses. You can add or remove a list from a policy. For more information on threat categories, see Threat categories. For more information on custom lists, see Custom lists.

If your organization is participating in the data loss prevention (DLP) beta, you can associate a DLP dictionary to a policy to identify sensitive information that users upload. You can select to block or monitor this data. For more information, see Data loss prevention.

When creating or modifying a policy, an administrator can select a template to help define policy actions for threat categories in the Threat tab. You can use a security template as a starting point to your configuration. For more information, see Security templates.

A policy is also where you enable these features:
  • SafeSearch. SafeSearch allows you to block or prohibit adult and explicit content from Google and Bing search results. For more information, see SafeSearch and YouTube Restricted Mode.
  • YouTube Restricted Mode. You can restrict access to YouTube video content. For more information, see SafeSearch and YouTube Restricted Mode.
  • ETP Proxy. You can enable ETP Proxy to direct traffic to an HTTP or HTTPS proxy that intercepts and inspects HTTP requests. For more information, see Enterprise Threat Protector Proxy.
  • Proxy Authorization. Allows ETP Proxy to authorize connections from the on-premises proxy. ETP Proxy extracts the Proxy-Authorization header from the request. This header contains credentials that are used to authenticate the on-premises proxy to ETP Proxy. You configure proxy credentials both in ETP and in the on-premises proxy. For more information on proxy authorization, see Proxy authorization.
  • Origin ports. You can configure the origin ports or port ranges that you want to open for the full web proxy. By default, ETP allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
  • Optimize Microsoft 365 traffic. Allows you to quickly resolve requests to Microsoft apps and services, such as Microsoft Office apps, Outlook, cloud storage, and more. This setting securely retrieves the domains and IP addresses associated with these apps and services from Microsoft to bypass ETP Proxy scanning. This setting provides optimal routing to these websites. For more information, see Optimize Microsoft 365 traffic.
  • Unverifiable origin certificates. You can configure how ETP Proxy handles requests when it cannot verify the website’s origin certificates. For more information, see Unverifiable origin certificates.
  • ETP Client machine as a web proxy. You can select to modify the local web proxy settings on the user’s machine and in turn, enable ETP Client as the local web proxy. You can choose to modify or not modify these settings, or you can modify these settings only when no web proxy is configured on the user’s machine. If ETP Client acts as the local web proxy, it forwards all traffic to ETP Proxy. For more information, see ETP Client for web traffic.
  • Full Web Proxy. If your network includes an on-premises proxy or you’ve installed ETP Client on end user machines, you can forward all web traffic to ETP Proxy for analysis. Your organization must be licensed for ETP Advanced Threat. For more information, see Full web proxy.
  • Block incompatible domains. You can block domains that are not compatible with the TLS MITM certificate you generated or uploaded to ETP for the proxy. For more information, see Allow or block domains incompatible with TLS MITM certificate.
  • Default action for unclassified traffic or when no action is assigned to an AUP category. You can select the default action that’s applied to unclassified traffic or to an AUP category when no action is assigned to a category. Unclassified traffic is traffic that is not known by ETP Threat Intelligence and is not associated with any list in ETP such as an AUP, custom list, or a threat category. You can select from a Bypass, Classified, or Block - Error Page action. For more information, see Default action.
  • Inline Payload Analysis. If ETP Proxy is enabled and your enterprise is enabled for ETP Advanced Threat, you can also choose to inspect the payload or content of a website or file sharing service. Multiple antivirus engines are used to scan content and identify threats. This option scans files up to 5 MB in size. For more information, see Inline payload analysis.

    This feature also allows ETP to analyze requested webpages and determine if the page was built with a phishing toolkit. For more information, see Zero-day phishing detection.

  • Dynamic and static malware analysis. Configure ETP to scan files that are larger than 5 MB in size. You can configure ETP to perform static malware analysis offline or after a file that’s 5 MB to 2 GB in size is downloaded to the user’s browser. Static malware analysis scans content without executing or running it. If you enable dynamic malware analysis, files that are up to 64 MB in size are scanned in a secure sandbox environment. To enable dynamic malware analysis, your organization must be licensed for both Advanced Threat and the Advanced Sandbox module. For more information, see Static malware analysis of large files and Dynamic malware analysis.
  • Forward Public IP to Origin. This setting forwards the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients.
  • Authentication Mode. You can require that users authenticate when accessing websites that are allowed in an acceptable use policy. If you require authentication or make authentication optional, you must select an identity provider. For more information, see Authentication policy.
  • User and group-based policy for AUP. While you can require that all users and groups in your Active Directory or directory service authenticate to access a website in an AUP, you can also provide access to only specific users and groups. For more information, see Acceptable use policy and User authentication and group policies.
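The proxy authorization and origin port settings in the list above decide two things before any content is inspected: whether ETP Proxy accepts the connection from the on-premises proxy at all, and whether the requested destination port is one the policy opens. The Python below is an added illustration of those two checks written as a small policy evaluator for CONNECT requests; it is not Akamai's code. The default port list is the one stated on the page, while the credential store, the `evaluate_connect` function, the sample requests and the status codes chosen for each outcome are assumptions made for this example.

```python
"""
Added example (not Akamai's code): a minimal policy check modelled on the
ETP Proxy settings "Proxy Authorization" and "Origin ports". The credential
store, sample requests and status codes are constructed for illustration.
"""
from __future__ import annotations

import base64
import hmac
from typing import Optional

# Default origin ports stated on the page, in the notation an administrator
# would type: ranges as "a-b", single ports as "n".
DEFAULT_ORIGIN_PORTS = "80-84,443,4443,8080,8443,8888"

# Constructed credential store: on-premises proxy username -> configured
# password. In a real deployment this comes from the policy configuration.
PROXY_CREDENTIALS = {"branch-proxy-01": "correct horse battery staple"}


def parse_port_list(spec: str) -> set[int]:
    """Expand "80-84,443" into {80, 81, 82, 83, 84, 443}; reject bad entries."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start, end = int(lo), int(hi or lo)
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(start, end + 1))
    return ports


def basic_header(user: str, password: str) -> str:
    """Build the value the on-premises proxy sends in Proxy-Authorization."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_proxy_authorization(header: Optional[str]) -> bool:
    """Validate 'Proxy-Authorization: Basic <base64(user:password)>'.

    The password comparison is constant-time so a wrong password cannot be
    told apart from a wrong username by response timing.
    """
    if not header:
        return False
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = PROXY_CREDENTIALS.get(user, "")
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())


def evaluate_connect(request_line: str, headers: dict[str, str],
                     allowed_ports: set[int]) -> tuple[int, str]:
    """Decide how the proxy answers a CONNECT request (assumed status codes).

    407 when authorization is missing or wrong, 403 when the origin port is
    outside the policy's allow-list, 400 for a malformed line, 200 otherwise.
    """
    if not check_proxy_authorization(headers.get("Proxy-Authorization")):
        return 407, "Proxy Authentication Required"
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return 400, "Bad Request"
    host, _, port_text = parts[1].rpartition(":")
    if not host or not port_text.isdigit():
        return 400, "Bad Request"
    port = int(port_text)
    if port not in allowed_ports:
        return 403, f"origin port {port} not permitted by policy"
    return 200, "Connection Established"


if __name__ == "__main__":
    allowed = parse_port_list(DEFAULT_ORIGIN_PORTS)
    good = basic_header("branch-proxy-01", "correct horse battery staple")
    samples = [  # constructed requests
        ("CONNECT example.com:443 HTTP/1.1", {"Proxy-Authorization": good}),
        ("CONNECT example.com:443 HTTP/1.1", {}),
        ("CONNECT example.com:9443 HTTP/1.1", {"Proxy-Authorization": good}),
    ]
    for line, hdrs in samples:
        print(line, "->", evaluate_connect(line, hdrs, allowed))
```

Running the module shows the three outcomes an administrator will see in practice: a well-formed, authorized request to port 443 is accepted, the same request without credentials is challenged, and an authorized request to a port outside the default list is refused until that port is added to the policy's origin ports.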

Note: To encrypt DNS requests, Mozilla Firefox enables DNS over HTTPS (DoH). However, this feature causes traffic to bypass ETP. To avoid interfering with your network security solutions, Firefox checks whether a DNS filtering solution is already in place by requesting the canary domain use-application-dns.net. ETP responds with an NXDOMAIN to signal that this feature is not needed in your corporate network. For more information on Firefox and DoH, see this Mozilla knowledge base article.
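The canary check in the note above is an ordinary DNS lookup whose response code is what matters: NXDOMAIN keeps DoH off, anything else lets Firefox consider enabling it and routing DNS around ETP. The Python below is an added example, not Mozilla's or Akamai's code, that builds the query for use-application-dns.net and interprets the response code, so an administrator can verify from a client on the network that the resolver behaves as the note describes. The NXDOMAIN response bytes are constructed inline for the offline demonstration; the resolver address passed to `live_check` is an assumption the caller supplies.

```python
"""
Added example (not Mozilla's or Akamai's code): build the DNS query Firefox
sends for the canary domain use-application-dns.net and classify the RCODE
of the answer. The sample NXDOMAIN response is constructed here.
"""
from __future__ import annotations

import socket
import struct

CANARY = "use-application-dns.net"
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id for the constructed exchange


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending with a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = TXID) -> bytes:
    """Standard recursive A query (QTYPE=1, QCLASS=IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_rcode(response: bytes, expected_txid: int | None = None) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F


def canary_verdict(response: bytes, expected_txid: int | None = None) -> str:
    """Translate the response code into what it means for Firefox DoH."""
    rcode = parse_rcode(response, expected_txid)
    name = RCODE_NAMES.get(rcode, str(rcode))
    if rcode == 3:
        return f"{name}: Firefox keeps DoH disabled on this network"
    return f"{name}: canary resolved, Firefox may enable DoH and bypass DNS filtering"


def make_nxdomain_response(query: bytes) -> bytes:
    """Constructed resolver answer: echo the question, set QR|RD|RA, RCODE=3."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + query[12:]


def live_check(resolver_ip: str, timeout: float = 2.0) -> str:
    """Send the real query over UDP/53 to a resolver the caller names."""
    query = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return canary_verdict(data, expected_txid=TXID)


if __name__ == "__main__":
    # Offline demonstration against the constructed NXDOMAIN answer.
    q = build_query(CANARY)
    print(canary_verdict(make_nxdomain_response(q), expected_txid=TXID))
    # To test the resolver actually configured on a client, call
    # live_check("<your resolver ip>") from that machine.
```

A positive result from `live_check` means the resolver on that client returns NXDOMAIN for the canary, which is the behaviour the note attributes to ETP; a NOERROR result indicates the client is using a resolver that does not implement the canary, and its Firefox installations may switch to DoH and skip ETP's DNS protection.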