A policy is a group of settings that define how Enterprise Threat Protector (ETP) handles known or suspected threat events and access control events. You assign a policy to a location or sub-location. A location is a region or geographic area in your network such as a corporate field office. You can assign a different policy to each location or sub-location, or you can assign multiple locations to the same policy. You cannot assign more than one policy to a location or sub-location.

To configure a policy, you must be an ETP super administrator, delegated administrator, or a tenant administrator. If you are a delegated or tenant administrator, you can modify the policy you created or the policies that you are allowed to access.

In a policy configuration, you define the policy action and the response to users. You can also select whether alerts about threats are sent. The Threat tab allows you to select an action and response based on a threat category or type, while the Custom Lists tab allows you to set these settings for a custom, top-level domains, exception, and file hash list. In a custom list, you identify known and suspected domains and IP addresses. You can add or remove a list from a policy. For more information on threat categories, see Threat categories. For more information on custom lists, see Lists.

A policy is also where you configure access control settings, including application visibility and control (AVC) and data loss prevention (DLP). AVC allows you to control access to websites, web applications, and the specific operations that you can perform in a web application. You can design a policy that is based on risk level, categories, category operations, applications, application operations, and more. For more information, see Application visibility and control.

For DLP, you can associate a DLP dictionary to a policy to identify sensitive information that users upload. You can select to block or monitor this data. For more information, see Data loss prevention.

If your organization is participating in the data loss prevention (DLP) beta, you can associate a DLP dictionary to a policy to identify sensitive information that users upload. You can select to block or monitor this data. For more information, see Data loss prevention.

When creating or modifying a policy, an administrator can select a template to help define policy actions for threat categories in the Threat tab. You can use a security template as a starting point to your configuration. For more information, see Security templates.

A policy is also where you enable these features:
  • SafeSearch. SafeSearch allows you to block or prohibit adult and explicit content from Google and Bing search results. For more information, see SafeSearch and YouTube Restricted Mode.
  • YouTube Restricted Mode. You can restrict access to YouTube video content. For more information, see SafeSearch and YouTube Restricted Mode.
  • ETP Proxy. You can enable ETP Proxy to direct traffic to an HTTP or HTTPS proxy that intercepts and inspects HTTP requests. For more information, see ETP Proxy.
  • Proxy Authorization. Allows ETP Proxy to authorize connections from the on-premises proxy. ETP Proxy extracts the Proxy-Authorization header from the request. This header contains credentials that are used to authenticate the on-premises proxy to ETP Proxy. You configure proxy credentials both in ETP and in the on-premises proxy. For more information on proxy authorization, see Proxy authorization.
  • Origin ports. You can configure the origin ports or port ranges that you want to open for the full web proxy. By default, ETP allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
  • Bypass Microsoft 365 traffic. Allows you to quickly resolve requests to Microsoft apps and services, such as Microsoft office apps, Outlook, cloud storage, and more. This setting securely retrieves the domains and IP addresses associated with these apps and services from Microsoft to bypass ETP Proxy scanning. This setting provides optimal routing to these websites. For more information, see Bypass Microsoft 365 traffic.
  • Unverifiable origin certificates. You can configure how ETP Proxy handles requests when it cannot verify the website’s origin certificates. For more information, see Unverifiable origin certificates.
  • Overwrite Device Proxy Settings. You can select to modify the local web proxy settings on the user’s machine and in turn, enable ETP Client as the local web proxy. You can choose to modify or not modify these settings, or you can only modify these settings when no web proxy is configured on the user’s machine. If ETP Client acts as the local web proxy, it forwards all traffic to ETP Proxy. For more information, see ETP Client for web traffic
  • Full Web Proxy. If your network includes an on-premises proxy or you’ve installed ETP Client on end user machines, you can forward all web traffic to ETP Proxy for analysis. Your organization must be licensed for ETP Advanced Threat. For more information, see Full web proxy.
  • Block incompatible domains. You can block domains that are not compatible with the TLS MITM certificate you generated or uploaded to ETP for the proxy. For more information, see Allow or block domains incompatible with TLS MITM certificate.
  • Local Breakout for Bypass Domains. Disable this option if your network does not have a direct route to the Internet and it cannot access domains that are configured in ETP for bypass. When disabled, ETP directs these domains to the origin. For more information, see Local breakout for bypass domains.
    Note: This feature is currently in beta. To participate in the beta, contact your Akamai representative.
  • Inline Payload Analysis. If ETP Proxy is enabled and your enterprise is enabled for ETP Advanced Threat, you can also choose to inspect the payload or content of a website or file sharing service. Multiple antivirus engines are used to scan content and identify threats. This option scans files up to 5 MB in size. For more information, see Inline payload analysis.

    This feature also allows ETP to analyze requested webpages and determine if the page was built with a phishing toolkit. For more information, see Zero-day phishing detection.

  • Block Unscannable Files. As part of inline payload analysis, you can block files that ETP Proxy cannot scan such as encrypted or compressed files. By default, this option is disabled.
  • Dynamic and static malware analysis. Configure ETP to scan files that are larger than 5 MB in size. You can configure ETP to perform static malware analysis offline or after a file that’s 5 MB to 2 GB in size is downloaded to the user’s browser. Static malware analysis scans content without executing or running it. If you enable dynamic malware analysis, files that are up to 64 MB in size are scanned in a secure sandbox box environment. To enable dynamic malware analysis, your organization must be licensed for both Advanced Threat and the Advanced Sandbox module. For more information, see Static malware analysis of large files and Dynamic malware analysis.
  • Forward Public IP to Origin. This setting forwards the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients.
  • Authentication Mode. You can require that users authenticate to access a website, web application, and more. For example, with AVC, you can configure authentication to access blocked websites in an acceptable use policy or custom list. You can also require that users authenticate to bypass DLP scanning for document or text uploads. If you require authentication or make authentication optional, you must select an identity provider. For more information, see Authentication policy.
  • User and group-based policy. While you can require that all users and groups in your Active Directory or directory service authenticate to access a website or web application, you can also provide access to only specific users and groups. For more information, see Acceptable use policy and User authentication and group policies.
Note: To encrypt DNS requests, Mozilla Firefox enables DNS over HTTPS (DoH). However, this feature causes traffic to bypass ETP. To avoid interfering with your network security solutions, Firefox checks to see whether a DNS filtering solution is already in place by requesting the canary domain use-application-dns.net. ETP responds with a NXDOMAIN to signal that this feature is not needed in your corporate network. For more information on Firefox and DoH, see this Mozilla knowledge base article.

An enterprise can create a maximum of 100 policies. If your organization requires more policies, contact your Akamai representative.