Application visibility and control
- ETP DNS. If ETP Proxy is not enabled, you can still control access to applications based on the application’s domain and IP address.
- ETP Secure Web Gateway. If ETP Proxy is enabled and configured as a full web proxy, you can control access to applications based on URLs, domains, IP addresses, and other attributes.

- Default action.
Defines the action for traffic that’s not classified by ETP or found in any ETP
list such as a custom list, AUP category, or ETP Threat Intelligence. If no
specific action is defined in the policy for traffic, the default action is
applied.The policy action you select also determines configuration of the proxy:
- Bypass. Indicates that traffic bypasses ETP Proxy
and is directed to the origin. However, if ETP detects that this
traffic is risky, it’s directed to ETP Proxy for analysis.
This option enables the selective proxy.
- Classify. Indicates that traffic is directed to ETP
Proxy where it's analyzed and assigned a category. ETP Proxy applies
a policy action based on the assigned category.
This option enables the full web proxy.
- Block - Error Page. Indicates that traffic is blocked and users are shown an error.
Note: If your organization is not participating in the AVC beta, the default action is in the policy settings area.For more information, see Default action.
- Bypass. Indicates that traffic bypasses ETP Proxy
and is directed to the origin. However, if ETP detects that this
traffic is risky, it’s directed to ETP Proxy for analysis.
- Risk. Defines the
risk levels for a web application. Each level indicates whether the application
is a security risk that can result in a data breach, data loss, or other
threats.
Icon Level Description Critical Indicates the application is known to be malicious and a security risk. Important: As a best practice, make sure you set the critical risk level to the block action.Very High Indicates the application is extremely at risk for data loss or a security breach. These applications allow users to perform high-risk actions such as sending or sharing files and making remote connections that can bypass enterprise security. High Indicates the application is moderately at risk for data loss or a security breach. These applications allow users to create and send data such as documents, multimedia content, emails, messages, voice communications, and more. Medium Indicates the application is slightly at risk for data loss or a security breach. These applications allow users to perform slightly risky actions such as voting, rate scoring, text searches, translation, and more. Low Indicates the application has the lowest amount of risk for data loss or a security breach. These applications allow users to perform low-risk actions such as viewing content, listening to music, downloading files, and more. Unspecified / Unclassified Indicates that no risk level is currently associated with the category. You can click the total number of applications to view a list of applications that are associated with each risk level. You assign a policy action to a risk level. The action you select in this area overrides the default action.
- Category.
Acceptable use policy (AUP) and application categories that you want to assign
to this policy.
You can click the total number of applications to view a list of applications that are associated with each category. You assign a policy action to a category. The action you select in this area overrides the risk level action if there is a conflict.
- Category
operations. Operations for AUP and application categories.
Category operations are detected and shown in a policy if ETP Proxy is enabled
for a policy.
You can click the number of associated applications to view a list of applications that support a particular operation. The configuration you set in this section only applies to applications that support the selected operation. The action you define in this area overrides the category and risk level action if there is a conflict.
- Applications.
Specific web applications as well as the operations that apply to them.
Operations appear for an application as long as the application can be
identified by ETP Proxy and the operation is supported by the application. If
ETP Proxy is not enabled, application operations are not listed. If the
application does not support an operation, it's not listed.
You assign a policy action to a specific application and an application operation. The action or actions you select in this area override the category operations if there is a conflict.
As you define each level in this policy, the detailed levels you configure take precedence over more general settings. For example, the policy action you apply to an application takes precedence over an action that’s applied to its corresponding category or category operation.
The proceeding graphic shows the priority of these components in a policy. The default action is shown as a more general setting that has the least priority as administrators define other levels of the policy. However, the default action applies if there is no configuration in place elsewhere in the policy for traffic.

- If you define a block action to a high risk level and you select an allow action for a high risk category such as Sales and Marketing, web applications in this category are still allowed. The risk level setting still applies for other traffic that's not specifically defined at the category level of the policy.
- If you select the block action to a File Transfer (Collaboration and Online Meetings) category operation and allow the file transfer operation in a specific application such as Slack, the allow action for transferring files to Slack takes precedence over the block action in the category operation.
Policy actions
- Bypass. Traffic bypasses ETP Proxy and is directed to the origin.
- Classify. Traffic is directed to ETP Proxy where it's analyzed and assigned a category. Based on the category, a policy action is applied.
- Monitor. Traffic is allowed and an event is logged.
- Allow. Traffic is allowed and directed to the origin. If ETP Proxy is enabled, this traffic is scanned by the proxy.
- Block - Error Page. Traffic is blocked and users are shown an error page.
Note that not all these actions are available in each area of the policy for AVC.
Also, for some applications, the bypass action may not be available. This occurs if the application cannot be identified by domain and is only detected by ETP Proxy through a URL.
User and group exceptions
If you select the block action in the risk, category, category operations, and applications area, you can define any user or group that are exceptions to the block action.

- An Optional or Required authentication mode is set in the policy. For more information, see Authentication policy
- An identity provider is associated with the policy. As part of an identity provider configuration, you’ll associate the directory that contains users and groups. For more information, see Identity providers.
With this configuration, the selected users and groups can access the content you block.