Create a policy

While Enterprise Threat Protector (ETP) includes a default policy, you can configure a policy to define how your company handles known or suspected threats.

As a best practice, assign Security Connector to the malware and command and control (C&C) categories. A C&C threat indicates that a user’s machine is already compromised by the time it’s detected. To clean compromised machines, you can use Security Connector to identify infected machines and get the information you need for remediation.

To perform this task, you must be an ETP super administrator, delegated administrator, or a tenant administrator.
Note: A tenant administrator cannot enable the ETP proxy or complete any step related to the proxy.

How to

  1. In the navigation menu, select Configuration > Policies.
    Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Policies > Policies.
  2. On the Policies page, click the plus sign icon.
  3. Enter a name and description for the policy in the Name and Description fields.
  4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:
    • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
    • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
    • Custom. Lets you define policy actions for known and suspected threats.
  5. To assign a location, click the link icon, select a location or multiple locations, and click Associate.
  6. Click the Settings tab.
  7. In the Proxy Settings area:
    1. To enable the ETP proxy, toggle Enable Proxy to on.
    2. To require that ETP Proxy authorizes connections from the on-premises proxy, enable Proxy Authorization. To use this setting, you must configure proxy credentials in ETP and in the on-premises proxy. For more information, see Proxy authorization.
    3. If you want to allow outbound traffic on a new origin port, in the Origin Ports field, enter the port number or port range. Separate each port number or range with a comma. By default, the full web proxy allows outbound traffic to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
    4. If you are configuring proxy chaining or the full web proxy, enable Trust XFF Header. Your organization must be licensed for ETP Advanced Threat.
      Note: The proxy chaining feature is currently in beta. To participate in this beta, contact your Akamai representative.
    5. To change the logging mode for ETP Proxy, click the Proxy Logging Mode menu and select a new logging mode. By default, Level 1 is selected to ensure that detailed data such as response or request headers are logged in HTTP or HTTPS threat events. For more information, see Proxy logging mode.
    6. To optimize traffic to Microsoft 365 apps and services, enable Optimize Microsoft 365 Traffic.
    7. If you want to apply the policy action of a threat category to risky domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C threats), in the Risky Domains menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to risky domains without analysis.
    8. If you want to apply the policy action of a threat category to file sharing domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C threats), in the File Sharing menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to file sharing domains.
      Note: If you block the File Sharing AUP category, the File Sharing field is not available.
    9. To select how requests are handled when ETP Proxy cannot validate a website’s origin certificate, in the Invalid Certificate Response menu, select Block - Error Page to block the request. Otherwise, you can select Bypass to bypass ETP Proxy.
    10. In the Default Action menu, select the action for unclassified traffic and for AUP categories that have no action assigned:
      • If you want traffic to bypass ETP Proxy, select Bypass. If you are licensed for ETP Advanced Threat, this option enables the selective proxy.
      • If you want to classify traffic that is not yet classified by ETP, select Classify. If you are licensed for ETP Advanced Threat, this option enables the full web proxy.
      • If you want to block traffic, select Block - Error Page.
  8. If you want to enable ETP Client as a proxy on the client computer or device, in the Enable ETP Client as Proxy menu, select Yes or Only if there’s no local proxy. Otherwise, you can select No.
  9. If you enabled the proxy and your organization is licensed for Advanced Threat, go to the Payload Analysis section and toggle Enable Inline Payload Analysis to on.
  10. If your organization is enabled for Advanced Sandbox, complete these steps:
    1. For downloads that range from 5 MB to 2 GB in size (large files), select an action. You can select the Block - Error Page, Allow, or Allow and Scan action. For more information, see Static malware analysis of large files.
    2. If you selected the Allow and Scan action for large files, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.
    3. For files that are greater than 2 GB (huge files), select an action. You can select either the Block - Error Page or the Allow action. For more information, see Payload analysis.
  11. In the Browsing Restrictions area, complete these steps:
    1. To enable SafeSearch, toggle Safe Search to on.
    2. To enable YouTube Restricted Mode, in the YouTube menu, select Strict or Moderate. Otherwise, you can select Unrestricted mode to allow unrestricted access to YouTube content.
  12. In the Other Settings area, complete these steps:
    1. Enable Forward Public IP to Origin to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. If you enabled the Optimize Microsoft 365 Traffic option, make sure you also enable this setting.
    2. In the Authentication Mode menu, you can select Require to require authentication, Optional to give users the option to skip authentication, or you can select None. This mode defines whether users are prompted to authenticate when accessing allowed websites in an Acceptable Use Policy (AUP).
    3. If you selected Require or Optional, select an identity provider.
  13. To define policy actions for a threat category, in the Threat tab, complete these steps:
    1. If you want to assign the same policy action to all known threat categories, in the Action menu beside the Known option, select an action. Otherwise, make sure the Known option is expanded to show the threat categories.
    2. For each threat category, select an action. For more information on policy actions, see Policy actions for lists and threat categories.
    3. If you select the Block action, select a specific response to the user. The Response to User menu is available when the Block action is selected.
    4. If Error Page is selected and you want to direct traffic to Security Connector, in the Security Connector menu, select a security connector. If you do not want to associate a Security Connector to an Error Page response, select None.
    5. If you want to configure the same policy actions to suspected threats, in the menu beside the Suspected option, select Same as Known. Otherwise, expand the Suspected option to view threat categories and complete steps 13b to 13d.
  14. To configure the Acceptable Use Policy (AUP):
    1. In the Acceptable Use Policy tab, click the arrow icon to expand categories that contain subcategories.
    2. To allow content for any AUP category or subcategory, make sure that the Block option is deselected.
    3. To block content in any of the provided categories or subcategories, select Block. If ETP Proxy is not enabled, do one of the following to select the response to the user:
      • To show an end user a custom error page, select Error Page.
      • To show an end user a browser-specific error page and direct traffic to a custom response that’s already configured in ETP, select the custom response from the list. To configure a custom response, see Add a custom response.
    4. If you enabled authentication and you want to grant specific users or groups access to a blocked category or subcategory, see Grant specific users or groups access to an AUP category or subcategory.
    5. If you want a category to bypass ETP or ETP Proxy, select the bypass action. This action is useful when you want to protect user privacy in categories that are associated with sensitive information, such as the Finance & Investing and the Healthcare categories.
  15. To assign a list to the policy, see Add a list to a policy.
  16. If you are participating in the data loss prevention (DLP) beta and you want to associate a DLP dictionary, complete these steps:
    1. In the DLP tab, click the link icon and select a dictionary or multiple dictionaries.
    2. Click Associate. By default, DLP dictionaries are assigned the Monitor action.
    3. To assign the Block - Error Page action, select it from the Action menu.
      Note: You must have enabled ETP Proxy and inline payload analysis to complete this step. This feature is currently in beta and available to organizations that are licensed for ETP Advanced Threat.
  17. To enable alerts for a security category or list, toggle the Send Alert setting that’s available for each category or list on the Threat tab or the Custom Lists tab.
  18. Click Save.
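The Origin Ports field in step 7 takes comma-separated port numbers and low-high ranges, and the default list permits ports 80 to 84, 443, 4443, 8080, 8443, and 8888. The following is an added example (not Akamai code) that parses such a list, rejects malformed or inverted entries, and reports which ports a custom list opens beyond the defaults, which is handy when reviewing a policy change; the exact syntax the field accepts (hyphenated ranges, tolerance for spaces) is assumed from the procedure's description.

```python
"""Parse and audit an ETP Origin Ports list such as "80-84,443,4443,8080,8443,8888".

Added example, not Akamai's code. Assumes the field accepts comma-separated
port numbers and hyphenated low-high ranges, as the procedure describes.
"""
from __future__ import annotations

# Default outbound ports stated in the procedure for the full web proxy.
DEFAULT_ORIGIN_PORTS = "80-84,443,4443,8080,8443,8888"


def parse_origin_ports(spec: str) -> set[int]:
    """Return every port covered by a comma-separated port/range spec.

    Raises ValueError for empty entries, non-numeric tokens, ports outside
    1-65535, or ranges whose low end is above the high end.
    """
    ports: set[int] = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty entry in port list")
        low_s, sep, high_s = token.partition("-")
        if not low_s.isdigit() or (sep and not high_s.isdigit()):
            raise ValueError(f"malformed port entry: {token!r}")
        low = int(low_s)
        high = int(high_s) if sep else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port out of range in entry: {token!r}")
        if low > high:
            raise ValueError(f"inverted range: {token!r}")
        ports.update(range(low, high + 1))
    return ports


def is_valid_origin_ports(spec: str) -> bool:
    """True if the spec parses cleanly under the rules above."""
    try:
        parse_origin_ports(spec)
    except ValueError:
        return False
    return True


def is_allowed_port(spec: str, port: int) -> bool:
    """True if outbound traffic to `port` would be permitted under `spec`."""
    return port in parse_origin_ports(spec)


def added_ports(spec: str) -> set[int]:
    """Ports a custom spec opens beyond the documented defaults."""
    return parse_origin_ports(spec) - parse_origin_ports(DEFAULT_ORIGIN_PORTS)
```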

Next steps

After creating a policy, you must deploy the configuration to the ETP network. For instructions, see Deploy configuration changes.