Summary of policy actions

This table describes the behavior of policy actions based on whether the ETP proxy is enabled or disabled. For more detailed information, see Policy actions.

Note: When ETP Proxy is enabled in a policy configuration, an organization must set up a TLS man-in-the-middle certificate. For more information, see ETP Proxy as a TLS intermediary.
Policy actions
Action Response to user ETP Proxy is disabled ETP Proxy is enabled Impact to reporting
Block Refused Response Request is denied and a browser-specific error message appears to end users. Request is denied and a browser-specific error message appears to end users.

When the proxy is enabled, a refused response is only available for custom lists.

An event is logged in the threat events or access control reports.
Error Page Request is redirected to a custom error page that indicates website access is prohibited.

You can select to redirect traffic to Enterprise Security Connector.

For HTTPS requests, users receive a certificate browser error because there is a certificate mismatch.

Request is redirected to a custom error page. ETP Proxy can intercept and inspect HTTPS requests with a man-in-the-middle (MITM) certificate authority (CA) TLS certificate to show the corresponding error page.

You can select to redirect traffic to Enterprise Security Connector.

An event is logged in the threat events or access control reports.
Custom Response Request is redirected to the IP address of a custom response. If the request matches a domain in a list, the request is redirected to the IP address of a custom response.

If the request matches a URL in a list, the request is redirected to a custom error page and is not forwarded to a custom response.

For a DNS request, an event is logged in the threat event or access control reports.

For an HTTP or HTTPS request, an event is logged in the threat event or access control report.

Monitor N/A Request resolves as expected.

Requests resolve to the origin unless ETP Proxy is set up as a full web proxy. In this situation, requests and responses are first scanned by ETP Proxy. If a threat is detected, the request is blocked.

If the proxy is enabled, but it’s not set up as a full web proxy, then the request resolves to the origin.

An event is logged in the threat event or access control report.

Depending on what you’re configuring in the policy, these additional policy actions may be available:

Action ETP Proxy is disabled ETP Proxy is enabled Impact to reporting
Bypass Request resolves to the IP address of the origin. Traffic is not directed to ETP Proxy. Therefore, the request is not decrypted with the TLS MITM certificate. The request is sent directly to the destination web server. No event is logged.

Like all network activity, this action is logged on the Network Traffic activity report.

Classify N/A

This action examines the full URL of a request. If a URL is a known threat, a corresponding threat category is assigned.

If inline payload analysis is enabled, this action also scans HTTP responses for threats. If a threat is found, this action assigns a corresponding threat category to it.

ETP then applies the action assigned to that threat category (for example, malware, phishing, or C&C).

If malicious content is discovered, an event is logged in the threat event or access control report.