Summary of policy actions

This table describes the behavior of policy actions based on whether the ETP proxy is enabled or disabled. For more detailed information, see Policy actions for lists and threat categories.

Note: When ETP Proxy is enabled in a policy configuration, an organization must set up a TLS man-in-the-middle certificate. For more information, see ETP Proxy as a TLS intermediary.
Policy actions
Action Response to user ETP Proxy is disabled ETP Proxy is enabled Impact to reporting
Block Refused Response Request is denied and a browser-specific error message appears to end users. Request is denied and a browser-specific error message appears to end users.

When the proxy is enabled, a refused response is only available for custom lists.

Threat event is logged on the Threat Events report.
Error Page Request is redirected to a custom error page that indicates website access is prohibited.

You can select to redirect traffic to Enterprise Security Connector.

For HTTPS requests, users receive a certificate browser error because there is a certificate mismatch.

Request is redirected to a custom error page. ETP Proxy can intercept and inspect HTTPS requests with a man-in-the-middle (MITM) certificate authority (CA) TLS certificate to show the corresponding error page.

You can select to redirect traffic to Enterprise Security Connector.

Threat event is logged on the Threat Events report.
Custom Response Request is redirected to the IP address of a custom response. If the request matches a domain in a list, the request is redirected to the IP address of a custom response.

If the request matches a URL in a list, the request is redirected to a custom error page and is not forwarded to a custom response.

For a DNS request, a threat event is logged.

For an HTTP or HTTPS request, a threat event is logged on the Threat Events report.

Monitor N/A Request resolves as expected. DNS requests are resolved to ETP Proxy.

HTTP or HTTPS requests are decrypted with the TLS MITM certificate. Requests and responses are analyzed by ETP Proxy.

An event is logged on the Threat Events report.
These additional policy actions are also available for specific types of custom lists:
  • Bypass. Available for an exception list.
  • Classify. Available for a custom and a top-level domains list.
Action ETP Proxy is disabled ETP Proxy is enabled Impact to reporting
Bypass Request resolves to the IP address of the origin. Traffic is not directed to ETP Proxy. Therefore, the request is not decrypted with the TLS MITM certificate. The request is sent directly to the destination web server. No event is logged.

Like all network activity, this action is logged on the Network Traffic activity report.

Classify N/A

This action examines the full URL of a request. If a URL is a known threat, a corresponding threat category is assigned.

If inline payload analysis is enabled, this action also scans HTTP responses for threats. If a threat is found, this action assigns a corresponding threat category to it.

ETP then applies the action assigned to that threat category (for example, malware, phishing, or C&C).

If malicious content is discovered, a threat event is logged on the Threat Events report.