Configure application visibility and control

Complete this procedure to configure application visibility and control (AVC). AVC allows you to control access to web applications. In this procedure, you define the policy components: risk levels, categories, category operations, applications, and application operations. Specific settings in the policy take priority over more general settings. For more information, see Application visibility and control.

How to

  1. In the Enterprise Center navigation menu, select Policies > Policies.
  2. Click the name of the policy that you want to edit.
  3. Go to the Settings tab.
  4. To use ETP Proxy with AVC, enable the proxy toggle. While the proxy is not required for configuring application visibility and control, you cannot configure category operations without enabling it.
  5. If you enabled the proxy, make sure inline payload analysis is also enabled.
  6. If you want to configure user and group exceptions to any blocked content in an AVC policy, complete these steps:
    1. Make sure Required or Optional is selected as an Authentication Mode. For more information, see Authentication policy.
    2. In the identity provider menu, select an identity provider if one is not selected.
  7. Click the Access Control tab.
  8. Click the AUP & Shadow IT subtab.
  9. Expand the Default area and select a default action. The action that’s selected determines default policy behavior as well as the type of proxy that’s enabled.
    • To bypass ETP Proxy, select the Bypass action. This action enables the selective proxy. Only risky traffic is forwarded to ETP Proxy for analysis.
    • To classify traffic, select the Classify action. This action directs all traffic to the full web proxy. This action is available to organizations that are licensed for ETP Advanced Threat.
    • To block traffic, select the Block - Error Page action. This action directs traffic to an error page.
  10. Expand the Risk area and select a policy action for any of the risk levels that you want to define in the policy. To remove a risk level, click the minus icon. As a best practice, select the block action for the critical risk level. If you select a block action and an identity provider is selected on the Settings tab, complete these steps to assign a user or group exception:
    1. Click the link icon in the exceptions column. A window appears.
    2. In the Groups tab, search for a group and select the group or groups that you want to exempt from the block action.
      If the group name you provide does not appear in the drop-down list, you can add the group. If you add a group, you must also add the group to the relevant directory for the group to authenticate and gain access.
    3. In the Users tab, search for the users and select the users that you want to exempt from the block action.
      If the user does not exist in the directory associated with the policy identity provider, you can enter a unique ID for a user you want to add and click the add button. This adds the unique ID to the list. You must also add the user to the relevant directory for the user to authenticate and gain access. The user ID that’s provided here is the ID that the user enters to authenticate.
    4. Click Associate.
  11. Expand the Category area and consider the policy actions that you want to apply to a category or categories. For example, you may choose to block Gambling websites. Complete these steps:
    1. Click the link icon and select the categories that you want to associate with the policy. Click Associate.
      Note: You can select a policy action as you associate a selected category or after you associate a category.
    2. Select an action for each category.
    3. If you select a block action and an identity provider is selected on the Settings tab, complete steps 10a to 10d to assign a user or group exception.
  12. Expand the Category Operations area and consider the policy actions that you want to apply to an operation or operations. For example, you can search for all upload operations, select these operations for your policy, and select to block them across all categories. Complete these steps:
    1. Click the link icon and select the category operations that you want to associate with the policy. Click Associate.
      Note: You can select a policy action as you associate a category operation or after you associate a category operation.
    2. Select an action for each category operation.
    3. If you select a block action and an identity provider is selected on the Settings tab, complete steps 10a to 10d to assign a user or group exception.
  13. Expand the Applications area and consider the policy actions that you want to apply to an application or applications. If there is an operation supported for a selected application, you can also select a policy action for the application operation. Complete these steps:
    1. Click the link icon and select the applications that you want to associate with the policy. Click Associate.
    2. Select an action for each application. If there are operations listed for an application, expand the application to view the operations. Select the policy action for the operations.
    3. If you select a block action and an identity provider is selected on the Settings tab, complete steps 10a to 10d to assign a user or group exception.
  14. Click Save.
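
The dependencies between the steps above can be checked before a policy is saved and deployed. The following is an added example, not part of the product or its documentation: the dictionary layout, key names, and sample values are a constructed schema for review purposes, and treating any action whose label starts with "Block" as a block action is an assumption.

```python
# Added example. The dict layout is a constructed schema for review notes,
# not an ETP API or export format.
AREAS = ("risk", "categories", "category_operations", "applications")

def is_block(action):
    # Assumption: every block action label starts with "Block".
    return str(action).startswith("Block")

def review_policy(p):
    """Return findings for a draft AVC policy, keyed to the steps above."""
    out = []
    proxy = p.get("proxy_enabled", False)
    if p.get("category_operations") and not proxy:             # step 4
        out.append("category operations need ETP Proxy enabled")
    if proxy and not p.get("inline_payload_analysis", False):   # step 5
        out.append("proxy enabled without inline payload analysis")
    if (p.get("default_action") == "Classify"
            and not p.get("advanced_threat_license", False)):   # step 9
        out.append("Classify requires an ETP Advanced Threat license")
    if not is_block(p.get("risk", {}).get("critical", {}).get("action")):
        out.append("critical risk level is not blocked")        # step 10
    idp_ready = (p.get("auth_mode") in ("Required", "Optional")
                 and bool(p.get("identity_provider")))          # step 6
    for area in AREAS:
        for name, rule in p.get(area, {}).items():
            exempt = rule.get("exempt_groups", []) + rule.get("exempt_users", [])
            if not exempt:
                continue
            if not is_block(rule.get("action")):
                out.append(f"{area}/{name}: exception on a non-block action")
            if not idp_ready:
                out.append(f"{area}/{name}: exception needs auth mode and identity provider")
    return out

# Constructed sample draft: proxy off, no identity provider selected.
DRAFT = {
    "proxy_enabled": False,
    "default_action": "Bypass",
    "risk": {"critical": {"action": "Block - Error Page",
                          "exempt_groups": ["example-admins"]}},
    "categories": {"Gambling": {"action": "Block - Error Page"}},
    "category_operations": {"upload": {"action": "Block - Error Page"}},
}
FIXED = dict(DRAFT, proxy_enabled=True, inline_payload_analysis=True,
             auth_mode="Required", identity_provider="example-idp")

if __name__ == "__main__":
    for finding in review_policy(DRAFT):
        print("FINDING:", finding)
    print("after fixes:", review_policy(FIXED))
```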

Next steps

Deploy configuration changes