Policy actions

ETP performs actions on detected or suspected threats based on the policy configuration. As an ETP administrator, you can select policy actions for a threat category, list, data loss prevention (DLP) dictionary, and application and visibility control (AVC) configuration.

When designing your policy, you can select from actions that detect or prevent threats. Some organizations may use a phased approach to first configure the policy to detect threats before assigning the block action. Note:
  • Threat Detection. Occurs when the monitor action is assigned. This threat response does not stop traffic. Security events are detected, reported, and email notifications are sent to recipients as configured by an administrator.
  • Threat Prevention. Occurs when the block action is assigned. This action prevents requests that threaten your network. When the block action is selected, you can select the response to the user. For example, as part of the block action, you can select that users receive a custom error page or you can redirect the user’s request to Enterprise Security Connector to identify the infected machine.

For each list, you can further select whether an ETP alert recipient receives an email alert notification when a security event is reported.

If domains and IP addresses are configured in multiple lists with conflicting actions, ETP selects the action based on this priority:
  1. Bypass
  2. Block
  3. Monitor
  4. Classify
  5. Allow

Bypass

With this action, ETP DNS resolves requests to the origin IP address. If the proxy is enabled, the request is not decrypted with the TLS MITM certificate. It is sent directly to the destination web server. While no event is logged in a report, bypassed traffic is logged in the Network Traffic report.

This action is automatically assigned to custom exception lists.

Block

This policy action denies the request. When this action is selected in a policy, the administrator can select the response or the type of block that the user experiences.

These responses are available for a block action:

  • Error Page. User is shown a custom error message based on the threat violation. For more information on error pages, see Error pages.

    If Error Page is selected as the threat response, administrators can select to redirect malicious traffic to a security connector that is deployed in the network. A security connector records the internal IP address of the infected machine that made the request. For more information on Security Connector, see Security Connector as a DNS sinkhole.

    This behavior applies to Security Connector version 2.5.0:
    • If the proxy is disabled, the user is shown an error message to indicate that website access is prohibited.
    • If the proxy is enabled, the user is shown the error message that corresponds to the threat type.

    You should assign a security connector to the command and control (C&C) and malware threat categories because it allows an enterprise to discover the IP address and computer name of an infected machine in the network.

    With this action, a threat event is logged in the threat events report. If Security Connector is enabled, a security connector event is also logged.

  • Custom Response. Request is redirected to the IP address of the custom response. However, if the proxy is enabled and the request matches a URL in a request, the request is redirected to a custom error page instead.

    For DNS and HTTP or HTTPS events, events are logged in the Threat Events report.

  • Refused Response. User is shown a browser-specific error message. If ETP Proxy is enabled, a refused response is available to assign to custom lists only.

Monitor

Administrators can assign the monitor action to a threat category, list, and data loss prevention (DLP) dictionary. This action is also available when configuring risk, categories, operations, and applications for an AVC configuration. For more information about DLP or AVC, see Data loss prevention and Application visibility and control. These features are currently in beta.

With this policy action, requests generally resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in ETP.

If ETP Proxy is set up as a full web proxy with ETP Client or proxy chaining, traffic is forwarded to ETP Proxy where it’s scanned by multiple anti-malware engines. In this situation, if a threat is detected, then the user is unable to access the URL or website they requested.

Note: Select the Monitor action for lists in the default policy. The default policy is associated with the Unidentified IPs location, a location open to the Internet. If you select another action, a malicious user may suspect that your organization blocks specific domains.

Classify

This action sends traffic to ETP Proxy. The ETP proxy action examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL.

If inline payload analysis is enabled, this action sends traffic to the destination web server and the downloaded response is scanned for malware and other threats. If a threat is detected, ETP applies the action according to the malware, phishing, or command and control (C&C) threat type.

This action is available for custom lists, file sharing and risky domains. It is also available for the Default Action that can be configured in the application and visibility control (AVC) feature. This action is not available for a threat category. For more information on file sharing or risky domains, see Risky domains and file sharing domains. For more information on AVC, see Application visibility and control.

Allow

You can set the Allow action when configuring an action for risk, categories, category operations, applications, and application categories in the AVC feature. You can also set this action for risky and file sharing domains. With this action, requests resolve to the origin. In cases where ETP proxy is enabled, this traffic is directed to the proxy. If a threat is discovered, the policy action assigned to the corresponding threat category is applied. For example, if malware is discovered, the policy action assigned to the Malware category in the Threat tab is applied.
Note: The Allow action is no longer available to select in the Custom Lists tab unless it was selected in an existing policy. If there is a policy with the Allow action and you choose to modify it, you cannot save the policy until a new action is selected. To define domains and IP addresses that you want to bypass ETP, create an exception list and assign it to the policy. For more information, see Exception lists.

If you want to use the Allow action for risky or file sharing domains, see Risky domains and file sharing domains.