Policy actions for lists and threat categories

ETP performs actions on detected or suspected threats based on the policy configuration. As an ETP administrator, you select the actions for a threat category or a custom list.

When designing your policy, you can select from actions that detect or prevent threats. Some organizations may use a phased approach to first configure the policy to detect threats before assigning the block action for a list or threat category. Note:
  • Threat Detection. Occurs when the monitor action is assigned to threat categories and lists. This threat response does not stop traffic. Security events are detected, reported in the Threat Events report, and email notifications are sent to recipients as configured by an administrator.
  • Threat Prevention. Occurs when the block action is assigned. This action prevents requests that threaten your network. When the block action is selected, you can select the response to the user. For example, as part of the block action, you can select that users receive a custom error page or you can redirect the user’s request to Enterprise Security Connector to identify the infected machine.

For each list, you can further select whether an ETP alert recipient receives an email alert notification when a security event is reported.

If domains and IP addresses are configured in multiple lists with conflicting actions, ETP selects the action based on this priority:
  1. Bypass
  2. Block
  3. Monitor
  4. Classify
  5. Allow

Bypass

With this action, ETP DNS resolves requests to the origin IP address. If the proxy is enabled, the request is not decrypted with the TLS MITM certificate. It is sent directly to the destination web server. While no event is logged in the Threat Events report, bypassed traffic is logged in the Network Traffic report.

This action is assigned to custom exception lists.

Block

This policy action denies the request. When this action is selected in a policy, the administrator can select the response or the type of block that the user experiences. You can select the block action for a threat category or a custom list.

These responses are available for a block action:

  • Error Page. User is shown a custom error message based on the threat violation. For more information on error pages, see Error pages.

    If Error Page is selected as the threat response, administrators can select to redirect malicious traffic to a security connector that is deployed in the network. A security connector records the internal IP address of the infected machine that made the request. For more information on Security Connector, see Security Connector as a DNS sinkhole.

    This behavior applies to Security Connector version 2.5.0:
    • If the proxy is disabled, the user is shown an error message to indicate that website access is prohibited.
    • If the proxy is enabled, the user is shown the error message that corresponds to the threat type.

    You should assign a security connector to the command and control (C&C) and malware threat categories because it allows an enterprise to discover the IP address and computer name of an infected machine in the network.

    With this action, a threat event is logged in the threat events report. If Security Connector is enabled, a security connector event is also logged.

  • Custom Response. Request is redirected to the IP address of the custom response. However, if the proxy is enabled and the request matches a URL in a request, the request is redirected to a custom error page instead.

    For DNS and HTTP or HTTPS events, events are logged in the Threat Events report.

  • Refused Response. User is shown a browser-specific error message. If ETP Proxy is enabled, a refused response is available to assign to custom lists only.

Monitor

This policy action does not stop traffic. Administrators can assign the monitor action to a threat category in the Threat Events report or to a list in the Custom Lists page.

Depending on whether the proxy is enabled or disabled, this behavior applies:

  • If the proxy is not enabled, requests resolve as expected.
  • If the proxy is enabled, DNS requests for malicious or risky domains are resolved to ETP Proxy. HTTPS requests are decrypted by ETP Proxy. Requests and responses are then analyzed by the proxy’s multiple anti-malware engines.

If a threat is found, this action generates a threat event in ETP.

Note: Select the Monitor action for lists in the default policy. The default policy is associated with the Unidentified IPs location, a location open to the Internet. If you select another action, a malicious user may suspect that your organization blocks specific domains.

Classify

This action sends traffic to ETP Proxy. The ETP proxy action examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL.

If inline payload analysis is enabled, this action sends traffic to the destination web server and the downloaded response is scanned for malware and other threats. If a threat is detected, ETP applies the action according to the malware, phishing, or command and control (C&C) threat type.

This action is available for custom lists, file sharing and risky domains. This action is not available for a threat category. For more information on file sharing or risky domains, see Risky domains and file sharing domains.

Allow

If an AUP category is not blocked, requests to domains in these categories resolve to the origin IP address. In cases where ETP proxy is enabled, this traffic is directed to the proxy. If a threat is discovered, the policy action assigned to the corresponding threat category is applied. For example, if malware is discovered, the policy action assigned to the Malware category in the Threat tab is applied.
Note: The Allow action is no longer available to select in the Custom Lists tab unless it was selected in an existing policy. If there is a policy with the Allow action and you choose to modify it, you cannot save the policy until a new action is selected. To define domains and IP addresses that you want to bypass ETP, create an exception list and assign it to the policy. For more information, see Exception lists.

If you want to use the Allow action for risky or file sharing domains, see Risky domains and file sharing domains.