Policy actions for lists and threat categories
ETP performs actions on detected or suspected threats based on the policy configuration. As an ETP administrator, you select the actions for a threat category or a custom list.
- Threat Detection. Occurs when the monitor action is assigned to threat categories and lists. This threat response does not stop traffic. Security events are detected, reported in the Threat Events report, and email notifications are sent to recipients as configured by an administrator.
- Threat Prevention. Occurs when the block action is assigned. This action blocks requests that threaten your network. When the block action is selected, you can also select the response the user receives. For example, as part of the block action, you can have users receive a custom error page, or you can redirect the user's request to Enterprise Security Connector to identify the infected machine.
For each list, you can further select whether an ETP alert recipient receives an email alert notification when a security event is reported.
This action is assigned to custom exception lists. With this action, ETP DNS resolves requests to the origin IP address. If the proxy is enabled, the request is not decrypted with the TLS MITM certificate; it is sent directly to the destination web server. No event is logged in the Threat Events report, but bypassed traffic is logged in the Network Traffic report.
This policy action denies the request. When this action is selected in a policy, the administrator can select the response or the type of block that the user experiences. You can select the block action for a threat category or a custom list.
These responses are available for a block action:
- Error Page. User is shown a custom error message based on the threat violation. For more information on error pages, see Error pages.
If Error Page is selected as the threat response, administrators can choose to redirect malicious traffic to a security connector that is deployed in the network. A security connector records the internal IP address of the infected machine that made the request. For more information on Security Connector, see Security Connector as a DNS sinkhole. This behavior applies to Security Connector version 2.5.0:
- If the proxy is disabled, the user is shown an error message to indicate that website access is prohibited.
- If the proxy is enabled, the user is shown the error message that corresponds to the threat type.
You should assign a security connector to the command and control (C&C) and malware threat categories because it allows an enterprise to discover the IP address and computer name of an infected machine in the network.
With this action, a threat event is logged in the Threat Events report. If Security Connector is enabled, a security connector event is also logged.
- Custom Response. Request is redirected to the IP address of the custom response. However, if the proxy is enabled and the request matches a URL in a list, the request is redirected to a custom error page instead. DNS and HTTP or HTTPS events are logged in the Threat Events report.
- Refused Response. User is shown a browser-specific error message. If ETP Proxy is enabled, a refused response is available to assign to custom lists only.
This policy action does not stop traffic. Administrators can assign the monitor action to a threat category on the Threat Events report or to a list on the Custom Lists page.
Depending on whether the proxy is enabled or disabled, this behavior applies:
- If the proxy is not enabled, requests resolve as expected.
- If the proxy is enabled, DNS requests for malicious or risky domains are resolved to ETP Proxy. HTTPS requests are decrypted by ETP Proxy. Requests and responses are then analyzed by the proxy’s multiple anti-malware engines.
If a threat is found, this action generates a threat event in ETP.
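The bypass, block and monitor behaviors above branch on several settings (proxy enabled or not, the selected block response, whether a security connector is deployed, whether the list is a custom list or a threat category). The following decision-table model, added here as an illustration and not Akamai code, encodes those branches so an administrator can check what a given policy combination should produce before rolling it out. The enum names, the `Policy`/`Outcome` dataclasses, the `validate` and `evaluate` functions, and the `resolved_to` labels (`origin`, `etp-proxy`, `security-connector`) are assumptions chosen for the model; the sample IP address is constructed.

```python
"""Decision-table model of the ETP policy actions described on this page.

Added illustration, not Akamai's code. Names and labels are assumptions made
to turn the documented branching into something testable.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    BYPASS = "bypass"    # exception lists: resolve to origin, never decrypt
    BLOCK = "block"      # threat prevention
    MONITOR = "monitor"  # threat detection only


class BlockResponse(Enum):
    ERROR_PAGE = "error_page"
    CUSTOM_RESPONSE = "custom_response"
    REFUSED = "refused"


@dataclass(frozen=True)
class Policy:
    action: Action
    applies_to_custom_list: bool = True           # False = threat category
    proxy_enabled: bool = False
    block_response: Optional[BlockResponse] = None
    redirect_to_security_connector: bool = False  # only meaningful with ERROR_PAGE
    custom_response_ip: Optional[str] = None      # only meaningful with CUSTOM_RESPONSE


@dataclass(frozen=True)
class Outcome:
    resolved_to: str            # model label: where the DNS answer sends the client
    decrypted_by_proxy: bool    # TLS MITM applied by ETP Proxy?
    user_sees: str
    logged_in: Tuple[str, ...]  # which reports record the event


def validate(policy: Policy) -> Optional[str]:
    """Return a configuration error string, or None if the combination is allowed."""
    if policy.action is Action.BLOCK:
        r = policy.block_response
        if r is None:
            return "block action needs a block response"
        if r is BlockResponse.REFUSED and policy.proxy_enabled and not policy.applies_to_custom_list:
            return "with ETP Proxy enabled, Refused Response is only available for custom lists"
        if r is BlockResponse.CUSTOM_RESPONSE and policy.custom_response_ip is None:
            return "custom response needs an IP address"
    return None


def evaluate(policy: Policy, threat_found: bool = True, url_matches_list: bool = False) -> Outcome:
    """Return the documented outcome for one request under the given policy.

    threat_found:     whether ETP DNS or the proxy's engines actually detect a threat.
    url_matches_list: with the proxy on, whether the request URL matches a URL in a list.
    """
    err = validate(policy)
    if err:
        raise ValueError(err)

    if policy.action is Action.BYPASS:
        # Origin IP, no decryption even with the proxy on; only the Network Traffic report sees it.
        return Outcome("origin", False, "page loads", ("Network Traffic",))

    if policy.action is Action.MONITOR:
        logged = ("Threat Events",) if threat_found else ()
        if not policy.proxy_enabled:
            return Outcome("origin", False, "page loads", logged)  # resolves as expected
        # Proxy on: risky domains resolve to ETP Proxy, which decrypts and scans.
        return Outcome("etp-proxy", True, "page loads", logged)

    # BLOCK: always a Threat Events entry
    r = policy.block_response
    if r is BlockResponse.REFUSED:
        return Outcome("refused", False, "browser-specific error", ("Threat Events",))
    if r is BlockResponse.CUSTOM_RESPONSE:
        if policy.proxy_enabled and url_matches_list:
            return Outcome("etp-proxy", True, "custom error page", ("Threat Events",))
        return Outcome(policy.custom_response_ip, False, "custom response", ("Threat Events",))
    # ERROR_PAGE
    if policy.redirect_to_security_connector:
        msg = ("error: website access prohibited" if not policy.proxy_enabled
               else "error page for the detected threat type")
        return Outcome("security-connector", policy.proxy_enabled, msg,
                       ("Threat Events", "Security Connector"))
    return Outcome("etp-proxy" if policy.proxy_enabled else "error-page", policy.proxy_enabled,
                   "custom error page for the threat violation", ("Threat Events",))
```

Run `validate` over every policy before saving it: the one combination the page rules out (Refused Response on a threat category while ETP Proxy is enabled) is caught there rather than at request time.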
This action sends traffic to ETP Proxy. The ETP proxy action examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL.
If inline payload analysis is enabled, this action sends traffic to the destination web server and the downloaded response is scanned for malware and other threats. If a threat is detected, ETP applies the action according to the malware, phishing, or command and control (C&C) threat type.
This action is available for custom lists, file sharing domains, and risky domains. It is not available for a threat category. For more information on file sharing or risky domains, see Risky domains and file sharing domains.
If you want to use the Allow action for risky or file sharing domains, see Risky domains and file sharing domains.