A selective proxy analyzes risky web traffic. It examines the domain and full URL of a request to determine whether the request is risky.
This graphic illustrates how the proxy functions in a network:
When enabled, the corporate resolver forwards requests to ETP. Requests are forwarded to the ETP network in the closest geographical region. Based on the configured policy, if the assigned action is Block or Classify, ETP DNS directs requests to ETP Proxy. The IP address of the ETP proxy server is then cached in the resolver and all suspicious traffic is forwarded to the proxy.
With the selective proxy, ETP Threat Intelligence detects that a domain contains a suspicious URL. Traffic to risky domains is sent to ETP Proxy. However, only specific known threat URLs are blocked, monitored, or analyzed in accordance with the established policy. If a website is not a suspected threat or its category is assigned the Bypass action, it bypasses the proxy. For example, in the graphic above, the safe website is not inspected by the ETP proxy and the request is resolved.
A number of checks are performed to determine how suspicious traffic is handled:
- ETP confirms that the request comes from an IP address that is registered as a location for your organization. If the IP address is unknown, the request is dropped.
- If the IP address is known, the destination port is checked to confirm that port 443 or 80 is used. If these ports are not used, traffic is dropped.
- For port 443, the Transport Layer Security (TLS) Server Name Identification (SNI) value is extracted and ETP connects to the origin server with that hostname.
- For port 80, traffic is likely HTTP. ETP extracts the hostname from the Host header in the HTTP request.
- If the hostname cannot be extracted or identified, the end user is shown an error page.
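The following is an added example, not Akamai's or ETP's own code, that models the admission checks listed above in the order the page gives them: registered source IP, destination port 80 or 443, then hostname extraction from the TLS SNI (port 443) or the HTTP Host header (port 80), with an error outcome when no hostname can be recovered. The set of registered location IPs, the `build_client_hello` helper and all sample inputs are constructed for the example.

```python
import struct
from typing import Optional

# Constructed sample: source IPs registered as locations for the organization.
KNOWN_LOCATION_IPS = {"203.0.113.10", "198.51.100.7"}


def build_client_hello(hostname: str) -> bytes:
    """Constructs a minimal TLS 1.2-style ClientHello record carrying an SNI extension (test input only)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name (0)
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32     # client_version, random
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\x13\x01"           # one cipher suite
            + b"\x01\x00"                   # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Returns the server_name from a ClientHello, or None if absent or the record is malformed."""
    try:
        if data[0] != 0x16:                                        # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                          # not a ClientHello
            return None
        pos = 4 + 2 + 32                                           # handshake header, version, random
        pos += 1 + hs[pos]                                         # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # cipher_suites
        pos += 1 + hs[pos]                                         # compression_methods
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:
                p = pos + 2                                        # skip server_name list length
                name_type = hs[p]
                name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                name = hs[p + 3:p + 3 + name_len]
                if name_type != 0 or len(name) != name_len:        # truncated or unknown name type
                    return None
                return name.decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def extract_http_host(data: bytes) -> Optional[str]:
    """Returns the hostname from the Host header of an HTTP/1.x request, without any port suffix."""
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or len(lines[0].split(b" ")) != 3:                # malformed request line
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", errors="replace")
            if host.startswith("["):                               # bracketed IPv6 literal
                return host[: host.find("]") + 1] if "]" in host else None
            return host.split(":", 1)[0] or None
    return None


def admit(src_ip: str, dst_port: int, payload: bytes) -> dict:
    """Applies the proxy's checks in order and reports the outcome for one connection."""
    if src_ip not in KNOWN_LOCATION_IPS:
        return {"action": "drop", "reason": "source IP is not a registered location"}
    if dst_port not in (80, 443):
        return {"action": "drop", "reason": "destination port is not 80 or 443"}
    host = extract_sni(payload) if dst_port == 443 else extract_http_host(payload)
    if not host:
        return {"action": "error_page", "reason": "hostname could not be extracted"}
    return {"action": "inspect", "hostname": host, "port": dst_port}


if __name__ == "__main__":
    print(admit("203.0.113.10", 443, build_client_hello("example.com")))
    print(admit("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.org:80\r\n\r\n"))
    print(admit("192.0.2.99", 443, build_client_hello("example.com")))
```

The SNI parser walks the ClientHello field by field rather than searching for the hostname bytes, so a truncated or non-TLS payload on port 443 falls through to the error-page outcome instead of yielding a guessed name; for logging, the `reason` field records which check stopped the connection.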