Acceptable use policy

A policy is also where you define how ETP handles violations of an acceptable use policy (AUP). ETP includes AUP categories for content that you can block within an enterprise. For descriptions of these categories, see Acceptable use policy categories.

When configuring a policy, an ETP administrator can choose to allow or block access to websites in each category. Administrators allow access to a category by deselecting the block action. If you block an AUP category, a warning message appears to users when they attempt to access content in that category. You can change the look and feel of the message that appears to the user. For more information, see Error pages.

With application visibility and control, you can add an AUP category to the policy and select a policy action. You can also see the web applications that are associated with each AUP category. To learn more about AVC, see Application visibility and control.

If ETP Proxy is enabled, you can:
  • Scan requested content with ETP malware engines. If ETP Proxy is configured as a full web proxy, ETP Proxy scans websites that are allowed in the AUP. This means categories that are not blocked are scanned by ETP malware engines. For more information about full web proxy, see Full web proxy.
  • Configure an authentication policy. To prompt users to authenticate before accessing an allowed website, you can select the Require or Optional authentication modes. Otherwise, you can select None. For more information, see Authentication policy.
  • Select the users and groups that are exceptions to a blocked AUP category. This functionality is available when authentication is required or optional in a policy configuration. Users or groups that are exceptions to a block action are prompted to authenticate. If no threat is detected, these users are granted access to websites in these categories. To select users or groups as exceptions, you must assign an identity provider to the policy.
  • Select to bypass an AUP category. This action allows websites in the associated category to bypass ETP or, if the proxy is enabled, ETP Proxy.

    You may want to select the bypass action for categories that are associated with sensitive information such as the Finance & Investing and the Healthcare categories. This action prevents ETP or ETP Proxy from inspecting this traffic.

  • Select a default action when no action is assigned to an AUP category. The Default Action menu in the policy settings defines the default action for an AUP category when no action is assigned in the AUP policy. You can select the Bypass, Classify, or Block - Error Page actions. Note the following about these actions:
    • Bypass. Bypasses ETP Proxy and directs requests to the origin.
    • Classify. Directs traffic to ETP Proxy where it’s scanned.
    • Block - Error Page. Blocks traffic and shows users an error page.

    If the Default Action option in the policy is set to Bypass for the selective proxy, categories that are not blocked are reported as unclassified.

ETP includes AUP categories and subcategories that you should consider blocking in your network:
  • Anonymizers. Subcategory of the Large Bandwidth AUP category. This category is made up of services that allow users in your corporate network to bypass enterprise security settings. These services may include a personal VPN or an anonymizing proxy.
  • File Sharing. Category for file sharing services or applications such as Dropbox, Google Drive, and OneDrive. These services allow users to download and upload a large number of files to your network, potentially creating a backdoor to your organization's network. If you do not want to block File Sharing, ETP provides a policy option that allows you to analyze downloads from these domains. For more information, see Scan file sharing downloads for malware.
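
The action rules above (assigned action, Default Action, exceptions to a block, and the two categories suggested for blocking) can be checked against a policy with a small model. This is an added example, not ETP code or an ETP export format: the dictionary layout, the lowercase action strings (mirroring the Default Action menu), the flat treatment of the Anonymizers subcategory, and all sample values are assumptions.

```python
# Added illustration: simplified model of the AUP action rules on this page.
# The policy dict layout and action strings are hypothetical, not an ETP format.
RECOMMENDED_BLOCK = ("Anonymizers", "File Sharing")  # categories named above
AUTH_MODES_WITH_EXCEPTIONS = ("require", "optional")

def effective_action(policy, category):
    """An assigned action wins; otherwise the Default Action applies."""
    return policy["actions"].get(category, policy["default_action"])

def exceptions_usable(policy):
    """Exceptions need Require/Optional authentication and an identity provider."""
    return policy["auth_mode"] in AUTH_MODES_WITH_EXCEPTIONS and bool(policy["idp"])

def outcome(policy, category, user_groups=()):
    """Describe what happens to a request for a site in `category`."""
    action = effective_action(policy, category)
    if action == "bypass":
        return "sent to origin, not inspected"
    if action == "classify":
        return "scanned by ETP Proxy"
    excepted = set(user_groups) & set(policy["exceptions"].get(category, ()))
    if excepted and exceptions_usable(policy):
        return "authenticate, then scan"
    return "error page"

def audit(policy, categories):
    """List settings a reviewer would want to confirm are intentional."""
    findings = []
    for cat in categories:
        action = effective_action(policy, cat)
        if action == "bypass":
            findings.append(f"{cat}: bypassed, traffic is not inspected")
        if cat in RECOMMENDED_BLOCK and action != "block":
            findings.append(f"{cat}: suggested for blocking, action is {action}")
    if policy["exceptions"] and not exceptions_usable(policy):
        findings.append("exceptions set without authentication and identity provider")
    return findings

# Constructed sample policy (names and values are made up for this example).
SAMPLE_POLICY = {
    "default_action": "classify",
    "auth_mode": "require",
    "idp": "example-idp",
    "actions": {"File Sharing": "block", "Finance & Investing": "bypass"},
    "exceptions": {"File Sharing": ["it-admins"]},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY, ["File Sharing", "Finance & Investing", "Anonymizers"]):
        print(line)
```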

If your organization is enabled to use a custom response with the AUP and ETP Proxy is disabled, you can associate a custom response with a blocked action. As part of the block action, traffic to blocked websites is forwarded to the custom response. Information about the machine that made the request is recorded. Keep in mind that this data is not reported in ETP. To learn more about custom responses, see Custom response.