Acceptable use policy

In addition to configuring how threats are handled, a policy is also where your organization controls access to websites and web applications. ETP includes categories for websites that you can block within an enterprise.

Acceptable use policy (AUP) categories classify requested websites. Depending on the action that’s associated with a category, the policy defines whether traffic to domains in a category is allowed, scanned by ETP, monitored by ETP, or blocked in your network. For a list and description of all AUP categories, see Acceptable use policy categories.

With application visibility and control (AVC), you can add an AUP category to the policy and select a policy action. You can also see the web applications that are associated with each AUP category. To learn more about AVC, see Application visibility and control.

If ETP Proxy is enabled, you can:
  • Scan requested content with ETP malware engines. If ETP Proxy is configured as a full web proxy, ETP Proxy scans websites for categories that are not blocked or assigned the bypass action. For more information about full web proxy, see Full web proxy.
  • Configure an authentication policy. To prompt users to authenticate before accessing an allowed website or web application, you can select the Require or Optional authentication modes. Otherwise, you can select None. For more information, see Authentication policy.
  • Select the users and groups granted access to websites or web applications. This functionality is available when authentication is required or optional in a policy configuration. Users or groups that are exceptions to a block action are prompted to authenticate. If no threat is detected, these users are granted access to websites in these categories. To select users or groups as exceptions, you must assign an identity provider to the policy.
  • Bypass a category. This action allows websites or web applications in the associated category to bypass ETP or, if the proxy is enabled, ETP Proxy.

    You may want to select the bypass action for categories that are associated with sensitive information such as the Finance & Investing and the Healthcare categories. This action prevents ETP or ETP Proxy from inspecting this traffic.

  • Select a default action when no action is assigned. The Default Action menu in the policy defines the default action when no action is assigned to an ETP list, a category, and an access control policy configuration. You can select the Bypass, Classify, or Block - Error Page actions. Note the following about these actions:
    • Bypass. Bypasses ETP Proxy and directs requests to the origin.
    • Classify. Directs traffic to ETP Proxy where it’s scanned.
    • Block - Error Page. Blocks traffic and shows users an error page.

    If the Default Action option in the policy is set to Bypass for the selective proxy, categories that are not blocked are reported as unclassified. For more information, see Default action.

ETP includes AUP categories and subcategories that you should consider blocking in your network:
  • Anonymizers. Subcategory of the Large Bandwidth AUP category. This category is made up of services that allow users in your corporate network to bypass enterprise security settings. These services may include a personal VPN or an anonymizing proxy.
  • File Sharing. Category for file sharing services or applications such as Dropbox, Google Drive, and OneDrive. These services allow users to download and upload a large number of files to your network, potentially creating a backdoor to your organization's network. If you do not want to block File Sharing, ETP provides a policy option that allows you to analyze downloads from these domains. For more information, see Scan file sharing downloads for malware.

If your organization uses a custom response and ETP Proxy is disabled, you can associate a custom response with a block action. As part of the block action, traffic to blocked websites and web applications is forwarded to the custom response. Information about the machine that made the request is recorded. Keep in mind that this data is not reported in ETP. To learn more about custom responses, see Custom response.