Edit a policy

If you are an ETP super administrator, delegated administrator, or tenant administrator, you can modify the settings associated with a policy. If you are a delegated or tenant administrator, you can modify the policy you created or the policies that you are allowed to access.
Note: A tenant administrator cannot enable the ETP proxy and complete any step related to the proxy.

How to

  1. In the Enterprise Center navigation menu, select Policies > Policies.
  2. Click the name of the policy that you want to edit.
  3. Edit or enter a new name or description for the policy in the Name or Description fields.
  4. To modify the locations that are assigned to the policy:
    1. Click the link icon for Location Assignments.
    2. To assign a location, find and select the location. You can also enter the location name in the search field.
    3. To unassign a location, deselect a location.
    4. Click Associate.
  5. Click the Settings tab.
  6. In the Proxy Settings section, complete the following steps for these fields:
    1. Enable Proxy. Toggle on to enable the ETP Proxy.
    2. Proxy Authorization. Toggle on to require that ETP Proxy authorizes connections from the on-premises proxy. To use this setting, you must configure proxy credentials in ETP and in the on-premises proxy. For more information, see Proxy authorization.
    3. Origin Ports. If you want to allow outbound traffic on a new origin port, enter the port number or port range. Separate each port number or range with a comma. By default, the full web proxy allows outbound traffic to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
    4. Trust XFF Header. Toggle on if you are configuring proxy chaining or the full web proxy. Your organization must be licensed for ETP Advanced Threat.
    5. Proxy Logging Mode. To change the ETP Proxy logging mode, select a different level. The default Level 1 ensures that detailed data is logged, such as response or request headers in HTTP or HTTPS threat events. For more information, see Proxy logging mode.
    6. Bypass Microsoft 365 Traffic. Toggle on to bypass traffic to Microsoft 365 apps and services.
    7. Block Incompatible Domains. Toggle on to block domains that are not compatible with TLS encryption. Otherwise, these domains bypass ETP Proxy.
    8. Invalid Certificate Response. Select Block - Error Page to block a request if ETP Proxy cannot verify a website's origin certificate. Otherwise, select Bypass to bypass ETP Proxy.
    9. Local Breakout for Bypass Domains. Disable this option only if your network has no default route to the Internet, and it cannot directly access origins that are configured for bypass.
      Note: This feature is currently in beta. To participate in the beta, contact your Akamai representative.
  7. In the Payload Analysis section, enable inline payload analysis to scan files that are up to 5 MB before they are downloaded. You must enable ETP Proxy to use payload analysis. Complete the following steps for these fields:
    1. Block Unscannable Files. Toggle on if you want to block files that cannot be scanned with ETP Proxy as part of inline payload analysis.
    2. Block On Upload Scan Timeout. Toggle on if you want to block requests that cause scanning to take longer than expected. Note: This setting applies to DLP and File Type blocking.
    3. Risky File Handling - by file size. If your organization is enabled for Advanced Sandbox:
      • For downloads that range from 5 MB to 2 GB in size, select Allow or Allow and Scan. Otherwise, select Block - Error Page. For more information, see Static malware analysis of large files.
      • If you select Allow and Scan, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.
      • For files that are greater than 2 GB (huge files), select an action. You can select Block - Error Page or Allow. For more information, see Payload analysis.
  8. In the Browsing Restrictions section, complete the following steps for these fields:
    1. Safe Search. Toggle on to block explicit results from Google and Bing searches.
    2. YouTube. Select Strict or Moderate to enable YouTube Restricted Mode. Otherwise, select Unrestricted to allow unrestricted access to YouTube content.
  9. In the Other Settings section, complete the following steps for these fields:
    1. Forward Public IP to Origin. Toggle on to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. Make sure you also enable this setting if you enabled the Bypass Microsoft 365 Traffic option.
    2. Authentication Mode. Select Require to require authentication, Optional to give users the option to skip authentication, or None. This mode defines whether users are prompted to authenticate when accessing allowed websites or web applications.
    3. Identity Provider. Select an identity provider if you selected Require or Optional as an authentication mode.
  10. If you’ve installed ETP Client on devices in your network, complete the following steps for these fields:
    1. Overwrite Device Proxy Settings. Select Yes or Only if there’s no local proxy if you want to enable ETP Client as a proxy on the client computer or device. Otherwise, select No.
    2. DNS-over-TLS Mode. Defines whether ETP Client uses DNS over TLS (DoT) to protect DNS traffic it forwards to ETP. Select one of these modes:
      • Attempt. Indicates ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS.
      • Required. Indicates that DoT is required. If DoT is not available, DNS traffic is directed from ETP Client to the local DNS resolver.
      • Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.
    3. DNS-over-TLS Port. Port that’s used for DoT connections.
  11. Define policy actions for a threat category. Click the Threat tab and do the following based on threat type:
    1. Known. If you want to assign the same policy action to all known threat categories, select an action in the Action column. Otherwise, make sure the Known option is expanded to show the threat categories.
      • For each threat category, select an action. For more information, see Policy actions.
      • If you select Block, select a specific response to the user. The Response to User column is available when the Block action is selected.
      • If Error Page is selected and you want to direct traffic to Security Connector, select a security connector in the Security Connector field. Otherwise, select None.
    2. Suspected. If you want to assign the same policy action to all suspected threat categories, select an action in the Action column. Otherwise, make sure the Suspected option is expanded to show the threat categories and complete the fields as described in the previous step.
    3. Risky. If you want to assign the same policy action to all risky categories, select an action in the Action column. Otherwise, make sure the Risky option is expanded to show categories, and select an action for the individual categories.
  12. To send alerts for a threat, toggle Alerts to on.
  13. Click the Access Control tab and complete these steps:
    1. Click the AUP & Shadow IT tab and complete the steps described in Configure application visibility and control.
    2. Click the DLP tab and complete the steps described in Select user and group exceptions for DLP scanning and Assign a DLP dictionary to a policy.
    3. If you want to block or monitor the download or upload of specific file types, click the File Types tab and follow the instructions described in Access by file type.
  14. To add a list to the policy, see Add a Block list to a policy or Add an Exception list to a policy.
  15. To configure custom headers, see Add a custom header.
  16. Click Save.

Next steps

After you edit a policy, you must deploy the configuration changes to the ETP network. For instructions see Deploy configuration changes.