Edit a policy

If you are an Enterprise Threat Protector (ETP) super administrator, delegated administrator, or tenant administrator, you can modify the settings associated with a policy. If you are a delegated or tenant administrator, you can modify the policy you created or the policies that you are allowed to access.
Note: A tenant administrator cannot enable the ETP proxy or complete any step related to the proxy.

How to

  1. In the navigation menu, select Configuration > Policies.
    Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Policies > Policies.
  2. Click the name of the policy that you want to edit.
  3. Edit or enter a new name or description for the policy in the Name or Description fields.
  4. To modify the locations that are assigned to the policy:
    1. Click the link icon for Location Assignments.
    2. To assign a location, find and select the location. You can also enter the location name in the search field.
    3. To unassign a location, deselect a location.
    4. Click Associate.
  5. To modify the proxy settings, click Settings and complete these steps:
    1. To enable ETP Proxy, toggle Enable Proxy to on.
    2. To require that ETP Proxy authorizes connections from the on-premises proxy, enable Proxy Authorization. To use this setting, you must configure proxy credentials in ETP and in the on-premises proxy. For more information, see Proxy authorization.
    3. If you want to allow outbound traffic on a new origin port for the full web proxy, in the Origin Ports field, enter the port number or port range. Separate each port number or range with a comma.
    4. If you are configuring proxy chaining or the full web proxy, enable Trust XFF Header. Your organization must be licensed for ETP Advanced Threat.
    5. To optimize access to Microsoft 365 apps and services, enable Optimize Microsoft 365 Traffic.
    6. If you enabled the ETP Proxy and you want to change the logging mode, select a new logging mode.
    7. If you want to assign risky domains the same action that’s assigned to a threat category, select Classify in the Risky Domains menu. If you want to allow traffic to risky domains, select Allow.
    8. If you want to assign file sharing domains the same action that’s assigned to a threat category, select Classify in the File Sharing menu. If you want to allow traffic to file sharing domains, select Allow.
    9. To select how requests are handled when ETP Proxy cannot validate a website’s origin certificate, in the Invalid Certificate Response menu, select Block - Error Page to block the request. Otherwise, you can select Bypass to bypass ETP Proxy.
    10. To select a default action for unclassified traffic and for AUP categories that have no action assigned, go to the Default Action menu and do one of the following:
      • If you want traffic to bypass ETP Proxy, select Bypass. If you are licensed for ETP Advanced Threat, this option enables the selective proxy.
      • If you want to classify traffic that is not yet classified by ETP, select Classify. If you are licensed for ETP Advanced Threat, this option enables the full web proxy.
      • If you want to block traffic, select Block - Error Page.
      Note: If your organization is participating in the application visibility and control (AVC) beta, the default action setting is not available in the Settings tab. You configure this setting as part of an AVC configuration in the Access Control area.
  6. If you want to enable ETP Client as a proxy on the client computer, in the Overwrite Device Proxy Settings menu, select Yes or Only if there’s no local proxy. Otherwise, you can select No.
  7. To modify payload analysis settings, complete these steps:
    1. To enable inline payload analysis, in the Payload Analysis area, toggle Enable Inline Payload Analysis to on.
      Note: Inline payload analysis is available to organizations that are licensed for ETP Advanced Threat.
    2. To block files that cannot be scanned by ETP Proxy as part of inline payload analysis, make sure Block Unscannable Files is enabled.
    3. If you are enabled for Advanced Sandbox and you want to change the action associated with large or huge files, select new settings. To enable Dynamic Analysis, make sure the toggle is turned on. For more information, see Payload analysis.
  8. To modify browsing restrictions, complete these steps:
    1. To enable SafeSearch, toggle Safe Search to on.
    2. To enable YouTube Restricted Mode, in the YouTube menu, select Strict or Moderate. Otherwise, you can select Unrestricted mode to allow unrestricted access to YouTube content.
  9. To modify other settings, including authentication settings, complete these steps:
    1. Make sure the option Forward Public IP to Origin is enabled. This setting forwards the user’s public IP address to authoritative DNS servers and web servers, and it identifies the geolocation of clients. If you enabled the Optimize Microsoft 365 Traffic option, make sure you also enable this setting.
    2. To change authentication settings, select a new mode from the Authentication Mode menu. If you select Require or Optional, you must select an identity provider.
  10. To change the policy action that’s associated with a threat category or custom list, go to the Threat or Custom Lists tab and complete these steps:
    1. Navigate to the threat category or custom list that you want to configure with a new action. Click the Action menu for known or suspected domains or IP addresses.
    2. If applicable, select a new response and Security Connector.
    Note: On the Threat tab, you can also select a predefined security template. For more information, see Security templates.
  11. To add a list to the policy, see Add a list to a policy.
  12. To configure custom headers, see Add a custom header.
  13. If your organization is participating in the data loss prevention (DLP) beta and you want to associate a DLP dictionary, complete these steps:
    1. Go to the Access Control tab.
    2. In the DLP tab, click the link icon and select a dictionary or multiple dictionaries.
    3. Click Associate. By default, DLP dictionaries are assigned the Monitor action.
    4. To assign the Block - Error Page action, select it from the Action menu.
      Note: You must have enabled ETP Proxy and inline payload analysis to complete this step. This feature is in beta and available to organizations that are licensed for ETP Advanced Threat.
    5. To remove a dictionary, click the delete icon.
  14. To modify alert settings, toggle the Send Alert option to enable or disable alerts.
  15. If your organization is participating in the application visibility and control (AVC) beta, see Configure application visibility and control. Otherwise, see Configure an Acceptable Use Policy to configure an acceptable use policy (AUP).
  16. Click Save.
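
Several settings in the steps above depend on one another, and a planned change can be checked against those dependencies before you click Save. The following Python check is an added example, not Akamai code or an ETP API: the setting names are hypothetical, and the lo-hi syntax for an origin port range is an assumption.

```python
# Added example: the keys below are hypothetical names, not an ETP export format.

def parse_origin_ports(value):
    """Parse comma-separated ports or ranges (a range written lo-hi is an assumption)."""
    ranges = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port or range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def check_policy(p, advanced_threat_license, tenant_admin=False):
    """Return the dependency violations found in a planned set of policy settings."""
    issues = []
    proxy = p.get("enable_proxy", False)
    inline = p.get("inline_payload_analysis", False)
    if proxy and tenant_admin:
        issues.append("tenant administrator cannot enable ETP Proxy")
    if not advanced_threat_license:
        for key in ("trust_xff_header", "inline_payload_analysis"):
            if p.get(key):
                issues.append(f"{key} requires an ETP Advanced Threat license")
    if p.get("optimize_m365") and not p.get("forward_public_ip", False):
        issues.append("Optimize Microsoft 365 Traffic needs Forward Public IP to Origin")
    if p.get("auth_mode") in ("Require", "Optional") and not p.get("identity_provider"):
        issues.append("authentication mode needs an identity provider")
    if p.get("dlp_action") == "Block - Error Page" and not (proxy and inline):
        issues.append("DLP Block - Error Page needs ETP Proxy and inline payload analysis")
    try:
        parse_origin_ports(p.get("origin_ports", ""))
    except ValueError as exc:
        issues.append(f"origin ports: {exc}")
    return issues


# Constructed sample settings, not taken from a real tenant.
SAMPLE = {
    "enable_proxy": True, "inline_payload_analysis": False,
    "optimize_m365": True, "forward_public_ip": False,
    "auth_mode": "Require", "identity_provider": None,
    "dlp_action": "Block - Error Page", "origin_ports": "8080, 8443-8450, 70000",
}

if __name__ == "__main__":
    for issue in check_policy(SAMPLE, advanced_threat_license=True):
        print("FIX:", issue)
```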

Next steps

After you edit a policy, you must deploy the configuration changes to the ETP network. For instructions, see Deploy configuration changes.