Enable selective proxy
Create certificates and distribute the certificates to devices and TLS clients on your network. For more information, see ETP Proxy as a TLS intermediary.
Before you begin
Complete this procedure to enable the selective proxy. The selective ETP Proxy analyzes risky web traffic.
- In the Enterprise Center navigation menu, select .
If you are adding a new policy:
- On the Policies page, click the plus sign icon.
- Enter a name and description for the policy in the Name and Description field.
To configure a policy with settings
from a predefined template, select one of these templates and click Continue:
- Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
- Monitor-only. Logs and reports threats but it does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
- Custom. Lets you define policy actions for known and suspected threats.
- To assign a location, click the link icon, select a location or multiple locations, and click Associate.
- If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.
- Click the Settings tab.
In the Proxy Settings section, complete the steps for these fields.
- Enable Proxy. Toggle on to Enable ETP Proxy.
- Bypass Microsoft 365 Traffic. Toggle on to bypass traffic to Microsoft 365 apps and services. Your organization must be licensed for ETP Advanced Threat to use this feature.
Local Breakout for Bypass Domains. Disable this option only
if your network has no default route to the Internet, and it cannot directly access
origins that are configured for bypass.
Note: This feature is currently in beta. To participate in the beta, contact your Akamai representative.
In the Payload Analysis section, complete the following steps for these fields:
- Enable Inline Payload Analysis. Toggle on to scan files that are up to 5 MB before they are downloaded.
- Block Unscannable Files. Toggle on if you want to block files that cannot be scanned with ETP Proxy as part of inline payload analysis.
- Block On Upload Scan Timeout. Toggle on if you want to block requests that cause scanning to take longer than expected. Note: This setting applies to DLP and File Type blocking.
- In the Other Settings area, enable the Forward Public IP to Origin toggle to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. If you enabled the Bypass Microsoft 365 Traffic option, make sure you also enable this setting.
If you’ve installed ETP Client on devices in your network, complete the following steps
for these fields:
- Overwrite Device Proxy Settings. Select Yes or Only if there’s no local proxy if you want to enable ETP Client as a proxy on the client computer or device. Otherwise, select No.
DNS-over-TLS Mode. Defines whether ETP Client uses DNS over
TLS (DoT) to protect DNS traffic it forwards to ETP. Select one of these modes:
- Attempt. Indicates ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS.
- Required. Indicates that DoT is required. If DoT is not available, DNS traffic is directed from ETP Client to the local DNS resolver.
- Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.
- DNS-over-TLS Port. Port that’s used for DoT connections.
Define policy actions for a threat
category. Click the Threat tab and do the following based on threat
Known. If you want to
assign the same policy action to all known threat categories, select an action in the
Action column. Otherwise, make sure the Known option is expanded to show the threat
- For each threat category, select an action. For more information, see Policy actions.
- If you select Block, select a specific response to the user. The Response to User column is available when the Block action is selected.
- If Error Page is selected and you want to direct traffic to Security Connector, select a security connector in the Security Connector field. Otherwise, select None.
- Suspected. If you want to assign the same policy action to all suspected threat categories, select an action in the Action column. Otherwise, make sure the Suspected option is expanded to show the threat categories, and select an action for the individual categories.
- Risky. If you want to assign the same policy action to all risky categories, select an action in the Action column. Otherwise, make sure the Risky option is expanded to show categories, and select an action for the individual categories.
- Known. If you want to assign the same policy action to all known threat categories, select an action in the Action column. Otherwise, make sure the Known option is expanded to show the threat categories.
Click the Access Control tab and complete these steps:
Click the AUP & Shadow IT tab and complete the steps
described in Configure application visibility and control.
Note: Make sure you select Bypass for the Default Action.
- Click the DLP tab and complete the steps described in Select user and group exceptions for DLP scanning and Assign a DLP dictionary to a policy.
- If you want to block or monitor the download or upload of specific file types, click the File Types tab and follow the instructions described in Access by file type.
- Click the AUP & Shadow IT tab and complete the steps described in Configure application visibility and control.
- To assign a list to a policy, see Add a Block list to a policy and Add an Exception list to a policy.
- Click Save.
Deploy the policy to the ETP network. For instructions, see Deploy configuration changes.