Add an Internet Access Rule

Internet access rules specify how traffic to internet destinations should be handled.

Table of Contents


Note: Prerequisites for internet access rules are similar to but different from prerequisites for private access rules.


  1. Navigate to Secure > Access Rules.
  2. Click Add Rule > Internet Access.
    At the top of the rule is a summary section. Controls you configure in this rule will be summarized here:
  3. Configure access criteria:
    See Access Options
  4. Click Next.
    The Next button is not available until you give the rule a name and then click out of the Rule name field.
  5. Configure security controls:
    See Security Control Options
  6. Click Save.
  7. (Optional) Enable or disable the rule using the toggle at the top of the page.
  8. Additional rules are required for most traffic. See [Important! Ensure Rule Matching for Encrypted Internet Traffic].(doc:ensure-rule-matching-for-encrypted-internet-traffic)

Access Options

Disable or Enable the rule

After you configure the rule and click Save, the rule will take effect only if this toggle shows as Enabled.

Logging settings

Logging options are at the top right corner of the page:

To choose options, click Edit.

For details, see Manage Logging.


After you configure the rule, view a summary of the rule's action here.

If you see an Upgrade button, this means your company has an opportunity to upgrade to a licensing package that offers additional functionality. For details, contact your Cisco sales representative.

Rule name

You must give your rule a name before you can click Next at the bottom of the page (to specify security controls.)

Rule order

Specify where you want this rule in the overall rule order.

Secure Access applies the first rule in the list on the Access Policy page that matches the traffic.

Order your rules so that more specific rules are above more general rules that might also apply to the traffic.

For important guidelines, see Edit the Order of Rules on the Access Policy Page.

Rule action

By default, access to internet destinations is allowed unless an access rule blocks or modifies access using the Warn or Isolate options.

The action you choose determines which other options are available in the rule.

Specify the rule action before you specify other settings including source and destination, or those configurations will be reset when you change the action.

  • Allow - When the action is Allow, traffic can still be blocked if it does not pass the security controls specified in the rule.
  • Block - If you want to display a notification page to end users who attempt to access a blocked destination, see Manage Notification Pages.
  • Warn - When the action is Warn:
    • End users must click a link in a warning notification to access the destination.
    • The destination can include only content categories and content category lists.
    • You can configure a custom warning notification that Secure Access will present to users who attempt to access a warned destination. You can also preview the notification page. See Manage Notification Pages.
    • Decryption must be enabled in order to present the notification.
    • For required certificates for displaying notifications, see Certificates for Internet Decryption.
  • Isolate - If your license includes the Remote Browser Isolation feature, Secure Access creates a virtual browser that hosts applicable destination access requests. This action is available only for certain destinations.
    For information about the Isolate action, see Understand Isolated Destinations.
    If you see an Upgrade button, click it for information about enhanced functionality for this feature.


We recommend that you create reusable components rather than adding source IP addresses directly to a rule. See Components for Internet Access Rules. For detailed tips and guidelines when configuring sources, see About Configuring Sources for Internet Access Rules.

  • For Select sources, click in the white space beside the default value ("Any") and choose the configured source components in your organization. When you finish choosing your sources, click Done.
    For descriptions of the different types of sources, including links to how to create reusable sources, see Components for Internet Access Rules.
  • For Add a source, enter an IP or CIDR address as network connection source in the access rule, and then click Add. When you finish adding your sources, click Done.
    This option is useful if you need to quickly address a specific issue that arises, for example to immediately block a particular user's access to an internet destination. For more information, see About Configuring Source in Private Access Rules.

Note: The arrows out icon opens a window to configure the sources in your rule.


We recommend that you create reusable components rather than adding destinations directly in a rule. For more information, see Components for Internet Access Rules. For detailed tips and guidelines when configuring destinations, see About Configuring Destinations for Internet Access Rules.

Click in the white space beside the default value ("Any") and specify destinations:

  • Select destinations
    The destination options available depend on the rule action you choose.
    Usually you will select destinations that you or others have previously configured.
    For more information, see Components for Internet Access Rules.
  • For Add a destination, select Port, IP/CIDR Address, and Protocol. Choose from one of the supported protocols: Any, TCP, UDP, or ICMP. After each selection, click Add. When you finish adding the attributes of the private destination, click Done.

Advanced Application Controls

If configured destinations include Application Lists, Application Categories, or individual applications selected from Application Categories that support the ability to control uploads, downloads, posting, or sharing without entirely blocking access to the application, you will see the Advanced Application Controls section.

See Advanced Application Controls.

Security Control Options

Intrusion Prevention (IPS)

Choose the IPS profile that includes the threat detection settings that you want applied to traffic that matches this rule. You can also disable intrusion prevention for this rule.

See Manage IPS Profiles.

Web Profile

  • Choose the web profile that includes the web-related settings that you want applied to traffic that matches this rule.
  • For all rules, including Block, Warn, and Isolate rules, unless you have good reason not to, choose a web profile that is configured to decrypt the traffic that will hit the rule. Decryption is required to accurately process traffic to most internet destinations.

    Best practice: If decryption is disabled in a web profile, or if decryption is enabled only to show notifications, use that profile only in rules that include only trusted destinations.

    For important information about decryption, see Manage Web Profiles and Manage Traffic Decryption.
  • If the rule will block traffic or warn users, you can choose a web profile that specifies the notifications to display to end users.

For complete details, see Manage Web Profiles.

Tenant Control Profile

Tenant controls affect access to Microsoft 365, Google G Suite, Slack, and Dropbox.

For more information, see Manage Tenant Control Profiles.

For additional requirements, see Use Tenant Controls in Access Rules.

Advanced Security Controls

This section includes options to skip enforcement of certain security features, which you may want to do permanently for trusted destinations or temporarily to troubleshoot an issue.

This section includes the ability to access files without decrypting them (sometimes known as "protected file bypass") and the ability to not enforce certain web security features for this rule.

In general, you should allow access to encrypted files only for trusted destinations, because encrypted files cannot be effectively assessed for threats. By default, access to encrypted files is not enabled.

Disable security features only when you have a specific reason to do so.

Next Steps

Return to Get Started with Internet Access Rules and review additional steps you should take after configuring a rule.

Default Settings for Internet Access Rules< Add an Internet Access Rule > About Configuring Sources in Internet Access Rules