Security Profiles for Internet Access

A security profile for internet access includes security controls and other settings such as acceptable use controls that you configure as a set, then use as a unit in internet access rules. For example, you can use different security profiles for different sets of users, or for different types of destinations.

You can use each profile in one or more internet access rules.

Secure Access comes with a partially configured security profile for internet access; you must either configure that profile to suit your needs or create a different security profile and designate that profile as the default security profile for internet access rules.

To configure security profiles for internet access, see detailed information in Add a Security Profile for Internet Access.

Table of Contents


Functionality Included in a Security Profile for Internet Access

You can configure various settings and security controls on a security profile for internet access.

Decryption

Decryption is necessary for proper functioning of all features enabled in the security profile, and for processing traffic to most internet destinations in general. When enabled, all internet traffic will be decrypted except as specified in the selected Do Not Decrypt list. For more information about decryption, see Manage Traffic Decryption.

Generally, you should disable decryption only if the security profile will be used in rules that:

  • Have only destinations to which traffic should never be decrypted, for example for privacy or confidentiality reasons, such as medical or financial sites, for locations that regulate this traffic.
  • Have sources that only include devices on which you cannot install certificates required to decrypt and inspect traffic, such as devices that are not managed by your organization, for example vendors’ or contractors’ devices.
  • Have only sources that cannot respond to certificates required for decryption, such as IoT devices, printers, or kiosks
  • Allow access to applications that will not work properly if decryption is enabled, including Microsoft 365 and applications that use certificate pinning.
  • Include only known safe destinations.
    For example, use this profile for rules that control access to the sites that IoT devices access in order to update their software.

If you enable decryption, you can opt not to decrypt traffic to specific destinations. For more information, see Important Information About Do Not Decrypt Lists.


SAML Authentication

If your organization uses SAML authentication, you should generally enable this option on the networks and tunnels configured for the rules that use this profile.

Requirements for Enabling SAML Authentication

  • Configure SAML authentication to authorize connections to the secure web gateway from user devices on networks and network tunnels, and connections using Zero Trust Access (ZTA). For more information, see Configure Integrations with SAML Identity Providers.
  • Decryption must also be enabled for network SAML enforcement.

Requirements for Disabling SAML Authentication

  • Decryption is disabled in the security profile, or is enabled only for notifications.
  • The security profile will be used in rules that include sources that:
    • Are not configured for SAML authentication.
    • Cannot be authenticated using SAML.
      For example, if the rule source includes:
      • Devices that are not managed by your organization, when certificates are required for authentication but cannot be installed on the device. Such devices might be used by contractors or vendors on your guest network.
      • Devices such as IoT devices, printers, or kiosks that cannot respond to authentication requests or present certificates required for authentication.
    • Should not be authenticated using SAML.
      For example, if users should not be identified for privacy or confidentiality reasons, such as by regulation or policy.

Security and Acceptable Use Controls

These controls include the following:

OptionDescriptionMore Information
Threat CategoriesBlock traffic to sites that have been categorized as risky or threatening.Manage Threat Categories
File inspectionBlock download of files known to carry threats, and anayze files for suspicious behaviors.Manage File Inspection
File type blockingBlock files based on filename extension, such as executable files.Manage File Type Controls
SafeSearchReturn only family-friendly search results in popular search engines.Enable SafeSearch

Note: For acceptable use controls on access to web sites based on categories that are not known security threats, see Manage Content Category Lists. You will specify these categories or lists an access rules.


End-User Notifications

You configure two types of end-user notifications in security profiles for internet access:

  • Block notifications that end users see instead of a browser error when they attempt to access a destination that is blocked by an access rule.
  • Warning notifications that end users must click through in order to access destinations in rules configured with the Warn action.

For details, see Manage Notification Pages.


Manage Security Profiles < Security Profiles for Internet Access > Add a Security Profile for Internet Access