Creating an internet access rule | Trend Micro Service Central

Views:

Configure an internet access rule to protect your users' internet access whether they are on or off your corporate network.

Note

Trend Vision One automatically creates a default internet access rule to apply when no other internet access rules are triggered. The default rule allows unrestricted access to the internet.
AI service access rules take priority over internet access rules.

Trend Vision One automatically creates a default internet access rule to apply when no other internet access rules are triggered. The default rule allows unrestricted access to the internet.

Procedure

Go to Secure Access Rules → Internet Access and click Create Rule.

The rule configuration screen appears with the Web access control rule template selected.
Specify a unique name and optional description for the rule.
Choose whether to enable or disable the rule by clicking the toggle next to Status.

Tip

You can also enable or disable rules on the Internet Access screen.

Configure the rule parameters.

Rule Parameter

Description

Settings

Source

Users, devices, and locations targeted by or excluded from the rule

Users/Groups/Private IP address groups: Target or exclude users or groups registered with your configured SSO provider. You may alternatively target or exclude private IP address groups from your internal corporate network locations.

Only users or groups from the IAM system configured as your SSO provider can be used in rules.
Define a new IP address group by clicking Add. The IP addresses or ranges must exist on your internal corporate network.

Important

Rules may not apply to devices without the Secure Access Module installed that do not send HTTP/HTTPS requests containing the X-Forwarded-For (XFF) header field. The Internet Access Gateway cannot retrieve the private IP addresses of these devices.

Device posture profile: Select or add a device posture profile to exclude compliant devices that have the Secure Access Module installed.
Locations: Target available corporate or public/home network locations as defined on your Internet Access Cloud Gateway or Internet Access On-Premises Gateways.
- Define network locations on particular gateways by going to Secure Access Configuration → Internet Access Configuration → Gateways.

Traffic

Web traffic and content targeted by the rule

URLs/Cloud apps: Specify applicable predefined or custom URL categories, predefined or custom cloud app categories, or custom cloud app actions such as file uploads or downloads.
HTTP/HTTPS traffic filters: Specify applicable HTTP/HTTPS traffic defined by HTTP/HTTPS traffic filters.
File types: Specify applicable file types defined by file profiles.

Schedule

The time period the rule is active

Choose Custom to set a weekly schedule. Check Only apply the rule during the specified period and choose a date range to set a specific period.

Note

Schedules use the time zones defined in your corporate network locations. Connections from public or home networks use UTC+0.

Actions

Actions taken when the rule is triggered

Access control: Allow, block, monitor or warn before access to the specified internet content.
- When warn before access is chosen, users must click a Continue button to access the content. The content is available with no restrictions for 24 hours, after which the user is warned again.

Advanced security settings:

Enable tenancy restriction: Restrict access to cloud apps defined by tenancy restriction rules.
Enable threat protection: Scan and potentially block internet content defined by threat protection rules.
Enable Data Loss Prevention: Scan outbound web traffic for content including sensitive data defined by Data Loss Prevention rules.

Note

Advanced security settings are not available if you choose to block content access.

Click Save.

View all available rules on the Internet Access screen.