When you add or edit a cloud access rule from the Cloud Access Rules screen, a new screen opens, where you can specify the settings for the rule.
| Item | Setting |
|---|---|
| Rule name | Specify a unique name for the cloud access rule. |
| Description | (Optional) Meaningful description to easily identify the cloud access rule. |
| Enable | Click On or Off to enable or disable the cloud access rule. If you no longer need a cloud access rule, delete it, instead of setting Enable to Off. |
Options include:
All: All users and groups created on or synchronized to the management console
Selected users/user groups: Specific users or user groups from those configured on the Hosted Users screen and synchronized from your organization's Active Directory servers
Exclude the following users or user groups: (Optional) Those among the selected users or user groups to be excluded from the rule
User groups are displayed in bold.
Selected IP address groups: Specific IP address groups from those configured on the IP Address Groups screen.
(Optional) Click Add IP Address Group to create a new IP address group on the current screen. For more information, see Configuring An IP Address Group.
If you want to apply cloud access rules based on IP addresses rather than user accounts of certain users, create IP address groups to include these IP addresses as necessary, and then add the groups to Bypass authentication under the User Authentication settings of the corresponding virtual gateway.
Exclude the following IP address groups: (Optional) Those among the selected IP address groups to be excluded from the rule
Options include:
All: Any domain that a user requests to access
Selected target domain groups: Specific domains from the target domain groups configured on the Target Domain Groups screen.
(Optional) Click Add Target Domain Group to create a new target domain group on the current screen. For more information, see Configuring A Target Domain Group.
Exclude the following target domain groups: (Optional) Those among the selected target domain groups to be excluded from the rule
Options include:
All: All application categories, URL categories, and cloud applications predefined by Trend Micro
Selected application categories and URL categories: Specific application categories or URL categories from the lists predefined by Trend Micro or customized by the administrator
For details about the predefined application categories and URL categories, see Application Category Groups and URL Filtering Category Groups.
(Optional) Click Add Customized URL Category to specify new URL categories that are not part of the Trend Micro predefined URL categories. For more information, see Configuring A Customized URL Category.
If application categories and URL categories are selected at the same time, the cloud access rule applies when user traffic matches any of the selected categories.
Selected cloud applications: Cloud applications preconfigured in the cloud application access sets
For details about the cloud application access sets, see Cloud Application Access Sets.
(Optional) Click Add Cloud Application Access Set to group a new set of cloud applications to apply the cloud access rule to. For more information, see Configuring A Cloud Application Access Set.
This feature is not available for the Standard license.
(Optional) Click Add Cloud Service Filter to specify a new cloud service filter to add here. For more information, see Configuring A Cloud Service Filter.
TMWS applies the actions configured in the selected cloud service filters (that is, it modifies the headers of the HTTP request messages) to the matched web traffic only when that traffic is not blocked by the current cloud access rule or by the Threat Protection template and Data Loss Prevention profile configured in this cloud access rule.
Use special caution when configuring cloud service filters, because changing HTTP headers may affect the proper display of users' HTTP requests.
You can identify the types of content or files to block for security, monitoring, or performance purposes. Blocked content and files are not received by the requesting client or scanned; requests to retrieve a blocked file type are not executed. You have the option of blocking file types such as Microsoft Office documents, images, executables, audio/video files, Java applets, archives, or other file types that you specify. Options include:
MIME Content Types: Scans specific MIME content-type files.
File Names: Scans the files whose file name contains one or several of the configured strings, regardless of the file name extension.
In File Names, wildcards are supported.
True File Types: Examines the file header rather than the file name to ascertain the actual file type. This prevents users from trying to bypass the scan engines by changing the file extension or by some other form of file manipulation.
If MIME Content Types, File Names, and True File Types are configured at the same time, the cloud access rule applies when user traffic matches any of the configured types.
Here are three examples to explain how Traffic Types and Content Types work in a cloud access rule:
Example 1: If you want to block all webmail related content, select Webmail in Traffic Types > Selected application categories and URL categories > Application Categories and All in Content Types.
Example 2: If you want to block images in GIF format on Bing, select Bing in Traffic Types > Selected application categories and URL categories > Application Categories > Web and GIF in Content Types > True File Types > Images.
Example 3: If you want to block documents in PDF format in the cloud applications configured in a cloud application access set, select the set in Traffic Types > Selected cloud applications and PDF in Content Types > True File Types > Documents.
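The following sketch is an added example, not TMWS code. It shows how the three Content Types criteria combine with "match any" semantics, and why a True File Types check still catches a file whose extension and declared MIME type have been changed. The rule dictionary, the function names, the three-entry signature table, and the fnmatch-style wildcard syntax are all assumptions made for illustration.

```python
import fnmatch

# Constructed signature table: well-known leading bytes for three formats.
# A real scan engine recognises far more types; this short list is an assumption.
MAGIC = {
    "GIF": (b"GIF87a", b"GIF89a"),
    "PDF": (b"%PDF-",),
    "EXE": (b"MZ",),
}

def true_file_type(body: bytes):
    """Return the type implied by the file header, or None if unrecognised."""
    for name, prefixes in MAGIC.items():
        if body.startswith(prefixes):
            return name
    return None

def content_match(rule: dict, filename: str, mime: str, body: bytes) -> list:
    """Return the criteria that matched; a non-empty list means the rule applies."""
    hits = []
    # MIME Content Types: compare the declared type, ignoring parameters.
    if mime.split(";")[0].strip().lower() in rule.get("mime_types", ()):
        hits.append("mime")
    # File Names: the configured string may appear anywhere in the name,
    # regardless of extension; wildcards inside the string are honoured.
    name = filename.lower()
    if any(fnmatch.fnmatchcase(name, f"*{p.lower()}*")
           for p in rule.get("file_names", ())):
        hits.append("file_name")
    # True File Types: decided by the header bytes, not the name or MIME type.
    if true_file_type(body) in rule.get("true_file_types", ()):
        hits.append("true_file_type")
    return hits

# Constructed sample rule and downloads (hypothetical values).
RULE = {
    "mime_types": {"application/pdf"},
    "file_names": ["setup"],
    "true_file_types": {"EXE", "GIF"},
}
SAMPLES = [
    ("report.pdf", "application/pdf", b"%PDF-1.7\n"),   # declared MIME type matches
    ("holiday.jpg", "image/jpeg", b"MZ\x90\x00\x03"),   # executable renamed to .jpg
    ("Setup_v2.zip", "application/zip", b"PK\x03\x04"), # name contains "setup"
    ("notes.txt", "text/plain", b"hello"),              # nothing matches
]

if __name__ == "__main__":
    for fname, mime, body in SAMPLES:
        print(fname, content_match(RULE, fname, mime, body))
```
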
Options include:
Allow: The content that matches the cloud access rule will be further processed through the selected security templates before users can actually access it.
Block:
Block with no more actions: Users cannot access the content that matches the cloud access rule.
Enable warning: Users see a warning page when attempting to access specific content that matches the cloud access rule. If users choose to continue, the content will be further processed through the selected security templates before users can actually access it.
Enable password override: The content that matches the cloud access rule will be further processed through the selected security templates if users correctly type the password configured here.
Type a password in the Password text box. To ensure that you set the password correctly, select the Show password check box.
Inform the users of the password. When specific content matches the cloud access rule, TMWS shows a blocking page, where users can type the password.
Whether users can access the content depends on the actions configured in the selected security templates.
This section does not appear when Block with no more actions is selected in the Action section, because in this case data traffic that matches the cloud access rule is blocked directly and no security template needs to be enforced.