Creating an Internet Access Control Rule

Configure an internet access control rule to protect your users' internet access whether they are on or off your corporate network.


Trend Vision One automatically creates a default internet access rule to apply whenever no other internet access rules are matched. The default rule allows unrestricted access to the internet.

  1. On the Secure Access Rules screen, click the Internet Access Control tab and then click Create Rule.

    The rule configuration screen appears with the Web access control rule template selected.

  2. Specify a unique name and a description for the rule.
  3. (Optional) To enable or disable the rule, click the toggle next to Status.

    You can also enable or disable rules on the Internet Access Control tab.

  4. Configure the following rule factors.

    Rule Factor




    The users and locations that the rule applies to

    Users / Groups / Private IP groups

    • Users / Groups: Specify users and user groups from your IAM system.


      If you have configured more than one IAM system, the IAM system with SSO enabled applies.

    • Private IP groups: Specify private IP address groups within your organization.

      A private IP address group references the IP addresses or segments on the internal corporate network that share the same egress IP address. You can define a private IP address group to identify a sub-location within a corporate network location. You can then use these sub-locations to implement different internet access rules for the corporate network location, regardless of which users are accessing from these internal IP addresses.

      • The selected private IP address group must be a subset of at least one corporate network location.

      • Internet access rules may not apply in the following situation because the Internet Access Gateway cannot retrieve private IP addresses: Devices are not installed with the Secure Access Module and HTTP/HTTPS requests do not contain the X-Forwarded-For (XFF) header field to carry the device IP address.

      • To define a new IP group using one or more private IP addresses on your internal corporate network, click Add private IP address group.


    Select the device posture profile to exclude "compliant" devices from the rule enforcement.


    This option only applies to internet access protected by the Secure Access Module.

    To add a device posture profile, click Add custom device posture profile.


    Specify corporate network locations, or public/home network locations with specified IP addresses or geographic regions.

    • Corporate network locations identify user traffic from known locations, such as the corporate headquarters, a branch office, or company VPN. Corporate network locations access the internet through a specified Internet Access Gateway.


      To define your corporate network locations on the Internet Access Cloud Gateway or through an Internet Access On-Premises Gateway, go to Secure Access Configuration > Internet Access Configuration and configure settings on the Gateways tab.

    • Public/home network locations identify roaming users, such as users connecting to public Wi-Fi networks or working from home. Public/home network locations are defined by IP address or geographic region.


      To define a new public/home network location using one or more IP addresses, click Add public IP address group.


    The internet content that the rule applies to

    URLs/Cloud apps

    Specify URL categories, cloud app categories, and specific actions for supported cloud apps.

    • Expand URL categories and apply the rule to URL categories predefined by Trend Micro or customized by the admin.

      For more information, see Custom URL Categories.

    • Expand Custom cloud app categories and apply the rule to cloud app categories predefined by Trend Micro or customized by the admin.

      For more information, see Custom Cloud App Categories.

    • Expand Custom cloud app actions and apply the rule to actions within apps. For example, you can block file downloads from Facebook.

    HTTP/HTTPS requests

    Specify the HTTP/HTTPS requests as defined by the HTTP/HTTPS request filters.

    For more information, see HTTP/HTTPS Request Filters.

    File types

    Specify media types, file names, or true file types as defined by file profiles.

    For more information, see File Profiles.


    The weekly period that the rule is applied

    To configure the recurrence of the schedule, select Only apply the rule during the specified period, and then select a start date and end date.


    The schedule uses the defined time zone of corporate network locations or UTC+0 for public/home network locations.


    The action taken when the rule is triggered

    Access control

    Allow, block, or monitor access to the specified internet content.


    Select Monitor URL/Cloud App Access to allow the internet access but log the activity.

    For more information about actions, see Zero Trust Actions.

    Advanced security settings

    If you selected Allow URL/Cloud App Access or Monitor URL/Cloud App Access, you can choose to apply the following advanced settings.

  5. Click Save.

    You can view the rule on the Internet Access Control tab.