Internet Access Management and Audit


This topic describes how to configure domain name blacklist and whitelist policies for fine-grained control over employee internet access. It also explains how to audit all access logs to ensure corporate network security and compliance.

Background

As businesses undergo digital transformation, the growing need for internet access for daily work introduces security risks such as data leaks and unauthorized access. To ensure network security and enhance control over employee internet activity, configuring domain name blacklist and whitelist policies provides fine-grained control over access to specific or wildcard domain names. Combined with comprehensive behavior logging and auditing, this not only meets corporate compliance requirements but also provides a reliable basis for tracing security incidents, helping you build a more secure and compliant network environment.

Policy detection logic

Internet access management supports whitelist and blacklist policies. When an access attempt matches a policy, SASE takes an action based on the policy's configuration. You must configure policies that meet your business requirements, taking into account the detection logic for blacklist and whitelist policies. You can add trusted users, user groups, and domain names to a global whitelist. Once a user, user group, or domain name is whitelisted, SASE no longer controls their internet access.

  1. Check the global whitelist

    • SASE first checks if the user, user group, or accessed domain name has been added to the global whitelist. If there is a match, SASE allows access and checks no further policies.

  2. Check blacklist policies

    • If the request does not match the global whitelist, SASE then checks whether any enabled blacklist policy covers both the user and the domain name being accessed.

    • If one or more blacklist policies match, the configured action is performed (Block and Warn, Block Only, or Monitor).

  3. Check whitelist policies

    • If no blacklist policy is matched, SASE then checks whether a whitelist policy is configured for the user.

    • If a whitelist policy is configured and the accessed domain name is not in the policy's Whitelist Type, the action specified in the policy is executed (Block and Warn, Block Only, or Monitor).

Note

SASE does not control or restrict internet access for users, user groups, or domain names not covered by a policy.

Prerequisites

Configure the list library

Add domain names or wildcard domain names to the list library and organize them into custom categories. This allows for flexible selection when configuring blacklist and whitelist internet access management policies.

  1. Go to the Behavior Management page. Select the Whitelist Management or Blacklist Management tab as needed, and then click List Group Management in the upper-right corner.

  2. In the List Group Management panel, click Add to create a custom list type, add domain names or wildcard domain names, and then click Close.

    • Whitelist group management: Add a custom Whitelist Type and its corresponding domain names.

    • Blacklist group management: Add a custom Blacklist Type and its corresponding domain names.

Configure an internet access management policy

  1. Go to the Behavior Management page. Select the Whitelist Management or Blacklist Management tab, and then click Create Policy.

    1. In the Create Policy panel, configure the following parameters.

      Parameter

      Description

      Policy Name

      Enter a descriptive name for the whitelist or blacklist policy.

      Priority

      The execution priority of the policy. A smaller number indicates a higher priority.

      • Whitelist policy: when multiple whitelist policies apply to the same user, only one of them is executed.

        • Different priorities: If multiple policies are enabled simultaneously, SASE executes only the whitelist policy with the highest priority (the smallest number).

        • Same priority: If multiple policies with the same priority are enabled, SASE executes only the most recently created whitelist policy.

      • Blacklist policy: all applicable blacklist policies are executed, regardless of priority. If a user's request matches multiple blacklist policies that cover the same domain names but specify different actions, SASE applies the most restrictive action (Block and Warn over Block Only over Monitor), following the principle of least privilege.

        Note

        For example, if a user's access to the Alibaba Cloud official website matches two blacklist policies (Policy A action is monitor mode, Policy B action is Block and Warn, and Priority A > B), the access is blocked and a warning is issued.

      Action

      The action taken when a request matches the policy. The following actions are available:

      Important

      Because blacklist and whitelist policies have different functions, their actions apply to different targets.

      For help understanding the use cases for whitelist and blacklist policies, see Example: Configure internet access control.

      • blacklist policy: The action applies when a user within the policy's effective scope accesses a domain name in the specified Blacklist Type.

      • whitelist policy: The action applies when a user within the policy's effective scope accesses a domain name not in the specified Whitelist Type.

      • Block and Warn: Blocks the user's access and displays a pop-up notification.

        If an employee needs to access a domain name that is not on your company's whitelist and the approval process is lengthy, they can use Wuying Cloud Browser. The browser is deployed in the cloud and isolated from the corporate network, safeguarding your company's security baseline. For information about billing for the cloud browser, see the Cloud Browser tab in Value-added Services.

        • Click Buy Now to purchase and activate Wuying Cloud Browser.

        • After purchase, enable the Redirection to Cloud Browser button. When this is enabled, if access is blocked by a policy, the user can click Access with Cloud Browser in the pop-up notification.

      • Block Only: Blocks the request that matches the policy without notifying the user.

      • Monitor: Only records a log entry. The user can access the website normally.

      Validity Period

      The time when the policy is active.

      • Permanently Valid

      • Business Days in Each Week

      Policy Status

      The policy is enabled by default.

      Blacklist Type/Whitelist Type

      Select a custom domain name type configured in the list library.

      Effective Scope

      The user group(s) to which the policy applies. You can select multiple user groups.

      Approval Process Configuration

      When you set the action to Block and Warn, you can specify whether to allow employees to submit a request for temporary access.

      If you choose to allow employee requests, you must select an appropriate approval process. For information on how to create an approval process, see Configure an approval process.

      Prompt Display Configuration

      Set the prompt message that appears when access is blocked. You can set messages in both Chinese and English.

    2. After completing the configuration, click OK.

Example: Configure internet access control

This example shows how a company can configure the global whitelist, a whitelist policy, and a blacklist policy to achieve the following outcomes:

  • Allow all employees to access the company's main domain name to ensure normal daily work.

  • Restrict employees in the HR department to accessing only recruitment-related websites.

  • Prohibit employees in the R&D department from accessing certain forum websites.

Step 1: Configure the global whitelist

To ensure all employees can access the main corporate domain name, the company needs to add the main domain name to the global whitelist.

Step 2: Configure a whitelist policy

To restrict HR department employees to accessing only recruitment-related websites, the company must add the recruitment-related domain names to the whitelist library and configure the policy as follows.

In the Create Policy panel, set policy name to HR Department Policy, priority to 1, action to Block and Warn, validity period to Always valid, policy status to enabled, Whitelist Type to Recruitment-related domain names, and effective scope to HR Department. Then, click OK.

Step 3: Configure a blacklist policy

To prohibit R&D department employees from accessing certain forum websites, you must add the forum-related domain names to the blacklist library and configure the policy as follows.

In the Create Policy panel, set policy name to R&D Department Policy, priority to 1, action to Block and Warn, validity period to Always valid, policy status to enabled, Blacklist Type to Forum-related domain names, and effective scope to R&D Department. Then, click OK.
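The following Python script is an added illustration, not part of this topic or of the SASE product, that models the policy detection logic described above (global whitelist first, then all blacklist policies with the most restrictive action winning, then the single highest-priority whitelist policy with ties broken by creation time) and runs it against the three-step example in this section. All domain names, user names, and the wildcard-matching semantics (`*.example` matching any subdomain depth) are constructed assumptions; the script calls no SASE API.

```python
"""Simulation of the SASE internet-access policy evaluation order described on this page.

Order: global whitelist -> blacklist policies -> whitelist policies; an unmatched
request is not controlled. Constructed example data only; no SASE API is used.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Action(IntEnum):
    """Policy actions, ordered from least to most restrictive."""
    MONITOR = 1          # log only; the user can access the site
    BLOCK_ONLY = 2       # block without notifying the user
    BLOCK_AND_WARN = 3   # block and show a pop-up notification


@dataclass
class Policy:
    name: str
    kind: str                 # "blacklist" or "whitelist"
    action: Action
    domains: frozenset        # the policy's list-library type: exact names or "*.x" wildcards
    scope: frozenset          # user groups the policy applies to
    priority: int = 1         # smaller number = higher priority
    enabled: bool = True
    created_seq: int = 0      # creation order; larger = created more recently


@dataclass
class GlobalWhitelist:
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    domains: frozenset = frozenset()


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.example' matching any subdomain depth (assumed wildcard semantics)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot: ".example"
    return host == pattern


def in_list(host: str, patterns: Iterable[str]) -> bool:
    return any(domain_matches(p, host) for p in patterns)


def evaluate(user: str, groups: set, host: str, gwl: GlobalWhitelist, policies: list) -> tuple:
    """Return (verdict, action or None, names of the deciding policies) for one request."""
    # Step 1: global whitelist. Any hit allows the request and ends evaluation.
    if user in gwl.users or groups & gwl.groups or in_list(host, gwl.domains):
        return ("allow", None, ["global whitelist"])

    applicable = [p for p in policies if p.enabled and p.scope & groups]

    # Step 2: blacklist policies. All matching policies apply; the most restrictive action wins.
    hits = [p for p in applicable if p.kind == "blacklist" and in_list(host, p.domains)]
    if hits:
        action = max(p.action for p in hits)
        return ("allow" if action == Action.MONITOR else "block", action, sorted(p.name for p in hits))

    # Step 3: whitelist policies. Only one applies per user: smallest priority number,
    # ties broken by the most recently created policy. Domains in its list are allowed;
    # anything else gets the policy's action.
    wl = [p for p in applicable if p.kind == "whitelist"]
    if wl:
        chosen = min(wl, key=lambda p: (p.priority, -p.created_seq))
        if in_list(host, chosen.domains):
            return ("allow", None, [chosen.name])
        return ("allow" if chosen.action == Action.MONITOR else "block", chosen.action, [chosen.name])

    # Nothing matched: SASE does not control this request.
    return ("allow", None, [])


def example_scenario() -> dict:
    """The page's example: corporate domain on the global whitelist, a whitelist policy for
    HR, a blacklist policy for R&D, plus a second monitor-mode blacklist policy to show
    that the most restrictive action wins. Domain names are constructed placeholders."""
    gwl = GlobalWhitelist(domains=frozenset({"corp.example", "*.corp.example"}))
    policies = [
        Policy("HR Department Policy", "whitelist", Action.BLOCK_AND_WARN,
               frozenset({"*.jobs.example"}), frozenset({"HR Department"}), priority=1, created_seq=1),
        Policy("R&D Department Policy", "blacklist", Action.BLOCK_AND_WARN,
               frozenset({"forum.example", "*.forum.example"}), frozenset({"R&D Department"}),
               priority=1, created_seq=2),
        Policy("R&D Monitor Policy", "blacklist", Action.MONITOR,
               frozenset({"*.forum.example"}), frozenset({"R&D Department"}), priority=5, created_seq=3),
    ]
    requests = {
        "hr_intranet": ("alice", {"HR Department"}, "intranet.corp.example"),
        "hr_jobs": ("alice", {"HR Department"}, "careers.jobs.example"),
        "hr_news": ("alice", {"HR Department"}, "news.example"),
        "rd_forum": ("bob", {"R&D Department"}, "dev.forum.example"),
        "rd_news": ("bob", {"R&D Department"}, "news.example"),
    }
    return {k: evaluate(u, g, h, gwl, policies) for k, (u, g, h) in requests.items()}


if __name__ == "__main__":
    for name, (verdict, action, by) in example_scenario().items():
        print(f"{name:12} {verdict:6} {action.name if action else '-':15} {by}")
```

Running the script shows the HR user reaching the corporate intranet (global whitelist) and the recruitment site (in the whitelist type) but being blocked with a warning elsewhere, while the R&D user is blocked on the forum even though a lower-priority monitor-mode policy also matches, and is left uncontrolled on any domain no policy covers.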

Configure the global whitelist

You can add users, user groups, and domain names to a global whitelist. Once a user, user group, or domain name is added to the global whitelist, SASE no longer controls or blocks their internet activity or access to the specified domain names.

  1. Go to the Behavior Management page and click Configure Whitelist in the upper-right corner. You are redirected to the Settings > Whitelist > Internet Behavior Management tab.

  2. Configure the User Whitelist, User Group Whitelist, and Exceptional Domain Name lists. Click Submit.

View audit logs

SASE audits internet access behavior and provides logs that serve as a reliable basis for event tracing and compliance inquiries.

Behavior audit

SASE audits the actions triggered by whitelist and blacklist policies.

  1. Go to the Behavior Audit page.

  2. On the Whitelist Audit and Blacklist Audit tabs, view audit logs for access control types such as Block and Warn, Block Only, and Monitor Mode - Allow.

    You can filter the data by time, username, department, domain name, and other conditions.

Log audit

View all types of employee internet access records, including normal access.

  1. Go to the Log Audit page.

  2. On the Internet Access Audit tab, view the website access records of enterprise employees. You can view access control types such as Block and Warn, Block Only, Monitor Mode - Allow, Add to Whitelist - Allow, and Trusted Request.