Manage Internet Threat Protection (ITP) Policies

Creating, editing, and prioritizing ITP policies in SonicWall Cloud Secure Edge (CSE)
Updated On: Jun 24, 2026

ITP Policy Overview

Internet Threat Protection (ITP) policies are designed to protect users and devices from untrusted internet resources. Admins can create and manage ITP policies in the Command Center. Admins assign ITP policies to users and devices via Roles, similar to other protected services in Cloud Secure Edge (CSE).

In CSE, admins decide which content categories, which domains, and which apps they want to block or allow. Additionally, a selection of common threat categories is pre-selected and always toggled on. Admins then associate the ITP policy with a device or a group of devices.

How ITP rules are processed

ITP rules are evaluated in a fixed order on every request:

  1. Bypasses are evaluated first. Any traffic that matches a Domain & URL Bypass entry, an Application Bypass entry, or another bypass type is excluded from ITP inspection. Bypassed traffic is not sent to the SWG agent and does not appear in logging.
  2. Blocks are evaluated next. Category Filtering, Domain & URL Blocking, Application Filtering, Geo-Blocking, and the always-on Threat Protection categories all run after bypasses. If a request matches any block rule, the request is blocked.
  3. Risk-based URL inspection runs on remaining traffic when SSL decryption is enabled and Risk-based URL Filtering is on. See Enabling Risk-based URL Filtering.
  4. File Analysis runs on remaining downloads when SSL decryption is enabled and Malware Download Protection is on. See Malware Download Protection.

Because bypasses are always processed first, the Domain & URL Bypass field is the single place to add any URL or domain you want to exclude from every ITP rule — including category filtering, domain blocks, threat protections, risk-based URL filtering, and file analysis.
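The following added example (not SonicWall code and not a CSE export format) models the evaluation order above so an admin can check which block entries a bypass silently overrides and which URL entries stop being enforced when SSL decryption is off, as the SSL decryption step on this page describes. The `Policy` structure, the verdict labels and the matching rules (exact host match for domains, prefix match for URLs) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Policy:  # hypothetical model of one ITP policy, not a CSE export format
    ssl_decryption: bool
    bypass: list = field(default_factory=list)
    block: list = field(default_factory=list)
    risk_url_filtering: bool = False
    file_analysis: bool = False

def is_url(entry):  # assumption: an entry with a path is a URL entry, else a domain
    return "/" in entry

def matches(entry, url):
    # Assumption: domain entries match the host exactly, URL entries match as a prefix.
    parts = urlsplit(url)
    if is_url(entry):
        return ((parts.hostname or "") + parts.path).startswith(entry)
    return parts.hostname == entry

def enforced(entries, ssl_on):  # URL entries are kept but not enforced with SSL off
    return [e for e in entries if ssl_on or not is_url(e)]

def evaluate(p, url, risky=False, bad_download=False):
    """Return (verdict, inspected), applying the rule types in the documented order."""
    if any(matches(e, url) for e in enforced(p.bypass, p.ssl_decryption)):
        return ("bypass", False)      # 1. excluded from inspection and from logging
    if any(matches(e, url) for e in enforced(p.block, p.ssl_decryption)):
        return ("block", True)        # 2. block rules
    if p.ssl_decryption and p.risk_url_filtering and risky:
        return ("block-risk", True)   # 3. risk-based URL inspection
    if p.ssl_decryption and p.file_analysis and bad_download:
        return ("block-file", True)   # 4. file analysis
    return ("allow", True)

def shadowed_blocks(p):
    """Enforced block entries that never fire because a bypass entry matches first."""
    byp = enforced(p.bypass, p.ssl_decryption)
    return [b for b in enforced(p.block, p.ssl_decryption)
            if any(matches(e, "https://" + b) for e in byp)]

def unenforced_entries(p):
    """URL entries that are configured but inactive while SSL decryption is off."""
    return [] if p.ssl_decryption else [e for e in p.bypass + p.block if is_url(e)]

# Constructed sample policy; every domain and URL below is a placeholder.
SAMPLE = Policy(True, ["updates.example.com", "cdn.example.net/pkg"],
    ["ads.example.org", "updates.example.com/beta", "cdn.example.net"], True, True)
```

With the sample policy, turning SSL decryption off changes the verdict for `https://cdn.example.net/pkg/a.zip` from bypass to block, because the URL bypass entry is no longer enforced while the domain block still is.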

Create an ITP Policy

Step 1: Create an ITP Policy

1.1 Navigate from Internet Access > Internet Threat Protection.

1.2 Select + Create Policy.

Step 2: Assign the ITP policy and configure SSL decryption

2.1 Name your ITP policy and add an optional description.

2.2 Attach one or more Role(s) to assign your ITP policy to.

2.3 Enter custom messaging for your ITP block page.

2.4 Toggle SSL decryption on or off.

  • On (recommended for full coverage). Domain & URL Bypass and Domain & URL Blocking accept both domain entries and URL entries. Risk-based URL Filtering and File Analysis can be enabled in the following steps.
  • Off. Only domain entries are inspected in the Bypass and Blocking sections. Any URL entries already configured are kept on the policy but are not enforced. Risk-based URL Filtering and File Analysis are unavailable until SSL decryption is turned back on.

If URLs are already configured in Domain & URL Bypass or Domain & URL Blocking when SSL decryption is turned off, the console displays a warning. If you continue, the URL entries on the policy are outlined in red and an inline error confirms they will not be enforced. Re-enabling SSL decryption restores enforcement for those URLs without re-entry.

2.5 Select Next.

Step 3: Configure Content Filtering, Domain & URL Blocking, and Domain & URL Bypass

3.1 Select which categories of content you want to block your end users from accessing by toggling on Category Filtering, selecting + Select categories to filter, and selecting categories from the dropdown menu. To remove an added category, select the x beside the category name.

3.2 Select which domains or URLs you want to block your end users from accessing by toggling on Domain & URL Blocking, and then entering the domain or URL. To block more than one entry, select the + beside the field.

URL entries are enforced only when SSL decryption is on (see Step 2.4). Domain entries are enforced in both modes.

3.3 Select which domains or URLs you want to configure as bypasses for your ITP policy by toggling on Domain & URL Bypass, and then entering the domain or URL. To add more bypasses, select the + beside the field.

Bypass is the single exception path across the entire ITP policy. A bypassed domain or URL is excluded from every block rule — category, threat, risk-based URL, and file analysis. Private domains can also be added here. URL entries are enforced only when SSL decryption is on. Bypassed traffic does not appear in logging.

3.4 Optional: Toggle on Geo-Blocking if you want to block access to IP ranges associated with specific countries. Use the + Select countries button and select countries from the drop-down menu. To remove selected countries, select the x adjacent to the country's name.

To use Geo-Blocking, admins require an SIA Advanced license for their org.

3.5 Select Next.

Step 4: Configure App Filtering and App Bypass

4.1 Select which apps you want to block your end users from accessing by toggling on Application Filtering, selecting + Select Apps, and selecting or entering the specific apps you want blocked.

4.2 Select which apps you want to add as bypasses from this ITP policy by toggling on Application Bypass, selecting + Select Apps, and selecting or entering the specific apps you want bypassed.

4.3 Select Next.

Step 5: Review Threat Protections

5.1 Under the Threat Protection tab, review which threat categories are blocked by default for your devices. To learn more about a threat, hover over the info icon.

These are common threat categories that are always toggled on to ensure user protection. These cannot be toggled off.

5.2 Select Save.

Migration from URL Allowlist and Explicit URL Blocking

Earlier versions of the ITP policy split URL exceptions and URL blocks into separate URL Allowlist and Explicit URL Blocking sections under Risk-based URL Filtering. Those sections have been consolidated:

  • Entries previously listed in URL Allowlist are now part of Domain & URL Bypass.
  • Entries previously listed in Explicit URL Blocking are now part of Domain & URL Blocking.

Migration is automatic. No action is required from admins on existing policies — your URL entries are preserved in the new fields. Policies that previously had Risk-based URL Filtering or File Analysis enabled retain those settings, gated on SSL decryption staying on.

Edit or Delete an ITP Policy

In the Command Center, navigate from Internet Access > Internet Threat Protection. From your list of ITP policies, select the Name of one you want to edit or delete.

Edit

1. To edit, select the pencil icon in the top right corner of the ITP policy page.

2. Adjust your toggles under Threat Protection, Content Filtering, or Assignment.

3. Select Save.

Delete

1. To delete your ITP policy, select the trash icon in the top right corner of the ITP policy page.

2. A modal will pop up asking you to confirm that you want to delete your policy. Select Delete.

Prioritizing ITP Policies

Devices are not required to have an ITP policy associated with them; however, each device can only have one policy active at a time. ITP policies can be prioritized: higher priority policies will take precedence when two or more policies apply to one device (i.e., a device with multiple Roles and separate ITP policies applicable to each Role).

Exclude Users from ITP Policies

The exclude ITP policy (i.e., Excluded Devices) is always the highest priority and cannot be re-prioritized or deleted. The exclude policy will by default include a role called Mobile Devices that cannot be removed.

1. In the Command Center, navigate from Internet Access > Internet Threat Protection.

2. In your list of ITP policies, select the default Excluded Devices policy, and attach whichever Roles you want to be excluded from all ITP policies.

3. Select Save.

How to prioritize ITP policies

1. In the Command Center, navigate from Internet Access > Internet Threat Protection.

2. Select the Reorder button in the top right corner of the page (i.e., the button with an up and down arrow).

3. Drag your ITP policies into your preferred order of priority, where 1 is the highest priority.

4. Select Save.
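The following added example (not SonicWall code) resolves which single policy is active for a device that holds several Roles, using the priority rules in this section, and reports devices that end up with no ITP enforcement. The data layout and the policy, role and device names other than Excluded Devices and Mobile Devices are constructed for illustration.

```python
EXCLUDED = "Excluded Devices"  # the exclude policy; always the highest priority

def effective_policy(device_roles, ordered_policies):
    """ordered_policies: [(name, roles)] in console order, first item = priority 1.
    Returns (active_policy, shadowed_policies) for one device."""
    # The exclude policy cannot be re-prioritized, so it is forced to the front.
    ranked = sorted(ordered_policies, key=lambda p: p[0] != EXCLUDED)
    hits = [name for name, roles in ranked if roles & device_roles]
    return (hits[0], hits[1:]) if hits else (None, [])

def audit(devices, ordered_policies):
    """Map each device that gets no ITP enforcement to the reason."""
    findings = {}
    for device, roles in devices.items():
        active, shadowed = effective_policy(roles, ordered_policies)
        if active is None:
            findings[device] = "no policy applies"
        elif active == EXCLUDED:
            findings[device] = "excluded; overrides " + ", ".join(shadowed or ["nothing"])
    return findings

# Constructed sample data; policy, role and device names are placeholders.
POLICIES = [("Engineering ITP", {"Engineering"}),
            ("Default ITP", {"All Staff", "Engineering"}),
            (EXCLUDED, {"Mobile Devices", "Kiosks"})]
DEVICES = {"laptop-1": {"Engineering", "All Staff"},
           "tablet-7": {"Mobile Devices", "All Staff"},
           "printer-2": {"Printers"}}
```

In the sample, `tablet-7` holds a Role attached to Default ITP but is still excluded, because one of its Roles is also attached to Excluded Devices.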

ITP policy sync status

When ITP policy assignments are edited or policies are re-prioritized, the console does not typically reflect these changes immediately. Updates are reflected in the console only when CSE completes the next sync, and syncs tend to take longer in larger environments with many devices.

CSE's sync status indicates whether the ITP policies page in the console is up-to-date or a sync is in progress. If a sync is in progress, an ETA is also shown, so that admins know when to expect ITP policy updates to be reflected in the console.

If the ITP policy sync status fails to complete, contact SonicWall CSE support.

Lookup Domain

Lookup Domain allows admins to view which Content Categories and Threat Classification a given domain falls under. It also offers a Policy Verdict, indicating whether your ITP policy is configured to block or allow the searched domain. Lookup Domain is available as a feature for those who have enabled Internet Threat Protection in CSE.

To use Lookup Domain, navigate to an Internet Threat Protection (ITP) policy in the Command Center.

Disabling ITP

If an ITP policy is disabled by an end user in their device's app, it will automatically be re-enabled after 1 hour. CSE generates logs detailing when the ITP policy was disabled and when it was re-enabled. These logs can be found under Events in the Command Center.