
Secure Access Service Edge: Internet access management and audit

Last Updated: Nov 11, 2025

This document describes how to configure domain name blacklist and whitelist policies for fine-grained control over employee Internet access. It also explains how to audit all access behaviors to ensure corporate network security and compliance.

Background

As digital transformation progresses, employees increasingly need to access the Internet for their daily work. This creates security risks, such as data breaches and unauthorized access. To secure your corporate network and control employee Internet activity, you can configure domain name blacklists and whitelists. This provides fine-grained access control for specific domain names and wildcard domain names. The system also records and audits all access behaviors. This helps you meet compliance requirements and provides a reliable basis for tracing security events. This approach helps you build a more secure and compliant network environment.

Behavior management policy detection logic

Internet access management supports whitelist and blacklist policies. Access behaviors that match a policy are handled based on the configured action. You can configure management policies based on your business needs and the detection logic of blacklist and whitelist policies. You can add trusted users, user groups, and domain names to a whitelist. After you add them to a whitelist, their access behavior is not controlled.

  1. Check whitelists

    • SASE checks whether the user, user group, or domain name is in a whitelist. Access that hits a whitelist is not controlled.

  2. Check blacklist policies

    • If the access does not hit a whitelist, SASE checks whether a blacklist policy is configured for the domain name that the user attempts to access.

    • If a blacklist policy is hit, the configured action is executed, such as Block and Warn, Block Only, or Monitor.

  3. Check whitelist policies

    • If no blacklist policy is hit, SASE checks whether a whitelist policy is configured.

    • If a whitelist policy is hit, the action configured in the whitelist policy is executed, such as Block and Warn, Block Only, or Monitor.

Note

If no policy is configured, Internet access from users and user groups and access to domain names are not controlled or restricted.

Scope

  • You have purchased SASE Internet Access DLP (data loss prevention).

  • The SASE App installed on enterprise endpoints is version 4.0.5 or later.

  • A user group is created. For more information, see Create a user group.

Configure the list library

You can add domain names or wildcard domain names to the list library and create custom categories. This allows for flexible selection when you configure blacklist and whitelist policies for Internet access management.

  1. Go to the Behavior Management page. Based on your requirements, select the Whitelist Management or Blacklist Management tab, and then click List Group Management in the upper-right corner of the page.

  2. In the List Group Management panel, click Add to create a custom list type. Then, add domain names or wildcard domain names to the list type and click Close.

    • Whitelist group management: Create a custom Whitelist Type and add domain names to it.

    • Blacklist group management: Create a custom Blacklist Type and add domain names to it.

Configure an Internet access management policy

  1. Go to the Behavior Management page. Based on your requirements, select the Whitelist Management tab or the Blacklist Management tab, and then click Create Policy.

    1. In the Create Policy panel, configure the parameters.

      • Policy Name: Enter a name for the whitelist or blacklist policy.

      • Priority: Set the execution priority of the policy. A smaller value indicates a higher priority.

        • Whitelist policy: For different policies applied to the same user:

          • Different priorities: If multiple policies are enabled, only the policy with the highest priority is executed.

          • Same priority: If multiple policies are enabled, only the most recently created policy is executed.

        • Blacklist policy: All blacklist policies are evaluated. If a user matches multiple policies with the same configuration but different actions, the action of the policy with the highest priority is executed.

          Note

          For example, if a user accesses the Alibaba Cloud official website and matches two blacklist policies (the action of Policy A is Monitor, the action of Policy B is Block and Warn, and Policy A has a higher priority than Policy B), the system logs the behavior for observation and does not block access.

      • Action: Set the action to take. Three actions are supported.

        • Block and Warn: Blocks the user's access and displays a pop-up prompt.

        • Block Only: Blocks requests that hit the policy.

        • Monitor: Records logs and allows normal user access.

        Important

        Blacklist and whitelist policies take effect on different objects.

        • Blacklist policy: The action takes effect on the domain names that are configured for the Blacklist Type parameter.

        • Whitelist policy: The action takes effect on domain names that are not configured for the Whitelist Type parameter.

        For more information about scenarios of whitelist and blacklist policies, see Examples for configuring Internet access management.

      • Validity Period: Set the time when the policy is in effect.

        • Permanently Valid

        • Business Days in Each Week

      • Policy Status: The policy is enabled by default.

      • Blacklist Type/Whitelist Type: Select a custom domain name type configured in the list library.

      • Effective Scope: Select the user groups to which the policy applies. You can select multiple user groups.

      • Approval Process Configuration: When you configure Block and Warn, you can configure whether to allow employees to submit applications for approval.

        If you allow users to submit an application for approval, you must select a proper approval workflow. For more information, see Create an approval workflow.

      • Pop-up Prompt Configuration: Set the notification message for blocked outbound file transfers. You can set the message in Chinese and English.

    2. After you complete the configuration, click OK.

Example: Configure Internet access management

For example, an enterprise wants to configure a Whitelist, a Blacklist Policy, and a Whitelist Policy for Internet access management to achieve the following results:

  • All employees can access the primary corporate domain name for their daily work.

  • Employees in the human resources department can access only recruitment-related websites.

  • Employees in the R&D department are prohibited from accessing certain forum websites.

Step 1: Configure a whitelist

To ensure that all employees can access the primary corporate domain name, you must configure a whitelist.

Step 2: Configure a whitelist policy

To restrict employees in the human resources department to accessing only recruitment-related websites, you can add the recruitment-related domain names to the whitelist library and configure a whitelist policy with the following settings.

[Image: whitelist policy settings]

Step 3: Configure a blacklist policy

To prohibit employees in the R&D department from accessing certain forum websites, you can add the forum-related domain names to the blacklist library and configure a blacklist policy with the following settings.

[Image: blacklist policy settings]
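
The detection order, the priority rules and the three-step scenario above can be checked offline with a small model before policies are rolled out. This is an added example, not Alibaba Cloud code: the group names, `.example` domains, policy names, the wildcard semantics (`*.` covers subdomains only) and the handling of equal-priority blacklist hits (first listed wins) are assumptions, and validity period and policy status are left out.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Policy:
    name: str
    priority: int       # smaller value = higher priority
    action: str         # "Block and Warn", "Block Only" or "Monitor"
    domains: list       # entries of the Blacklist Type / Whitelist Type
    groups: set         # Effective Scope: user groups the policy applies to
    created: int = 0    # creation order, larger = more recent

def in_list(domain, patterns):
    # Assumption: "*.example.com" covers subdomains only, not the apex domain.
    return any(fnmatchcase(domain.lower(), p.lower()) for p in patterns)

def evaluate(user, group, domain, exempt, blacklist, whitelist):
    # 1. Whitelist: exempt users, user groups and domains are not controlled.
    if (user in exempt["users"] or group in exempt["groups"]
            or in_list(domain, exempt["domains"])):
        return ("Allow", "whitelist")
    # 2. Blacklist policies: all are evaluated; the highest-priority hit decides.
    hits = [p for p in blacklist
            if group in p.groups and in_list(domain, p.domains)]
    if hits:
        top = min(hits, key=lambda p: p.priority)
        return (top.action, top.name)
    # 3. Whitelist policies: one policy per user (highest priority, then most
    #    recently created); its action applies to domains NOT in its list.
    scoped = [p for p in whitelist if group in p.groups]
    if scoped:
        top = min(scoped, key=lambda p: (p.priority, -p.created))
        if not in_list(domain, top.domains):
            return (top.action, top.name)
    return ("Allow", None)  # no policy hit: access is not controlled

# Constructed sample configuration for the three-step scenario (placeholders).
EXEMPT = {"users": set(), "groups": set(),
          "domains": ["corp.example", "*.corp.example"]}
BLACKLIST = [  # Monitor outranks Block and Warn, as in the priority note
    Policy("rd-forum-monitor", 1, "Monitor", ["*.forum.example"], {"rd"}),
    Policy("rd-forum-block", 2, "Block and Warn", ["*.forum.example"], {"rd"}),
]
WHITELIST = [Policy("hr-recruiting", 1, "Block Only", ["*.jobs.example"], {"hr"})]

def check(user, group, domain):
    return evaluate(user, group, domain, EXEMPT, BLACKLIST, WHITELIST)
```

Calling `check("bob", "rd", "www.forum.example")` returns the Monitor policy, so the forum request is only logged: a higher-priority Monitor policy shadows the Block and Warn policy for the same domains.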

Configure a whitelist

You can add a user, user group, or domain name to a whitelist. After an item is added to a whitelist, SASE no longer controls or blocks the online activities of the user or user group, or access to the domain name.

  1. Go to the Behavior Management page and click Configure Whitelist in the upper-right corner to go to the Settings > Whitelist > Internet Behavior Management tab.


  2. Configure the User Whitelist, User Group Whitelist, and Exceptional Domain Name parameters. Then, click Submit.

View audit logs

SASE performs log audits of Internet access behavior to provide a valid basis for subsequent event tracing and compliance queries.

Behavior audit

SASE provides log auditing for actions that are triggered by whitelist and blacklist policies.

  1. Go to the Behavior Audit page.

  2. On the Whitelist Audit and Blacklist Audit tabs, you can view the audit logs for access control types such as Block and Warn, Block Only, or Monitor Mode - Allow.

    You can filter data by criteria such as time, username, department, and domain name.

Log audit

You can view all types of Internet access records for corporate employees, including normal access.

  1. Go to the Log Audit page.

  2. On the Internet Access Audit tab, you can view the website access records of enterprise users. You can view records for access control types such as Block and Warn, Block Only, Monitor Mode - Allow, Add to Whitelist - Allow, and Trusted Request.