DLP Policy

Data Loss Prevention (DLP) protects sensitive data from exposure by monitoring and controlling data actions in the browser, such as uploads, downloads, copy/paste, and prompts. It detects sensitive data based on defined data types and enforces actions such as allow, detect, ask, block, prevent, or redact to prevent unauthorized data transfer.

Managing a DLP Policy

DLP policies prevent sensitive data exposure during browser-based data events.

Creating a DLP Rule

To create a DLP rule:

  1. Go to Policy > Data Loss Prevention.

  2. Click Create new.

  3. In the New rule pane, configure the following:

    1. Set the Status toggle to Active.

    2. In the Rule Type field, select one of the following options:

    3. In the Event Type field, select an option based on the selected Rule Type.

    4. In the Source field, select one of the following options:

    5. In the Destination field, select an option based on the selected Rule Type.

      Internal assets can be selected as destinations in DLP policies to control data uploads and interactions.

    6. In the Data Types drop-down, select one or more values.

      Click Data Types, select one or more data types by category, and click Done.

      For more information on Data Types, see Data Types Manager.

    7. From the Action drop-down, select Allow, Block, Ask, Prevent, Detect, or Redact.

    8. From the Logging drop-down, select Enabled or Disabled.

    9. (Optional) In the Comments field, enter your comments.

  4. Click Save.

Data Types Manager

Data Types represent categories of sensitive information (for example, PII, financial data, credentials) that DLP policies inspect during browser activity.

  • Data Types are managed centrally in the Data Types Manager.

  • The Data Types Manager defines:

    • Which data types are available for selection in DLP rules

    • How each data type is detected (patterns, keywords, ML, and metadata)

  • Any changes made to the Data Types Manager are automatically reflected in DLP rules.

DLP Action Behavior

The following list gives, for each action, its description, whether Data Types are required for the rule, and notes on enforcement.

  • Allow
    Description: Allows the data action without inspection or enforcement.
    Data Types Required: No
    Notes: The rule is enforced based only on the event, source, and destination.

  • Detect
    Description: Allows the data action and logs the event for visibility and auditing.
    Data Types Required: Yes
    Notes: The action is enforced only when the selected data types are detected.

  • Ask
    Description: Prompts the user for confirmation or justification before allowing the action.
    Data Types Required: Yes
    Notes: User input determines whether the action proceeds.

  • Block
    Description: Prevents the data action from completing.
    Data Types Required: No
    Notes: Always blocks uploads or downloads without inspecting data types.

  • Prevent
    Description: Stops the data action automatically when protected data is detected.
    Data Types Required: Yes
    Notes: Enforcement occurs only if the selected data types are detected.

  • Redact
    Description: Removes or masks sensitive portions of the content while allowing the action to proceed.
    Data Types Required: Yes
    Notes: Supported only for specific data types. If a data type does not support redaction, Redact is not applied.

Editing a DLP Rule

To edit a DLP rule:

  1. Go to Policy > Data Loss Prevention.

  2. Select a rule from the policy table.

  3. Update the required fields in the rule details pane.

  4. Click Save.

Deleting a DLP Rule

To delete a DLP rule:

  1. Go to Policy > Data Loss Prevention.

  2. Select the rule.

  3. Click Delete.

  4. In the Delete Rule pop-up, click Confirm.

DLP Evaluation Procedure

When a user uploads data in the browser, DLP triggers an evaluation event.

DLP operates on an event basis and activates only during data actions such as upload, paste, prompt, or similar events.

  1. Event Detection

    The upload action (file upload, text submission, prompt, copy/paste, and so on) triggers DLP.

  2. Match Check: Event + Source + Destination

    1. DLP evaluates three factors together:

      • Event type (upload, paste, or prompt)

      • Source (user or group)

      • Destination (URL, domain, category, or app)

    2. All three must match a rule for the evaluation to proceed.

  3. Content Inspection

    DLP inspects the data being uploaded using:

    • Pattern matching

    • Predefined data types (Financial data, credentials, etc.)

    • Custom data types

    • File metadata scanning

    • ML-based detection for modified or obfuscated data

  4. Policy Enforcement

    If the upload contains protected data, DLP applies the configured action:

    • Block (upload or download is blocked without inspection)

    • Ask (prompt the user for confirmation or justification)

    • Detect (allow but log)

    • Redact sensitive parts

  5. Event Logging

    The enforcement result is recorded in the Events view with:

    • User + timestamp

    • Policy type (DLP)

    • Action taken

    • Resource accessed

    • Rule responsible

    In summary, DLP evaluates uploads by detecting the upload action, verifying event, source, and destination, inspecting the uploaded content for sensitive data, enforcing the configured rule action, and logging the result.
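The action table and the evaluation procedure above, as an added worked example that is not part of the original page or of Check Point's product code: a simplified rule evaluator that applies the same event, source and destination match, inspects only for the data types selected in the matching rule, treats Allow and Block as non-inspecting actions, and masks only redactable types. The detector patterns, the set of redactable types, the rule names, and the implicit allow when no rule matches are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-ins for Data Types Manager detectors (hypothetical patterns).
DATA_TYPES = {
    "credit_card": re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b"),
    "credentials": re.compile(r"(?i)password\s*[:=]\s*\S+"),
}
REDACTABLE = {"credit_card"}  # assumption: only some data types support Redact
INSPECTING = {"Detect", "Ask", "Prevent", "Redact"}  # actions that need data types

@dataclass
class Rule:
    name: str
    event_types: set
    sources: set
    destinations: set
    action: str
    data_types: set = field(default_factory=set)

def rule_matches(rule, event, user, destination):
    # Step 2: event type, source and destination must all match the rule.
    return (event in rule.event_types and user in rule.sources
            and destination in rule.destinations)

def log_event(rule, user, destination, action, found):
    # Step 5: the fields the page lists for the Events view.
    return {"timestamp": datetime.now(timezone.utc).isoformat(), "user": user,
            "policy": "DLP", "action": action, "resource": destination,
            "rule": rule.name, "data_types": sorted(found)}

def evaluate(rules, event, user, destination, content):
    """Return (action, content after enforcement, log entry) for one event."""
    for rule in rules:
        if not rule_matches(rule, event, user, destination):
            continue
        if rule.action not in INSPECTING:  # Allow / Block: no content inspection
            return rule.action, content, log_event(rule, user, destination, rule.action, set())
        # Step 3: inspect only for the data types selected in the rule.
        found = {dt for dt in rule.data_types if DATA_TYPES[dt].search(content)}
        if not found:
            continue  # selected data types absent: this rule does not enforce
        if rule.action == "Redact":
            # Mask only the types that support redaction; others pass through.
            for dt in found & REDACTABLE:
                content = DATA_TYPES[dt].sub("[REDACTED]", content)
        return rule.action, content, log_event(rule, user, destination, rule.action, found)
    return "Allow", content, None  # assumption: no matching rule means implicit allow
```

An Ask result is returned to the caller, which would prompt the user and decide whether the action proceeds.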