Data Loss Prevention by Scenario

In This Section:

Creating New Rules

Enabling and Disabling Rules

Creating Exceptions

Creating Exceptions with Data Type Groups

Creating New Rules

Create the rules that make up the DLP policy.

To create DLP rules:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. Click New Rule.

    A new line opens in the rule base table. The order of rules in the DLP policy does not matter. Each DLP gateway checks all installed rules.

  4. In the Data column, click the plus to open the Data Type picker. Select the Data Type that you want to match against inspected content.

    If you add multiple Data Types to one rule, they are matched on OR - if at least one of the Data Types is matched, the rule is matched.

  5. In the Source column, leave My Organization or click the plus to select a specific item from Users, Emails, or Networks.

    Note - If My Organization is the Source, you can right-click and select Edit. This opens the My Organization window, in which you can modify the definition of your internal organization. However, this definition is changed for all of DLP, not just this rule.

  6. In the Destination column, choose one of the following:
    • Leave Outside My Org - to inspect data transmissions going to a destination that is not defined in My Organization.
    • Click the plus to select a specific item from Users, Emails, or Networks.
    • If Source is not My Organization, you can select Outside Source.

      Outside Source - Used as a Destination of a DLP rule, this value means any destination that is external to the Source. For example, if the source of the rule is Network_A, and Outside Source is the destination, then the rule inspects data transmissions going from Network_A to any address outside of Network_A, including other internal networks. In comparison, if the destination was Outside My Org, the rule would inspect only data transmissions going from Network_A to any address outside of the organization. Use Outside Source to create inter-department rules.

  7. In the Action column, do one of the following:
    • Leave Detect - To have a matching incident logged without disrupting the data transmission
    • Right-click and select Inform User - To pass the transmission but send notification to user
    • Right-click and select Ask User - To wait for user decision on whether to pass or discard.
    • Right-click and select Prevent - To stop the transmission.
  8. In the Track column, leave Log (to log the incident and have it in SmartView Tracker for auditing), or right-click and select another tracking option.

    You can add a notification to the Data Owners: select Email and customize the notification that the Data Owners will see if this rule is matched.

  9. In the Install On column, leave DLP Blades, to have this rule applied to all DLP Gateways, or click the plus icon and select a specific DLP gateway.
  10. In the Time column, set the dates and time of day during which this rule is enforced.

    A rule that uses a time object applies only to connections that begin during the specified date and time period. If the connection continues past that time frame, it is allowed to continue. The relevant time zone is that of the Check Point Security Gateway enforcing the rule.

  11. In the Category column, right-click and select a defined category.
  12. In the Comment column, right-click and select Edit to enter a comment for the rule.
  13. Click Save and then close SmartDashboard.
  14. From R80 SmartConsole, install the policy.

Enabling and Disabling Rules

You can define rules that you think you might need, and disable them until you want them to actually match traffic.

To enable and disable DLP rules:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. To disable a DLP rule, right-click the rule and select Disable Rule.
  4. To enable a DLP rule:
    1. Right-click the disabled rule.

      It is marked with a red X in the rule base.

    2. Click Disable Rule to clear the selection.
  5. Click Save and then close SmartDashboard.
  6. From R80 SmartConsole, install the policy.

Creating Exceptions

To create an exception to a DLP rule:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. Right-click the Exceptions column of the rule and select Edit.

    The Exceptions for Rule window opens.

  3. Click New Exception.

    The original rule parameters appear in the table.

  4. Make the changes to the parameters to define the exception.
  5. Click Save and then close SmartDashboard.
  6. From R80 SmartConsole, install the policy.

Creating Exceptions with Data Type Groups

You can define a combination of Data Types for an exception: "allow this data if it comes with the second type of data".

To specify complex Data Types for exceptions:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. In the Data column of the exception, click the plus button.
  4. In the new window, select the Data Types to add to the DLP exception.
  5. Click OK.
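The following added example is not Check Point code; it is a small model of the rule semantics described in Creating New Rules (Data Types matched on OR, Outside My Org versus Outside Source, every installed rule checked regardless of order) and in Creating Exceptions with Data Type Groups (an exception that applies only when the Data Types in the group appear together). The network ranges, Data Type names and rule objects are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed address objects for the model (not from the original page).
MY_ORGANIZATION = [ip_network("10.0.0.0/8")]      # "My Organization"
NETWORK_A = [ip_network("10.1.0.0/16")]           # "Network_A" from the example above

def in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)

@dataclass
class Rule:
    data_types: Set[str]                 # matched on OR: one hit is enough
    source: Optional[list] = None        # None = My Organization
    destination: str = "outside_my_org"  # or "outside_source"
    action: str = "Detect"
    # Each exception is a Data Type group: the transmission is exempt only
    # when every Data Type in the group is present together.
    exceptions: List[Set[str]] = field(default_factory=list)

def source_nets(rule: Rule):
    return rule.source if rule.source is not None else MY_ORGANIZATION

def destination_matches(rule: Rule, dst: str) -> bool:
    if rule.destination == "outside_my_org":
        return not in_any(dst, MY_ORGANIZATION)  # external to the whole organization
    return not in_any(dst, source_nets(rule))    # Outside Source: external to the rule's Source

def evaluate(rule: Rule, src: str, dst: str, found: Set[str]) -> str:
    """Return the rule's action, 'exception', or 'no match' for one transmission."""
    if not (rule.data_types & found):
        return "no match"
    if not in_any(src, source_nets(rule)) or not destination_matches(rule, dst):
        return "no match"
    for group in rule.exceptions:
        if group <= found:                       # allow this data if it comes with the other type
            return "exception"
    return rule.action

def evaluate_policy(rules: List[Rule], src: str, dst: str, found: Set[str]) -> List[str]:
    """Rule order does not matter: every installed rule is checked and each verdict is returned."""
    return [evaluate(r, src, dst, found) for r in rules]

# Constructed Data Type names. The first rule catches card numbers or SSNs leaving
# Network_A (even to other internal networks) unless an approved disclaimer travels with
# the card numbers; the second asks the user before card numbers leave the organization.
CARDS_FROM_NETWORK_A = Rule({"CreditCardNumbers", "SSN"}, NETWORK_A, "outside_source", "Prevent",
                            exceptions=[{"CreditCardNumbers", "ApprovedDisclaimer"}])
CARDS_LEAVING_ORG = Rule({"CreditCardNumbers"}, None, "outside_my_org", "Ask User")
```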