Advanced Data Types
The Data Type Wizard has four advanced Data Types:
- Weighted keywords
- Words from a dictionary (a static dictionary that you upload, or a dynamic dictionary that the DLP Gateways download from a web server)
- Message Attributes
- Custom CPcode match

Weighted Keywords
If you begin by creating a Data Type for a keyword or pattern and realize that the logic is not ALL or ANY, but that one word is a sign of protected data in itself while another word is suspicious only if it appears numerous times, you can define this complex data representation as a Weighted Keywords Data Type rather than a simple keyword or pattern.
Transmissions that contain these words, with a total weight above the threshold that you define in the Data Type, are handled according to the action of the rules that use this Data Type.
To create a Data Type representation of weighted keywords:
1. In SmartConsole, from the left navigation panel, click Manage & Settings.
2. In the top left section, click Blades.
3. In the Data Loss Prevention section, click Configure in SmartDashboard.
   SmartDashboard opens the Data Loss Prevention tab.
4. In the left pane, click Data Types.
5. From the top toolbar, click New.
   The Data Type Wizard opens.
6. On the Data Representation page:
   - Enter a name for the new data type.
   - At the bottom, select Advanced and from the drop-down list, select Weighted keywords.
   - Click Next.
7. On the Specify Weighted Keywords page:
   - From the top toolbar, click Add.
   - Enter the weighted keyword, phrase, or regular expression.
   - In the Weight section, configure how much each occurrence counts and whether the total for this string is capped:
     - Each appearance of this word contributes the following weight - set to 1 for the lowest weight, 2 for double weight (one instance of this string is counted as though it appeared twice), and so on.
     - The weight of this word is limited to - set to 0 for no limit, or set to a number greater than the weight in the field above. This sets a maximum total (a ceiling) that this one weighted string can contribute, however many times it appears.
   - In the Regular Expression section, if the string you entered in the top field is a regular expression, select This keyword is a Regular Expression.
   - Click OK.
   - In the Threshold field, enter the applicable value.
     If the data content matches words in this Data Type with a total weight that is greater than this value, the data matches the DLP rule.
   - Click Next.
8. On the Finished Data Type Wizard page:
   - If you want to open this Data Type object to configure more settings, select the checkbox Configure additional Data Type properties after clicking Finish.
   - Click Finish.
9. In the left pane, click Policy and configure the applicable rules that use this Data Type.
10. Save the changes in SmartDashboard (in the top left corner, click the diskette icon).
11. Close SmartDashboard.
12. In SmartConsole, install the Access Control Policy.

Static Dictionaries
If you have a list of the keywords that flag data as protected, you do not need to enter them one by one in a keyword data representation. Instead, you can upload the list as a static dictionary. You decide how many of the items in the list must be matched for the data to match a DLP rule.
Best Practice - Dictionary files must contain one word or phrase on each line. If the dictionary file must contain non-English words, we recommend that it be a Word document (*.doc). Dictionaries that are simple text files (*.txt) must be in the UTF-8 format.
To create a Data Type representation of a static dictionary:
1. In SmartConsole, from the left navigation panel, click Manage & Settings.
2. In the top left section, click Blades.
3. In the Data Loss Prevention section, click Configure in SmartDashboard.
   SmartDashboard opens the Data Loss Prevention tab.
4. In the left pane, click Data Types.
5. From the top toolbar, click New.
   The Data Type Wizard opens.
6. On the Data Representation page:
   - Enter a name for the new data type.
   - At the bottom, select Advanced and from the drop-down list, select Words from a dictionary.
   - Click Next.
7. On the Dictionary page:
   - In the Upload a dictionary field, browse to and select the file that contains the list of terms.
   - In the Threshold section, configure the number of terms that must be in the content for the DLP Gateway to match the Data Type to a DLP rule.
     Best Practice - First, set this to the highest reasonable value, and then lower it after you audit the logs in Logs & Events.
     For example, if the dictionary is a list of employee names, do not set the threshold to 1, because that catches every email that has a signature. Instead, set the threshold to half the number of names in the list and set the corresponding DLP rule to Detect. If after about a week the rule catches no data, lower the threshold and check again. When the rule begins to detect this information being sent out, set the rule to Ask User so that users must explain why they send this information outside the organization before they do so. With this information, you can create a usable, reasonable, and accurate enforcement of the corporate policy.
   - Click Next.
8. On the Finished Data Type Wizard page:
   - If you want to open this Data Type object to configure more settings, select the checkbox Configure additional Data Type properties after clicking Finish.
   - Click Finish.
9. In the left pane, click Policy and configure the applicable rules that use this Data Type.
10. Save the changes in SmartDashboard (in the top left corner, click the diskette icon).
11. Close SmartDashboard.
12. In SmartConsole, install the Access Control Policy.
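The weighted-keyword arithmetic (per-string weight, per-string ceiling, total compared with the threshold) and the static-dictionary threshold are easy to mis-tune, and the only feedback the product gives you is the log after the policy is installed. The following Python model is an added example, not code from the page or from Check Point's product: it lets you test a candidate configuration against sample messages offline before you create the Data Type. It assumes that plain keywords match case-insensitively as whole words, that a dictionary term counts once however often it appears, and that the dictionary threshold means "at least this many terms"; the keyword table, the name list and the messages are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class WeightedKeyword:
    """One row on the Specify Weighted Keywords page."""
    pattern: str
    weight: int = 1        # "Each appearance of this word contributes the following weight"
    limit: int = 0         # "The weight of this word is limited to" (0 = no limit)
    is_regex: bool = False

    def contribution(self, text: str) -> int:
        # Assumption: plain keywords match case-insensitively as whole words;
        # a regular expression is applied exactly as written.
        regex = self.pattern if self.is_regex else r"\b" + re.escape(self.pattern) + r"\b"
        hits = len(re.findall(regex, text, flags=re.IGNORECASE))
        total = hits * self.weight
        if self.limit > 0:
            total = min(total, self.limit)   # the ceiling for this one string
        return total


def weighted_score(keywords, text):
    """Sum of every keyword's (capped) contribution to the message."""
    return sum(k.contribution(text) for k in keywords)


def matches_weighted(keywords, threshold, text):
    """The Data Type matches when the total weight is GREATER than the threshold."""
    return weighted_score(keywords, text) > threshold


def load_dictionary(dictionary_text):
    """A static *.txt dictionary: one word or phrase per line, UTF-8, blank lines ignored."""
    return [line.strip() for line in dictionary_text.splitlines() if line.strip()]


def dictionary_terms_present(terms, text):
    """Dictionary terms that occur in the message, each counted once.
    A dictionary behaves like a weighted keyword set with weight 1 and limit 1
    per term (assumption: repeats of the same term do not count again)."""
    return [t for t in terms if WeightedKeyword(t, weight=1, limit=1).contribution(text) == 1]


def matches_dictionary(terms, threshold, text):
    """Assumption: the dictionary threshold means 'at least this many distinct terms'."""
    return len(dictionary_terms_present(terms, text)) >= threshold


# Constructed sample configuration (not from the original page).
KEYWORDS = [
    WeightedKeyword("confidential", weight=4),                          # protected data on its own
    WeightedKeyword("account", weight=1, limit=3),                      # suspicious only in numbers; capped
    WeightedKeyword(r"\b\d{3}-\d{2}-\d{4}\b", weight=2, is_regex=True), # hypothetical ID pattern
]
THRESHOLD = 3

# Constructed sample messages.
MSG_REPEATED = "Internal draft: account ledger, account list, account review, account audit, account summary."
MSG_MARKED = "This document is CONFIDENTIAL. Do not forward."
MSG_MIXED = "Customer 123-45-6789 opened an account; see also account 987-65-4321."

EMPLOYEE_DICTIONARY = "Alice Cooper\nBob Stone\nCarol Diaz\nDan Wu\n"
NAMES = load_dictionary(EMPLOYEE_DICTIONARY)
NAME_THRESHOLD = len(NAMES) // 2      # the page's starting point: half the list
MSG_ROSTER = "Please cc Alice Cooper and Bob Stone on this. Thanks, Dan Wu"
MSG_SIGNATURE = "See attached.\nRegards,\nDan Wu"


if __name__ == "__main__":
    for msg in (MSG_REPEATED, MSG_MARKED, MSG_MIXED):
        print(weighted_score(KEYWORDS, msg), matches_weighted(KEYWORDS, THRESHOLD, msg), msg[:40])
    for msg in (MSG_ROSTER, MSG_SIGNATURE):
        print(dictionary_terms_present(NAMES, msg), matches_dictionary(NAMES, NAME_THRESHOLD, msg))
```

MSG_REPEATED shows why the ceiling matters: five occurrences of "account" would otherwise score 5, but the limit of 3 holds it at the threshold, so the message does not match; one occurrence of "confidential" matches on its own. The signature-only message shows the Best Practice above in action: one name out of four is below a threshold of two.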

Dynamic Dictionaries
With Dynamic Dictionaries, an administrator can update the DLP dictionaries automatically, without manually uploading the dictionary files to the Management Server after each change and installing the Access Control Policy on all DLP Gateways.
To use Dynamic Dictionaries, the administrator places the dictionary data files on a web server that is accessible from the DLP Gateways and configures a dictionary Data Type that contains the full address of the file on this web server. The DLP Gateways download this file every 60 minutes (the default interval, which can be changed) and start to enforce it immediately.
SmartConsole and SmartView show a log entry for each downloaded dynamic dictionary.
Note - The DLP Gateways enforce whatever the download returns, so the web server and the data file become part of the policy's trust boundary: restrict who can write to the file, and use an https URL, especially if the server requires a username and password, because over http both the credentials and the dictionary content cross the network in clear text.
Supported items:
- Supported data file types: txt (must be in the UTF-8 format), doc, docx
- Maximum dictionary file size: 10 megabytes
- Maximum number of lines in a dictionary file: 500,000
To create a Data Type representation of a dynamic dictionary:
1. Create a data file and upload it to your web server:
   - Create a file that contains the required data. Example: customers.txt
     Best Practice - Dictionary files must contain one word or phrase on each line. If the dictionary file must contain non-English words, we recommend that it be a Word document (*.doc or *.docx).
   - Upload this file to your web server.
2. Create a dynamic dictionary file:
   - In a plain-text editor, create a dynamic dictionary file with the file extension *.dyn_dict (<Name_of_File>.dyn_dict). Example: customer_info.dyn_dict
   - The first line of the dynamic dictionary file must contain the URL (http or https) of the data file on your server. Example:
     http://192.168.22.33/public/customers.txt
   - The second and third lines are optional. If the server requires authentication, enter the username in the second line and the password in the third line. Example:
     http://192.168.22.33/public/customers.txt
     serveruser
     ServerP@ssword#
   - Save the changes in the file and close it.
3. Create the Data Type in SmartDashboard:
   - In SmartConsole, from the left navigation panel, click Manage & Settings.
   - In the top left section, click Blades.
   - In the Data Loss Prevention section, click Configure in SmartDashboard.
     SmartDashboard opens the Data Loss Prevention tab.
   - In the left pane, click Data Types.
   - From the top toolbar, click New.
     The Data Type Wizard opens.
   - On the Data Representation page:
     - Enter a name for the new data type.
     - At the bottom, select Advanced and from the drop-down list, select Words from a dictionary.
     - Click Next.
   - On the Dictionary page:
     - In the Upload a dictionary field, browse to and select the *.dyn_dict file.
     - In the Threshold section, configure the number of terms that must be in the content for the DLP Gateway to match the Data Type to a DLP rule.
       Best Practice - First, set this to the highest reasonable value, and then lower it after you audit the logs in Logs & Events, as described for static dictionaries above.
     - Click Next.
   - On the Finished Data Type Wizard page:
     - If you want to open this Data Type object to configure more settings, select the checkbox Configure additional Data Type properties after clicking Finish.
     - Click Finish.
   - In the left pane, click Policy and configure the applicable rules that use this Data Type.
   - Save the changes in SmartDashboard (in the top left corner, click the diskette icon).
   - Close SmartDashboard.
4. Configure the parameters in the $DLPDIR/config/dlp.conf file:
   - Connect to the command line on the DLP Gateway / each DLP Cluster Member.
   - Log in to the Expert mode.
   - Back up the current $DLPDIR/config/dlp.conf file:
     cp -v $DLPDIR/config/dlp.conf{,_BKP}
   - Edit the current $DLPDIR/config/dlp.conf file:
     vi $DLPDIR/config/dlp.conf
   - Go to the :engine ( section, and then to its :dynamic_dt ( sub-section.
   - Configure the values for these parameters:
     :dynamic_dt (
         ...
         :enable_dynamic_updates (1)
         :update_interval_in_min (60)
         :passwords_are_obscured (0)
         ...
     )
     Parameters:
     - enable_dynamic_updates - Enables or disables the feature: 1 - enabled, 0 - disabled.
     - update_interval_in_min - The interval, in minutes, at which the agents run. The default is 60 minutes. The DLP Gateway runs the agents periodically, at this interval, to create the file marking files (a file with file names and their sizes). To run the agents manually, run the "fwdlp -run_agents" command in the Expert mode on the DLP Gateway / each DLP Cluster Member. The agents also run one time, 5 minutes after each policy installation; the next run time is based on the value of this parameter. To make sure the DLP Gateway / each DLP Cluster Member uses the configured interval, examine the $DLPDIR/log/dlpe.log file.
     - passwords_are_obscured - Enables or disables the support for obscured passwords: 1 - enabled, 0 - disabled (default). If it is necessary to configure obscured passwords, contact Check Point Support.
   - Save the changes in the file and exit the editor.
5. In SmartConsole, install the Access Control Policy.
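Because the *.dyn_dict file and the data file are written by hand and the gateway only reports problems in its logs after the next download, it is worth checking both before upload. The following Python checker is an added example, not part of the page or of Check Point's product: it parses the three-line *.dyn_dict format described above, reports the transport issues a reviewer would flag (http, credentials in clear text, passwords_are_obscured left at its default of 0), and validates a data file against the stated limits (txt/doc/docx, 10 megabytes, 500,000 lines, UTF-8 for txt). The dyn_dict contents are the page's own example values; the data files are constructed, and "10 megabytes" is taken as 10 * 1024 * 1024 bytes (an assumption).

```python
from urllib.parse import urlparse

# Limits stated on the page. Assumption: "10 megabytes" means 10 * 1024 * 1024 bytes.
MAX_BYTES = 10 * 1024 * 1024
MAX_LINES = 500_000
SUPPORTED_EXTENSIONS = {"txt", "doc", "docx"}


def parse_dyn_dict(text):
    """Parse a *.dyn_dict file: line 1 is the http/https URL of the data file,
    line 2 the username and line 3 the password (both optional)."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or not lines[0]:
        raise ValueError("line 1 must contain the http or https URL of the data file")
    url = lines[0]
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"line 1 is not an http or https URL: {url!r}")
    username = lines[1] if len(lines) > 1 and lines[1] else None
    password = lines[2] if len(lines) > 2 and lines[2] else None
    if password and not username:
        raise ValueError("line 3 (password) is set but line 2 (username) is empty")
    return {"url": url, "username": username, "password": password}


def transport_warnings(entry):
    """What a reviewer should flag before the file is uploaded to the Management Server."""
    warnings = []
    if urlparse(entry["url"]).scheme == "http":
        warnings.append("http: the dictionary is downloaded in clear text and can be altered in transit")
        if entry["password"]:
            warnings.append("http with credentials: the username and password are sent in clear text")
    if entry["password"]:
        warnings.append("the password is stored in clear text in the .dyn_dict file "
                        "(passwords_are_obscured is 0 by default)")
    return warnings


def check_data_file(filename, content):
    """Return the problems that would keep the DLP Gateway from using this data file."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SUPPORTED_EXTENSIONS:
        problems.append(f"unsupported file type {filename!r}: use txt, doc or docx")
    if len(content) > MAX_BYTES:
        problems.append(f"file is {len(content)} bytes; the limit is {MAX_BYTES}")
    if ext == "txt":
        try:
            text = content.decode("utf-8")
        except UnicodeDecodeError as err:
            problems.append(f"txt dictionary is not valid UTF-8 (byte offset {err.start})")
        else:
            count = len(text.splitlines())
            if count > MAX_LINES:
                problems.append(f"file has {count} lines; the limit is {MAX_LINES}")
    return problems


# Constructed samples. The dyn_dict values are the page's own example.
SAMPLE_DYN_DICT = "http://192.168.22.33/public/customers.txt\nserveruser\nServerP@ssword#\n"
SAMPLE_DYN_DICT_TLS = "https://192.168.22.33/public/customers.txt\n"
SAMPLE_TXT_OK = "Acme Corp\nGlobex\nInitech\n".encode("utf-8")
SAMPLE_TXT_BAD = "Müller GmbH\n".encode("latin-1")   # Latin-1 bytes, not UTF-8


if __name__ == "__main__":
    entry = parse_dyn_dict(SAMPLE_DYN_DICT)
    print(entry["url"], entry["username"])
    for warning in transport_warnings(entry):
        print("WARNING:", warning)
    print(check_data_file("customers.txt", SAMPLE_TXT_OK))
    print(check_data_file("customers.txt", SAMPLE_TXT_BAD))
```

Run it against the page's example and all three transport warnings fire; switch the first line to https and drop the credentials and none do. The UTF-8 check is the one most often missed: a dictionary saved from a Windows editor in a legacy code page looks fine locally but is rejected as a txt dictionary.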

Message Attributes
Message attributes refer to these properties of the message:
- The total message size, in kilobytes
- Number of attachments
- Total number of words in the message
To create a Data Type for message attributes:
1. In SmartConsole, from the left navigation panel, click Manage & Settings.
2. In the top left section, click Blades.
3. In the Data Loss Prevention section, click Configure in SmartDashboard.
   SmartDashboard opens the Data Loss Prevention tab.
4. In the left pane, click Data Types.
5. From the top toolbar, click New.
   The Data Type Wizard opens.
6. On the Data Representation page:
   - Enter a name for the new data type.
   - At the bottom, select Advanced and from the drop-down list, select Message Attributes.
   - Click Next.
7. On the Specify Message Attributes page:
   Note - For a message to match this Data Type, it must match all the criteria - the size and the number of attachments and the number of words. If the message fails to match one of the criteria, it fails to match this Data Type.
   - Configure the Message Size. Define the size a message can have:
     - Minimum and maximum values configured: matches all messages whose size is within the specified range.
     - Only the minimum value configured: matches all messages whose size is greater than the minimum value.
     - Only the maximum value configured: matches all messages whose size is smaller than the maximum value.
   - Configure the Number of Attachments. Define the number of attachments a message can have:
     - Minimum and maximum values configured: matches all messages whose number of attachments falls within the specified range.
     - Only the minimum value configured: matches all messages with more attachments than the specified minimum value.
     - Only the maximum value configured: matches all messages with fewer attachments than the specified maximum value.
   - Configure the Total Number of Words in the Message. Use this to scan only messages with a significant amount of text. If an email has a large binary file attached, such as a graphic, and the email body contains only the words "your picture", the email might match the Size attribute but contain no text worth scanning. You need the email to match a DLP rule only if it contains enough text that could conceivably result in data loss.
     - Minimum and maximum values configured: matches all messages whose word count falls within the specified range.
     - Only the minimum value configured: matches all messages whose word count is greater than the specified minimum value.
     - Only the maximum value configured: matches all messages whose word count is lower than the specified maximum value.
   - Click Next.
8. On the Finished Data Type Wizard page:
   - If you want to open this Data Type object to configure more settings, select the checkbox Configure additional Data Type properties after clicking Finish.
   - Click Finish.
9. Save the changes in SmartDashboard (in the top left corner, click the diskette icon).
10. Close SmartDashboard.
11. In SmartConsole, install the Access Control Policy.

CPcode
CPcode is a scripting language, similar to C or Perl, specifically for Intrusion Prevention Systems. If you are familiar with this language, you can create your own complex rules. Use CPcode Data Types to create dynamic definitions of data to protect, or to create data type representations with custom parameters.
For example, you can create a CPcode script that checks for a date that is before a public release, which lets you create rules that stop price list releases before that date but pass them afterwards. Other common uses of CPcode include relations between rule parameters, such as recipients (match the rule to an email if it is sent to too many domains) and protocols (match the rule to HTTP if the traffic looks like webmail).
Best Practice - If you write a CPcode function yourself, make sure it works before you put it in production.
Example of a CPcode function (quarantines the email, logs it, and tells the user why, if any recipient address ends with a domain from the competitors list):
func rule_1
{
    foreach $recipient inside global:DESTS
    {
        foreach $comp inside CPMPETITORS_DOMAIN
        {
            if( casesuffix( $recipient , $comp ) )
            {
                set_message_to_user(cat("The mail is sent to " , $recipient , " which is a competitor's mail address."));
                set_track(TRACK_LOG);
                return quarantine();
            }
        }
    }
}
To create a Data Type representation of CPcode:
1. Create a CPcode script file (*.cpc).
2. In SmartConsole, from the left navigation panel, click Manage & Settings.
3. In the top left section, click Blades.
4. In the Data Loss Prevention section, click Configure in SmartDashboard.
   SmartDashboard opens the Data Loss Prevention tab.
5. In the left pane, click Data Types.
6. From the top toolbar, click New.
   The Data Type Wizard opens.
7. On the Data Representation page:
   - Enter a name for the new data type.
   - At the bottom, select Advanced and from the drop-down list, select Custom CPcode match.
   - Click Next.
8. On the Upload CPcode files page:
   - Click Add.
   - Select the CPcode script file (*.cpc).
   - Click Next.
9. On the Finished Data Type Wizard page:
   - If you want to open this Data Type object to configure more settings, select the checkbox Configure additional Data Type properties after clicking Finish.
   - Click Finish.
10. In the left pane, click Policy and configure the applicable rules that use this Data Type.
11. Save the changes in SmartDashboard (in the top left corner, click the diskette icon).
12. Close SmartDashboard.
13. In SmartConsole, install the Access Control Policy.