DLP Rule Actions
For each DLP rule (a set of traffic parameters and other conditions in a Rule Base, that is, a Security Policy, that cause specified actions to be taken for a communication session) that you create for a Data Type (a classification of data in a Check Point Security Policy for the Content Awareness Software Blade), you also define the action to be taken if the rule matches a transmission.
| Action | Description |
|---|---|
| Detect | The transmission is passed. The event is logged, and you can review and analyze it in the Logs & Monitor view. The data and the email itself, or the properties of the transmission if it is not email, are saved in storage for future reference. You can notify Data Owners of the event. This is true for all the following actions as well. |
| Inform User | The transmission is passed, but the incident is logged and the user is notified. |
| Ask User | The transmission is held until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision itself is logged in the Logs & Monitor Logs view under the User Response category. Administrators with full permissions, or with the View/Release/Discard DLP messages permission, can also decide from the Logs & Monitor view whether the transmission should be completed or not. This is useful when the user is not available to confirm whether it should be sent. |
| Prevent | The data transmission is blocked. |
| Watermark | Tracks outgoing Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) by adding visible watermarks or invisible encrypted text. |

Note - If data matches multiple rules, the rule with the most restrictive action is applied. The order from most restrictive to least restrictive is: Prevent, Ask User, Inform User, Detect.
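The precedence rule in the note above, worked through in code. This is an added example, not Check Point's own implementation: the rule names and Data Type names are constructed for illustration, and the ranking contains only the four actions the note orders (Watermark is not ranked by the note, so the resolver rejects it rather than guessing where it belongs).

```python
from dataclasses import dataclass
from typing import Iterable

# Restrictiveness order from the note: Prevent > Ask User > Inform User > Detect.
# A higher number means more restrictive. Watermark is not part of this order.
RESTRICTIVENESS = {
    "Detect": 0,
    "Inform User": 1,
    "Ask User": 2,
    "Prevent": 3,
}


@dataclass(frozen=True)
class DlpRule:
    name: str        # rule name (constructed for this example)
    data_type: str   # Data Type the rule matches on (constructed)
    action: str      # one of the actions listed in RESTRICTIVENESS


def match_rules(rules: Iterable[DlpRule], data_types_found: set[str]) -> list[DlpRule]:
    """Select the rules whose Data Type was found in the transmission, in rule base order."""
    return [r for r in rules if r.data_type in data_types_found]


def effective_action(matched: Iterable[DlpRule]) -> tuple[str, list[str]]:
    """Return (action to apply, names of all matched rules).

    When several rules match one transmission, the most restrictive action wins.
    Every matched rule name is returned so that each match can still be logged,
    not only the rule that decided the action.
    """
    matched = list(matched)
    if not matched:
        raise ValueError("effective_action requires at least one matched rule")
    for rule in matched:
        if rule.action not in RESTRICTIVENESS:
            raise ValueError(f"unranked action {rule.action!r} in rule {rule.name!r}")
    winner = max(matched, key=lambda r: RESTRICTIVENESS[r.action])
    return winner.action, [r.name for r in matched]


# Constructed sample rule base; names and Data Types are hypothetical.
SAMPLE_RULES = [
    DlpRule("Credit card numbers", "PCI - Credit Card Numbers", "Prevent"),
    DlpRule("Internal memos", "Confidential - Internal", "Ask User"),
    DlpRule("HR documents", "HR - Personnel", "Inform User"),
    DlpRule("Source code", "Source Code", "Detect"),
]


if __name__ == "__main__":
    # A message carrying both an internal memo and source code: Ask User outranks Detect.
    hits = match_rules(SAMPLE_RULES, {"Confidential - Internal", "Source Code"})
    action, names = effective_action(hits)
    print(f"action={action} matched={names}")
```

Returning the full list of matched rule names alongside the winning action is deliberate: when you review the logs later to decide which rules to keep in Detect, you want to see every rule that fired, not only the one whose action was enforced.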
Managing Rules in Detect
Rules are set to the Detect action by default because it is the least disruptive of the action options. When Data Loss Prevention (the Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization; acronym: DLP) discovers a transmission containing protected data, an incident is logged in the Logs & Monitor Logs view and any other configured logging actions are taken.
You might want to leave all your rules in Detect at first. Then you can review the logs and decide which rules are needed according to what actually happens in your organization. This can save you and your users a lot of time, and it makes your explanations of what users need to know and what to do much more specific to their needs.