DLP Rule Matching

The DLP rule order does not matter. In this rule base, each transmission is checked against each rule.
Because the rule order does not matter, you can change the display of the DLP policy for your convenience.
- To show rules in a different order, click a column header. The rules are sorted by the selected column.
- To show rules in groups, select an option from the Grouping menu in Data Loss Prevention > Policy.
- To show or hide columns, right-click the policy column header and select an item.
- To change the arrangement of columns, drag a column to a new position.

If data matches a rule, and the rule has exceptions, the exceptions to that rule are checked. If the data matches any exception, DLP allows the transmission.
For example, consider a rule that captures emails containing more than fifteen employee names in the body of a message. If a user in the HR department sends a list of twenty employees to an outside address (such as their contractor), the email is allowed without incident logging or any Data Loss Prevention action, because the same rule has an exception that allows users in the HR group to send lists of employee names outside your organization.
If the data matches multiple rules, one with an exception and one without exceptions, the rule without exceptions is used.

If the data matches multiple rules, the most restrictive rule is applied.
For example, if a user sends an email with an attached unencrypted PDF, the email can match two rules. One rule is Detect: detect emails to an external destination that contain PDF files. A second rule is Ask User: delay emails with PDF files that are unencrypted, until the user specifies that it is good to send. This rule also informs the Marketing and Technical Communications manager that the PDF was released from the company to an external destination. For more information, see Setting and Managing Rules to Ask User.
In this case:
- The email is quarantined.
- The user gets a notification and has to make a decision relating to what to do.
- The data owner gets a notification.
- The rule violations (one for Detect and one for Ask User) are logged.
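
The matching behavior described above, modeled as an added Python example (not Check Point code): every rule is evaluated regardless of order, an exception cancels only its own rule, the most restrictive matching action is applied, and every violated rule is logged. The rule names, transmission fields, numeric ranking, and the Detect action on the employee-names rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Assumed ranking: the page only states that Ask User wins over Detect.
RESTRICTIVENESS = {"Detect": 1, "Ask User": 2}

@dataclass
class Rule:
    name: str
    action: str
    matches: Callable[[dict], bool]
    exceptions: List[Callable[[dict], bool]] = field(default_factory=list)

def has_pdf(tx, unencrypted_only=False):
    """True if the transmission carries a PDF (optionally only unencrypted ones)."""
    return any(a["type"] == "pdf" and not (unencrypted_only and a["encrypted"])
               for a in tx.get("attachments", []))

def evaluate(rules, tx):
    """Return (applied action, names of logged rules) for one transmission."""
    violations = []
    for rule in rules:  # every rule is checked, so list order is irrelevant
        # An exception cancels only the rule it belongs to.
        if rule.matches(tx) and not any(exc(tx) for exc in rule.exceptions):
            violations.append(rule)
    if not violations:
        return "Allow", []
    strictest = max(violations, key=lambda r: RESTRICTIVENESS[r.action])
    return strictest.action, sorted(r.name for r in violations)

# Constructed rules mirroring the page's two examples.
RULES = [
    Rule("employee_names", "Detect",  # action is an assumption; the page does not name it
         lambda tx: tx["external"] and tx.get("employee_names", 0) > 15,
         exceptions=[lambda tx: tx["sender_group"] == "HR"]),
    Rule("pdf_external", "Detect", lambda tx: tx["external"] and has_pdf(tx)),
    Rule("pdf_unencrypted", "Ask User",
         lambda tx: tx["external"] and has_pdf(tx, unencrypted_only=True)),
]

# Constructed sample transmissions.
HR_LIST = {"sender_group": "HR", "external": True, "employee_names": 20}
PDF_MAIL = {"sender_group": "Sales", "external": True,
            "attachments": [{"type": "pdf", "encrypted": False}]}

if __name__ == "__main__":
    print(evaluate(RULES, HR_LIST))
    print(evaluate(RULES, PDF_MAIL))
```
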