DLP and Identity Awareness
When Identity Awareness is enabled on the Security Gateway, you can create access role objects and use them in the DLP policy. With Identity Awareness enabled, DLP gains these capabilities:
- Email notifications can be sent when DLP violations occur over the FTP or HTTP protocols. (Before R76, DLP email notifications were sent only when the violation occurred on the SMTP protocol.)
- Access role objects can be used in the Source or Destination column of a DLP rule.
- The Action column of a DLP rule can redirect unknown users to the Identity Captive Portal for authentication.
- The Logs & Monitor logs identify users that violate the DLP policy.

In addition to email notifications for SMTP DLP violations, you can configure notifications to be sent when the violation occurs over the FTP or HTTP protocols.
To send the email notifications:
- Enable Identity Awareness.
- In Data Loss Prevention > Additional Settings > Advanced > Email Notifications, select:
  - Web
  - FTP
When you select Web or FTP in the Email Notifications area, the Web and FTP options are also selected in the Learn User Actions area. This lets DLP learn how the user decides to handle a DLP incident and apply the same decision to subsequent messages (see Learning Mode).
Access Roles in the Source or Destination of a Rule
Access role objects can be used in the Source or Destination column of a DLP rule. The presence of access roles makes DLP user-aware. An access role object identifies users, computers, and network locations as one object. You can select specific users, user groups, or user branches as the object.

Captive Portal redirection applies only to the HTTP and HTTPS protocols. Redirection occurs when the sender is unknown (the IP address does not map to any user in Active Directory), the Action of the DLP rule is Identity Captive Portal, and one of these conditions is also met:
- No access role objects are in the Source or Destination column of the policy rule, but the Source and Destination match the Source and Destination of the HTTP connection that the DLP Gateway examines.
- The Source column of the DLP rule contains an access role.
With the redirection to the Captive Portal, DLP can:
- Identify unknown users and record their FTP and HTTP activity. You can then align the identified users with access roles in the policy.
- Send notification emails for FTP and HTTP violations.
Note - Captive Portal redirection occurs:
- For whatever data is transferred in the message.
- Before the data payload of the connection is scanned for a violation of a policy rule.
To redirect HTTP traffic to the Captive Portal:
- Right-click the Action and select Identity Captive Portal.
- Select Redirect HTTP connections to an authentication Captive Portal.
- Click OK.
The Action column shows Identity Captive Portal.

If your organization uses an HTTP proxy server behind the gateway, the identities of users behind the proxy are shown after you configure:
- The company proxy server to add the X-Forwarded-For HTTP header.
- The DLP Gateway to use the X-Forwarded-For HTTP header.
You can also configure the DLP Gateway to strip the X-Forwarded-For header from outgoing traffic. Without the header, internal IP addresses are not shown in requests to the Internet.
To use the X-Forwarded-For HTTP header:
- Configure your proxy server to add the X-Forwarded-For HTTP header.
- In SmartConsole, on the Identity Awareness page of the DLP Gateway object, select Detect users located behind HTTP proxy using X-Forward-For header.
- To configure the DLP Gateway to strip the X-Forwarded-For header, which otherwise exposes internal IP addresses in requests to the Internet, select Hide X Forward-For header in outgoing traffic.
- Install the policy.
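The two sides of the X-Forwarded-For handling described above (reading the header to find the client behind the proxy, and stripping it from outgoing traffic), as an added Python example that is not Check Point code. The proxy address is a constructed value; the important check is that the header is only trusted when the connection actually arrives from the configured proxy, because any client can forge it.

```python
from ipaddress import ip_address
from typing import Dict, Optional

# Constructed example value: the internal address of the company HTTP proxy.
TRUSTED_PROXIES = {ip_address("10.0.0.5")}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the header up accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip_for_identity(src_ip: str, headers: Dict[str, str]) -> str:
    """Address the gateway should map to a user.

    X-Forwarded-For is honoured only when the connection really comes from a
    configured proxy. Each proxy appends the peer address it saw, so the
    trustworthy entry is the rightmost one that is not itself a trusted proxy;
    anything further left may have been written by the client.
    """
    src = ip_address(src_ip)
    xff = _header(headers, "X-Forwarded-For")
    if src not in TRUSTED_PROXIES or not xff:
        return str(src)
    for entry in reversed(xff.split(",")):
        try:
            candidate = ip_address(entry.strip())
        except ValueError:
            break  # malformed entry: stop trusting the chain
        if candidate not in TRUSTED_PROXIES:
            return str(candidate)
    return str(src)  # nothing usable: fall back to the connection's own address


def strip_xff(headers: Dict[str, str]) -> Dict[str, str]:
    """Outgoing copy of the headers without X-Forwarded-For, so internal
    addresses do not reach the Internet (the 'Hide ... in outgoing traffic' option)."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
```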

These three rules show how Identity Awareness works with DLP:
Rule 1
In this rule:
- Access role objects are used in the Source column. This rule forbids a known user in the Finance department to send credit card numbers outside of the organization. It does not forbid known users that are not listed in the access role to send credit card numbers outside of the organization.
- An unknown user (a computer with an IP address that is not mapped to any user in Active Directory) who tries to send credit card numbers outside of the organization - This rule does not stop them.
- A user that is known but not part of the access role - This rule does not forbid them to send credit card numbers.
- Unknown sender is not redirected to the Captive Portal - No identification for unknown sender.
Rule 2
In this rule:
- Known users inside the organization can no longer send out credit card data, and they receive an email notification of the policy violation.
- Unknown users inside the organization that send out any type of data are directed to the Captive Portal for identification. When they are identified, DLP scans the data for a possible violation.
Note - When you enable Identity Captive Portal on this rule, HTTP or HTTPS connections that pass from inside to outside of the organization must be identified with a user.
Rule 3
In this rule:
- A known user in the Finance department can no longer send credit card numbers outside of the organization.
- An access role in the Source (plus Identity Captive Portal in the Action column) means that for HTTP connections there is a redirect if the source user is unknown and the destination matches the destination that the policy specifies.
- A user that is known but not part of the access role is not:
  - Prevented from sending credit card numbers.
  - Redirected to the Captive Portal.
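The redirection and matching behaviour of the three rules above, modelled in Python as an added example (not Check Point code). The Rule and Connection fields are a simplification: the destination condition is reduced to a to_outside flag, the access role is reduced to a set of AD groups, and the rule definitions are constructed from the descriptions rather than taken from a real policy.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    source_role: Optional[FrozenSet[str]]  # AD groups of the access role; None = no access role in Source
    data_type: str                         # data type the rule matches, e.g. "credit_card"
    action: str                            # action when the rule matches a scanned message
    captive_portal: bool                   # Action column set to Identity Captive Portal


@dataclass(frozen=True)
class Connection:
    protocol: str            # "http", "https", "smtp", "ftp"
    user: Optional[str]      # None = source IP maps to no Active Directory user
    groups: FrozenSet[str]   # AD groups of the identified user
    data_type: str           # what the payload scan would find
    to_outside: bool         # simplified: destination matches the rule's Destination


def evaluate(rule: Rule, conn: Connection) -> str:
    """Return 'redirect', rule.action, or 'no_match' for one rule and one connection."""
    # Redirection is decided before the payload is scanned, so it applies to any data
    # type, but only to HTTP/HTTPS and only when the sender is unknown.
    if (rule.captive_portal and conn.user is None
            and conn.protocol in ("http", "https") and conn.to_outside):
        return "redirect"
    if not conn.to_outside:
        return "no_match"
    # An access role in Source matches only identified users in one of its groups;
    # an unknown user, or a known user outside the role, does not match the rule.
    if rule.source_role is not None and (conn.user is None or not (conn.groups & rule.source_role)):
        return "no_match"
    if rule.data_type != "any" and conn.data_type != rule.data_type:
        return "no_match"
    return rule.action


# Constructed rules mirroring the three descriptions above.
FINANCE = frozenset({"Finance"})
RULE_1 = Rule("Rule 1", FINANCE, "credit_card", "prevent", captive_portal=False)
RULE_2 = Rule("Rule 2", None, "credit_card", "prevent", captive_portal=True)
RULE_3 = Rule("Rule 3", FINANCE, "credit_card", "prevent", captive_portal=True)
```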