Rule Exceptions
In some cases, you can create exceptions to a rule in the DLP policy. A rule is a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.
For example, a public health clinic that must comply with the Health Insurance Portability and Accountability Act (HIPAA) does not allow patient records to leave the clinic's closed network. However, the clinic works with a specific social worker in a city office, who must have the records on hand for the patients' benefit. As the clinic's Security Administrator, you create an exception to the rule that allows this data type to be sent to the specific email address. To refine this case, you can include a secondary data type in the exception, for example, a Dictionary of the names of patients who signed a waiver for the social worker to see their records. Thus, with one rule, you ensure that the social worker's office gets only the records that the social worker is allowed to see. DLP prevents anyone from distributing the records to unauthorized email addresses. It ensures that no employee of the clinic has to deal with personal requests to send the records to an unauthorized destination, because it is simply impossible to do.

To create an exception to a DLP rule:
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), select Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
  SmartDashboard (the legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower; in versions R80.X and higher it is still used to configure specific legacy settings) opens and shows the DLP tab.
- Right-click the Exceptions column of the rule and select Edit.
  The Exceptions for Rule window opens.
- Click New Exception.
  The original rule parameters appear in the table.
- Make the changes to the parameters to define the exception.
- Click Save and then close SmartDashboard.
- In SmartConsole, install the policy.

You can define a combination of Data Types for an exception: "allow this data if it comes with the second type of data".
To specify complex Data Types for exceptions:
- In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
  SmartDashboard opens and shows the DLP tab.
- From the navigation tree, click Policy.
- In the Data column of the exception, click the plus button.
- In the new window, select the Data Types to add to the DLP exception.
- Click OK.

You can define an Exception to apply to data that comes from a specific user, group, or network: "allow this type of data if it comes from this person".
To specify Exceptions based on sender:
- In the Source column, click the plus button or right-click and select Add.
  The list of senders includes all defined users, user groups, networks, gateways, and nodes. If you make any selection, the default My Organization is removed.
- Select the objects that define the source from which this data should be allowed.
  If My Organization is the Source, you can right-click and select Edit. This opens the My Organization window, in which you can change the definition of your internal organization. This definition is changed for all of DLP, not just this rule.

You can define an Exception to apply to data that is to be sent to a specific user, group, or network: "allow this type of data if it is being sent to this person".
To specify Exceptions based on destination:
- In the Destination column, click the plus button.
  The list of recipients includes all defined users, user groups, networks, gateways, and nodes. If you make any selection, the default Outside My Org (anything that is not in My Organization) is removed.
- Select the objects that define the destination to which this data should be allowed.

You can define an Exception to apply to data that is transmitted over a specific protocol: "allow this data if it is being sent over this protocol".
To specify Exceptions based on protocol:
- In the Protocol column, click the plus button.
  The list of protocols includes DLP-supported protocols. If you make any selection, the default Any is removed.
- Select the protocols through which this data should be allowed.
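
The clinic example from the top of this page, as a conceptual model added here (it is not Check Point code and does not describe how the DLP engine is implemented): an exception applies only when every one of its columns matches, so a record reaches the social worker only when the waiver Dictionary also matches. The data type names, the addresses, the `smtp` label and the result strings are constructed for the illustration.

```python
from dataclasses import dataclass

ANY = frozenset({"*"})  # wildcard, standing in for a column left at its default

@dataclass(frozen=True)
class Message:
    data_types: frozenset  # Data Types the content matched
    source: str
    destination: str
    protocol: str

@dataclass(frozen=True)
class Match:
    """One row of columns: the rule itself, or one exception to it."""
    data_types: frozenset  # every listed type must be present
    sources: frozenset = ANY
    destinations: frozenset = ANY
    protocols: frozenset = ANY

    def hits(self, m: Message) -> bool:
        def ok(allowed, value):
            return allowed == ANY or value in allowed
        return (self.data_types <= m.data_types
                and ok(self.sources, m.source)
                and ok(self.destinations, m.destination)
                and ok(self.protocols, m.protocol))

def evaluate(rule: Match, exceptions: list, m: Message) -> str:
    """Return 'pass' (rule not matched), 'allow-by-exception' or 'prevent'."""
    if not rule.hits(m):
        return "pass"
    if any(e.hits(m) for e in exceptions):
        return "allow-by-exception"
    return "prevent"

# Constructed policy; only outbound messages are modeled.
RULE = Match(frozenset({"patient_record"}))
EXCEPTIONS = [Match(frozenset({"patient_record", "waiver_names"}),
                    destinations=frozenset({"socialworker@city.example"}),
                    protocols=frozenset({"smtp"}))]

def msg(types, dst, proto="smtp", src="nurse@clinic.example"):
    return Message(frozenset(types), src, dst, proto)

if __name__ == "__main__":
    both = {"patient_record", "waiver_names"}
    for m in (msg(both, "socialworker@city.example"),
              msg({"patient_record"}, "socialworker@city.example"),
              msg(both, "friend@mail.example")):
        print(m.destination, sorted(m.data_types), evaluate(RULE, EXCEPTIONS, m))
```

When reviewing a real exception, walk the same cases: the intended message, the same message without the secondary Data Type, and the same data to any other destination or over any other protocol.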