Setting DLP Rule Tracking

A primary consideration for creating Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. rules is how to audit incidents.

In the rule base All rules configured in a given Security Policy. Synonym: Rulebase. of the Data Loss Prevention policy, the Track column offers these options:

Option	Meaning
Email	Sends an email to a configured recipient
Log	Records the incident in the Logs & Monitor view (All the other tracking options also log an incident).
Alert	Opens a pop-up window in the SmartView Monitor.
SNMP Trap	Sends an SNMP alert to the SNMP GUI. This uses the fwd process, to run the `internal_snmp_trap` script that sends an ID, the trap type, source port, community, and host name.
User Defined (alert)	Sends one of three possible customized alerts. The alerts are defined by the scripts specified in the main Menu > Global Properties > Log and Alert > Alert Commands. The alert process on the Log server runs the scripts.
Store Incident	Determines how the data should be stored and deleted (if at all). The options are: Yes Only as text Don't store (depending on other conditions) Delete

Store Incident

Store Incident tracking options determine how data that matches a DLP rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. is stored (or not stored).

Available Options

Store Option

Meaning

Yes

Email data is stored as an .eml file
FTP data is stored in the .zip format.
HTTP
- Text entered onto a web page is saved as HTML and viewed in the default browser when the data is opened through a link in the Log Details window.
- An uploaded file is stored in the .zip format.

Note - For FTP and HTTP, only those elements of the message that violate DLP rules are stored.

Only as Text

Textual data extracted from the email (header and body) and the attachment is stored as HTML, but only those sections that triggered the violation.
FTP data is stored as HTML.
HTTP text entered onto a web page is saved as HTML and viewed in the default browser when the data is opened through a link in the Log Details window.

Note - For FTP and HTTP, only those elements of the message that violate DLP rules are shown in the HTML page which stores the information.

Don't Store

When the rule is matched, the incident is logged and the data deleted so that it cannot be viewed in the Logs & Monitor view.

Note - The deletion of the data can be prevented by other store options. If a scanned message matches a number of store incident options, the option with highest priority has precedence:

Delete - Priority 1
Yes - Priority 2
Only as Text - Priority 3
Don't Store - Priority 4

Delete

Logs the incident and immediately deletes the data. Select this example for sensitive data such as credit card numbers.

Note - If the email that contains the sensitive data also has an attachment that must be watermarked, the email is not deleted. The email is saved but you cannot view it with the Logs & Monitor view.

Resolving Store Incident Conflicts

If a scanned message matches a number of different DLP rules, and each rule has a different store option, the option with highest priority has precedence. For example, if an email matches these rules:

Rule	Store Incident Option	Priority
Rule_1	Only as text	3
Rule_2	Yes	2
Rule_3	Don't store	4

The store incident option related to Rule_2 has the highest priority. The DLP Gateway stores the data even though the email matched a rule (Rule_3) configured to delete the data.