Troubleshoot Data Loss Prevention
In each user-defined DLP sensor, you can change the settings that control how DLP scans content, and what action to take if content cannot be scanned.
DLP Resource Usage
Data Loss Prevention inspects all traffic for each connection that matches specific patterns.
Some DLP rules are very resource-intensive. If you enable many sensors and rules, the performance of your Firebox device can be noticeably affected. Each DLP sensor requires additional space in memory, and the number of DLP rules that are configured on each sensor also impacts the amount of memory used by the device. Only select those rules that are appropriate for your region and the use case that is relevant to your industry. This will also help to minimize any potential false positives.
On smaller devices such as the Firebox T10, and XTM 25 or 26, WatchGuard recommends that you use no more than one or two sensors, and each sensor should not contain more than 6 DLP rules. For larger devices you can configure a larger number of sensors.
You can also control the resource usage with Scan Limits. For more information, see About DLP Scan Limits.
Suggested DLP Configuration
Enable DLP in these proxy actions that handle outbound traffic:
- SMTP Proxy to scan email messages and attachments.
- FTP Proxy to scan content in files that users upload.
- HTTP Proxy to scan content that users post to remote sites. (The HTTPS Proxy requires content inspection, and you must select an HTTP Proxy with DLP enabled to scan the inspected content.)
Test the DLP Configuration
To confirm that Data Loss Prevention is working correctly, you can attempt to send data that will trigger a configured sensor.
If you need to prevent the transmission of confidential client or patient records, you can test by creating simulated records in the format you use and attempting to send them by email or to an HTTP site.
Many DLP rules have a minimum threshold that must be met before the content counts as a DLP violation. This helps prevent false positives. For more details on the threshold for each rule, review the DLP Rules on the WatchGuard Security Portal.
Alternatively, you can use the test data set below with the PCI Audit sensor, or create a sensor with the rule National identification numbers with qualifying terms [Global] enabled.
- Social insurance number 1234
- Social insurance number 2345
- Social insurance number 3456
- Social insurance number 4567
- Social insurance number 5678
To troubleshoot DLP issues, you must examine the logs related to the proxy policy on which you have configured a Data Loss Prevention sensor.
Cannot perform DLP Scan
In some cases, a configuration or software error will cause Data Loss Prevention scans to fail. Make sure your Firebox device is configured with a valid DNS server and review the Data Loss Prevention settings on your device.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80 msg="ProxyAllow: HTTP Cannot perform DLP Scan" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)
By default, DLP will allow content to pass when this error occurs.
DLP Object Unscannable
This log message indicates that Data Loss Prevention is unable to scan a file and specifies the reason. This error occurs if the file is encrypted.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80 msg="ProxyAllow: HTTP DLP Object Unscannable" proxy_act="HTTP-Client.2" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)
DLP Object Too Large
This log message indicates that Data Loss Prevention did not scan a file because it exceeded the configured maximum DLP scan limit. The default limit is 1024 kilobytes.
Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80 msg="ProxyAllow: HTTP DLP Object Too Large" proxy_act="HTTP-Client.1" dlp_sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)
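To make the log review described in this section repeatable, here is an added example (not WatchGuard's code) that parses the three DLP log message types shown above and flags content that the Firebox allowed through without a completed scan, which is the condition worth alerting on since unscanned content passes by default. The sample lines are constructed from the page's examples, and the positional field layout before msg= is assumed from them.

```python
import re
from collections import Counter

# Constructed sample lines in the format the page shows (not captured from a real Firebox).
SAMPLE_LOGS = [
    'Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80 msg="ProxyAllow: HTTP Cannot perform DLP Scan" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80 msg="ProxyAllow: HTTP DLP Object Unscannable" proxy_act="HTTP-Client.2" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)',
    'Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80 msg="ProxyAllow: HTTP DLP Object Too Large" proxy_act="HTTP-Client.1" dlp_sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)',
]

# Positional header assumed from the examples: action, src/dst interface, protocol, src/dst IP, src/dst port.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')              # msg="...", dlp_sensor="...", error="..."
TAIL_RE = re.compile(r"\((?P<policy>[^()]+)\)\s*$")  # trailing policy name such as "(HTTP-proxy-00)"
# The three "content passed without a completed scan" messages documented on this page.
SCAN_FAILURE_MESSAGES = {
    "Cannot perform DLP Scan": "scan_failed",  # configuration or software error
    "DLP Object Unscannable": "unscannable",   # e.g. the file was encrypted
    "DLP Object Too Large": "too_large",       # exceeded the configured DLP scan limit
}

def parse_dlp_log(line):
    """Parse one proxy log line; return None if it is not a DLP log message."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    rec = head.groupdict()
    rec.update(KV_RE.findall(line))            # key="value" pairs become dict entries
    if "dlp_sensor" not in rec:
        return None                            # proxy line, but no DLP sensor involved
    tail = TAIL_RE.search(line)
    rec["policy"] = tail.group("policy") if tail else None
    rec["category"] = next(
        (cat for text, cat in SCAN_FAILURE_MESSAGES.items() if text in rec.get("msg", "")),
        "scanned",
    )
    return rec

def unscanned_allowed(lines):
    """Records where the Firebox allowed content through without a completed DLP scan."""
    recs = (parse_dlp_log(l) for l in lines)
    return [r for r in recs if r and r["action"] == "Allow" and r["category"] != "scanned"]

def summarize(lines):
    """Count unscanned-but-allowed events per (category, sensor) to find noisy sensors."""
    return Counter((r["category"], r["dlp_sensor"]) for r in unscanned_allowed(lines))
```

A recurring scan_failed count for one sensor points at the DNS or DLP settings check above, while a high too_large count suggests revisiting the scan limit for that sensor.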