About Data Loss Prevention
The Data Loss Prevention (DLP) service enables you to detect, monitor, and prevent accidental unauthorized transmission of confidential information outside your network or across network boundaries. The DLP service includes built-in auditing sensors that you can use to monitor compliance with HIPAA or PCI information security requirements. You can also create custom DLP sensors to detect data that matches other content control rules, or create a custom rule to search for specific phrases in network traffic. The included DLP reports help you to evaluate and demonstrate employee compliance with your organization's information security policies.
DLP uses content control rules to identify sensitive content. When DLP identifies content that matches enabled DLP content control rules, the content is treated as a DLP violation. You can choose what action the WatchGuard device takes for DLP violations in email and non-email traffic. You can also configure DLP to take different actions based on the source and destination of the traffic.
DLP Rules Set
Firebox T10, T15, T30, T35, T50, T55, T70, M200, M300, XTM 2, 3, and 5 Series devices use the standard (optimized) set of DLP content control rules. All other device models use the full enterprise set.
DLP Text Extraction and File Types
DLP can extract and scan text from these file types:
- Email message body and attached text files
- Adobe PDF, RTF
- Microsoft PowerPoint 2000, 2003, 2007, 2010, 2013, 2016
- Microsoft Excel 2000, 2003, 2007, 2010, 2013, 2016
- Microsoft Word 2000, 2003, 2007, 2010, 2013, 2016
- Microsoft Project 2000, 2003, 2007, 2010, 2013, 2016
- Microsoft Visio 2000, 2003, 2007, 2010, 2013, 2016
- Microsoft Outlook .MSG
- Microsoft Outlook Express .EML
- OpenOffice Calc
- LibreOffice Calc
- OpenOffice Impress
- OpenOffice Writer
- LibreOffice Impress
- LibreOffice Writer
DLP does not scan files that have been added to the File Exceptions list. For more information, see Configure File Exceptions.
Text extraction is supported on Firebox T35, T35-W, T55, T55-W, T70, M Series, FireboxV, Firebox Cloud, XTM 5 Series, XTM 8 Series, XTM 800 Series, XTM 1050, XTM 1500 Series, XTM 2050, and XTM 2500 Series devices.
DLP on Firebox T10, T15, T30, T50, XTM 2 Series, and XTM 3 Series devices does not include text extraction. Without text extraction, DLP scans the email message body and text files, but has a limited ability to read text from other file types.
Add the DLP Upgrade
DLP is a subscription service. To enable DLP on your WatchGuard device, you must:
About DLP and Proxy Policies
You can enable DLP for the WatchGuard SMTP, FTP, HTTP, and HTTPS proxy policies.
To use DLP with an HTTPS proxy policy, you must enable Content Inspection in the HTTPS proxy action.
DLP scans different types of traffic according to which proxy policies you use it with:
- SMTP proxy — DLP scans content in email messages and attachments.
- HTTP and HTTPS proxy — DLP scans HTTP and HTTPS posts.
- FTP proxy — DLP scans content in uploaded files.
If Gateway AntiVirus and DLP are both enabled for the same policy, the Gateway AntiVirus scan result action takes precedence over the DLP action.
About DLP False Positives
DLP looks for content that matches the patterns in the DLP content control rules you select. It is possible that a DLP rule could falsely identify unrelated content that contains similar data as a DLP violation. For example, the rule to match US social security numbers looks for occurrences of 9 digit numbers. Other types of data could also match this pattern, and falsely trigger a DLP violation.