Configure DLP Custom Rule

You can use a DLP custom rule to scan your network traffic for special phrases that are specific to your organization. This allows you to customize your DLP configuration beyond the predefined rules to better help you monitor and control the transmission of sensitive documents and messages outside of your network.

For example, many organizations use security classifications for documents and email messages. If the document or message is considered highly sensitive, it can contain special text that indicates that it is confidential and should not be communicated outside of your networks. The first line or header of a document or email message can include the classification text, such as the phrase "Classification: Confidential". You can use these classifications with a DLP custom rule to monitor your network traffic and make sure that sensitive documents and messages that contain these phrases do not leave your network.

The custom rule can contain multiple words and phrases that you want to monitor or control. You can then configure a DLP sensor to detect the custom rule and enable the DLP sensor for a policy.

Custom rules have these limitations:

  • You can only create one custom rule within the DLP configuration.
  • A phrase or word only needs to be detected once to trigger the custom rule. There is no weight configuration for a custom rule.
  • Each phrase can be up to 127 characters in length. Long phrase lengths can impact system performance.
  • The number of phrases in your custom rule can impact system performance. WatchGuard recommends that you use a maximum of 15 phrases within a custom rule.
  • Phrases must consist of Unicode characters in the Basic Multilingual Plane (BMP) only. The BMP is the first 65,536 characters in Unicode and consists of most major language character sets.
  • Only simple text matches are performed. Regular expressions are not supported.
  • Text matches are case-insensitive.

Add a Custom Rule

To add a custom rule:

  1. Select Subscription Services > Data Loss Prevention.
    The Data Loss Prevention dialog box appears.
  2. Select the Custom Rule tab.
  3. In the Rule name text box, type a descriptive name for the custom rule.
    The name can be up to 43 characters in length.
  4. In the List of phrases text box, type one or more words or phrases with a maximum of one phrase per line.

Screen shot of the Data Loss Prevention page, Policies tab

DLP Custom Rule in Fireware Web UI

Screen shot of the Data Loss Prevention dialog box, Custom Rule tab

DLP Custom Rule in Policy Manager

  5. Save your configuration.
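Before you paste a phrase list into the List of phrases text box, you can check it offline against the limits listed above. The following Python script is an added example, not WatchGuard code: the function names, the regex-detection heuristic, the sample phrases, and the use of `casefold()` to approximate case-insensitive matching are assumptions, and length is counted in Unicode code points.

```python
import re

MAX_RULE_NAME = 43      # rule name limit from the procedure above
MAX_PHRASE_LEN = 127    # per-phrase limit
RECOMMENDED_MAX = 15    # recommended number of phrases
# Heuristic (assumption): tokens that suggest the author expected regex matching.
REGEX_HINT = re.compile(r"\\[dwsb]|\.[*+]|\[[^\]]+\]|\(\?|\|")

def lint_custom_rule(rule_name, phrase_text):
    """Return (errors, warnings, deduplicated phrases) for one-phrase-per-line text."""
    errors, warnings, phrases, seen = [], [], [], {}
    if not rule_name.strip():
        errors.append("rule name is empty")
    elif len(rule_name) > MAX_RULE_NAME:
        errors.append(f"rule name is {len(rule_name)} characters (limit {MAX_RULE_NAME})")
    for lineno, raw in enumerate(phrase_text.splitlines(), 1):
        phrase = raw.strip()
        if not phrase:
            continue  # blank lines carry no phrase
        if len(phrase) > MAX_PHRASE_LEN:
            errors.append(f"line {lineno}: {len(phrase)} characters (limit {MAX_PHRASE_LEN})")
        outside = sorted({f"U+{ord(c):04X}" for c in phrase if ord(c) > 0xFFFF})
        if outside:
            errors.append(f"line {lineno}: outside the BMP: {', '.join(outside)}")
        if REGEX_HINT.search(phrase):
            warnings.append(f"line {lineno}: looks like a regex; it will be matched as literal text")
        key = phrase.casefold()  # matches are case-insensitive, so case variants are redundant
        if key in seen:
            warnings.append(f"line {lineno}: duplicates line {seen[key]} ignoring case")
            continue
        seen[key] = lineno
        phrases.append(phrase)
    if len(phrases) > RECOMMENDED_MAX:
        warnings.append(f"{len(phrases)} phrases (recommended maximum {RECOMMENDED_MAX})")
    return errors, warnings, phrases

def first_match(phrases, text):
    """Approximate the documented matching: literal, case-insensitive, one hit is enough."""
    folded = text.casefold()
    return next((p for p in phrases if p.casefold() in folded), None)

# Constructed sample input; only the classification phrase comes from this page.
SAMPLE_PHRASES = "Classification: Confidential\nclassification: confidential\nProject \\d+ Internal\nTop Secret \U0001F512\n"
SAMPLE_MESSAGE = "Subject: Q3 plan\nCLASSIFICATION: CONFIDENTIAL\nDo not forward."

if __name__ == "__main__":
    errs, warns, kept = lint_custom_rule("Document classification markers", SAMPLE_PHRASES)
    for msg in errs + warns:
        print(msg)
    print("matched phrase:", first_match(kept, SAMPLE_MESSAGE))
```

Errors correspond to the documented hard limits. Warnings cover the performance recommendation and phrases that would not behave as their author probably expected.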

Add a Custom Rule to a DLP Sensor

In the settings for a DLP sensor, you can enable a custom rule that contains the phrases to monitor and control. Then, you can enable the DLP sensor for each policy.

  1. On the Sensors tab, configure the DLP sensors.
    For more information, see Configure DLP Sensors.
  2. On the Policies tab, select which DLP sensor to use for each policy.
    For more information, see Configure DLP for Policies.

Screen shot of the Data Loss Prevention page, DLP Wizard with custom rule

DLP Rules in Fireware Web UI

Screen shot of the Data Loss Prevention dialog box, DLP Wizard with custom rule

DLP Rules in Policy Manager

See Also

About Data Loss Prevention