To detect data that matches specific content categories, you can create DLP sensors. You apply a DLP sensor to one or more policies to monitor or enforce adherence to your organization's information security policy. Each DLP sensor contains rules, actions, and settings.
When you first start to use the Data Loss Prevention service, we recommend that you configure the DLP sensor to allow content that matches the selected content control rules, and to send a log message when a DLP violation is detected. This enables you to monitor the activity on your network before you configure DLP to drop, block, or quarantine content that matches the rules configured in the DLP sensor. For more information, see Monitor DLP Activity.
When enabled, the Data Loss Prevention service adds more scanning load and consumes additional memory on your appliance. Some DLP rules are very resource-intensive. If you enable many sensors and rules, the performance of the device could be noticeably affected. Each DLP sensor requires additional space in memory, and the number of DLP rules that are configured on each sensor also impacts the amount of memory used by the appliance. Only select those rules that are appropriate for your region and the use case that is relevant to your industry. This will also help to minimize any potential false positives.
On the XTM 25/26, WatchGuard recommends that you use no more than one or two sensors, and each sensor should not contain more than 6 DLP rules.
For each sensor, you select which of the predefined content control or custom rules to enable. A content control rule is a set of conditions that describes content that the rule can identify in a file. The content control rules are based on the DLP signature set, and are updated over time as the DLP signatures are updated. Custom rules are rules you create to search for phrases specific to your organization.
Each content control rule has four properties: name, region, category, and quantity.
For each rule, the rule name briefly describes the type of data the rule identifies. Some rules look for a single type of data, such as telephone numbers, or social security numbers. Other rules look for a combination of related data, such as credit card numbers near personally identifiable information.
Each rule applies to a specific region. Some types of data are only applicable to a specific region. Other types of data are formatted differently in different regions. For example, there are several driver's license rules for different regions. If a rule can identify the specified data type for multiple regions, the region is set to Global. You can filter the rules list by region.
For each rule, the category describes which general type of data the rule can identify.
Each content control rule has an associated quantity value, which is a measure of the weighted number of matches the rule must find in a scanned object in order to trigger a DLP violation. You can look up the quantity values for each rule on the WatchGuard Security Portal.
For information, see Look Up DLP Rules on the Security Portal.
You cannot modify the default quantity of matches for DLP rules in your configuration.
For each sensor you define actions to take if the sensor detects content that matches the rules enabled in the sensor. You specify one action to take for content detected in email traffic, and another action to take for content detected in non-email traffic.
Actions for email traffic:
Recipients cannot see or manage messages quarantined due to a DLP violation. Only the administrator can manage messages quarantined by DLP.
Actions for non-email traffic:
By default, a DLP sensor contains one DLP action, which applies to scanned content from all sources and destinations. You can configure multiple actions for the same DLP sensor. This enables you to configure different actions based on the source or destination of the traffic. For each action, you can also configure whether to generate a log message and whether to send an alarm when the sensor detects content that matches the enabled rules in the sensor.
In the DLP settings, you can set the scan limit, and configure the actions to take if content cannot be scanned for any of these reasons:
For each of these three conditions, you can set different actions for content detected in email and non-email traffic.
DLP includes two sensor types: built-in sensors, and user-defined sensors. The built-in sensors enable the content rules related to compliance with HIPAA (the Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry) information security standards. The built-in sensors are configured to allow all traffic, and to create a log message each time they detect content that matches the content control rules. The built-in sensors do not block any content, even if the content cannot be scanned.
The two built-in sensors are:
You cannot edit or delete the built-in sensors, but you can clone them, and edit the clone.
Any sensor you create is a user-defined sensor. To create a user-defined sensor, you can clone an existing sensor or add a new one. When you configure a sensor, you select the content control and custom rules, actions, and settings that make sense for your organization.
When you add a DLP sensor, the Data Loss Prevention Wizard helps you to create the sensor, and apply it to proxy policies. The wizard shows different pages depending on whether you already have proxy policies in your configuration. If you do not, the wizard helps you create one or more proxy policies.
To add a DLP sensor:
To make a copy of an existing sensor, you clone it. This creates another user-created sensor that you can edit. To clone a sensor, select the sensor you want to copy, and click Clone. Then edit the sensor as described in the subsequent sections.
You can edit any of the user-created sensors. To edit a sensor:
The first action in a new sensor applies to all traffic from any source to any destination. When you edit and add sensor actions, you can add multiple actions that each apply to traffic from different sources or to different destinations. For each action, you can set the source and the destination to one of these types:
To add or edit actions when you edit a sensor:
If you add more than one action to a DLP sensor, DLP uses the actions in priority order from the top down. If you add multiple sensor actions, make sure that the action that applies to a more specific source or destination appears higher in the list than an action that applies to a less specific source and destination. For example, if you use the DLP action that applies to traffic from any source to any destination, make sure that any other actions you add are higher in the list.
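The following added example models the top-down action evaluation and the ordering rule described above; it is illustrative code written for this page, not WatchGuard's implementation or API. The `SensorAction` class, the CIDR-based source and destination scopes, and the sample addresses are assumptions; the `shadowed_actions` check flags a narrower action that can never fire because a broader one sits above it in the list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # stands in for the "Any" source/destination type (assumed representation)


def _in_scope(scope, ip):
    return scope == ANY or ip_address(ip) in ip_network(scope, strict=False)


def _covers(broad, narrow):
    """True if every address in `narrow` also falls inside `broad`."""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))


@dataclass
class SensorAction:
    name: str
    source: str = ANY          # ANY or a CIDR such as "10.0.1.0/24" (constructed)
    destination: str = ANY
    action: str = "allow"      # allow, drop, block or quarantine
    log: bool = True
    alarm: bool = False

    def matches(self, src_ip, dst_ip):
        return _in_scope(self.source, src_ip) and _in_scope(self.destination, dst_ip)


def select_action(actions, src_ip, dst_ip):
    """Top-down evaluation: the first action whose source and destination match wins."""
    for act in actions:
        if act.matches(src_ip, dst_ip):
            return act
    return None


def shadowed_actions(actions):
    """Names of actions that can never fire because a broader action is listed above them."""
    shadowed = []
    for i, lower in enumerate(actions):
        for upper in actions[:i]:
            if _covers(upper.source, lower.source) and _covers(upper.destination, lower.destination):
                shadowed.append(lower.name)
                break
    return shadowed


# Constructed sample: a catch-all allow placed above a narrower drop for one subnet.
SAMPLE = [
    SensorAction("log-everything"),
    SensorAction("drop-finance-uploads", source="10.0.1.0/24", action="drop", alarm=True),
]
```

Reversing `SAMPLE` so the subnet-specific action comes first clears the shadowing warning and makes the drop action win for traffic from 10.0.1.0/24.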
To change the order of actions in a DLP sensor:
In each user-defined DLP sensor, you can change the settings that control how DLP scans content, and what action to take if content cannot be scanned. To configure the scan settings, click the Settings tab.
For more information about these settings, see Configure DLP Scan Settings.
To delete a sensor:
You cannot delete the built-in sensors, or a sensor that is used by a policy.