Configure DLP Sensors

To detect data that matches specific content categories, create DLP sensors. You apply a DLP sensor to one or more policies to monitor or enforce adherence to your organization's information security policy. Each DLP sensor contains rules, actions, and settings.

When you first start to use the Data Loss Prevention service, we recommend that you configure the DLP sensor to allow content that matches the selected content control rules, and to send a log message when a DLP violation is detected. This enables you to monitor the activity on your network before you configure DLP to drop, block, or quarantine content that matches the rules configured in the DLP sensor. For more information, see Monitor DLP Activity.

DLP and Device Performance

When enabled, the Data Loss Prevention service adds more scanning load and consumes additional memory on your appliance. Some DLP rules are very resource-intensive. If you enable many sensors and rules, the performance of the device could be noticeably affected. Each DLP sensor requires additional space in memory, and the number of DLP rules that are configured on each sensor also impacts the amount of memory used by the appliance. Only select those rules that are appropriate for your region and the use case that is relevant to your industry. This will also help to minimize any potential false positives.

On the XTM 25/26, WatchGuard recommends that you use no more than one or two sensors, and each sensor should not contain more than 6 DLP rules.

Rules

For each sensor, you select which of the predefined content control or custom rules to enable. A content control rule is a set of conditions that describes content that the rule can identify in a file. The content control rules are based on the DLP signature set, and are updated over time as the DLP signatures are updated. Custom rules are rules you create to search for phrases specific to your organization.

Each content control rule has four properties.

Name

For each rule, the rule name briefly describes the type of data the rule identifies. Some rules look for a single type of data, such as telephone numbers or social security numbers. Other rules look for a combination of related data, such as credit card numbers near personally identifiable information.

Region

Each rule applies to a specific region. Some types of data are only applicable to a specific region. Other types of data are formatted differently in different regions. For example, there are several driver's license rules for different regions. If a rule can identify the specified data type for multiple regions, the region is set to Global. You can filter the rules list by region.

Category

For each rule, the category describes which general type of data the rule can identify.

Quantity

Each content control rule has an associated quantity value, which is a measure of the weighted number of matches the rule must find in a scanned object to trigger a DLP violation. You can look up the quantity values for each rule on the WatchGuard Security Portal.

For information, see Look Up DLP Rules on the Security Portal.

You cannot modify the default quantity of matches for DLP rules in your configuration.
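The quantity threshold is easiest to understand with a small model of how a rule counts matches. The following Python is an added example, not WatchGuard code and not the DLP signature format: the regex, the Luhn validator, the weight and the quantity value of 3 are all assumptions chosen for illustration, and the sample texts are constructed. It shows why a single card number in a message does not reach the quantity, why three do, and why digit strings that fail validation count for nothing.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Pattern:
    """One detector inside a rule: a regex plus the weight each match adds."""
    regex: "re.Pattern[str]"
    weight: int
    # Optional validator applied to the normalised match (separators removed).
    # A failed validation contributes nothing, which is how a signature avoids
    # counting arbitrary digit strings as card numbers (assumed behaviour).
    validator: Optional[Callable[[str], bool]] = None


@dataclass(frozen=True)
class Rule:
    name: str
    region: str
    category: str
    quantity: int            # weighted match count needed for a violation
    patterns: Tuple[Pattern, ...]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (assumed validator)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def weighted_matches(rule: Rule, text: str) -> int:
    """Sum the weights of all validated matches for every pattern in the rule."""
    score = 0
    for p in rule.patterns:
        for m in p.regex.finditer(text):
            token = re.sub(r"[ -]", "", m.group(0))
            if p.validator is None or p.validator(token):
                score += p.weight
    return score


def evaluate(rule: Rule, text: str) -> Tuple[bool, int]:
    """Return (violation, score); a violation needs score >= rule.quantity."""
    score = weighted_matches(rule, text)
    return score >= rule.quantity, score


# Constructed rule (not a WatchGuard signature): 13-16 digit groups that pass
# Luhn, with quantity 3 so one number in a message is not a violation.
CARD_RULE = Rule(
    name="Credit Card Numbers (example)",
    region="Global",
    category="Financial",
    quantity=3,
    patterns=(
        Pattern(re.compile(r"\b(?:\d[ -]?){13,16}\b"), weight=1, validator=luhn_ok),
    ),
)

# Constructed sample content; the valid numbers are well-known test card numbers.
SINGLE_CARD = "Customer card on file: 4111 1111 1111 1111, expires 12/27."
BULK_EXPORT = "4111 1111 1111 1111\n5500 0000 0000 0004\n4012 8888 8888 1881\n"
ORDER_IDS = "Order refs: 4111 1111 1111 1112, 5500 0000 0000 0005, 4012 8888 8888 1882"

if __name__ == "__main__":
    for label, text in (("single", SINGLE_CARD), ("bulk", BULK_EXPORT), ("ids", ORDER_IDS)):
        print(label, evaluate(CARD_RULE, text))
```

Raising the quantity is the lever that trades recall for fewer false positives; since the appliance does not let you change the quantity of a predefined rule, the practical equivalent is to enable only the rules whose region and category fit your data, as the performance section above recommends.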

Actions

For each sensor you define actions to take if the sensor detects content that matches the rules enabled in the sensor. You specify one action to take for content detected in email traffic, and another action to take for content detected in non-email traffic.

Actions for email traffic:

Recipients cannot see or manage messages quarantined due to a DLP violation. Only the administrator can manage messages quarantined by DLP.

Actions for non-email traffic:

By default, a DLP sensor contains one DLP action, which applies to scanned content from all sources and destinations. You can configure multiple actions for the same DLP sensor. This enables you to configure different actions based on the source or destination of the traffic. For each action, you can also configure whether to generate a log message and whether to send an alarm when the sensor detects content that matches the enabled rules in the sensor.

Settings

In the DLP settings, you can set the scan limit, and configure the actions to take if content cannot be scanned for any of these reasons:

For each of these three conditions, you can set different actions for content detected in email and non-email traffic.

Sensor Types

DLP includes two sensor types: built-in sensors and user-defined sensors. The built-in sensors enable the content rules related to compliance with HIPAA (the Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry) information security standards. The built-in sensors are configured to allow all traffic and to create a log message each time they detect content that matches the content control rules. The built-in sensors do not block any content, even if the content cannot be scanned.

The two built-in sensors correspond to these two rule sets: one for HIPAA and one for PCI.

You cannot edit or delete the built-in sensors, but you can clone them, and edit the clone.

Any sensor you create is a user-defined sensor. To create a user-defined sensor, you can clone an existing sensor or add a new one. When you configure a sensor, you select the content control and custom rules, actions, and settings that make sense for your organization.

Add a Sensor

When you add a DLP sensor, the Data Loss Prevention Wizard helps you to create the sensor, and apply it to proxy policies. The wizard shows different pages depending on whether you already have proxy policies in your configuration. If you do not, the wizard helps you create one or more proxy policies.

To add a DLP sensor:

  1. Select Subscription Services > Data Loss Prevention.
    The Data Loss Prevention dialog box appears.
  2. In the Sensors tab, click Add.
    The Data Loss Prevention Wizard starts.

Screen shot of the Data Loss Prevention Wizard Welcome page

  3. In the Name text box, edit the name of the sensor.
  4. (Optional) In the Description text box, type a description for this sensor.
  5. Click Next.
    A list of configured FTP, SMTP, HTTP, and HTTPS proxy policies appears. If your configuration does not include any policies that support DLP, the wizard skips this step.

Screen shot of the Data Loss Prevention Wizard, Policies page

  6. To enable Data Loss Prevention for a policy, select the check box adjacent to any policy that does not already have Data Loss Prevention enabled.
  7. Click Next.
    If your configuration does not already include an HTTP, FTP, or SMTP proxy policy, the wizard asks if you want to create new proxy policies. If your configuration already includes all of the proxy policy types supported by DLP, the wizard skips this step.

Screen shot of the Data Loss Prevention Wizard, Create new policies page

  8. Select the check box adjacent to each policy you want the wizard to create.
  9. Click Next.
    The list of content control rules appears.

Screen shot of the Data Loss Prevention wizard, Rules page

  10. In the list of rules, select the check box for each content control rule or custom rule you want to enable for this sensor.
    You can change the list view, for example by filtering the rules by region, to find the rules you want to enable.
  11. Click Next.
    The Actions settings appear.

Screen shot of the Data Loss Prevention Wizard, Actions page

  12. From the When content is detected in email drop-down list, select the action to take when content in an email message matches the enabled rules in this sensor.
  13. From the When content is detected in non-email traffic drop-down list, select the action to take when content in non-email traffic matches the enabled rules in this sensor.
  14. To trigger an alarm when this sensor detects content, select the Alarm check box.
  15. To create log messages when this sensor detects content, select the Log check box.
  16. Click Next.
  17. Click Finish to close the wizard.
    The new sensor appears in the Sensors tab in the Data Loss Prevention dialog box.

Clone a Sensor

To make a copy of an existing sensor, you clone it. This creates another user-defined sensor that you can edit. To clone a sensor, select the sensor you want to copy, and click Clone. Then edit the sensor as described in the subsequent sections.

Edit a Sensor

You can edit any user-defined sensor. To edit a sensor:

  1. Select Subscription Services > Data Loss Prevention.
    The Data Loss Prevention dialog box appears.
  2. In the Sensors tab, select a user-defined sensor, and click Edit.
    The Edit Data Loss Prevention Sensor dialog box appears.

Screen shot of the Data Loss Prevention, Rules tab

  3. In the Rules tab, select the check box for each content control or custom rule you want to enable for this sensor, or clear the check box to disable an enabled rule.
    You can change the list view, for example by filtering the rules by region, to find the rules you want to enable.
  4. Edit the sensor actions and settings as described in the subsequent sections.

Add or Edit Sensor Actions

The first action in a new sensor applies to all traffic from any source to any destination. When you edit and add sensor actions, you can add multiple actions that each apply to traffic from different sources or to different destinations. For each action, you can set the source and the destination to one of these types:

To add or edit actions when you edit a sensor:

  1. Click the Actions tab.
    The list of actions enabled for this sensor appears.

Screen shot of the Edit Data Loss Prevention, Actions tab

  2. To add a new action, click Add.
    Or, to edit an existing action, select the action and click Edit.
    The Add Sensor Action Properties dialog box appears.

Screen shot of the Add Sensor Action Properties dialog box

  3. From the Source drop-down list, select the type of source address to define for this action.
  4. If you select a source other than Any, type the source address in the text box adjacent to the Source drop-down list.
  5. From the Destination drop-down list, select the type of destination address to define for this action.
  6. If you select a destination other than Any, type the destination address in the text box adjacent to the Destination drop-down list.
  7. From the When content is detected in email drop-down list, select the action to take when content in an email message matches the enabled rules in this sensor.
  8. From the When content is detected in non-email traffic drop-down list, select the action to take when content in non-email traffic matches the enabled rules in this sensor.
  9. To trigger an alarm when this sensor detects matching content, select the Alarm check box.
  10. To create log messages when this sensor detects matching content, select the Log check box.
  11. Click OK.
    The new action appears in the Actions tab for the sensor.

Reorder Sensor Actions

If you add more than one action to a DLP sensor, DLP uses the actions in priority order from the top down. If you add multiple sensor actions, make sure that the action that applies to a more specific source or destination appears higher in the list than an action that applies to a less specific source and destination. For example, if you use the DLP action that applies to traffic from any source to any destination, make sure that any other actions you add are higher in the list.
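The ordering rule is the classic first-match problem: an Any/Any action placed at the top silently swallows every more specific action below it. The following Python is an added example, not WatchGuard code; it models the Actions tab as an ordered list, selects the first action whose source and destination cover the traffic, and adds a check that reports actions which can never be selected. The matcher types (Any, a host IP, a CIDR network), the action names and the two sample configurations are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class SensorAction:
    """One row of a sensor's Actions tab. Source and destination are modelled
    as 'Any', a single host IP, or a CIDR network (assumed matcher types)."""
    source: str
    destination: str
    email: str        # action when content is detected in email traffic
    non_email: str    # action when content is detected in non-email traffic
    log: bool = True
    alarm: bool = False


def _covers_addr(spec: str, addr: str) -> bool:
    """Does this source/destination spec match a concrete address?"""
    if spec == "Any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def select_action(actions: Sequence[SensorAction], src: str, dst: str) -> Optional[SensorAction]:
    """First action, top down, whose source and destination both cover the traffic."""
    for action in actions:
        if _covers_addr(action.source, src) and _covers_addr(action.destination, dst):
            return action
    return None


def _covers_spec(outer: str, inner: str) -> bool:
    """Does every address matched by `inner` also match `outer`?"""
    if outer == "Any":
        return True
    if inner == "Any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False)
    )


def shadowed_actions(actions: Sequence[SensorAction]) -> List[int]:
    """Indices of actions that can never be selected because an earlier action
    already covers every source/destination pair they would match."""
    dead = []
    for i, later in enumerate(actions):
        for earlier in actions[:i]:
            if _covers_spec(earlier.source, later.source) and _covers_spec(
                earlier.destination, later.destination
            ):
                dead.append(i)
                break
    return dead


# Constructed configurations. The intent of both is the same: drop matching
# content everywhere except from the 10.0.1.0/24 subnet, which is only logged.
WRONG_ORDER = [
    SensorAction("Any", "Any", email="Block", non_email="Drop"),
    SensorAction("10.0.1.0/24", "Any", email="Allow", non_email="Allow", alarm=True),
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))

if __name__ == "__main__":
    for name, cfg in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        chosen = select_action(cfg, "10.0.1.7", "203.0.113.9")
        print(name, chosen.non_email if chosen else None, "shadowed:", shadowed_actions(cfg))
```

The shadowing check is the one worth running after every edit to the Actions tab: an action that is never selected is not just dead configuration, it is a control you believe is in place but is not.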

To change the order of actions in a DLP sensor:

  1. Click the Actions tab.
  2. Click the Source or Destination of the action you want to move.
  3. Click Move Up to move the selected action higher in the list.
  4. Click Move Down to move the selected action lower in the list.

Configure Sensor Scan Settings

In each user-defined DLP sensor, you can change the settings that control how DLP scans content, and what action to take if content cannot be scanned. To configure the scan settings, click the Settings tab.

For more information about these settings, see Configure DLP Scan Settings.

Delete a Sensor

To delete a sensor:

  1. Select Subscription Services > Data Loss Prevention.
  2. Select the sensor you want to delete.
  3. Click Remove.

You cannot delete the built-in sensors, or a sensor that is used by a policy.

See Also

About Data Loss Prevention
