Configure DLP Scan Settings
In each user-defined DLP sensor, you can change the settings that control how DLP scans content, and what action to take if content cannot be scanned.
The DLP sensor settings you can configure control:
- How much of a file or object to scan (the scan limit)
- What action to take if content cannot be scanned for each of these reasons:
- the size of the content exceeds the scan limit
- a scan error occurred
- the content is password protected
If you enable DLP and Gateway AntiVirus for the same proxy action, the larger configured scan limit is used for both services.
The actions you can configure in the settings are:
- Allow — Allows the connection or email
- Drop — Denies the request and drops the connection. No information is sent to the source of the content.
- Block — Denies the request, drops the connection, and adds the IP address of the content source to the Blocked Sites list.
- Remove (email only) — Removes the email attachment that cannot be scanned
- Quarantine (email only) — Quarantines the email message. For more information on the Quarantine Server, go to About the Quarantine Server.
- Deny (email only) — Denies the request and drops the connection. A notification is sent to the source of the content.
- Lock (email only) — Locks the attachment. This is a good option for files that cannot be scanned by the Firebox. A file that is locked cannot be opened easily by the user. Only the administrator can unlock an attachment locked by DLP. For more information about how to unlock a file, go to Unlock a File Locked by DLP.
To configure scan settings for a DLP sensor:
- Select Subscription Services > Data Loss Prevention.
- Select a user-defined DLP sensor, and click Edit.
- Select the Settings tab.
DLP Settings tab in Policy Manager
- In the limit scanning to first text box, type the file scan limit.
If a file is larger than this size, DLP scans only the first part of the file, up to the limit. - In the When content exceeds scan limit section, select the action the Firebox takes if the size of a file to be scanned exceeds the scan limit.
- In the When content is detected in email drop-down list, select the action to take for email .
- In the When content is detected in non-email traffic drop--down list, select the action to take for non-email traffic.
- In the When a scan error occurs section, select the action the Firebox takes when it cannot scan a file due to a scan error.
- In the When content is detected in email drop-down list, select the action to take for email.
- In the When content is detected in non-email traffic drop--down list, select the action to take for non-email traffic.
Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that DLP does not support, such as password-protected Zip files.
- In the When password protected section, select the action the Firebox takes when it cannot scan a file because it is password protected.
- In the When content is detected in email drop-down list, select the action to take for email.
- In the When content is detected in non-email traffic drop--down list, select the action to take for non-email traffic.
- To create log messages for each type of action, select the Log check box in the section for the action.
- To trigger an alarm for each type of action, select the Alarm check box in the section for the action.