Cato Networks Knowledge Base

DLP Troubleshooting

Issue

Complications with Data Loss Prevention (DLP) policies can cause unexpected results, leading to potential security risks.

This might be due to a configuration that doesn't align with the requirements, or to an inaccurately defined custom Data Type or DLP Profile.

This article will delve into these specific issues, providing guidance on how to troubleshoot these common problems to ensure that your data control rules are working as expected and sensitive data remains secure.

Initial Assessment Using Events

Filtering for Data Loss Prevention (DLP) events in the Events screen can be done by selecting the "Apps Security" preset:

Events that are associated with data control rules include insightful fields such as the DLP Profiles that were triggered, the matched Data Types, file attributes and more.

This will allow you to understand what is currently being triggered, and further ask yourself 'Are the results in line with what I expected according to my configuration?'

Troubleshooting DLP

Common requirements: When troubleshooting Data Loss Prevention (DLP) not working as expected, it's crucial to ensure that the Application Control configurations, where the data control policies are defined, are aligned with the prerequisites:

  • File Size: Minimum file size is 1KB and the maximum is 20MB.
    • This threshold is calculated on the HTTP request/response in which the file is transferred. In some cases, when uploading or downloading, the HTTP request/response is compressed, so a file that is larger than 1KB on disk may still fall below the threshold in its compressed form.

    • This can be confirmed by generating a HAR file and identifying the relevant HTTP GET/POST request. Examine the 'Headers' section, specifically the 'Content-Length' header, which indicates the size of the HTTP body in bytes.

  • Image, audio, video, and binary files are not supported.

  • Extra caution needs to be exercised when matching the JAR file using the Content Type because a .JAR file can either be a Zip archive or a Java archive (JAR) file. Refer to Data Control Rule Doesn't Work on JAR File When Match By Source Code for more details.

  • TLS inspection must be enabled and active on traffic that is expected to be scanned.
    • Specific OS types (Android, Linux, unknown OS types) are not TLS inspected.
    • Native client applications are not TLS inspected; TLS inspection only triggers on web applications (due to certificate pinning concerns).
    • Make sure your Internet firewall policy contains two rules with a high priority (near the top of the rule-base) to block QUIC and GQUIC, as TLS inspection cannot work on this type of traffic.

      To verify whether a certain request is using the QUIC protocol, generate a HAR file and inspect the "Protocol" column of the relevant POST/GET request. If a request is using QUIC, it will be listed as "h3", "http/2+quic/46" or similar.

  • Data Control Rules are only supported for "Cloud Applications". The full list of what Cato defines as "Cloud Applications" can be found under "Monitoring -> App Catalog", filtered for "Type: Cloud Application".
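The two HAR checks described above (the Content-Length of the transferred body against the 1KB-20MB window, and the Protocol column for QUIC) can be automated over an exported HAR file. The script below is an added example and not Cato's own tooling; it assumes the standard HAR layout (log.entries[].request/response with header lists and httpVersion) and runs on a constructed sample capture.

```python
import json

MIN_BYTES = 1024                # 1KB lower bound stated in the article
MAX_BYTES = 20 * 1024 * 1024    # 20MB upper bound stated in the article

# Constructed sample HAR (not a real capture): an eligible upload, a tiny QUIC download, an oversized upload.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "https://files.example/upload",
                 "headers": [{"name": "Content-Length", "value": "524288"}]},
     "response": {"httpVersion": "http/1.1", "headers": []}},
    {"request": {"method": "GET", "url": "https://files.example/small.csv", "headers": []},
     "response": {"httpVersion": "h3", "headers": [{"name": "content-length", "value": "700"}]}},
    {"request": {"method": "POST", "url": "https://files.example/big",
                 "headers": [{"name": "Content-Length", "value": str(25 * 1024 * 1024)}]},
     "response": {"httpVersion": "http/2.0", "headers": []}},
]}})

def header_value(headers, name):
    """Case-insensitive lookup in a HAR header list ([{name, value}, ...])."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None

def is_quic(http_version):
    """HAR httpVersion mirrors the DevTools Protocol column: h3 or ...quic... means QUIC."""
    v = (http_version or "").lower()
    return v.startswith("h3") or "quic" in v

def check_entry(entry):
    """Return size and TLS-inspection findings for one HAR entry."""
    req, resp = entry["request"], entry["response"]
    upload = req["method"].upper() in ("POST", "PUT", "PATCH")
    # The body the DLP engine sees is the request for uploads and the response for downloads.
    raw = header_value(req["headers"] if upload else resp["headers"], "Content-Length")
    size = int(raw) if raw and raw.isdigit() else None
    issues = []
    if size is None:
        issues.append("no Content-Length on the transferred body")
    elif size < MIN_BYTES:
        issues.append(f"body is {size} B, below the 1KB minimum (check for compression)")
    elif size > MAX_BYTES:
        issues.append(f"body is {size} B, above the 20MB maximum")
    if is_quic(req.get("httpVersion")) or is_quic(resp.get("httpVersion")):
        issues.append("QUIC transport, not TLS inspected; block QUIC/GQUIC in the firewall")
    return {"url": req["url"], "size": size, "issues": issues}

def check_har(har_text):
    """Parse HAR text and return the findings for every entry."""
    return [check_entry(e) for e in json.loads(har_text)["log"]["entries"]]
```

Feed it the contents of a real HAR export in place of SAMPLE_HAR; an entry with an empty issues list meets the size and TLS prerequisites, and each issue names the prerequisite that fails.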

Validation Tools:

  1. Validating Regular Expressions: When using a custom Data Type with regex, the regex tester box becomes an invaluable asset. It allows you to test your regex patterns and validate their accuracy. It's always advisable to test your patterns here first to avoid unwanted results in the DLP system.

  2. DLP Validator Tool: Validating Data Types with a Test File is an essential and helpful step in the troubleshooting process. It provides a hands-on way to validate DLP rules against real-world data, serving as an effective method for identifying and rectifying issues.

An example is successfully validating a keyword Data Type against a .csv file.

The "Export Extracted Text" option can be useful for examining the parsed textual data of the file as it was scanned by the DLP engine.

For example, you can verify that the sensitivity label IDs attached to a document are detected by reviewing the .txt file generated by the "Export Extracted Text" option, such as the parsed text of a .docx containing an MIP label.

- Please reach out to Cato Support for more details, if required.
