Creating the Data Control Policy

This article discusses how to use the Application Control screen to configure the Data Loss Prevention (DLP) Data Control policy for your account.

Overview of the Data Control Policy

The Data Control policy lets you define rules to inspect how data and content is transferred and moved within and outside of your organization. The Application Control screen now supports two types of rules: CASB App Control and DLP Data Control. The Data Control rules contain additional settings for content inspection, including:

  • File Attributes - Supports over 40 different file types in a variety of categories including: Microsoft Office, executables, and source code. In addition, you can refine the rule to only match a specific range of file sizes, or configure the rule to match encrypted files.

  • DLP Content Profiles - These profiles can define content inspection based on over 350 data types in over 30 countries and languages, including: PII, financial, and medical data

The Application Control policy is an ordered rulebase that lets you define activities for applications and the required criteria for categories. Each rule defines one application or one category. Once a rule matches the traffic, the lower priority rules (below the matching rule) are not applied to the traffic.

The final rule in the rulebase is an implicit ANY ANY allow rule, so if a connection does not match a rule, then it is allowed by the final implicit rule.

DLP Protection for Encrypted Files

The DLP engine has the ability to identify and block files encrypted with a password. This can help secure your information by preventing users from uploading or downloading sensitive data hidden in password-protected files. The DLP engine doesn't scan the contents of the encrypted file, but identifies it as encrypted and applies the relevant rule action. Since the engine doesn't scan the file content, the rule action is applied to all encrypted files regardless of any content profiles configured in the rule. You can define rules to allow or block encrypted files, according to the needs of your organization.

The encrypted files detected by the DLP engine include password-protected files of the following types: Word, Excel, PowerPoint, ZIP, and PDF


  • Data Control rules require that TLS Inspection is enabled to inspect the content.

    • Cato's granular TLS Inspection policy lets you create rules that will only inspect the traffic that is relevant for a Data Control rule.

  • The Application Control policy is included in the CASB license. Enabling Data Control rules in the Application Control policy also requires the DLP license.

    For more about purchasing the above licenses, please contact your Cato representative.

Known Limitations

  • The file size limit for content inspection is between 1KB and 20MB. Events for files outside of this limit show the verdict bypassed due to size

  • The DLP engine bypasses a file if inspection takes longer than 10 seconds.

  • These apps aren't supported for content inspection with Data Control rules:

    • Bitbucket

    • GitHub

    • Google Drive

    • WhatsApp

Understanding DLP in the Application Control Rulebase

Use Data Control rules in the Application Control screen to implement your company's DLP policy and define the content that is blocked by the security stack in the Cato Cloud. This section describes the fields and settings that are specific to Data Control rules. For more information about rules and settings that are also relevant to App Control rules, see Managing the Application Control Policy.





Enable or disable the App Control rules in the policy


Enable or disable the Data Control rules in the policy


Create a new App Control or Data Control rule


Icon that shows the type of rule:

  • Data_Control_Icon.png Data Control rule

  • App_Control_Icon.png App Control rule


Criteria column shows the DLP Content Profiles that match this rule

The DLP Content Profiles are configured in Security > DLP Configuration

Data Control Rule Settings

A Data Control rule has the following sections:

  • General - Name and severity that you choose to assign to the rule. Also lets you enable or disable the rule.

  • Application - Predefined application, category, custom application, or Sanctioned App that matches this rule. Only supported apps appear in the list of predefined applications.

  • Activities - For Data Control rules, the activities are simplified to make it easier to implement the DLP policy. Select if the rule is for upstream and/or downstream traffic.

    • For applications, select the matching activity that the action is applied to.


      Note: For application rules, you must enable TLS Inspection to inspect the traffic that matches the rule.

    • For categories, select the matching criteria that the action is applied to.

    You must define an activity for each rule.

  • File Attributes - Define the type of content and file size for the data that matches this rule, and if there is an AND or OR relationship between the items.

    • Content Type - The drop-down menu shows all the supported file Content Types with file extensions and examples

    • Content Size - The DLP engine can inspect between 1KB and 20MB of content for each connection

    • Content Encrypted - The rule action is applied to all encrypted files. The content of encrypted files can't be scanned by the DLP engine.
  • DLP Profiles - The DLP engine can identify over 350 data types, see Creating DLP Content Profiles. You can configure the profile with an AND or OR relationship between the data types.

  • Access Methods - Requirements for the user agents on hosts and devices that can connect to your account.

  • Source - Source of the traffic for this rule.
    You can set the ​Source​ to a ​Country​​ to create a rule that enforces traffic originating in that country, based on IP geolocation

    For more about Source items for a rule, see Understanding Source, Destination, App, and Category Objects for Rules.

  • Time - Define the time period when the rule is active.

  • Actions - Apply the specified action to traffic that matches the rule. Also define the tracking options for events and email notifications.

Configuring Data Control Rules

Create a new Data Control rule and configure the rule's settings to implement the DLP Data Control policy for your organization.

The Time options define the time range that the rule is enabled. You can configure custom options for a rule, or choose the default working hours that are defined for the account.

To create a new Data Control rule:

  1. From the navigation menu, select Security > Application Control.

  2. Make sure that the Data Control is enabled (green is enabled, grey is disabled).

  3. Click New > Data Control Rule.

    The Data Control Rule panel opens.

  4. Expand the General section and configure these settings:

    1. Enter a Name for the rule.

    2. Enable or disable the rule using the slider (green is enabled, grey is disabled).

    3. Select the Severity.

      The Severity is used in the events and monitoring analytics for this rule.

  5. In the Application section, select Any Application, or you can choose to limit the content inspection to a specific application or category.

  6. Expand the Activities section, and configure these settings:

    1. Click Add Activity and select the item for the rule.

    2. When there are multiple items in the Activities section, in the Satisfy drop-down menu, define the relationship between the items:

      • any (OR) - If any of the items match the traffic, then the rule is applied

      • all (AND) - If all of the items match the traffic, then the rule is applied

  7. In the File Attributes section, you can choose to only inspect content for specific file types and file sizes.

    If you don't configure any File Attribute settings, then all supported file types and sizes are inspected.

    1. Click Add File Attribute and select Content Type, Content Size, or Content Encrypted.

    2. Define the settings for the File Attribute item.

    3. For multiple items, define the relationship between the items (see above 6b).

  8. In the DLP Profiles section, you can add existing Content Inspection profiles and define the data types that match this rule.

    If there are multiple DLP Profiles for a rule, there is an AND relationship between them.

  9. Expand the Access Methods section, and define the user agent requirements.

    If there are multiple items, there is an AND relationship between them.

  10. Expand the Source section and select one or more objects for the traffic source for this rule (or you can enter an IP address).

    Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

  11. (Optional) Expand the Time section, and define when the rule is active.

    Select No time constraint to set the rule as always active.

  12. Expand the Actions section, and configure these settings:

    1. Select the Action for this rule. The options are Allow, Block, and Monitor.

    2. (Optional) Configure tracking options to generate Events and Send Notifications.
      For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  13. Click Apply, and then click Save.

Analyzing Data Control Events

The Events screen shows all the Data Control events for your account. These Security events are the Sub Type, Apps Security.

You can learn more about using the Events screen here.

These are the fields that uniquely related to Application Control:

Field Name


DLP Profiles

DLP Content Profiles that matched this connection

File Name

Name of the file that was scanned by the DLP engine

File Size

Size of the file (in bytes) that was scanned by the DLP engine

File Type

File content type (such as Archive or Microsoft Office)


User Notifications 

If an activity is blocked by a Data Control rule you can configure a notification to be displayed to the User, explaining which app was blocked and why.

Prerequisites for User Notifications

  • Supported from:
    • Windows Client v5.10 and higher
    • macOS Client v5.7 and higher
  • User must be connected remotely
  • Windows notifications must be enabled

Enabling User Notifications

You can enable users to receive system notifications if an activity is blocked by a Data Control rule.

To enable user notifications:

  1. From the navigation menu, select ​Access > Client Access > Security Policy Notifications​​.
  2. Select the ​Enable Security Policy User Notifications​​ checkbox.
  3. Click Save.
To enable user notifications:
To enable user notifications:

Was this article helpful?

5 out of 6 found this helpful


Add your comment