Cato Networks Knowledge Base

Creating the Data Control Policy


This article discusses how to use the Application Control screen to configure the Data Loss Prevention (DLP) Data Control policy for your account.

Overview of the Data Control Policy

The Data Control policy lets you define rules to inspect how data and content are transferred and moved within and outside of your organization. The Application Control screen now supports two types of rules: CASB App Control and DLP Data Control. The Data Control rules contain additional settings for content inspection, including:

  • File Attributes - Supports over 40 different file types in a variety of categories including: Microsoft Office, executables, and source code. In addition, you can refine the rule to only match a specific range of file sizes.

  • DLP Content Profiles - These profiles can define content inspection based on over 350 data types in over 30 countries and languages, including: PII, financial, and medical data.

The Application Control policy is an ordered rulebase that lets you define activities for applications and the required criteria for categories. Each rule defines one application or one category. Once a rule matches the traffic, the lower priority rules (below the matching rule) are not applied to the traffic.

The final rule in the rulebase is an implicit ANY ANY allow rule, so if a connection does not match a rule, then it is allowed by the final implicit rule.

Prerequisites

  • Data Control rules require that TLS Inspection is enabled to inspect the content.

    • Cato's granular TLS Inspection policy lets you create rules that will only inspect the traffic that is relevant for a Data Control rule.

  • The Application Control policy is included in the CASB license. Enabling Data Control rules in the Application Control policy also requires the DLP license.

    For more about purchasing the above licenses, please contact your Cato representative.

Known Limitations

  • The file size limit for content inspection is between 1KB and 20MB. Events for files outside of this limit show the verdict "bypassed due to size".

  • The DLP engine bypasses a file if inspection takes longer than 10 seconds.

  • These apps aren't supported for content inspection with Data Control rules:

    • Bitbucket

    • GitHub

    • Google Drive

    • WhatsApp

Understanding DLP in the Application Control Rulebase

Use Data Control rules in the Application Control screen to implement your company's DLP policy and define the content that is blocked by the security stack in the Cato Cloud. This section describes the fields and settings that are specific to Data Control rules. For more information about rules and settings that are also relevant to App Control rules, see Managing the Application Control Policy.

[Figure: Data Control rules in the Application Control screen, with callouts 1 to 5 described below]

Item  Description
1     Enable or disable the App Control rules in the policy
2     Enable or disable the Data Control rules in the policy
3     Create a new App Control or Data Control rule
4     Icon that shows the type of rule: a Data Control rule icon or an App Control rule icon
5     Criteria column shows the DLP Content Profiles that match this rule. The DLP Content Profiles are configured in Security > DLP Configuration.

Data Control Rule Settings

A Data Control rule has the following sections:

  • General - Name and severity that you choose to assign to the rule. Also lets you enable or disable the rule.

  • Application - Predefined application or category that matches this rule.

  • Activities - For Data Control rules, the activities are simplified to make it easier to implement the DLP policy. Select if the rule is for upstream and/or downstream traffic.

    • For applications, select the matching activity that the action is applied to.

      Note: For application rules, you must enable TLS Inspection to inspect the traffic that matches the rule.

    • For categories, select the matching criteria that the action is applied to.

    You must define an activity for each rule.

  • File Attributes - Define the type of content and file size for the data that matches this rule, and if there is an AND or OR relationship between the items.

    • Content Type - The drop-down menu shows all the supported file Content Types with file extensions and examples.

    • Content Size - The DLP engine can inspect between 1KB and 20MB of content for each connection.

  • DLP Profiles - The DLP engine can identify over 350 data types, see Creating DLP Content Profiles. You can configure the profile with an AND or OR relationship between the data types.

  • Access Methods - Requirements for the user agents on hosts and devices that can connect to your account.

  • Source - Source of the traffic for this rule.

    For more about Source items for a rule, see What is the Cato WAN Firewall?.

  • Time - Define the time period when the rule is active.

  • Actions - Apply the specified action to traffic that matches the rule. Also define the tracking options for events and email notifications.

Configuring Data Control Rules

Create a new Data Control rule and configure the rule's settings to implement the DLP Data Control policy for your organization.

The Time options define the time range that the rule is enabled. You can configure custom options for a rule, or choose the default working hours that are defined for the account.

To create a new Data Control rule:

  1. From the navigation menu, select Security > Application Control.

  2. Make sure that Data Control is enabled (green is enabled, grey is disabled).

  3. Click New > Data Control Rule.

    The Data Control Rule panel opens.

  4. Expand the General section and configure these settings:

    1. Enter a Name for the rule.

    2. Enable or disable the rule using the slider (green is enabled, grey is disabled).

    3. Select the Severity.

      The Severity is used in the events and monitoring analytics for this rule.

  5. In the Application section, select Any Application, or you can choose to limit the content inspection to a specific application or category.

  6. Expand the Activities section, and configure these settings:

    1. Click Add Activity and select the item for the rule.

    2. When there are multiple items in the Activities section, in the Satisfy drop-down menu, define the relationship between the items:

      • any (OR) - If any of the items match the traffic, then the rule is applied

      • all (AND) - If all of the items match the traffic, then the rule is applied

  7. In the File Attributes section, you can choose to only inspect content for specific file types and file sizes.

    If you don't configure any File Attribute settings, then all supported file types and sizes are inspected.

    1. Click Add File Attribute and select Content Type or Content Size.

    2. Define the settings for the File Attribute item.

    3. For multiple items, define the relationship between the items (see step 6b above).

  8. In the DLP Profiles section, you can add existing Content Inspection profiles and define the data types that match this rule.

    If there are multiple DLP Profiles for a rule, there is an AND relationship between them.

  9. Expand the Access Methods section, and define the user agent requirements.

    If there are multiple items, there is an AND relationship between them.

  10. Expand the Source section and select one or more objects for the traffic source for this rule (or you can enter an IP address).

    Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

  11. (Optional) Expand the Time section, and define when the rule is active.

    Select No time constraint to set the rule as always active.

  12. Expand the Actions section, and configure these settings:

    1. Select the Action for this rule. The options are Allow, Block, and Monitor.

    2. (Optional) Configure Track options to generate Event and Email Notifications, and set the time when the notifications are sent. For more information, see: Working with Email Notifications for the Account.

  13. Click Apply, and then click Save.
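The following Python model is an added example, not Cato code, that puts the rulebase semantics described in this article into working form: rules are evaluated top down and the first match wins (Overview), files outside the 1KB to 20MB window get the verdict "bypassed due to size" (Known Limitations), File Attribute items combine with any (OR) or all (AND), DLP Profiles combine with AND (Data Control Rule Settings and steps 6 to 8 above), and an unmatched transfer falls through to the implicit ANY ANY allow. The data model, the sample rules and transfers, and the treatment of an uninspected file as allowed are assumptions made for this example; the event fields mirror the ones listed under Analyzing Data Control Events.

```python
from dataclasses import dataclass

MIN_INSPECT_BYTES = 1 * 1024           # Known Limitations: 1KB lower bound
MAX_INSPECT_BYTES = 20 * 1024 * 1024   # Known Limitations: 20MB upper bound


@dataclass
class Transfer:
    """A file moving through the engine (constructed input for this example)."""
    app: str
    direction: str            # "upstream" (upload) or "downstream" (download)
    file_name: str
    file_type: str            # Content Type, e.g. "Microsoft Office", "Source Code"
    file_size: int            # bytes
    data_types: frozenset     # data types the DLP engine found, e.g. {"SSN"}


@dataclass
class DataControlRule:
    """Assumed representation of one rule; field names are not Cato's."""
    name: str
    action: str                               # "Allow", "Block" or "Monitor"
    app: str = "Any"                          # "Any", or one app/category name
    activities: tuple = ("upstream", "downstream")
    # File Attribute items: ("type", {content types}) or ("size", lo, hi) in bytes
    file_attributes: tuple = ()
    attributes_satisfy: str = "all"           # Satisfy menu: "any" = OR, "all" = AND
    # DLP Profiles: (name, satisfy between data types, {data types}); AND between profiles
    dlp_profiles: tuple = ()
    enabled: bool = True


def _attribute_matches(attr, t):
    if attr[0] == "type":
        return t.file_type in attr[1]
    if attr[0] == "size":
        return attr[1] <= t.file_size <= attr[2]
    raise ValueError(f"unknown File Attribute kind: {attr[0]}")


def _profile_matches(profile, t):
    _name, satisfy, types = profile
    hits = [dt in t.data_types for dt in types]
    return any(hits) if satisfy == "any" else all(hits)


def rule_matches(rule, t):
    """True when every configured section of the rule matches the transfer."""
    if not rule.enabled or t.direction not in rule.activities:
        return False
    if rule.app != "Any" and rule.app != t.app:
        return False
    if rule.file_attributes:   # no items configured = all supported types and sizes
        hits = [_attribute_matches(a, t) for a in rule.file_attributes]
        if not (any(hits) if rule.attributes_satisfy == "any" else all(hits)):
            return False
    return all(_profile_matches(p, t) for p in rule.dlp_profiles)  # AND between profiles


def evaluate(rulebase, t):
    """Walk the ordered rulebase; return (verdict, event) for the transfer."""
    event = {"File Name": t.file_name, "File Size": t.file_size,
             "File Type": t.file_type, "DLP Profiles": [], "Rule": None}
    if not MIN_INSPECT_BYTES <= t.file_size <= MAX_INSPECT_BYTES:
        # Assumption for this model: content that cannot be inspected falls
        # through to the implicit allow, and the event records why.
        event["Rule"] = "implicit ANY ANY allow"
        return "bypassed due to size", event
    for rule in rulebase:        # first match wins; lower rules are not applied
        if rule_matches(rule, t):
            event["Rule"] = rule.name
            event["DLP Profiles"] = [p[0] for p in rule.dlp_profiles]
            return rule.action, event
    event["Rule"] = "implicit ANY ANY allow"
    return "Allow", event


# Constructed sample rulebase, in priority order.
RULEBASE = [
    DataControlRule("Block PII uploads", "Block", activities=("upstream",),
                    file_attributes=(("type", {"Microsoft Office", "PDF"}),),
                    dlp_profiles=(("PII", "any", {"SSN", "Credit Card"}),)),
    DataControlRule("Monitor source code uploads", "Monitor", activities=("upstream",),
                    file_attributes=(("type", {"Source Code"}),
                                     ("size", 0, 5 * 1024 * 1024)),
                    attributes_satisfy="all"),
]

# Constructed transfers, one per evaluation path.
SAMPLES = {
    "pii_upload": Transfer("Box", "upstream", "payroll.xlsx", "Microsoft Office",
                           300 * 1024, frozenset({"SSN"})),
    "code_upload": Transfer("Dropbox", "upstream", "build.py", "Source Code",
                            40 * 1024, frozenset()),
    "pii_download": Transfer("Box", "downstream", "payroll.xlsx", "Microsoft Office",
                             300 * 1024, frozenset({"SSN"})),
    "huge_upload": Transfer("Box", "upstream", "dump.pdf", "PDF",
                            50 * 1024 * 1024, frozenset({"SSN"})),
}


def verdicts():
    """Verdict for each sample transfer, keyed by sample name."""
    return {k: evaluate(RULEBASE, t)[0] for k, t in SAMPLES.items()}
```

Running verdicts() shows the two things most often misread in an ordered rulebase: the download of the same PII spreadsheet is allowed by the implicit rule because the block rule only lists the upstream activity, and the 50MB upload is never inspected at all, so the only record of it is the "bypassed due to size" event rather than a block.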

Analyzing Data Control Events

The Events screen shows all the Data Control events for your account. These Security events have the Sub Type Apps Security.

You can learn more about using the Events screen here.

These are the fields that are unique to Application Control events:

Field Name    Description
DLP Profiles  DLP Content Profiles that matched this connection
File Name     Name of the file that was scanned by the DLP engine
File Size     Size of the file (in bytes) that was scanned by the DLP engine
File Type     File content type (such as Archive or Microsoft Office)
