How do I monitor or block outbound content by data size?

There may be cases in which you want to leverage Zscaler’s DLP policy to monitor or block specific types of outbound content by data size, without scanning for specific data within the content. For example, you may want to block outbound image files (such as GIF or JPEG), but only those that exceed a certain data size. (In Zscaler’s File Type Control module, you can set policy to block image files, but you cannot specify data size.)

In such a scenario, you can leverage the External DLP Engine policy option. When configuring the policy, you can simply specify the criteria Zscaler uses for monitoring or blocking content, but refrain from specifying an ICAP server. Zscaler will monitor or block outbound content based on the criteria you specify, but will not send content to any external DLP engines.

See below for more on configuring this policy option. For an overview of other available DLP policy configuration options, see Overview: Data Loss Prevention (DLP).

Configuring rules for this scenario involves the following steps:

  1. Configure your DLP notification templates if you want to email notifications to your organization's auditor when DLP rules are applied to users' content.
  2. Define your policy rules.

  1. Go to Policy > Web > Data Loss Prevention.
  2. Click Add and select External DLP Engine to create a new rule. Note, no content will be sent to external DLP engines in this configuration.
  3. Enter the DLP rule attributes:
    • Rule Order
      Each time you create a new rule, the service assigns it a number, which increments by one every time a new rule is added. This determines the order in which the service evaluates the rules in a policy. The service evaluates rules in ascending numerical order; therefore, it starts with Rule 1, then with Rule 2, and so on. You can edit a rule to change its order in the policy.
    • Admin Rank
      This option appears if you enabled the Admin Ranking feature in the Advanced Settings page. Learn more about Admin Ranking.
    • Status  
      A rule’s status can be Enabled or Disabled. An enabled rule is actively enforced. A disabled rule is not actively enforced, but it does not lose its place in the Rule Order scheme. The service simply skips it and moves to the next rule.
  4. Define the criteria.
    • DLP Engines: This field is prepopulated with “External DLP Engine.” Again, no content will be sent to external DLP engines in this configuration.
    • URL Categories: You can choose to apply the rule to data being sent to specific URL categories. Select Any to apply the rule to all URL categories, or select any number of URL categories. You can also click the Add icon to create a custom URL category.
    • Cloud Applications: You can choose to apply the rule to data being sent to specific cloud applications. Select Any to apply the rule to all cloud applications, or select any number of cloud applications.
    • Outbound Data: Choose Select File Types if you want to select the file types the rule applies to, or All if you want the rule to apply to all outbound data, regardless of file type.  
    • File Type (applicable only if you choose Select File Types): Select the file types you want the rule to apply to. You can select any number of file types and also search for file types.
    • Data Size: Enter the data size a file must exceed in order for the rule to apply. For example, if you enter 100, the rule applies only if a file exceeds 100 KB. The default minimum data size, 0 KB, means that the rule applies to files of any size.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. Keep in mind that to apply the rule to unauthenticated traffic, you must apply this rule to all locations. You can also click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can also click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. Keep in mind that to apply the rule to unauthenticated traffic, you must apply this rule to all locations. You can also click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also click the Add icon to add a new location. Keep in mind that to apply this rule to unauthenticated traffic, you must select Any to apply the rule to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also click the Add icon to add a new time interval.
  5. ICAP Servers: Leave the selection as None.
  6. Data Traffic: Select Allow or Block for the rule.
    • Allow: The service allows and logs the transaction.
    • Block: The service blocks and logs the transaction.  
  7. Auditor Type: If you want to send an auditor a notification when this rule triggers, select one of the following:
    • Hosted: Select this option if the auditor is from a hosted database in your organization. In the Auditor field below, select an auditor.
    • External: Select this option if the auditor is external to your organization. In Auditor Email Address, enter the auditor’s email address.
  8. Notification Template: Select a template from the menu. You must have already configured your notification templates (in Task B above).
  9. Description: Optionally, enter additional notes or information. The description cannot exceed 10240 characters.
  10. Click Save and activate the change.
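
To sanity-check a planned rule set before activating it, the Rule Order, Status, File Type and Data Size criteria described above can be modelled offline. This is an added example, not Zscaler code or a Zscaler API; the `Rule` class, the function names, 1 KB = 1024 bytes, and stopping at the first rule that applies are all assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

KB = 1024  # assumption: the "KB" in the Data Size field means 1024 bytes


@dataclass(frozen=True)
class Rule:  # hypothetical model of one rule, not a Zscaler object
    order: int                          # Rule Order
    action: str                         # Data Traffic: "ALLOW" or "BLOCK"
    min_size_kb: int = 0                # Data Size the file must exceed
    file_types: frozenset = frozenset() # empty set = Outbound Data "All"
    enabled: bool = True                # Status


def applies(rule: Rule, file_type: str, size_bytes: int) -> bool:
    """True if the rule's Status, File Type and Data Size criteria all match."""
    if not rule.enabled:
        return False  # disabled rules are skipped but keep their order
    if rule.file_types and file_type.lower() not in rule.file_types:
        return False
    if rule.min_size_kb == 0:
        return True   # default 0 KB: the rule applies to files of any size
    return size_bytes > rule.min_size_kb * KB  # must exceed, not equal


def evaluate(rules, file_type: str, size_bytes: int) -> Optional[Tuple[int, str]]:
    """Walk rules in ascending Rule Order; return (order, action) of the
    first rule that applies (first-match is an assumption), else None."""
    for rule in sorted(rules, key=lambda r: r.order):
        if applies(rule, file_type, size_bytes):
            return rule.order, rule.action
    return None


IMAGES = frozenset({"gif", "jpeg"})
# Constructed sample policy: rule 1 is disabled, rule 2 blocks large images.
RULES = [
    Rule(1, "BLOCK", min_size_kb=50, file_types=IMAGES, enabled=False),
    Rule(2, "BLOCK", min_size_kb=100, file_types=IMAGES),
    Rule(3, "ALLOW", min_size_kb=0),
]

if __name__ == "__main__":
    for ftype, size in [("jpeg", 80 * KB), ("jpeg", 100 * KB),
                        ("jpeg", 100 * KB + 1), ("pdf", 5000 * KB)]:
        print(ftype, size, evaluate(RULES, ftype, size))
```

The 80 KB JPEG shows the effect of leaving rule 1 disabled: it would have been blocked at the 50 KB threshold, but falls through to rule 3 instead.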