How do I configure a policy to bypass Zscaler's DLP engines and forward content to on-premise DLP?

This article provides instructions on configuring policy rules to bypass Zscaler's DLP engines and forward content to external DLP engines using secure ICAP. In this scenario, the Zscaler service does not scan the content with its DLP engines but functions as a filter, only forwarding content based on specific criteria you specify so that your organization can perform analysis as necessary.

To configure a policy to bypass Zscaler DLP engines and forward content to external DLP engines via ICAP, you must complete the following tasks in the order below:

A.  Configure your DLP notification templates if you want to email notifications to your organization's auditor when DLP rules are triggered by users' content.

B.  Configure the ICAP servers to which you want to forward content.

C.  Define your policy rules.

Defining Policy Rules

To add a rule:

  1. Go to Policy > Web > Data Loss Prevention.
  2. Click Add and select External DLP Engine to create a new rule.
  3. Enter the DLP rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria.
    • DLP Engines: Since your on-premise DLP engine conducts the actual scanning of content, this field is prepopulated with “External DLP Engine” and cannot be modified. In this scenario, the Zscaler service does not scan the content with its DLP engines but functions as a filter, only forwarding content based on the specific criteria you specify.
    • URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL categories. You can search for URL categories or click the Add icon to create a new URL category. With this option, you can have Zscaler forward content being sent to specific URL categories (for example, content going to websites in the Adult Material URL category).
    • Cloud Applications: Select Any to apply the rule to all cloud applications, or select any number of cloud applications. You can also search for applications. With this option, you can have Zscaler forward content being sent to specific cloud applications (Facebook, for example).
    • Outbound Data: Choose Select File Types if you want to select the file types the rule applies to, or All if you want the rule to apply to all outbound data, regardless of file type.  
    • File Type (applicable only if you choose Select File Types): Select the file types you want the rule to apply to. You can select any number of file types and also search for file types.
    • Data Size: Enter the data size a file must exceed in order for the rule to apply. For example, if you enter 100, the rule applies only if a file exceeds 100 KB. The default minimum data size, 0 KB, means that the rule applies to files of any size.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Select the action for the rule.
    • You can Allow or Block transactions that match the criteria in the rule (specified URL categories, cloud applications, file type, and minimum data size). If you select Allow, the service will allow but log the transaction, and if you select Block, the service will block and log the transaction.
  6. Configure an email notification for the rule. If you do not select an auditor and notification template, a notification will not be sent for this rule.
    • Select whether the auditor is from a hosted database or external.
    • Select the auditor:
      • If the auditor is from the hosted database, select or search for the auditor.
      • If the auditor is external, enter the auditor’s email address.
    • Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template. Read more about configuring your notification templates. 
  7. To forward content captured by this rule to an ICAP server:
    1. If you want to forward the transactions captured by this policy rule to an on-premise ICAP server:
      1. Select the applicable server from the dropdown menu. (You must have configured your ICAP servers in order to complete this step.)
      2. Ensure that in your on-premise DLP solution, you have configured a policy rule that detects the same file type as the rule you configure here. For example, if you configure an External DLP rule in the admin portal that specifies PDFs as a file type criteria, you must also configure a rule in your on-premise DLP solution that specifies PDFs as a file type. Otherwise, the information that the Zscaler service sends to your on-premise solution regarding a particular rule violation will not appear in your on-premise solution dashboard.
        Note, however, that the rules need not correspond exactly in other criteria. For example, an External DLP rule in the admin portal blocks PDFs going to a specific URL category. The rule in your on-premise DLP solution must also block PDFs, but it need not specify the same URL category as an additional criteria.
  8. Optionally, enter a Description with any additional notes or information. The description cannot exceed 10240 characters.
  9. Click Save and activate the change.
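The following is an added example, not Zscaler code or its API: a small Python model of how the rule attributes and criteria described in steps 3 to 7 combine (ascending Rule Order with first match, disabled rules skipped, the strict "exceeds" Data Size threshold with 0 KB meaning any size, Allow/Block with optional ICAP forwarding), plus the step 7 check that every file type a forwarding rule selects is also detected by a rule in the on-premise DLP solution. Rule names, the server name `icap-dlp-1`, and the sample policy are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ExternalDlpRule:
    name: str
    rule_order: int          # evaluated ascending, first match wins
    enabled: bool = True     # disabled rules keep their order but are skipped
    file_types: set | None = None       # None models "All" outbound data
    url_categories: set | None = None   # None models "Any"
    min_size_kb: int = 0                # file must EXCEED this; 0 = any size
    action: str = "ALLOW"               # ALLOW or BLOCK (both are logged)
    icap_server: str | None = None      # None = do not forward to on-prem DLP

@dataclass
class Transaction:
    file_type: str
    url_category: str
    size_kb: int

def matches(rule: ExternalDlpRule, tx: Transaction) -> bool:
    if not rule.enabled:
        return False
    if rule.file_types is not None and tx.file_type not in rule.file_types:
        return False
    if rule.url_categories is not None and tx.url_category not in rule.url_categories:
        return False
    # "Data Size" is a strict threshold: with 100, a 100 KB file does not match.
    return rule.min_size_kb == 0 or tx.size_kb > rule.min_size_kb

def evaluate(rules, tx):
    """Returns (action, icap_server, rule_name) of the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.rule_order):
        if matches(rule, tx):
            return rule.action, rule.icap_server, rule.name
    return "ALLOW", None, None  # nothing matched: nothing is forwarded

def missing_onprem_file_types(rule, onprem_file_types):
    """Step 7 parity check: forwarded file types no on-premise DLP rule detects."""
    if rule.icap_server is None or rule.file_types is None:
        return set()  # not forwarded, or "All": nothing to compare per type
    return rule.file_types - set(onprem_file_types)

# Constructed sample policy, not taken from the article.
RULES = [
    ExternalDlpRule("pdf-to-adult", 1, file_types={"PDF"}, url_categories={"Adult Material"},
                    min_size_kb=100, action="BLOCK", icap_server="icap-dlp-1"),
    ExternalDlpRule("old-catch-all", 2, enabled=False, action="BLOCK"),
    ExternalDlpRule("forward-docs", 3, file_types={"PDF", "DOCX"}, icap_server="icap-dlp-1"),
]
```

Running `missing_onprem_file_types` over each forwarding rule before activating the policy surfaces the file types whose violations would otherwise never appear in the on-premise dashboard.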

To learn how to use Zscaler's DLP engines to detect data and also forward content to external DLP engines, see How do I configure rules for Zscaler's DLP engines?

For an overview of all available DLP policy configuration options, click here.