Configuring DLP Policy Rules with Evaluate All Rules Mode Enabled

Experience Center Help
Policies
Internet & SaaS
Data Protection
Data Loss Prevention
Configuring DLP Policy Rules with Evaluate All Rules Mode Enabled

Experience Center

Configuring DLP Policy Rules with Evaluate All Rules Mode Enabled

This article applies only to organizations with Evaluate All Rules mode enabled. To access this feature, contact your Zscaler Account team.

By default, the Zscaler service evaluates inline Data Loss Prevention (DLP) policy rules according to rule order, with evaluation stopping at the first match. However, if Evaluate All Rules mode is enabled for your organization, you can instead have the Zscaler service evaluate all rules, enforcing the rule with the most restrictive action. Evaluate All Rules mode uses rule order only when multiple rules with the same action are matched. In that case, rule order determines which policy rule is triggered.

You must first delete all existing inline DLP rules before you change the way the Zscaler service evaluates rules. To learn more, see Configuring DLP Advanced Settings.

With Evaluate All Rules mode enabled for your organization, you first set how the Zscaler service evaluates inline DLP rules on the DLP Advanced Settings page (Policies > Data Protection > Common Resources > Advanced Settings).

See image.

You then configure your policy rules based on that setting:

Configuring a DLP policy rule to evaluate all rules
When you configure the Zscaler service to evaluate all rules, you have the ability to create exception rules, which are child rules that allow you to exclude specific users or groups in your organization that must perform tasks as part of a necessary workflow that might otherwise violate inline DLP policy. There is not a limit to the number of exception rules that you can assign to each parent rule. As you configure rules, you also specify whether each rule uses Zscaler DLP engines or a third-party DLP solution.
To configure a DLP policy rule to evaluate all rules:
- 1. Configure DLP dictionaries and engines, if necessary. Use DLP dictionaries and engines as they are or modify them to suit your needs. You can also create custom dictionaries or engines. Skip this step if you don't want to modify or create custom DLP dictionaries and engines.
- 2. Configure DLP notification templates if you want to email notifications to your organization's auditor when your users' transactions violate DLP policy rules.
- 3. Configure ICAP servers if you want to forward information about transactions that violate DLP policy to your third-party solution. Skip this step if you don't have a third-party DLP solution or if you don't want to forward content.
- 4. Define your policy rules.
  To define your policy rules:
  1. Go to Policies > Data Protection > Policy > Inline Controls > Data Loss Prevention.
  2. Click Add DLP Rule.
  3. In the Add DLP Rule window:
    Enter the following DLP Rule attributes:
    Rule Order: This field is configurable, but rule order is not enforced for parent rules when the Zscaler service is configured to evaluate all rules.
    Severity: Select the severity of the violation from the drop-down menu (i.e., High, Medium, Low, or Information).
    Rule Name: Enter a unique name for the DLP rule or use the default name.
    Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order, the Zscaler service skips it and moves to the next rule.
    Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
    Define the following Criteria:
    Content Matching: Select Select DLP Engines to select up to 4 engines. You can also search for DLP engines. If you select None, then the Zscaler service doesn't use DLP engines to scan the content; instead, the service functions as a filter, only flagging content based on the criteria you specify.
    The Match Only option takes effect for both Allow and Block rule actions. You can select Match Only to configure how engines must trigger in order for the service to take action. To learn more, see DLP Policy Configuration Example: Match Only.
    If Match Only is deselected, only one of the engines is required to trigger in order for the service to take action.
    For example, suppose you create two DLP rules:
    Rule 1: Uses the PCI engine, the Match Only option selected, and a Block rule action.
    Rule 2: Uses the PII engine and a Block rule action.
    With Match Only deselected, if a transaction triggers only the PCI engine, then Rule 1 is triggered.
    If Match Only is selected, all engines are required to trigger in order for the service to take action, and the transaction must not match any other engines from different rules.
    For example, suppose you have the same two DLP rules as in the earlier example:
    Rule 1: Uses the PCI engine, the Match Only option selected, and a Block rule action.
    Rule 2: Uses the PII engine and a Block rule action.
    With Match Only selected, if a transaction triggers both the PCI and PII engines, then Rule 2 is triggered.
    The Zscaler DLP engines support files up to 400 MB and can scan the first 100 MB of the extracted text. The maximum size also applies to files extracted from archive files.
    Inspect HTTP GET Query Parameters: You can configure DLP rules to inspect HTTP GET Query Parameters for the following URL categories: Generative AI and ML Applications, Safe Search Engines, Translation Tools, Web Search, and User-Defined Custom URL Categories. To enable, choose Enable for HTTP GET Query Parameters, then select a URL category from the drop-down menu. To learn more, see Configuring DLP Advanced Settings.
    To select a user-defined custom URL category from the drop-down menu, go to the DLP Advanced Settings page (Policies > Data Protection > Common Resources > Advanced Settings) and select a User-Defined URL.
    See image.
    Close
    Source IP Groups: Select Any to apply the rule to all source IP groups, or select any number of source IP groups. You can also search for source IP groups or click the Add icon to add a new source IP group.
    URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL categories. You can search for URL categories or click the Add icon to create a new URL category. You can create DLP policy rules that apply to only content being sent to specific URL categories. For example, you can create a rule that blocks credit card numbers from being sent to websites in the Adult Material URL category.
    You can also select custom TLD categories from this field.
    Conversely, you can create DLP policy rules to exempt some sites from a rule that blocks content. For example, an organization must protect its source code generally, but still allow the content to be sent to certain authorized sites. To achieve this, the organization can create one rule that blocks all outbound source code and create another rule that allows outbound source code to a specific URL category that includes the authorized URLs.
    If you want to exempt a specific website or custom URL category from DLP evaluation, you must add the website or URL category to the Cloud Apps & URL Exceptions for DLP list. To learn more, see Configuring DLP Advanced Settings.
    Cloud Applications: Select Any to apply the rule to all cloud applications, or select any number of cloud applications. You can also search for applications. You can create DLP policy rules that apply to only content being sent to specific cloud applications. For example, you can create a rule that blocks offensive content from being posted to Facebook.
    By default, this field displays the first 100 cloud applications. The subsequent 100 cloud applications are displayed when you click the Click to see more link at the bottom of the list. You can repeat this process to view the remaining cloud applications.
    See image.
    Close
    Conversely, you can create DLP policy rules that allow specific kinds of content to certain applications. For example, you can have a rule that blocks the release of financial information generally and create another rule that exempts financial information being sent to an application like Salesforce.
    If you want to exempt a specific cloud application from DLP evaluation, you must add the cloud application to the Cloud Apps & URL Exceptions for DLP list. To learn more, see Configuring DLP Advanced Settings.
    The DLP policy applies AND logic to the URL Categories and Cloud Applications fields when inspecting your organization's traffic. In order for a DLP rule to trigger, the Zscaler service must detect the rule’s selected URL categories and cloud applications in a transaction.
    Email Recipient Domain Profiles (Gmail and Outlook): Choose Include to apply the rule only to the selected domain profiles, or choose Exclude to apply the rule to all other domain profiles and not selected domain profiles. You can select up to 8 domain profiles, and you can search for domain profiles.
    Cloud Application Instances: Select the cloud application instances to which the rule applies. You can select a maximum of 8 instances per rule.
    The cloud application instance appears only if its parent application is selected as the cloud application.
    Application Segment: Select Any to apply the rule to all application segments, or select up to 255 application segments. You can also search for application segments.
    The list displays only those application segments that have the Source IP Anchor option enabled. To learn more, see Understanding Source IP Anchoring.
    File Type: From the drop-down menu, choose the file types for the rule. You can create DLP policy rules that apply just to content being sent via specific file types. Policies that reference Zscaler DLP engines support different file types than policies that reference external DLP engines. Zscaler DLP engines can scan files of up to 100 MB. For an archived file, the size of individual files when decompressed can also be a maximum of 100 MB.
    Minimum Data Size: Enter the minimum size requirement that data must meet before the DLP rule applies. The default minimum data size, 0 KB, means there is no minimum data size requirement.
    Users: You can specify how the DLP rule applies to your users.
    Choose Include to apply the rule to selected users and no other users. From the drop-down menu, choose Any to apply the rule to all users or select up to 4 users.
    Choose Exclude to apply the rule to all other users and not selected users. You can select up to 256 users.
    When selecting users, you can search for users or click the Add icon to add a new user. If you’ve enabled the Policy for Unauthenticated Traffic, you can also select Special Users to apply this rule to all unauthenticated users or select specific types of unauthenticated users.
    Groups: You can specify how the DLP rule applies to your groups.
    Choose Include to apply the rule to selected groups and no other groups. From the drop-down menu, choose Any to apply the rule to all groups or select up to 8 groups.
    Choose Exclude to apply the rule to all other groups and not selected groups. You can select up to 256 groups.
    When selecting groups, you can search for groups or click the Add icon to add a new group.
    Departments: You can specify how the DLP rule applies to your departments.
    Choose Include to apply the rule to selected departments and no other departments. From the drop-down menu, choose Any to apply the rule to all departments or select up to 8 departments.
    Choose Exclude to apply the rule to all other departments and not selected departments. You can select up to 256 departments.
    When selecting departments, you can search for groups or click the Add icon to add a new department. If you’ve enabled the Policy for Unauthenticated Traffic, you can also select Special Departments to apply this rule to all unauthenticated transactions.
    Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
    The DLP policy applies OR logic to the Users, Groups, and Departments fields when inspecting your organization’s traffic. In order for the DLP rule to trigger, the Zscaler service must detect at least one of the rule’s selected users, groups, or departments.
    User Risk Profile: Select the user risk score levels to which the rule applies. Selecting no value ignores this criterion in the policy evaluation.
    Users are assigned a risk score based on their browsing activities. A range of risk scores is grouped as a risk score level.
    By default, the following user risk score levels are available:
    Low: Level with user risk scores ranging from 0 to 29
    Medium: Level with user risk scores ranging from 30 to 59
    High: Level with user risk scores ranging from 60 to 79
    Critical: Level with user risk scores ranging from 80 to 100
    Contact Zscaler Support to customize the user risk score range of these levels for your organization.
    Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
    Location Groups: Select Any to apply the rule to all location groups, or select up to 32 location groups. You can also search for a location group.
    Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
    Protocols: Select the protocols to which the rule applies.
    HTTP: Data transactions and file uploads from HTTP websites.
    HTTPS: Data transactions and file uploads from HTTP websites encrypted by TLS/SSL.
    Native FTP: Data transactions and file uploads from native FTP servers.
    Workload Groups: Select up to 8 workload groups for which you want to apply the rule. You can also search for a workload group. Selecting None ignores workload groups when the policy is evaluated.
    Inspect Downloads: Enable this option to allow DLP inspection for content downloaded from specific cloud apps. If this option is enabled, you must also choose Any for URL Categories and at least one cloud app for Cloud Application. If disabled, the DLP rule only applies to content being sent to cloud apps.
  4. (Optional) For DLP Incident Receiver, complete one of the following tasks:
    If you don't have a third-party DLP solution or don't want to forward content, leave the following Zscaler Incident Receiver or ICAP Receiver field as None.
    If you want to forward the transactions captured by this policy rule to a DLP incident receiver:
    For Incident Receiver, select whether the DLP incident receiver is an ICAP receiver or a Zscaler Incident Receiver.
    Select the applicable ICAP Receiver or Zscaler Incident Receiver from the drop-down menu. You must configure your ICAP receivers or Zscaler Incident Receivers in order to complete this step.
    Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
    Otherwise, the information that Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
  5. Select the Action for the rule:
    Allow: The service allows and logs the transaction.
    Block: The service blocks and logs the transaction.
    Confirm: Users can justify the transaction to continue, or cancel the transaction altogether; in both cases, the service logs the transaction accordingly.
    If the confirmation message times out without the end user taking action, the Zscaler service automatically cancels the transaction. To learn more, see Configuring User Confirmation Notification Templates.
  6. (Optional) Define the following Notification settings:
    Configure an email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
    Email Auditor Type: Select whether the auditor is from a Hosted database or External to your organization.
    Select the Auditor:
    Email Auditor: If the auditor is from a hosted database, select or search for the auditor.
    Auditor Email Address: If the auditor is external, enter the auditor’s email address.
    Email Notification Template: Select a notification template from the drop-down menu.
    Configure the end user notification (EUN) for the rule. The type of EUN messages that appear on the endpoint depends on the Action configured for the rule.
    End User Notification: Select Show to show an EUN message on endpoints when content triggers the DLP policy rule, or select Hide if you don't want an EUN message to appear.
    Custom Message: Select Default to use the default EUN message configured for inline web DLP, or select a custom EUN message from the drop-down menu. You can also search for custom messages or click the Add icon to add a new custom message.
  7. (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
  8. Click Save and activate the change.
  For example, if a policy rule using predefined Zscaler DLP engines is configured as shown in the following image, the Zscaler service blocks all the files that:
  - Contain medical information
  - Are over 1000 KB in size
  - Are being sent by users in the Operations group through Gmail
  The Zscaler service sends an email notification regarding the policy violation to your organization's auditor but doesn't forward information to an incident receiver.
  See image.
  Close
  Close
- (Optional) 5. Define exception rules.
  Exception rules are child rules that allow you to exclude specific users or groups in your organization who must perform tasks as part of a necessary workflow that might otherwise violate inline DLP policy. There is not a limit to the number of exception rules that you can assign to each parent rule.
  To define an exception rule:
  1. Go to Policies > Data Protection > Policy > Inline Controls > Data Loss Prevention.
  2. Find an existing inline DLP rule in the list and click the Add Exception Rule icon. The Add DLP Exception Rule window appears.
  3. In the Add DLP Exception Rule window:
    Enter the following DLP Exception Rule attributes:
    Rule Order: All parent rules are evaluated. If multiple rules match, the rule with the most restrictive action and highest rule order is applied. Exception rule evaluation stops at the first match, and an exception replaces a parent rule upon match.
    Severity: Select the severity of the violation from the drop-down menu (i.e., High, Medium, Low, or Information).
    Parent Rule Name: This field is inherited from the parent rule and cannot be changed.
    Exception Rule Name: Enter a unique name for the DLP exception rule or use the default name.
    Rule Status: An enabled exception rule is actively enforced. A disabled exception rule is not actively enforced but does not lose its place in the Rule Order, the Zscaler service skips it and moves to the next exception rule.
    Rule Label: Rule labels cannot be configured for exception rules.
    Define the following Criteria:
    Content Matching: Select Select DLP Engines to select up to 4 engines. You can also search for DLP engines. If you select None, then the Zscaler service doesn't use DLP engines to scan the content; instead, the service functions as a filter, only flagging content based on the criteria you specify.
    The Match Only option takes effect for both Allow and Block rule actions. You can select Match Only to configure how engines must trigger in order for the service to take action. To learn more, see DLP Policy Configuration Example: Match Only.
    If Match Only is deselected, only one of the engines is required to trigger in order for the service to take action.
    For example, suppose you create two DLP exception rules:
    Rule 1: Uses the PCI engine, the Match Only option selected, and a Block rule action.
    Rule 2: Uses the PII engine and a Block rule action.
    With Match Only deselected, if a transaction triggers only the PCI engine, then Rule 1 is triggered.
    If Match Only is selected, all engines are required to trigger in order for the service to take action, and the transaction must not match any other engines from different rules.
    For example, suppose you have the same two DLP exception rules as in the earlier example:
    Rule 1: Uses the PCI engine, the Match Only option selected, and a Block rule action.
    Rule 2: Uses the PII engine and a Block rule action.
    With Match Only selected, if a transaction triggers both the PCI and PII engines, then Rule 2 is triggered.
    The Zscaler DLP engines support files up to 400 MB and can scan the first 100 MB of the extracted text. The maximum size also applies to files extracted from archive files.
    Inspect HTTP GET Query Parameters: You can configure DLP rules to inspect HTTP GET Query Parameters for the following URL categories: Generative AI and ML Applications, Safe Search Engines, Translation Tools, Web Search, and User-Defined Custom URL Categories. To enable, choose Enable for HTTP GET Query Parameters, then select a URL category from the drop-down menu. To learn more, see Configuring DLP Advanced Settings.
    To select a user-defined custom URL category from the drop-down menu, go to the DLP Advanced Settings page (Policies > Data Protection > Common Resources > Advanced Settings) and select a User-Defined URL.
    See image.
    Close
    Source IP Groups: Select Any to apply the rule to all source IP groups, or select any number of source IP groups. You can also search for source IP groups or click the Add icon to add a new source IP group.
    URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL categories. You can search for URL categories or click the Add icon to create a new URL category. You can create DLP policy rules that apply to only content being sent to specific URL categories. For example, you can create an exception rule that blocks credit card numbers from being sent to web sites in the Adult Material URL category.
    You can also select custom TLD categories from this field.
    Conversely, you can create DLP policy rules to exempt some sites from a rule that blocks content. For example, an organization must protect its source code generally, but still allow the content to be sent to certain authorized sites. To achieve this, the organization can create one rule that blocks all outbound source code and create another rule that allows outbound source code to a specific URL category that includes the authorized URLs.
    If you want to exempt a specific website or custom URL category from DLP evaluation, you must add the website or URL category to the Cloud Apps & URL Exceptions for DLP list. To learn more, see Configuring DLP Advanced Settings.
    Cloud Applications: Select Any to apply the exception rule to all cloud applications, or select any number of cloud applications. You can also search for applications. You can create DLP policy rules that apply to only content being sent to specific cloud applications. For example, you can create a rule that blocks offensive content from being posted to Facebook.
    By default, this field displays the first 100 cloud applications. The subsequent 100 cloud applications are displayed when you click the Click to see more link at the bottom of the list. You can repeat this process to view the remaining cloud applications.
    See image.
    Close
    Conversely, you can create DLP policy rules that allow specific kinds of content to certain applications. For example, you can have a rule that blocks the release of financial information generally and create another rule that exempts financial information being sent to an application like Salesforce.
    If you want to exempt a specific cloud application from DLP evaluation, you must add the cloud application to the Cloud Apps & URL Exceptions for DLP list. To learn more, see Configuring DLP Advanced Settings.
    The DLP policy applies AND logic to the URL Categories and Cloud Applications fields when inspecting your organization's traffic. In order for a DLP exception rule to trigger, the Zscaler service must detect the rule’s selected URL categories and cloud applications in a transaction.
    Email Recipient Domain Profiles (Gmail and Outlook): Choose Include to apply the rule only to the selected domain profiles, or choose Exclude to apply the rule to all other domain profiles and not selected domain profiles. You can select up to 8 domain profiles, and you can search for domain profiles.
    Cloud Application Instances: Select the cloud application instances to which the exception rule applies. You can select a maximum of 8 instances per exception rule.
    The cloud application instance appears only if its parent application is selected as the cloud application.
    Application Segment: Select Any to apply the exception rule to all application segments, or select up to 255 application segments. You can also search for application segments.
    The list displays only those application segments that have the Source IP Anchor option enabled. To learn more, see Understanding Source IP Anchoring.
    File Type: From the drop-down menu, choose the file types for the exception rule. You can create DLP policy rules that apply just to content being sent via specific file types. Policies that reference Zscaler DLP engines support different file types than policies that reference external DLP engines. Zscaler DLP engines can scan files of up to 100 MB. For an archived file, the size of individual files when decompressed can also be a maximum of 100 MB.
    Minimum Data Size: Enter the minimum size requirement that data must meet before the DLP exception rule applies. The default minimum data size, 0 KB, means there is no minimum data size requirement.
    Users: You can specify how the DLP exception rule applies to your users.
    Choose Include to apply the exception rule to selected users and no other users. From the drop-down menu, choose Any to apply the rule to all users or select up to 4 users.
    Choose Exclude to apply the exception rule to all other users and not selected users. You can select up to 256 users.
    When selecting users, you can search for users or click the Add icon to add a new user. If you’ve enabled the Policy for Unauthenticated Traffic, you can also select Special Users to apply this rule to all unauthenticated users or select specific types of unauthenticated users.
    Groups: You can specify how the DLP exception rule applies to your groups.
    Choose Include to apply the exception rule to selected groups and no other groups. From the drop-down menu, choose Any to apply the rule to all groups or select up to 8 groups.
    Choose Exclude to apply the exception rule to all other groups and not selected groups. You can select up to 256 groups.
    When selecting groups, you can search for groups or click the Add icon to add a new group.
    Departments: You can specify how the DLP exception rule applies to your departments.
    Choose Include to apply the exception rule to selected departments and no other departments. From the drop-down menu, choose Any to apply the rule to all departments or select up to 8 departments.
    Choose Exclude to apply the exception rule to all other departments and not selected departments. You can select up to 256 departments.
    When selecting departments, you can search for groups or click the Add icon to add a new department. If you’ve enabled the Policy for Unauthenticated Traffic, you can also select Special Departments to apply this rule to all unauthenticated transactions.
    Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
    The DLP policy applies OR logic to the Users, Groups, and Departments fields when inspecting your organization’s traffic. In order for the DLP exception rule to trigger, the Zscaler service must detect at least one of the rule’s selected users, groups, or departments.
    User Risk Profile: Select the user risk score levels to which the exception rule applies. Selecting no value ignores this criterion in the policy evaluation.
    Users are assigned a risk score based on their browsing activities. A range of risk scores is grouped as a risk score level.
    By default, the following user risk score levels are available:
    Low: Level with user risk scores ranging from 0 to 29
    Medium: Level with user risk scores ranging from 30 to 59
    High: Level with user risk scores ranging from 60 to 79
    Critical: Level with user risk scores ranging from 80 to 100
    Contact Zscaler Support to customize the user risk score range of these levels for your organization.
    Locations: Select Any to apply the exception rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
    Location Groups: Select Any to apply the exception rule to all location groups, or select up to 32 location groups. You can also search for a location group.
    Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
    Protocols: Select the protocols to which the exception rule applies.
    HTTP: Data transactions and file uploads from HTTP websites.
    HTTPS: Data transactions and file uploads from HTTP websites encrypted by TLS/SSL.
    Native FTP: Data transactions and file uploads from native FTP servers.
    Workload Groups: Select up to 8 workload groups for which you want to apply the rule. You can also search for a workload group. Selecting None ignores workload groups when the policy is evaluated.
    Inspect Downloads: Enable this option to allow DLP inspection for content downloaded from specific cloud apps. If this option is enabled, you must also choose Any for URL Categories and at least one cloud app for Cloud Application. If disabled, the DLP exception rule only applies to content being sent to cloud apps.
  4. (Optional) For DLP Incident Receiver, complete one of the following tasks:
    If you don't have a third-party DLP solution or don't want to forward content, leave the following Zscaler Incident Receiver or ICAP Receiver field as None.
    If you want to forward the transactions captured by this policy rule to a DLP incident receiver:
    For Incident Receiver, select whether the DLP incident receiver is an ICAP receiver or a Zscaler Incident Receiver.
    Select the applicable ICAP Receiver or Zscaler Incident Receiver from the drop-down menu. You must configure your ICAP receivers or Zscaler Incident Receivers in order to complete this step.
    Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the exception rule you configure here. For example, if you configure a Zscaler DLP exception rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
    Otherwise, the information that Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP exception rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
  5. Select the Action for the rule:
    Allow: The service allows and logs the transaction.
    Block: The service blocks and logs the transaction.
    Confirm: Users can justify the transaction to continue, or cancel the transaction altogether; in both cases, the service logs the transaction accordingly.
    If the confirmation message times out without the end user taking action, the Zscaler service automatically cancels the transaction. To learn more, see Configuring User Confirmation Notification Templates.
  6. (Optional) Define the following Notification settings:
    Configure an email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
    Email Auditor Type: Select whether the auditor is from a Hosted database or External to your organization.
    Select the Auditor:
    Email Auditor: If the auditor is from a hosted database, select or search for the auditor.
    Auditor Email Address: If the auditor is external, enter the auditor’s email address.
    Email Notification Template: Select a notification template from the drop-down menu.
    Configure the end user notification (EUN) for the rule. The type of EUN messages that appear on the endpoint depends on the Action configured for the rule.
    End User Notification: Select Show to show an EUN message on endpoints when content triggers the DLP policy rule, or select Hide if you don't want an EUN message to appear.
    Custom Message: Select Default to use the default EUN message configured for inline web DLP, or select a custom EUN message from the drop-down menu. You can also search for custom messages or click the Add icon to add a new custom message.
  7. (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
  8. Click Save and activate the change.
  For example, for an exception rule using predefined Zscaler DLP engines configured as shown in the following image, the Zscaler service will allow all PDF files that:
  - Contain medical information
  - Are any size
  - Are sent via Gmail by members of the Service Admin Group
  See image.
  Close
  Close
Close
Configuring a DLP policy rule to use rule order
Configuring a DLP policy rule to use rule order when Evaluate All Rules mode is enabled for your organization fundamentally resembles default Zscaler behavior, in that the Zscaler service stops evaluating rules at the first match. The biggest difference is that you have a single option to create a DLP rule, instead of initially choosing between creating a DLP rule with content inspection or creating a DLP rule without content inspection. Additionally, unlike configuring a DLP policy rule to evaluate all rules, you do not have the option to create exception rules.
To configure a DLP policy rule to use rule order:
- 1. Configure DLP dictionaries and engines, if necessary. Use DLP dictionaries and engines as they are or modify them to suit your needs. You can also create custom dictionaries or engines. Skip this step if you don't want to modify or create custom DLP dictionaries and engines.
- 2. Configure DLP notification templates if you want to email notifications to your organization's auditor when your users' transactions violate DLP policy rules.
- 3. Configure ICAP servers if you want to forward information about transactions that violate DLP policy to your third-party solution. Skip this step if you don't have a third-party DLP solution or if you don't want to forward content.
- 4. Define your policy rules.
  To define your policy rules:
  1. Go to Policies > Data Protection > Policy > Inline Controls > Data Loss Prevention.
  2. Click Add DLP Rule.
  3. In the Add DLP Rule window:
    Enter the following DLP Rule attributes:
    Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned Admin Rank determines the Rule Order values you can select.
    Severity: Select the severity of the violation from the drop-down menu (i.e., High, Medium, Low, or Information).
    Rule Name: Enter a unique name for the DLP rule or use the default name.
    Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order, the Zscaler service skips it and moves to the next rule.
    Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
    Define the following Criteria:
    Content Matching: Select Select DLP Engines to select up to 4 engines. You can also search for DLP engines. If you select None, then the Zscaler service doesn't use DLP engines to scan the content; instead, the service functions as a filter, only flagging content based on the criteria you specify.
    If deselected, only one of the engines is required to trigger in order for the service to take action.
    If selected, all engines are required to trigger in order for the service to take action, and the transaction must not match any other engines from different rules.
    For example, you create a DLP rule with the PCI engine and select the Match Only option. In this case, the rule does not trigger when a transaction triggers both the PCI and HIPAA engine. It only triggers when a transaction triggers only the PCI engine.
    The Zscaler DLP engines support files up to 400 MB and can scan the first 100 MB of the extracted text. The maximum size also applies to files extracted from archive files.
    Inspect HTTP GET Query Parameters: You can configure DLP rules to inspect HTTP GET Query Parameters for the following URL categories: Generative AI and ML Applications, Safe Search Engines, Translation Tools, Web Search, and User-Defined Custom URL Categories. To enable, choose Enable for HTTP GET Query Parameters, then select a URL category from the drop-down menu. To learn more, see Configuring DLP Advanced Settings.
    To select a user-defined custom URL category from the drop-down menu, go to the DLP Advanced Settings page (Policies > Data Protection > Common Resources > Advanced Settings) and select a User-Defined URL.
    See image.
    Close
    Source IP Groups: Select Any to apply the rule to all source IP groups, or select any number of source IP groups. You can also search for source IP groups or click the Add icon to add a new source IP group.
    URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL categories. You can search for URL categories or click the Add icon to create a new URL category. You can create DLP policy rules that apply to only content being sent to specific URL categories. For example, you can create a rule that blocks credit card numbers from being sent to web sites in the Adult Material URL category.
    You can also select custom TLD categories from this field.
    Conversely, you can create DLP policy rules to exempt some sites from a rule that blocks content. For example, an organization must protect its source code generally, but still allow the content to be sent to certain authorized sites. To achieve this, the organization can create one rule that blocks all outbound source code and create another rule that allows outbound source code to a specific URL category that includes the authorized URLs.
    If you want to exempt a specific website or custom URL category from DLP evaluation, you must add the website or URL category to the Cloud Apps & URL Exceptions for DLP list. To learn more, see Configuring DLP Advanced Settings.
    Cloud Applications: Select Any to apply the rule to all cloud applications, or select any number of cloud applications. You can also search for applications. You can create DLP policy rules that apply to only content being sent to specific cloud applications. For example, you can create a rule that blocks offensive content from being posted to Facebook.
    By default, this field displays the first 100 cloud applications. The subsequent 100 cloud applications are displayed when you click the Click to see more link at the bottom of the list. You can repeat this process to view the remaining cloud applications.
    See image.
    Close
    Conversely, you can create DLP policy rules that allow specific kinds of content to certain applications. For example, you can have a rule that blocks the release of financial information generally and create another rule that exempts financial information being sent to an application like Salesforce.
    If you want to exempt a specific cloud application from DLP evaluation, you must add the cloud application to the Cloud Apps & URL Exceptions for DLP list. To learn more, see Configuring DLP Advanced Settings.
    The DLP policy applies AND logic to the URL Categories and Cloud Applications fields when inspecting your organization's traffic. In order for a DLP rule to trigger, the Zscaler service must detect the rule’s selected URL categories and cloud applications in a transaction.
    Email Recipient Domain Profiles (Gmail and Outlook): Choose Include to apply the rule only to the selected domain profiles, or choose Exclude to apply the rule to all other domain profiles and not selected domain profiles. You can select up to 8 domain profiles, and you can search for domain profiles.
    Cloud Application Instances: Select the cloud application instances to which the rule applies. You can select a maximum of 8 instances per rule.
    The cloud application instance appears only if its parent application is selected as the cloud application.
    Application Segment: Select Any to apply the rule to all application segments, or select up to 255 application segments. You can also search for application segments.
    The list displays only those application segments that have the Source IP Anchor option enabled. To learn more, see Understanding Source IP Anchoring.
    File Type: From the drop-down menu, choose the file types for the rule. You can create DLP policy rules that apply just to content being sent via specific file types. Policies that reference Zscaler DLP engines support different file types than policies that reference external DLP engines. Zscaler DLP engines can scan files of up to 100 MB. For an archived file, the size of individual files when decompressed can also be a maximum of 100 MB.
    Minimum Data Size: Enter the minimum size requirement that data must meet before the DLP rule applies. The default minimum data size, 0 KB, means there is no minimum data size requirement.
    Users: You can specify how the DLP rule applies to your users.
    Choose Include to apply the rule to selected users and no other users. From the drop-down menu, choose Any to apply the rule to all users or select up to 4 users.
    Choose Exclude to apply the rule to all other users and not selected users. You can select up to 256 users.
    When selecting users, you can search for users or click the Add icon to add a new user. If you’ve enabled the Policy for Unauthenticated Traffic, you can also select Special Users to apply this rule to all unauthenticated users or select specific types of unauthenticated users.
    Groups: You can specify how the DLP rule applies to your groups.
    Choose Include to apply the rule to selected groups and no other groups. From the drop-down menu, choose Any to apply the rule to all groups or select up to 8 groups.
    Choose Exclude to apply the rule to all other groups and not selected groups. You can select up to 256 groups.
    When selecting groups, you can search for groups or click the Add icon to add a new group.
    Departments: You can specify how the DLP rule applies to your departments.
    Choose Include to apply the rule to selected departments and no other departments. From the drop-down menu, choose Any to apply the rule to all departments or select up to 8 departments.
    Choose Exclude to apply the rule to all other departments and not selected departments. You can select up to 256 departments.
    When selecting departments, you can search for groups or click the Add icon to add a new department. If you’ve enabled the Policy for Unauthenticated Traffic, you can also select Special Departments to apply this rule to all unauthenticated transactions.
    Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
    The DLP policy applies OR logic to the Users, Groups, and Departments fields when inspecting your organization’s traffic. In order for the DLP rule to trigger, the Zscaler service must detect at least one of the rule’s selected users, groups, or departments.
    User Risk Profile: Select the user risk score levels to which the rule applies. Selecting no value ignores this criterion in the policy evaluation.
    Users are assigned a risk score based on their browsing activities. A range of risk scores is grouped as a risk score level.
    By default, the following user risk score levels are available:
    Low: Level with user risk scores ranging from 0 to 29
    Medium: Level with user risk scores ranging from 30 to 59
    High: Level with user risk scores ranging from 60 to 79
    Critical: Level with user risk scores ranging from 80 to 100
    Contact Zscaler Support to customize the user risk score range of these levels for your organization.
    Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
    Location Groups: Select Any to apply the rule to all location groups, or select up to 32 location groups. You can also search for a location group.
    Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
    Protocols: Select the protocols to which the rule applies.
    HTTP: Data transactions and file uploads from HTTP websites.
    HTTPS: Data transactions and file uploads from HTTP websites encrypted by TLS/SSL.
    Native FTP: Data transactions and file uploads from native FTP servers.
    Workload Groups: Select up to 8 workload groups for which you want to apply the rule. You can also search for a workload group. Selecting None ignores workload groups when the policy is evaluated.
    Inspect Downloads: Enable this option to allow DLP inspection for content downloaded from specific cloud apps. If this option is enabled, you must also choose Any for URL Categories and at least one cloud app for Cloud Application. If disabled, the DLP rule only applies to content being sent to cloud apps.
  4. (Optional) For DLP Incident Receiver, complete one of the following tasks:
    If you don't have a third-party DLP solution or don't want to forward content, leave the following Zscaler Incident Receiver or ICAP Receiver field as None.
    If you want to forward the transactions captured by this policy rule to a DLP incident receiver:
    For Incident Receiver, select whether the DLP incident receiver is an ICAP receiver or a Zscaler Incident Receiver.
    Select the applicable ICAP Receiver or Zscaler Incident Receiver from the drop-down menu. You must configure your ICAP receivers or Zscaler Incident Receivers in order to complete this step.
    Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
    Otherwise, the information that Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
  5. Select the Action for the rule:
    Allow: The service allows and logs the transaction.
    Block: The service blocks and logs the transaction.
    Confirm: Users can justify the transaction to continue, or cancel the transaction altogether; in both cases, the service logs the transaction accordingly.
    If the confirmation message times out without the end user taking action, the Zscaler service automatically cancels the transaction. To learn more, see Configuring User Confirmation Notification Templates.
  6. (Optional) Define the following Notification settings:
    Configure an email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
    Email Auditor Type: Select whether the auditor is from a Hosted database or External to your organization.
    Select the Auditor:
    Email Auditor: If the auditor is from a hosted database, select or search for the auditor.
    Auditor Email Address: If the auditor is external, enter the auditor’s email address.
    Email Notification Template: Select a notification template from the drop-down menu.
    Configure the end user notification (EUN) for the rule. The type of EUN messages that appear on the endpoint depends on the Action configured for the rule.
    End User Notification: Select Show to show an EUN message on endpoints when content triggers the DLP policy rule, or select Hide if you don't want an EUN message to appear.
    Custom Message: Select Default to use the default EUN message configured for inline web DLP, or select a custom EUN message from the drop-down menu. You can also search for custom messages or click the Add icon to add a new custom message.
  7. (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
  8. Click Save and activate the change.
  For example, if a policy rule using predefined Zscaler DLP engines is configured as shown in the following image, the Zscaler service blocks all the files that:
  - Contain medical information
  - Are over 1000 KB in size
  - Are being sent by users in the Operations group through Gmail
  The Zscaler service sends an email notification regarding the policy violation to your organization's auditor but doesn't forward information to an incident receiver.
  See image.
  Close
  Close
Close

Experience Center

Configuring DLP Policy Rules with Evaluate All Rules Mode Enabled

Related Articles