Configuring Policies Using Zscaler DLP Engines


You can use Zscaler's DLP engines to detect data, allow or block transactions, and notify your organization's auditor when a user's transaction triggers a DLP rule. If your organization has a third-party DLP solution, Zscaler can forward information about transactions that trigger DLP policy to your third-party solution via secure Internet Content Adaptation Protocol (ICAP). However, Zscaler does not take ICAP responses from your DLP solution. Zscaler only monitors or blocks content according to the policy you configure, then forwards information about transactions so that your organization can take necessary remediation steps.

The maximum file size Zscaler DLP engines can scan is 100 MB. This limit also applies to individual files extracted from archive files.

To configure a DLP policy using a Zscaler DLP Engine:

  1. Configure DLP dictionaries and engines, if necessary. Use DLP dictionaries and engines as they are or modify them to suit your needs. You can also create custom dictionaries or engines. Skip this step if you don't want to modify or create custom DLP dictionaries and engines.
  2. Configure DLP notification templates if you want to email notifications to your organization's auditor when your users' transactions violate DLP policy rules.
  3. Configure ICAP servers if you want to forward information about transactions that violate DLP policy to your third-party solution. Skip this step if you don't have a third-party DLP solution or if you don't want to forward content.
  4. Define your policy rules.

To define your policy rules:

  1. Go to Policy > Data Loss Prevention.
  2. Click Add and select Zscaler DLP Engine.
  3. In the Add DLP Rule window:
    1. Enter the following DLP Rule attributes:
  • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned Admin Rank determines the Rule Order values you can select.
  • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned Admin Rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
  • Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order; the service skips it and moves to the next rule.
    2. Define the following Criteria:
  • DLP Engines: Select Any to choose all DLP engines for this rule, or select any number of engines. You can search for DLP engines or click the Add icon to create a new DLP engine. Only one of the engines is required to trigger in order for the service to take action. However, all of the dictionaries in a given engine must trigger for an engine to trigger.
  • URL Categories: Select Any to apply the rule to all URL categories, or select any number of URL categories. You can search for URL categories or click the Add icon to create a new URL category. You can create DLP policy rules that apply just to content being sent to specific URL categories. For example, you can create a rule that blocks credit card numbers from being sent to web sites in the Adult Material URL category.


Conversely, you can create rules to exempt some sites from a rule that blocks content. For example, an organization needs to protect its source code generally, but still allow the content to be sent to certain authorized sites. To achieve this, the organization can create one rule that blocks all outbound source code and create another rule that allows outbound source code to a specific URL category that includes the authorized URLs.

  • Cloud Applications: Select Any to apply the rule to all cloud applications, or select any number of cloud applications. You can also search for applications. You can create DLP policy rules that apply just to content being sent to specific cloud applications. For example, you can create a rule that blocks offensive content from being posted to Facebook.


Conversely, you can create rules that allow specific kinds of content to certain applications. For example, you can have a rule that blocks the release of financial information generally and create another rule that exempts financial information being sent to an application like Salesforce.

  • File Type: From the drop-down menu, choose the file types for the rule. You can create DLP policy rules that apply just to content being sent via specific file types. Policies that reference Zscaler's DLP engines support different file types than policies that reference external DLP engines. Zscaler DLP engines can scan files of up to 100 MB. For an archived file, each individual file can also be a maximum of 100 MB when decompressed.
  • Minimum Data Size: Enter the minimum size requirement that data must meet before the DLP rule applies. The default minimum data size, 0 KB, means there is no minimum data size requirement.
  • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the Policy for Unauthenticated Traffic, you can also select Special Users or specific types of unauthenticated users to apply this rule to. You can search for users or click the Add icon to add a new user.
  • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
  • Departments: Select Any to apply the rule to all departments, or select up to 8 departments. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Departments in order to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.

Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.

    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
    • Protocols: Select the protocols to which the rule applies.
      • HTTP: Data transactions and file uploads from HTTP websites.
      • HTTPS: Data transactions and file uploads from HTTP websites encrypted by TLS/SSL.
      • Native FTP: Data transactions and file uploads from native FTP servers. (Requires the Cloud Firewall subscription.)
    3. For ICAP Server, complete one of the following tasks:
    • If you don't have a third-party DLP solution or don't want to forward content, leave the field as None.
    • If you want to forward the transactions captured by this policy rule to an on-premise ICAP server:
      1. Select the applicable server from the drop-down menu. You must configure your ICAP servers in order to complete this step.
      2. Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.


    Otherwise, the information that Zscaler sends to your solution regarding a particular rule violation will not appear in your on-premise solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premise DLP solution must also block credit card numbers, but needn't match the URL category criteria.

    4. Select the Action for the rule. You can Allow or Block transactions that match the rule. If you select Allow, the service allows and logs the transaction. If you select Block, the service blocks and logs the transaction.
    5. (Optional) Configure an email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
      1. For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
      2. Select the Auditor:
        • If the auditor is from a hosted database, select or search for the auditor.
        • If the auditor is external, enter the auditor’s email address.
      3. Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
    6. (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
    7. Click Save and activate the change.
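The evaluation semantics described above (rules evaluated in ascending Rule Order, disabled rules skipped in place, a rule triggered when any selected engine triggers, an engine triggered only when all of its dictionaries match, plus the URL category, cloud application and Minimum Data Size criteria) are easy to get wrong when ordering an exemption rule against a blocking rule. The following model is an added example written for this page; it is not Zscaler code and does not use any Zscaler API. The dictionaries, engines, categories, rule names and sample transactions are all constructed for illustration, and the assumption that the first matching enabled rule decides the outcome follows from the Rule Order description above.

```python
"""Illustrative model of DLP rule evaluation (added example, not Zscaler's
implementation). Dictionaries, engines and transactions are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Dictionary = Callable[[str], bool]  # True when the content matches

# Constructed stand-ins for DLP dictionaries; real dictionaries are far richer.
DICTIONARIES: Dict[str, Dictionary] = {
    "card_number": lambda c: any(t.isdigit() and len(t) == 16 for t in c.split()),
    "card_keyword": lambda c: "card" in c.lower(),
    "source_code": lambda c: "def " in c or "#include" in c,
    "financial": lambda c: "revenue" in c.lower(),
}

# An engine lists the dictionaries that must ALL trigger for it to trigger.
ENGINES: Dict[str, List[str]] = {
    "Credit Cards": ["card_number", "card_keyword"],
    "Source Code": ["source_code"],
    "Financial Data": ["financial"],
}


@dataclass
class Transaction:
    content: str
    url_category: str
    cloud_app: str
    size_kb: int


@dataclass
class Rule:
    order: int                  # Rule Order: lower numbers are evaluated first
    name: str
    action: str                 # "Allow" or "Block"; both are logged
    engines: List[str] = field(default_factory=list)        # [] means Any
    url_categories: List[str] = field(default_factory=list)  # [] means Any
    cloud_apps: List[str] = field(default_factory=list)      # [] means Any
    min_size_kb: int = 0        # 0 KB = no minimum, the page's default
    enabled: bool = True        # disabled rules keep their place but are skipped


def engine_triggers(engine: str, content: str) -> bool:
    """All dictionaries in the engine must match for the engine to trigger."""
    return all(DICTIONARIES[d](content) for d in ENGINES[engine])


def rule_matches(rule: Rule, txn: Transaction) -> bool:
    """Every criterion must hold; within DLP Engines, ONE engine suffices."""
    if txn.size_kb < rule.min_size_kb:
        return False
    if rule.url_categories and txn.url_category not in rule.url_categories:
        return False
    if rule.cloud_apps and txn.cloud_app not in rule.cloud_apps:
        return False
    engines = rule.engines or list(ENGINES)  # Any -> every engine
    return any(engine_triggers(e, txn.content) for e in engines)


def evaluate(rules: List[Rule], txn: Transaction) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, rule name) of the first enabled rule that matches, in
    ascending Rule Order, or (None, None) when no DLP rule triggers."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue  # skipped, but it keeps its place in the order
        if rule_matches(rule, txn):
            return rule.action, rule.name
    return None, None


# Constructed policy: the exemption rule must sit ABOVE the general block rule.
POLICY = [
    Rule(1, "Allow source code to authorized hosts", "Allow",
         engines=["Source Code"], url_categories=["Authorized Code Hosting"]),
    Rule(2, "Block source code", "Block", engines=["Source Code"]),
    Rule(3, "Block financial data (disabled)", "Block",
         engines=["Financial Data"], enabled=False),
    Rule(4, "Block card data to adult sites", "Block",
         engines=["Credit Cards"], url_categories=["Adult Material"], min_size_kb=1),
]

if __name__ == "__main__":
    samples = [
        Transaction("def main(): pass", "Authorized Code Hosting", "GitHub", 4),
        Transaction("def main(): pass", "Social Networking", "Facebook", 4),
        Transaction("Q3 revenue forecast", "Business", "Salesforce", 40),
        Transaction("card 4111111111111111", "Adult Material", "Other", 2),
        Transaction("ref 4111111111111111", "Adult Material", "Other", 2),
    ]
    for txn in samples:
        print(txn.content, "->", evaluate(POLICY, txn))
```

Two cases in the sample policy are worth checking against your own rule set: swapping rules 1 and 2 would make the blocking rule match first and silently defeat the exemption, and a transaction that contains a 16-digit number without the accompanying keyword never triggers the two-dictionary "Credit Cards" engine, because all dictionaries in an engine must match.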

See an example policy rule using predefined Zscaler DLP engines.

To learn how to use external DLP engines to detect data and also forward information about the data to your third-party DLP solution, see Configuring Policies Using External DLP Engines.

Screenshot of a rule using predefined Zscaler DLP engines