topic DLP blade is not working as expected in Firewall and Security Management

DLP blade is not working as expected

Phillip-83 — Sun, 19 May 2024 11:17:00 GMT

Hi everyone,

I'm setting up DLP Blade for POC at the customer (OpenServer - R81.20) but seems like it's not working correctly.
Here is the Policy:

So when the client behind the gateway tries to upload files:

Some sites working get log and alert email: Gmail, LinkedIn, Onedrive,...

Some sites are not working (no DLP log, just normal traffic log): Google Drive, Facebook, Telegram,...

Other Blade I set the default configuration so I don't think it's a conflict.
Have I configured something wrong?

Please help me..

Thank you so much.

Re: DLP blade is not working as expected

Lesley — Sun, 19 May 2024 14:43:26 GMT

Are you doing HTTPS inspection on this traffic?

The logs shows UDP 443 that is encryped.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/HTTPS-Inspection.htm

Re: DLP blade is not working as expected

Chris_Atkinson — Sun, 19 May 2024 15:18:49 GMT

Are you blocking QUIC traffic in your environment?

Re: DLP blade is not working as expected

the_rock — Mon, 20 May 2024 01:13:11 GMT

As Chris said, QUIC can definitely be the issue.

Re: DLP blade is not working as expected

Phillip-83 — Mon, 20 May 2024 06:35:09 GMT

Https inspection already done:

I did install cert on client, in GG Drive website, that show https inspection cert:

Re: DLP blade is not working as expected

Phillip-83 — Mon, 20 May 2024 06:41:48 GMT

I'm testing with allow *any all, and block only quic UDP-443 in FW Layer, but DLP on GG Drive, Facebook,... still not working:

Re: DLP blade is not working as expected

the_rock — Mon, 20 May 2024 06:44:24 GMT

Does zdebug show anything for the IP site resolves to?

fw ctz zdebug + drop | grep x.x.x.x

Just put the ip address after grep

Andy

Re: DLP blade is not working as expected

Phillip-83 — Mon, 20 May 2024 07:12:23 GMT

When i'm trying upload to drive:

run command I saw it's not dropping anything:

Re: DLP blade is not working as expected

Binhn — Mon, 20 May 2024 07:17:05 GMT

Hi the_rock, do we support to do the DLP Policy for native applications such as Google Driver, Telegram, Dropbox...?

Re: DLP blade is not working as expected

the_rock — Mon, 20 May 2024 07:23:40 GMT

You may want to ask internally as well, but Im pretty sure you do support it.

Best,

Andy

Re: DLP blade is not working as expected

Lesley — Mon, 20 May 2024 12:09:21 GMT

That is good! UDP 443 cannot be inspected and would be best to block. As others already posted. I can see you have done this now.

Further info about this is listed here: https://support.checkpoint.com/results/sk/sk111754

Could it maybe be a character / language issue? If I see your screenshots 🙂

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_DataLossPrevention_AdminGuide/Content/Topics-DLPG/Regular-Expressions-and-Character-Sets.htm?TocPath=Regular%20Expressions%20and%20Character%20Sets%7CSupported%20Character%20Sets%7C_____0#Character_Types