Phillip-83
Participant

DLP blade is not working as expected


Hi everyone,

I'm setting up the DLP Blade for a POC at the customer (OpenServer - R81.20), but it seems like it's not working correctly.
Here is the Policy: 

fdf.png


So when the client behind the gateway tries to upload files: 

Some sites are working and produce a log and alert email: Gmail, LinkedIn, OneDrive, ...

log.png


Some sites are not working (no DLP log, just a normal traffic log): Google Drive, Facebook, Telegram, ...

lognot.png

For the other blades I left the default configuration, so I don't think it's a conflict.
Have I configured something wrong?

Please help me.

Thank you so much.

0 Kudos
10 Replies
Lesley
Advisor

Are you doing HTTPS inspection on this traffic?

The logs show UDP 443, which is encrypted.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Phillip-83
Participant

HTTPS inspection is already done:
httpsip.png

I did install the cert on the client; on the GG Drive website it shows the HTTPS inspection cert:

cert.png

0 Kudos
Lesley
Advisor

That is good! UDP 443 cannot be inspected and would be best to block, as others already posted. I can see you have done this now.

Further info about this is listed here: https://support.checkpoint.com/results/sk/sk111754

Could it maybe be a character / language issue, judging from your screenshots? 🙂

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_DataLossPrevention_AdminGuid...


-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
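An added triage script (not from the thread, and not Check Point's own tooling) that applies the check discussed above to constructed log records: it groups each app's port-443 flows by transport protocol and flags apps that only ever appear over UDP/443 and never produce a DLP log, which is the pattern of QUIC bypassing HTTPS Inspection. The log format, app names and IPs are made up for the example.

```python
# Added example: spot destinations whose client traffic is only QUIC (UDP/443).
# HTTPS Inspection cannot decrypt QUIC, so DLP never sees those uploads and
# only a plain Firewall traffic log appears. Log format below is constructed.
from collections import defaultdict

# Constructed sample log lines (semicolon-separated key=value, not a real export).
SAMPLE_LOGS = """\
blade=Firewall;action=Accept;proto=tcp;dst=142.250.1.1;dport=443;app=Gmail
blade=DLP;action=Detect;proto=tcp;dst=142.250.1.1;dport=443;app=Gmail
blade=Firewall;action=Accept;proto=udp;dst=142.250.2.2;dport=443;app=Google Drive
blade=Firewall;action=Accept;proto=udp;dst=142.250.2.2;dport=443;app=Google Drive
blade=Firewall;action=Accept;proto=tcp;dst=157.240.3.3;dport=443;app=Facebook
blade=Firewall;action=Accept;proto=udp;dst=157.240.3.3;dport=443;app=Facebook
blade=Firewall;action=Accept;proto=tcp;dst=13.107.4.4;dport=443;app=OneDrive
blade=DLP;action=Ask User;proto=tcp;dst=13.107.4.4;dport=443;app=OneDrive
"""


def parse_log(text):
    """Parse key=value;key=value lines into a list of dicts (constructed format)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(kv.split("=", 1) for kv in line.split(";")))
    return records


def find_quic_gaps(records):
    """Return {app: reason} for apps with port-443 traffic but no DLP log.

    'quic-only'      : every 443 flow was UDP, so there was nothing to inspect
                       (block UDP/443 to force the browser back to TCP/TLS).
    'tcp-but-no-dlp' : TCP/443 was seen yet DLP stayed silent; look at the
                       policy/data type match or the app itself instead.
    """
    protos = defaultdict(set)   # app -> set of transport protocols seen on 443
    dlp_seen = set()            # apps that produced at least one DLP log
    for r in records:
        if r["blade"] == "DLP":
            dlp_seen.add(r["app"])
        elif r["dport"] == "443":
            protos[r["app"]].add(r["proto"])
    gaps = {}
    for app, seen in protos.items():
        if app in dlp_seen:
            continue
        gaps[app] = "quic-only" if seen == {"udp"} else "tcp-but-no-dlp"
    return gaps
```

Running `find_quic_gaps(parse_log(SAMPLE_LOGS))` on the constructed lines reports Google Drive as quic-only and Facebook as tcp-but-no-dlp, which separates the two root causes the thread is juggling.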
Chris_Atkinson
Employee

Are you blocking QUIC traffic in your environment?

CCSM R77/R80/ELITE
Phillip-83
Participant

quicblock.png

I'm testing with allow *any all and blocking only QUIC UDP-443 in the FW Layer, but DLP on GG Drive, Facebook, ... is still not working:

drive test.png

the_rock
Legend

Does zdebug show anything for the IP the site resolves to?

fw ctl zdebug + drop | grep x.x.x.x

Just put the IP address after grep.

Andy

0 Kudos
Phillip-83
Participant

When I'm trying to upload to Drive:

drip.png

Running the command, I saw it's not dropping anything:

cli.png


0 Kudos
the_rock
Legend

As Chris said, QUIC can definitely be the issue.

0 Kudos
Binhn
Employee

Hi the_rock, do we support DLP policy for native applications such as Google Drive, Telegram, Dropbox...?

0 Kudos
the_rock
Legend

You may want to ask internally as well, but I'm pretty sure you do support it.

Best,

Andy

0 Kudos
