ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Which takes precedence in a policy - the rule or the exclusion?
Article ID: 160708
Updated On:
Products
Data Loss Prevention Network Monitor
Data Loss Prevention Network Prevent for Email
Data Loss Prevention Enforce
Data Loss Prevention Network Discover
Data Loss Prevention Network Prevent for Web
Issue/Introduction
Which takes precedence (aka which do we do first) in a policy - the rule or the exclusion?
For example:
Policy A:
Keyword rule: Looking for "batman"
Exclusion: Exclude all US trafficA message comes in from the US containing the keyword.
Does DLP find the message and then dismiss it, or does DLP dismiss it prior to looking for the keyword?
Resolution
The following order precedence takes place depending on the DLP version utilized:
- 9.x and below: We execute based on the performance of the rule type. In the example given, "all US traffic" = sender / recipient exception = faster than keyword = exception is executed first. However, If you had a sender rule and a keyword exception, the sender rule would be executed first, then the keyword exception.
- 10.x and higher: It works as in earlier versions, but in addition it optimizes and groups rule- and exception-execution as well as contains other performance improvements.
The match count etc. should not be influenced by the order in which these are executed.
Feedback
Yes
No
Powered by
