Which takes precedence in a policy - the rule or the exclusion?

Article ID: 160708

Products

  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Enforce
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Network Prevent for Web

Issue/Introduction

Which takes precedence (aka which do we do first) in a policy - the rule or the exclusion?

For example:

Policy A:

Keyword rule:  Looking for "batman"
Exclusion:  Exclude all US traffic

A message comes in from the US containing the keyword.

Does DLP find the message and then dismiss it, or does DLP dismiss it prior to looking for the keyword?

Resolution

The order of execution depends on the DLP version in use:

  • 9.x and below: Execution order is based on the performance of the rule type. In the example given, "all US traffic" is a sender/recipient exception, which is faster than a keyword match, so the exception is executed first. However, if you had a sender rule and a keyword exception, the sender rule would be executed first, then the keyword exception.
  • 10.x and higher: It works as in earlier versions, but in addition it optimizes and groups rule and exception execution and contains other performance improvements.

The match count etc. should not be influenced by the order in which these are executed.
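
A simplified model of the ordering described above, added here as an example; it is not Symantec DLP code. The numeric cost ranks, the `Condition` and `evaluate` names, the stop-at-first-decisive-result behaviour and the sample messages are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Assumed relative costs (lower runs first). The article only states that
# sender/recipient matching is faster than keyword matching.
COST = {"sender_recipient": 1, "keyword": 2}

@dataclass
class Condition:
    kind: str                      # key into COST
    role: str                      # "rule" or "exception"
    test: Callable[[dict], bool]   # predicate over a message

def evaluate(conditions, message, order_by_cost=True):
    """Return (incident, kinds_executed).

    An incident needs every rule to match and no exception to match, so
    evaluation can stop at the first failed rule or matched exception.
    """
    ordered = (sorted(conditions, key=lambda c: COST[c.kind])
               if order_by_cost else list(conditions))
    executed = []
    for cond in ordered:
        executed.append(cond.kind)
        hit = cond.test(message)
        if cond.role == "exception" and hit:
            return False, executed   # excluded, no incident
        if cond.role == "rule" and not hit:
            return False, executed   # rule did not match, no incident
    return True, executed

def has_keyword(m):
    return "batman" in m["body"].lower()

def from_us(m):
    return m["sender_country"] == "US"

# Policy A from the article: keyword rule, "all US traffic" exception.
policy_a = [Condition("keyword", "rule", has_keyword),
            Condition("sender_recipient", "exception", from_us)]
# The reversed case from the article: sender rule, keyword exception.
policy_b = [Condition("sender_recipient", "rule", from_us),
            Condition("keyword", "exception", has_keyword)]

# Constructed sample messages.
us_msg = {"sender_country": "US", "body": "Batman sighted downtown"}
de_msg = {"sender_country": "DE", "body": "Batman sighted downtown"}

if __name__ == "__main__":
    for name, pol in (("A", policy_a), ("B", policy_b)):
        for msg in (us_msg, de_msg):
            print(name, msg["sender_country"], evaluate(pol, msg))
```

Passing `order_by_cost=False` runs the conditions in their listed order; the verdict is the same, only the amount of work done before reaching it changes.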