Which takes precedence in a policy - the rule or the exclusion?
Article ID: 160708
Updated On:
Products
Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Enforce, Data Loss Prevention Network Discover, Data Loss Prevention Network Prevent for Web
Issue/Introduction
Which takes precedence (aka which do we do first) in a policy - the rule or the exclusion?
For example:
Policy A:
Keyword rule: Looking for "batman"
Exclusion: Exclude all US traffic
A message comes in from the US containing the keyword.
Does DLP find the message and then dismiss it, or does DLP dismiss it prior to looking for the keyword?
Resolution
The order of execution depends on the DLP version in use:
9.x and below: We execute based on the performance of the rule type. In the example given, "all US traffic" is a sender/recipient exception, which is faster than a keyword match, so the exception is executed first. However, if you had a sender rule and a keyword exception, the sender rule would be executed first, then the keyword exception.
10.x and higher: It works as in earlier versions, but in addition it optimizes and groups rule and exception execution and contains other performance improvements.
The match count etc. should not be influenced by the order in which these are executed.
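
The ordering described above, as a simplified Python model added for illustration (it is not Symantec DLP code). The cost values, the `Condition` class, the helper names and the sample messages are assumptions; the model covers one policy whose rules must all hit and whose exceptions must all miss.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Callable

# Assumed relative costs (lower = cheaper to evaluate); illustrative values only.
COST = {"sender_recipient": 1, "keyword": 10}

@dataclass
class Condition:
    kind: str                     # key into COST
    is_exception: bool            # True: a hit excludes the message
    test: Callable[[dict], bool]

def evaluate(message, conditions):
    """Return (is_incident, kinds_evaluated), stopping at the first decisive result."""
    evaluated = []
    for cond in conditions:
        hit = cond.test(message)
        evaluated.append(cond.kind)
        # A rule that misses, or an exception that hits, settles the outcome.
        if hit == cond.is_exception:
            return False, evaluated
    return True, evaluated

def by_cost(conditions):
    """Cheapest condition type first, whether it is a rule or an exception."""
    return sorted(conditions, key=lambda c: COST[c.kind])

# Policy A from the article: keyword rule "batman", exception for US traffic.
POLICY_A = [
    Condition("keyword", False, lambda m: "batman" in m["body"].lower()),
    Condition("sender_recipient", True, lambda m: m["origin"] == "US"),
]

# Constructed sample messages.
MESSAGES = [
    {"origin": "US", "body": "Batman sighting downtown"},
    {"origin": "DE", "body": "Batman sighting downtown"},
    {"origin": "DE", "body": "quarterly report"},
]

def verdicts(order):
    return [evaluate(m, order)[0] for m in MESSAGES]

def order_independent(policy):
    """True if every execution order yields the same verdicts."""
    return len({tuple(verdicts(list(p))) for p in permutations(policy)}) == 1

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["origin"], evaluate(m, by_cost(POLICY_A)))
```

For the US message the cost-ordered run stops after the sender/recipient exception and never scans for the keyword, while the verdicts are the same in every order.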