How to use IPs with Data Protection.cloud

Article ID: 179203

Products

Email Security.cloud

Issue/Introduction

 

Resolution

Introduction

 A useful data element when working with Data Protection (DP) policies is the IP address. You may need to restrict or register emails based on their origin, or create exclusions to policies based on IPs or IP ranges. Currently DP doesn't offer a native IP condition, so we'll be using regex instead.

Before you start

 Our IP condition will be using regular expressions. In Symantec.cloud, the DP regular expression engine supports Java 7 based expressions.

Important: When writing regular expressions, test the expressions to ensure that they work as you intend. Use the following pages to test your regular expressions:

Symantec recommends that you check the Oracle Summary of Regex Constructs for instructions on syntax. Ensure that you check the case insensitive option.

Syntax:
  Expression   Meaning
  . (dot)      Any character except newline
  a            The character a
  a|b          a or b
  [abx-z]      One character of: a, b, or the range x-z
  a+           One or more a's
  a{4,8}       Between (inclusive) 4 and 8 a's
  \w           A word character (same as [_a-zA-Z0-9])
  \b           Word boundary
  \            Escapes a special character
  ab           The string ab
  a*           0 or more a's
  a?           Zero or one a's
  a{4}         Exactly 4 a's
  a{9,}        9 or more a's
  \d           A digit (same as [0-9])

Condition implementation

  1. Log in to the Symantec.cloud console.
  2. Navigate to Services > Data Protection.
  3. Start a new Data Protection policy or find an existing policy which requires an IP-based condition
  4. Add a new Rule, or locate an existing rule that aligns with your policy logic
  5. Add a new condition - Content Regular Expression List  
    • Click on "Create a new Regular Expression List"
      • Name your condition
      • IPs will be added one per line with the following format: \b123\.123\.123\.123\b
         
        Important Notes/Rules:
        1. Because we are using a regex list, the "." (dot) must be escaped with a "\" (backslash), as an unescaped dot matches any character except a newline in regex
        2. For IPs where the 1st byte is a number between 0 and 99, add the following before and after the IP: \b
        3. For IPs where the 4th byte is a number between 0 and 25, add the following before and after the IP: \b
        4. To add comments to IPs, add the following regex after the IP: (?:Your Comment Here)?
         
        Examples:
        A) Valid IP: 123.23.80.1
        1. In regex the IP is 123\.23\.80\.1. But because the 4th byte is between 0 and 25, we need to add \b, making it \b123\.23\.80\.1\b. Otherwise it would match 123.23.80.1, 123.23.80.10 to .19, 123.23.80.100 to 123.23.80.199, which isn't the desired result.
         
        2. To add an IP with a comment, add the IP as follows instead: \b123\.23\.80\.1\b(?:IP from ABC)?
         
        B) Valid IP Range: 195.168.1.0/23
        1. An IP range can be converted to regex using the following free tool: http://www.analyticsmarket.com/freetools/ipregex. Replace the symbols ^ and $ in the resulting expression with \b. If you need to know the starting and ending of a given IP range you can use http://jodies.de/ipcalc.
         
        Use IP Calculator to get first IP Address: 195.168.0.1 and the last IP Address: 195.168.1.254 of the range.
         
        Use IP to Regex to get it converted, which results in (DO NOT use this syntax):

        ^195\.168\.(0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|(([0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))$

        But, we need to swap ^ $ with \b, so the expression we will use is (DO use this syntax):

        \b195\.168\.(0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|(([0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))\b

         Or, if you would like to add it with a comment:

        \b195\.168\.(0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|(([0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))\b(?:IP Range from ABC)?
         
    • Adjust the condition options as per your policy logic, positive match or exception. 
  6. Review your choices and save the policy.
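
The following is an added example, not part of the original article or of Symantec's tooling: a pre-deployment check that builds a list entry in the format above and enumerates which addresses an expression really matches. It uses Python's re module as a stand-in for the Java 7 engine (the constructs used here, \b, \. and (?:...)?, behave the same in both for ASCII input); the helper names and the sample Received line are assumptions made for the test.

```python
import ipaddress
import re

def ip_entry(ip, comment=None):
    """Return one regex-list line in the article's format for a single IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    entry = r"\b" + str(addr).replace(".", r"\.") + r"\b"
    if comment is not None:
        # The comment sits inside (?:...)?, so keep it free of regex metacharacters.
        if not re.fullmatch(r"[A-Za-z0-9 ]+", comment):
            raise ValueError("comment may contain only letters, digits and spaces")
        entry += "(?:" + comment + ")?"
    return entry

def matched_addresses(pattern, first, last):
    """List every address in [first, last] that the pattern finds in a header-like line."""
    rx = re.compile(pattern, re.IGNORECASE)  # article: enable the case insensitive option
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    hits = []
    for n in range(lo, hi + 1):
        ip = str(ipaddress.IPv4Address(n))
        # Constructed sample line; real Received headers vary by MTA.
        if rx.search(f"Received: from mail.example.test ([{ip}]) by mx.example.test"):
            hits.append(ip)
    return hits

# Range expression copied from the article (the \b form).
RANGE_RX = (r"\b195\.168\.(0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))"
            r"|(([0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))"
            r"|1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))\b")

if __name__ == "__main__":
    bounded = ip_entry("123.23.80.1", "IP from ABC")
    print("entry    :", bounded)
    print("bounded  :", matched_addresses(bounded, "123.23.80.0", "123.23.80.255"))
    loose = matched_addresses(r"123\.23\.80\.1", "123.23.80.0", "123.23.80.255")
    print("unbounded:", len(loose), "addresses matched")
    hits = matched_addresses(RANGE_RX, "195.167.255.0", "195.168.2.255")
    print("range    :", hits[0], "to", hits[-1], f"({len(hits)} addresses)")
```

Run against the article's range expression, the check reports 512 matches from 195.168.0.0 to 195.168.1.255, so the network and broadcast addresses are covered as well as the first and last host addresses given by the IP calculator.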