How to block all HTTPS traffic, with the exception of traffic going to a local intranet cloud storage with DLP 14.5 Endpoint Prevent

Article ID: 184279

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Symantec Data Loss Prevention (DLP)
Endpoint Prevent

A customer needs to upload documents to a local HTTPS open-source cloud storage (HTTPS://IPAddress/mycloud), but an Endpoint Prevent policy that blocks HTTPS traffic will block the upload. That is, all HTTPS traffic has to be blocked except the traffic going to the cloud storage host IP.

Cause

The Administration Guide documentation is not very clear on the format of the Domain Filters (HTTPS) parameters.

Environment

DLP 14.5, Endpoint Prevent 14.5, and Enforcer server 14.5

Resolution

Go to System --> Agents --> Agent Configuration, and then:

Enable all HTTPS traffic in the Web channel under the Agent Monitoring tab of the Agent configuration.

Under Filter By Network Properties, in the Domain Filters HTTPS input field, add the following filter:

-IP*,+*,*

Where IP is the IP address of the host where the local cloud is located, in the normal notation (e.g. 172.17.2.120). The minus sign means traffic to that address won't be monitored, and the <+> sign and <*,*> asterisks ensure that all other HTTPS traffic is monitored.
Note: because HTTPS traffic to that IP address is not monitored, a response rule that blocks data leaving over the HTTPS protocol won't apply to that local cloud storage. No exceptions for that IP are needed in the policy.