Creating a recipient pattern exception to avoid HTTP/HTTPS monitoring of a URL that consists of an IP address.
Article ID: 248733

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Using the DLP Endpoint Agent, we wanted to block file uploads to a subset of IPs, specifically the ones in the following subnet:

IPv4 Address: 192.168.1.1

Subnet Mask: 255.255.0.0

We added them to a Recipient Pattern, in the IP Addresses field, with the following pattern:

192.168.*.*

During testing we found out that the policy didn’t trigger when uploading to the following URL:

https://192.168.111.20/ui/#/host/storage/datastores/...

We also tried each IP address (no wildcards) as the pattern but the same issue arose.

Environment

Release : 15.8

Component : Default-Sym

Cause

When monitoring a web page, the domain or IP address must always be entered in the URL field.

An IP address entered in the IP Addresses field is not applied to HTTP/HTTPS monitoring in the browser.

Resolution

To exclude specific internal URLs that contain an IP address, add the IP address to the Endpoint - Agent Configuration, on the Channel Filters tab, under Filter by Network Properties - Domain Filters: HTTP/HTTPS.

A minus sign (-) excludes an entry, a plus sign (+) includes it, and an asterisk (*) is a wildcard that matches anything. Entries are separated by commas.

You only need to add -192.168.*.*,+*, which instructs the Endpoint Agent not to monitor any HTTP/HTTPS traffic going to URLs in the 192.168.x.x subnet and to monitor everything else.

The trailing ,+* is required to ensure everything else is still monitored.
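The following is an added illustration of the filter syntax above, not Symantec/Broadcom code. It assumes entries are evaluated left to right with the first match deciding, that an entry matches the URL's host, and (following the note that ,+* is needed) that a host matching no entry is not monitored.

```python
# Added example: evaluate a URL against a "Domain Filters: HTTP/HTTPS" style
# string such as "-192.168.*.*,+*". Ordering and no-match behaviour are
# assumptions, not documented semantics of the Endpoint Agent.
import re
from urllib.parse import urlsplit


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    # Escape everything except '*' (which becomes ".*") and anchor the whole
    # host, so "192.168.*.*" does not match "10.192.168.1".
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_domain_filter(filter_string: str):
    """Return a list of (monitor: bool, compiled pattern) from the filter string."""
    rules = []
    for raw in filter_string.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry[0] not in "+-":
            raise ValueError(f"entry must start with + or -: {entry!r}")
        rules.append((entry[0] == "+", _wildcard_to_regex(entry[1:])))
    return rules


def is_monitored(url: str, rules) -> bool:
    """True if traffic to this URL would still be monitored under the rules."""
    host = urlsplit(url).hostname or ""
    for monitor, pattern in rules:
        if pattern.match(host):
            return monitor
    # Assumption: with no matching entry the host is not monitored, which is
    # why the article says the trailing ",+*" must be present.
    return False


if __name__ == "__main__":
    rules = parse_domain_filter("-192.168.*.*,+*")
    # Constructed URLs: the internal IP URL is excluded, an external host is not.
    print(is_monitored("https://192.168.111.20/ui/#/host/storage/datastores/x", rules))
    print(is_monitored("https://upload.example.com/files", rules))
```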


Adding the filter here is a better solution than adding it at the policy level: the traffic is excluded immediately and the policy is never evaluated, which reduces the computational load on the Endpoint.

Additional Information

It is currently not possible to use a wildcard in the URL domain field. An open feature request for this ability exists:

Ref: DLP-12612 - Sender email and recipient email/URL patterns should support wildcard (*) for WSS, NPW, NPE, Cloud Email, Endpoint

If you would like to add your organisation to this request please contact the Broadcom Support Team.