Complete rules of the Data Loss Prevention (DLP) with ICAP for Cloud rule set

When working with the complete rules of the Data Loss Prevention (DLP) with ICAP for Cloud rule set, all rules and rule elements of this rule set can be viewed and configured.

Library rule set – Data Loss Prevention (DLP) with ICAP for Cloud
Criteria — URL.Host does not equal “ ” AND Cycle.TopName equals "Request" AND InTheCloud equals true
Cycles — Requests (and IM), Embedded Objects

The rule set criteria specifies that the rule set applies if all of these criteria match:

  • A host name can be found for a URL that is sent in a request to the appliance.
  • The processing cycle that is currently performed is the request cycle.
  • The rule set is applicable for cloud use.

The rule set contains the following rules.

Skip requests that do not carry information
Body.Size equals 0 AND ListOfString.IsEmpty(URL.Parameters) equals true –> Stop Rule Set
The rule uses the Body.Size property to check whether a request has a body that is empty. It also uses the ListOfString.IsEmpty property to check whether a request has URL parameters.
If the criteria is matched, that is, the body is empty and the request carries no URL parameters, processing of the rule set stops and the request is not forwarded to the ICAP server.
Skip body that is greater than 50 MB
Body.Size greater than 52428800 –> Stop Rule Set
The rule uses the Body.Size property to check whether the body of a request exceeds 50 MB. If it does, processing of the rule set stops and the request is not forwarded to the ICAP server.
In the rule criteria, the size of a request body that must not be exceeded is specified in bytes (52428800 bytes = 50 MB).
Skip all GET requests
Command.Name equals GET –> Stop Rule Set
The rule uses the Command.Name property to check whether the command that is sent with a request is GET. If it is, processing of the rule set stops and the request is not forwarded to the ICAP server.
This rule is not enabled by default.
Store original authentication method
Always –> Continue – Set User-Defined.Original.Method = Authentication.Method
The rule event always sets the name of the currently used authentication method as the value of a user-defined property to store it, so it can be restored after this name has temporarily been replaced with "NTLM".
Set authentication method to "NTLM" (for ICAP compatibility)
Authentication.Method does not equal "NTLM" AND Authentication.Method does not equal "LDAP" AND Authentication.Method does not equal "Radius" –> Continue – Set Authentication.Method = "NTLM"
The rule uses the Authentication.Method property to check whether the authentication method that is currently in use is NTLM, LDAP or Radius. These methods are compatible with using ICAP in a DLP configuration.
If a different method is used, which would not be compatible, the rule event replaces this method with "NTLM" by setting the value of Authentication.Method accordingly.
Call ReqMod server
ICAP.ReqMod.Satisfaction<ReqMod> equals true –> Stop Cycle
When a request has passed filtering according to the first two rules of the rule set, it is forwarded to the ICAP server. If this has been done, the value of the ICAP.ReqMod.Satisfaction property is true.
The rule checks whether this is the case for a request and if it is, stops processing the current cycle, as no more processing of the rules in this cycle is required after forwarding a request to the ICAP server.
Restore original authentication method
Always –> Continue – Set Authentication.Method = User-Defined.Original.Method
The rule event always sets the name that was stored using the user-defined property to the value of the Authentication.Method property. The name of the authentication method is this way restored to its original value.
The rule is only processed if the preceding rule, which stops processing the remaining rules in the cycle, has not applied.
This means no ICAP communication was performed, and the original authentication method, which might not be ICAP-compatible, can be used again.
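As an added example that is not part of the rule set documentation, the following Python model walks a request through the rules above in the listed order, using the property names as dictionary keys. The ICAP.ReqMod.Satisfaction value, the "Kerberos" authentication method and the sample request values are constructed inputs standing in for the outcome of the ReqMod call and the request the appliance would see.

```python
ICAP_COMPATIBLE = {"NTLM", "LDAP", "Radius"}   # methods accepted by the "Set authentication method" rule
MAX_BODY_BYTES = 52428800                      # 50 MB, as in the "Skip body" rule


def build_rules(skip_get_enabled=False):
    """Rules in page order: (name, enabled, criteria, action, event)."""
    def stash(s): s["User-Defined.Original.Method"] = s["Authentication.Method"]
    def force_ntlm(s): s["Authentication.Method"] = "NTLM"
    def restore(s): s["Authentication.Method"] = s["User-Defined.Original.Method"]
    return [
        ("Skip requests that do not carry information", True,
         lambda s: s["Body.Size"] == 0 and len(s["URL.Parameters"]) == 0, "Stop Rule Set", None),
        ("Skip body that is greater than 50 MB", True,
         lambda s: s["Body.Size"] > MAX_BODY_BYTES, "Stop Rule Set", None),
        ("Skip all GET requests", skip_get_enabled,          # disabled by default on the page
         lambda s: s["Command.Name"] == "GET", "Stop Rule Set", None),
        ("Store original authentication method", True, lambda s: True, "Continue", stash),
        ('Set authentication method to "NTLM"', True,
         lambda s: s["Authentication.Method"] not in ICAP_COMPATIBLE, "Continue", force_ntlm),
        ("Call ReqMod server", True,                         # property value models the ICAP call outcome
         lambda s: s["ICAP.ReqMod.Satisfaction"], "Stop Cycle", None),
        ("Restore original authentication method", True, lambda s: True, "Continue", restore),
    ]


def run_rule_set(state, skip_get_enabled=False):
    """Evaluate the rules against a request state (mutated in place).

    Returns (name of the last rule that applied, its action); a Continue action
    runs its event and moves on, any other action ends processing."""
    last = (None, "Continue")
    for name, enabled, criteria, action, event in build_rules(skip_get_enabled):
        if not enabled or not criteria(state):
            continue
        if event:
            event(state)
        last = (name, action)
        if action != "Continue":
            break
    return last


def sample_request(auth="Kerberos", body=1024, params=("q=1",), cmd="POST", satisfied=True):
    """Constructed request state; 'Kerberos' stands in for a non-ICAP-compatible method."""
    return {"Body.Size": body, "URL.Parameters": list(params), "Command.Name": cmd,
            "Authentication.Method": auth, "ICAP.ReqMod.Satisfaction": satisfied}
```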