Configuring Global Exceptions

Use the Global Exceptions screen to change global DLP behavior for monitored and non-monitored targets, as well as internal email domains.
  1. Navigate to Administration > Agent Configuration > Global Exceptions.
  2. Type the global exceptions for digital asset scanning.

    Global Exceptions

    Global Exception
    Description
    Non-monitored Targets
    Specify destinations outside your network where an endpoint is permitted to send sensitive data. DLP will not check sensitive data sent through this network service.
    Define each target by:
    • IP address or address range
    • Host name
    • FQDN
    • Network address and subnet mask, such as 10.1.1.1/32
    To target specific channels, include the default or company-defined port numbers for those channels. For example, port 21 is typically for FTP traffic, port 80 for HTTP, and port 443 for HTTPS. Use a colon to separate the target from the port numbers.
    You can also include port ranges. To include all ports, omit the port range.
    Examples of targets with port numbers and port ranges:
    • 10.1.1.1:80
    • host:5-20
    • host.domain.com:20
    • 10.1.1.1/32:20
    For the subnet mask, DLP only supports classless inter-domain routing (CIDR) notation. That means that you can only type a number like 24 instead of 255.255.255.0.
    Separate targets with commas.
    Monitored Targets
    Specify destinations inside your network that do not have total clearance. DLP checks traffic but does not block content unless you specify blocking as the policy action.
    Define each target by:
    • IP address or address range
    • Host name
    • FQDN
    • Network address and subnet mask, such as 10.1.1.1/32
    To target specific channels, include the default or company-defined port numbers for those channels. For example, port 21 is typically for FTP traffic, port 80 for HTTP, and port 443 for HTTPS. Use a colon to separate the target from the port numbers.
    You can also include port ranges. To include all ports, omit the port range.
    Examples of targets with port numbers and port ranges:
    • 10.1.1.1:80
    • host:5-20
    • host.domain.com:20
    • 10.1.1.1/32:20
    For the subnet mask, DLP only supports classless inter-domain routing (CIDR) notation. That means that you can only type a number like 24 instead of 255.255.255.0.
    Separate targets with commas.
    Note
    If the global exceptions and transmission scope settings conflict, DLP recognizes the following priorities, in order of highest priority to lowest:
    Monitored Targets > Non-monitored Targets > Transmission Scope
    Internal Email Domains
    Type all internal email domains to help DLP determine which email to monitor.
    DLP checks the transmission scope, which you need to configure when specifying actions for a policy. DLP automatically monitors email traffic when:
    • Transmission scope is set to “All transmissions”; or
    • Transmission scope is set to “Only transmissions outside the local area network” AND the recipient is not in the list of Internal Email Domains
    Specify domains using any of the following formats, separating multiple domains with commas:
    • X400 format, such as /O=Trend/OU=USA, /O=Trend/OU=China
    • Email domains, such as example.com
  3. Click Save.
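
A draft exception list can be checked before it is typed into the console. The following is an added example, not code from the product or its vendor: it parses the comma-separated target syntax described above, rejects dotted subnet masks, and applies the documented priority (Monitored Targets > Non-monitored Targets > Transmission Scope) to a destination. Assumptions: IPv4 only, ports bounded to 1-65535, a conventional host name grammar, address ranges rejected because the page does not show their syntax, and host name targets skipped during matching because resolving them needs DNS; all function names are hypothetical.

```python
import ipaddress
import re

# Host name / FQDN labels: letters, digits, hyphens (assumed; the page defines no grammar).
HOST_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")

def parse_target(entry):
    """Parse one target: IPv4, IPv4/prefix, host name or FQDN, optionally ':port' or ':lo-hi'."""
    entry = entry.strip()
    addr, sep, ports = entry.partition(":")
    lo, hi = 1, 65535  # no port part means all ports
    if sep:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", ports)
        if not m:
            raise ValueError(f"{entry!r}: bad port or port range")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"{entry!r}: port out of range")
    if "/" in addr and not addr.rsplit("/", 1)[1].isdigit():
        # ipaddress would accept 255.255.255.0 here; the page says DLP does not.
        raise ValueError(f"{entry!r}: use a CIDR prefix such as /24, not a dotted mask")
    try:
        net = ipaddress.IPv4Network(addr, strict=False)
        return {"net": net, "host": None, "ports": (lo, hi)}
    except ValueError:
        pass
    if re.fullmatch(r"[\d./-]+", addr) or not HOST_RE.fullmatch(addr):
        raise ValueError(f"{entry!r}: not an IPv4 address, CIDR network or host name")
    return {"net": None, "host": addr.lower(), "ports": (lo, hi)}

def parse_targets(field):
    """Split a comma-separated exception field and parse every entry."""
    return [parse_target(e) for e in field.split(",") if e.strip()]

def classify(ip, port, monitored, non_monitored):
    """Apply the page's priority: Monitored > Non-monitored > Transmission Scope."""
    addr = ipaddress.IPv4Address(ip)
    def hit(targets):  # host name targets are skipped: matching them needs DNS
        return any(t["net"] is not None and addr in t["net"]
                   and t["ports"][0] <= port <= t["ports"][1] for t in targets)
    if hit(monitored):
        return "monitored"
    if hit(non_monitored):
        return "non-monitored"
    return "transmission-scope"

# Constructed sample input (not taken from a real deployment).
NON_MONITORED = parse_targets("10.1.1.0/24:443, host.domain.com:20, host:5-20")
MONITORED = parse_targets("10.1.1.1/32:443")
```

Running `classify` over each non-monitored entry shows where a monitored target overrides it, which is the conflict case the note on priorities describes.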