Defining Network Agent Policy Actions

On the Add Policy: Step 4: Action screen, select the Transmission Scope:

Only transmissions outside the local area network is the recommended setting. Select this if you want DLP to inspect only data transmitted outside the LAN.
All transmissions enables DLP to inspect all data transmitted outside the local machine.

“Network” is the company network, including traffic to standard private IP addresses:

A: 10.0.0.0~10.255.255.255
B:172.16.0.0~172.31.255.255
C:192.168.0.0~192.168.255.255

Only transmissions outside the local area network includes only private IP address ranges, including 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. However, if a destination IP address is a private IP address but is listed in Global Exceptions on the Monitored Targets list, DLP considers it as outside the LAN.

Note that DLP approves private IP ranges by default. Even if you use a 10.0.0.0/24 network for your LAN, the private IP addresses 172.16.x.x, 192.168.x.x and every other 10.x.x.x IP are also approved by default. Subnet boundary checking is not currently supported.

Note

When DLP checks for incidents, DLP complies with the settings of your Monitored Targets, Non-monitored Targets, and Transmission Scope. When these settings conflict, Monitored Targets is the first priority for DLP checking, followed by Non-monitored Targets. The last priority is Transmission Scope checking.

In other words, the destination listed in Monitored Targets will always be an incident source even if the destination is a local machine or within the LAN boundary. If the destination is not on the Monitored Targets list and is on the Non-monitored Targets list, the destination is in compliance and no checking will occur. If the destination is not in the Monitored Targets or Non-monitored Targets lists, DLP determines if the destination does not comply with the Transmission Scope setting.

Transmission Scope impacts network-related channels: SMB, FTP, HTTP, and IM. The impact to the IM channel traffic is for File Transfer only (since the message channel is always sent out to the global IM server with an IP outside the company network).

Transmission Scope also impacts Email channels with some differences. For Email (SMTP), when Transmission Scope is set to Only transmissions outside the local area network, DLP only scans email in which recipients are not in the internal email domain. You can configure the internal email domains at Administration → Global Exceptions.

Specify the System Actions for DLP Network Monitor to take if an incident is triggered.

If you select Record data, the network agent automatically encrypts the forensic data with a predefined password and securely uploads the data to the DLP server. The default password for encrypted files is 12345678. It is recommended that you change this password at Administration → Agent Configuration → Agent Settings.

WARNING

Record data uploads files to the DLP server which could occupy too much hard disk space. Trend Micro highly recommends that you only record highly sensitive information.

Click Finish to save the policy.

The network agent policy appears on the Policy List.

On the Policy List, click the Status icon to disable or enable the policy.

Click Deploy Now. DLP deploys all enabled policies in the list to the agents.

Click the up or down arrows in the Order column to change the policy priority. When multiple policies are triggered in an incident, DLP executes the most strict rules. However, when matching block and encryption actions, DLP takes actions based on order. The lowest number has the highest priority and is executed first.

Moving the mouse over a policy name displays a snapshot of the policy content.

Note

The DLP server waits an interval of one minute for each policy deployment. If you continually click Deploy Now, DLP waits one minute and redeploys the policies. In this case, Deploy Now is disabled after one minute and a message displays, “Policies have been deployed.”

$('#title').html($('meta[name=description]').attr('content'));