When requests for web access are filtered on Secure Web Gateway, DLP scanning is included in the filtering process. You can configure that DLP scanning is bypassed based on media types as part of your web policy.
Media types that are typically configured to bypass DLP scanning are the different types of streaming media. To configure bypassing for them, you enter them in a bypass list. For other media types, for example, PowerPoint files, you need to use a workaround, as you cannot use the bypass list here.
In the following, more information is provided about configuring media types to bypass DLP scanning and how to use the workaround.
Why the Bypass List Does Not Work for Some Media Types
The filtering process on Secure Web Gateway is performed in different phases, which are referred to as cycles. When a request for web access comes in, the first cycle to be performed is the request cycle. The web policy rules that are configured for this cycle are then processed to find out whether they apply.
In the request cycle, a request is also passed on to DLP scanning. The bypass list is only evaluated, however, for the top-level part of the request. It is not evaluated for the following content sent with the request:
Content of the multipart/form-data type, for example, application/vnd-ms.powerpoint
- Content inside a container, such as an archive file or an embedded document, for example, a PDF file inside a PowerPoint file.
It could also be a document in a container-like format, for example, a .docx file that is a .zip file consisting of an XML part and the .docx file.
This means that even if you have entered, for example, the application/vnd-ms.powerpoint media type in the bypass list, DLP scanning will be performed on it.
Configuring Media Types to Bypass DLP Scanning Using the Bypass List
You can configure media types to bypass DLP scanning as part by entering them in a bypass list that is evaluated by a rule in the Web DLP rule set.
For media types that are not of the multipart/form-data type, nor inside a container, like archive files, embedded documents, and others, using this bypass list should work as expected.
For more information, see Configure Media Types to Bypass DLP Scanning Using the Bypass List.
Configuring Media Types to Bypass DLP Scanning Using a Workaround
When the bypass list you set up is evaluated in the request cycle of the filtering process on Secure Web Gateway, media types like, for example, application/vnd-ms.powerpoint, are not considered. DLP scanning is performed on them even if they are in the list.
To let these media types bypass DLP scanning, you can use the following workaround:
Copy (clone) an existing DLP classification to use it as starting point for creating a new classification
Add a condition to the new classification that excludes these media types from DLP scanning
- Configure the new classification for the DLP policy that you have included in your web policy
For more information, see Configure Media Types to Bypass DLP Scanning Using a Workaround.