|
Note: .doc and .xls files are getting blocked as expected.
Configuration:
config dlp filepattern
edit 1
set name "FRAN"
config entries
edit "msoffice"
set filter-type type
set file-type msoffice
next
edit "msofficex"
set filter-type type
set file-type msofficex
next
end
next
end
config dlp profile
edit "DLP-MonitorOnly"
set feature-set proxy
config rule
edit 1
set name "TEST"
set proto http-get http-post ftp
set file-type 1 ---------------> Refers to the DLP file pattern above.
set action block
next
end
next
end
config firewall policy
edit 1
set name "DLP-BLOCK"
set srcintf "LAN"
set dstintf "WAN"
set action accept
set srcaddr "LAN_Subnet"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set dlp-profile "DLP-MonitorOnly"
set logtraffic all
set nat enable
next
end
Performing the scanunit debugs while reproducing the issue shows that the actual content is embedded in document.xml:
diagnose sys scanunit debug all
diagnose sys scanunit debug level verbose
diagnose debug console timestamp enable
diagnose debug enable
su 7858 job 11 DLP: done archive level 1 scan 'word/document.xml' result 0
su 7858 job 11 DLP: start archive level 1 scan 'word/_rels/document.xml.rels'
su 7858 job 11 DLP: scanning file 'word/_rels/document.xml.rels' type 8 len 1351 buffer-type xml decoded 0 archive_is_blocked 0 checking 1 of 1 rules
su 7858 job 11 DLP: Matching rule 0
su 7858 job 11 DLP: file type no match. ------------------------------> File type not matching refers to *docx.
su 7858 job 11 DLP: file_scan no match found.
In order to fix the issue, a new config in the DLP file pattern should be added.
config dlp filepattern
edit 1
set name "FRAN"
config entries
edit "*.xml"
next
end
next
Related article:
Technical Tip: Configure Data Leak/Loss Prevention (DLP)
|
