Custom Policy Wizard - Destination

Administrator Help | Forcepoint DLP | Version 8.5.x

Related topics:

Rule Wizard - Finish

What can I protect?

Use the Destination page of the custom policy wizard to select possible destinations for data protected by this rule.

The Destination page varies based on subscription. You may see:

Standard Forcepoint DLP options

Forcepoint Web Security mode

Forcepoint Email Security mode

For information on the file sizes that are support for the various destination channels, see the File Size Limits technical reference.


	Tip For help using the Select Items screen that appears when you edit any policy option, see Selecting items to include or exclude in a policy.

Standard Forcepoint DLP options

Select Network Email to monitor email going through the network or a supported cloud infrastructure such as Microsoft Azure. By default, email is analyzed on all network destinations.

Click Edit to select the destinations (such as computers, policies, or domains) this policy should analyze.

Click Direction to select the traffic to monitor: inbound, outbound, internal, or all 3.

Although Forcepoint Email Security will analyze all 3 directions, Forcepoint DLP Email Gateway will analyze only outbound traffic.

Protectors monitor all traffic directed to them. All transactions are regarded as outbound.

Select Endpoint Email to monitor email on endpoint machines (requires Forcepoint DLP Endpoint). By default, email is analyzed on all endpoint destinations.

Click Edit to select the domains this policy should analyze.

If Forcepoint DLP is integrated with Forcepoint Email Security, click Direction to select the traffic to monitor: outbound (default) or internal. Inbound email cannot be monitored on endpoints.

The selected direction must have been configured under Settings > General > Endpoint > Email Domains to analyze endpoint email traffic.

For a complete list of endpoint email applications that Forcepoint DLP supports, see Forcepoint DLP Endpoint endpoint applications.

Select CASB Service to analyze files sent to supported cloud applications.

This option is available only when the CASB service is enabled on the Settings > General > Services page.

Select Mobile Email to monitor email sent to users' mobile devices, then select whose devices to monitor. It is possible to select user directory entries (users and groups), business units, or custom users. By default, all users' email is analyzed when it is being synchronized to mobile devices.

Click Edit to select the users to monitor.

Select Web to prevent or monitor users posting sensitive data to networks, domains, business units, URL categories, directory entries, countries, or custom computers via any of the following web channels:


FTP	file transfer sites
Chat	instant messenger applications
Plain text	unformatted textual content
HTTP	websites, blogs, and forums via HTTP
HTTPS	websites, blogs, and forums via secure HTTP
Endpoint HTTP	websites, blogs, and forums accessed by endpoint machines over HTTP
Endpoint HTTPS	websites, blogs, and forums accessed by endpoint machines over HTTPS

By default, posts to all web destinations are analyzed.

Click Edit to select the destinations to analyze.

Note that several SaaS domains are excluded from analysis by default. Optionally, exclude more domains or remove domains from the exclusion list. You can also customize the list of resources that are excluded from web policies by default. For more information, see Business Units.

Click Channels to select or deselect individual Web channels.

For a complete list of endpoint browsers supported by Forcepoint DLP, see Selecting endpoint destination channels to monitor.

Select Cloud Services (enabled by default) to analyze content that is sent to cloud services, such as Microsoft OneDrive for Business or Box.

Select Endpoint Printing to analyze files that endpoint users send to printers. (Requires Forcepoint DLP Endpoint.)

To select the printers to analyze click Edit.

Select Endpoint Application to analyze content that is being cut, copied, pasted, or otherwise handled by users on endpoint applications.

To select the application groups to analyze, click Edit.

Not all operations (cut, copy, paste, etc.) relate to all applications. The operations that are monitored are specified for each group.

Note that if you choose All activities on the rule's condition page and choose an online application here, you are requesting to monitor all content that is downloaded to endpoints. The same is true if you specify the Download operation in the online application group, then select this group.

To prevent the system from analyzing content that is cached on the endpoint, the following occurs:

When files are saved to the browser's cache folders, the crawler analyzes only .exe, .csv, .xls/xlsx, .pdf, .txt, .mht, and .doc/.docx files.

When files are saved to any other local folder, it analyzes all file types.

For a list of applications that the system supports out of the box, see Forcepoint DLP Endpoint Applications. You can also add custom applications.

Note: The list you create here is overridden by trusted application settings you configured under Resources > Endpoint Applications. Groups that are trusted on that page are not enforced even if they are included in the policy.

Select Endpoint Removable Media to analyze media such as thumb drives, external hard drives, and other USB devices on endpoint machines. By default, all removable media is included.

To select the media to analyze, click Edit.

For a complete list of supported endpoint removable devices, see Selecting endpoint destination channels to monitor.

Linux-based endpoints cannot share removable media devices through NFS.

10.

Select Endpoint LAN to analyze endpoint file copy over LANs. By default, outbound traffic for all networks is covered—that is, traffic going from the endpoint to all LANs.

Endpoint LAN control is applicable to Windows file sharing only.

To select a network to analyze, click Edit.

Specify a list of allowed destination IP addresses or hostnames for LAN copy.

Users may connect to a destination machine using the hostname, IP address, or mapped drive, for example. Forcepoint DLP does not resolve the multiple names for a single destination. To block or allow access to a machine, specify each of the identifiers a user might specify: for example, FQDN, hostname, mapped drive, and so on. Alternatively, always block or allow access using hostname and require users to use hostname.

Data from an endpoint client can be intercepted.

If access to the LAN requires user credentials, files larger than 10 MB are handled as huge files which are only searched for file size, file name, and binary fingerprint. Files smaller than 10 MB are fully analyzed. The huge file limit for other channels is 100 MB.

Forcepoint Web Security mode

By default, web channels are analyzed on all destinations. For Forcepoint Web Security, this includes:

FTP includes FTP-over-HTTP.

Web includes websites, blogs, and forums via HTTP and HTTPS.

Click Edit to select the destinations to analyze.

Forcepoint Email Security mode

By default, all network email is analyzed in all directions: outbound, inbound, and internal.

Click Edit to select the email destination to analyze.