Overview
Versa Data Loss Prevention (DLP) is a security enforcement component integrated into the Versa SASE (Secure Access Service Edge) platform. It helps organizations prevent sensitive information from leaving the enterprise by inspecting traffic and content in real time.
Versa DLP works inline with Versa SSE traffic flows, allowing content inspection and policy enforcement directly at the network layer without requiring separate DLP appliances.
Sensitive Data Detection Capabilities
Versa DLP can identify and control the transfer of:
- Credit Card Information (PCI)
- Personally Identifiable Information (PII)
- Social Security Numbers (SSN)
- Healthcare and Medical Data
- Passport Numbers
- Bank Account Information
- Source Code
- Custom Keywords
- Custom Data Patterns
Supported Deployment Model
Traffic passes through the Versa gateway where DLP inspection and enforcement are performed before traffic reaches its destination.
Software Requirements
Minimum Versions
| Component | Version |
|---|---|
| Versa VOS | 22.1.x or later |
| Versa Director | 22.1.x or later |
Recommended
- Latest SPACK (Security Package)
- Latest RTU Updates
Prerequisites Checklist
Before enabling DLP, verify the following:
| Item | Verification |
|---|---|
| License | DLP license installed and valid |
| Profile Creation | DLP profile created with active rules |
| Policy Mapping | DLP profile attached to security policy |
| SSL Decryption | Enabled for HTTPS traffic |
| Rule Activation | Rule activation set to true |
| Traffic Match | Traffic matches correct policy rule |
| Direction | Upload/Download/Both configured correctly |
| File Types | File types match inspection requirements |
| Context | Attachment and/or Body selected |
| Protocol Scope | HTTP configured (HTTPS after decryption) |
| Exit-on-First-Match | Rule ordering verified |
| Bypass Check | dlp-flow-bypass-cnt not increasing |
| Logs | Verify DLP logs in Analytics |
Supported File Types
Versa DLP supports inspection of the following file types:
| Category | File Types |
|---|---|
| Documents | doc, docx, pdf, rtf, txt |
| Spreadsheets | xls, xlsx, csv |
| Presentations | ppt, pptx |
| Source Code | c, cpp, py, php, pl, sh |
| Images | jpeg, png, bmp, gif, tif |
| Web/Data | html, xml, json |
| Archives | zip, gzip, gz, tar, xz, rar, 7zip |
| Certificates/Keys | pgp, pem, ppk |
| Others | visio, vsf, any |
Configuration
Step 1 – Enable SSL Decryption
DLP cannot inspect encrypted HTTPS traffic unless SSL decryption is enabled.
Sample CLI:
set orgs org-services <Org-name> security profiles decrypt Forward decrypt-profile-type ssl-forward-proxy
set orgs org-services <Org-name> security profiles decrypt Forward certificate Versa-CA
set orgs org-services <Org-name> security decryption-policies SSL-DLP rules R1 set action decrypt
set orgs org-services <Org-name> security decryption-policies SSL-DLP rules R1 set decryption-profile Forward
Step 2 – Create a Data Protection Rule
Example: Detect Aadhaar and PAN numbers.
set orgs org-services <org-name> security profiles dlp data-protection custom-data-profiles AADHAR-PAN expressions INDIA_AADHAAR_INDIVIDUAL predefined-data-pattern INDIA_AADHAAR_INDIVIDUAL
set orgs org-services <org-name> security profiles dlp data-protection custom-data-profiles AADHAR-PAN expressions INDIA_PAN_INDIVIDUAL predefined-data-pattern INDIA_PAN_INDIVIDUAL
set orgs org-services <org-name> security profiles dlp data-protection custom-data-profiles AADHAR-PAN boolean-operation "INDIA_AADHAAR_INDIVIDUAL OR INDIA_PAN_INDIVIDUAL"
Step 3 – Create a DLP Profile
Example Configuration
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 exit-on-first-rule-match disabled
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN activation true
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN match protocol [ HTTP ]
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN match direction both
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN match file-type [ doc docx msoffice pdf png txt ]
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN match context [ Attachment Body ]
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN match content-analysis enable true
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN match content-analysis userdefined-data-profile AADHAR-PAN
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN set action block
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN set logging enabled
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN set email-profile SSE-Profile
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN set threat-type dlp_exfilteration_in_content_analysis
set orgs org-services <org-name> security profiles dlp dlp-profiles DLP-R1 rules AADHAR-PAN set threat-severity critical
Step 4 – Apply DLP Profile to Security Policy
set orgs org-services <org-name> security access-policies Default-Policy rules Allow-All match source user user-type known
set orgs org-services <org-name> security access-policies Default-Policy rules Allow-All set security-profile dlp user-defined-dlp-profile DLP-R1
set orgs org-services <org-name> security access-policies Default-Policy rules Allow-All set action allow
set orgs org-services <org-name> security access-policies Default-Policy rules Allow-All set lef profile-default true
set orgs org-services <org-name> security access-policies Default-Policy rules Allow-All set lef event end
Supported Applications
Versa DLP supports inspection of traffic for:
- Box
- DLP_apps
- Dropbox_download
- Dropbox_upload
- Dropbox_upload_download
- Dropbox
- Github
- Gmail
- Gmail_basic
- Gmail_chat
- Gmail_drive
- Gmail_mobile
- Google_docs
- Google_photos
- Gsuite
- Gtalk
- Microsoft
- MS_teams
- My_Yahoo
- office365
- Onedrive
- Outlook
- Owa
- Salesforce
- Salesforce_chatter
- Service Now
- Sharepoint
- Sharepoint_document
- Sharepoint_online
- Slack
- Teamspeak
- Teamspeak_v3
- Yahoo
- Ymail_classic
- Ymail2
Troubleshooting
Verify DLP Profile Statistics
Command:
cli> show orgs org-services <ORG> security profiles dlp statistics userdefined-profile <profile-name>
security profiles dlp statistics userdefined-profile DLP-R1
dlp-profile-hit-cnt 29016
dlp-file-type-match-cnt 788
dlp-content-found-in-header 0
dlp-content-found-in-body 0
dlp-content-found-in-payload 0
dlp-content-analysis-predef-profile-match-cnt 0
dlp-content-analysis-custom-profile-match-cnt 0
dlp-content-analysis-predef-pattern-match-cnt 0
dlp-content-analysis-custom-pattern-match-cnt 0
dlp-file-size-exceed-cnt 0
dlp-file-name-match-cnt 0
dlp-file-hash-match-cnt 0
dlp-file-permission-match-cnt 0
dlp-file-watermark-match-cnt 0
dlp-file-label-match-cnt 0
dlp-edm-predef-pattern-match-cnt 0
dlp-edm-custom-pattern-match-cnt 0
dlp-edm-boolean-operation-match-cnt 0
dlp-edm-boolean-operation-fail-cnt 0
dlp-fingerprint-threshold-match-cnt 0
dlp-fingerprint-threshold-not-match-cnt 0
dlp-ocr-predef-pattern-match-cnt 0
dlp-ocr-custom-pattern-match-cnt 0
dlp-proximity-analysis-match-cnt 0
dlp-proximity-analysis-fail-cnt 0
dlp-exclude-file-cnt 0
dlp-keyword-match-cnt 50
dlp-regex-match-cnt 0
dlp-machine-learning-match-cnt 0
dlp-user-activity-rule-match-cnt 0
dlp-flow-bypass-cnt 0
dlp-file-type-mismatch-cnt 0
dlp-action-allow-cnt 0
dlp-action-alert-cnt 2878
dlp-action-reject-cnt 0
dlp-action-block-cnt 0
dlp-action-quarantine-cnt 0
dlp-action-redaction-cnt 0
dlp-action-post-cnt 0
dlp-action-justification-cnt 0
dlp-default-action-cnt 1476
dlp-action-set-label-cnt 0
dlp-action-remove-label-cnt 0
dlp-action-tokenization-cnt 0
dlp-action-encrypt-cnt 0
dlp-action-cloud-upload-cnt 0
dlp-action-cloud-upload-fail-cnt 0
dlp-file-cache-miss-cnt 1476
dlp-file-cache-hit-cnt 1402
dlp-range-cache-miss-cnt 0
dlp-range-cache-hit-cnt 0
dlp-cloud-req-sent-cnt 0
dlp-cloud-resp-rcvd-cnt 0
dlp-cloud-reputation-hit-cnt 0
dlp-cloud-reputation-miss-cnt 0
dlp-cloud-reputation-upload-cnt 0
dlp-cloud-null-resp-rcvd-cnt 0
Flows
Protocol Scanned
--------- -------
http 2878
ftp 0
smtp 0
imap 0
pop3 0
mapi 0
smb 0
Scan
File Type Count
-------------- --------
Unknown 578
c 0
doc 0
docx 0
xml 72
cpp 0
php 0
class 0
msoffice 0
pdf 0
pl 0
ppt 0
pptx 0
rtf 0
sh 0
xls 0
txt 840
xlsx 0
html 4
visio 0
jpeg 19
png 34
bmp 0
gif 133
tif 6
pgp 0
csv 0
zip 1
gzip 0
tar 0
xz 0
vsf 0
pem 0
ppk 0
rar 0
7zip 0
py 0
gz 0
json 922
any 0
Important Counters
| Counter | Description |
|---|---|
| dlp-profile-hit-cnt | Total traffic matching DLP profile |
| dlp-file-type-match-cnt | Files matching configured types |
| dlp-keyword-match-cnt | Keyword detections |
| dlp-regex-match-cnt | Regex detections |
| dlp-action-alert-cnt | Alert actions triggered |
| dlp-action-block-cnt | Block actions triggered |
| dlp-default-action-cnt | Default action applied |
| dlp-flow-bypass-cnt | Scanning bypassed |
| dlp-file-cache-hit-cnt | Cache hits |
| dlp-file-cache-miss-cnt | Cache misses |
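The checklist asks that dlp-flow-bypass-cnt is "not increasing", which means comparing two snapshots of the statistics output rather than reading one. The following Python sketch is an added example, not Versa code: it parses two saved outputs and maps the counter deltas to the checks in this article. The finding codes, function names and the BEFORE values are assumptions constructed for illustration; the AFTER values are taken from the sample output above.

```python
import re

# A counter line looks like "dlp-profile-hit-cnt 29016"; headers and tables are skipped.
COUNTER_RE = re.compile(r"^\s*(dlp-[a-z0-9-]+)\s+(\d+)\s*$")

def parse_counters(text):
    """Extract {counter: value} from saved 'dlp statistics' output."""
    return {m.group(1): int(m.group(2))
            for m in map(COUNTER_RE.match, text.splitlines()) if m}

def triage(before, after):
    """Compare two snapshots; return a list of (code, advice) findings."""
    delta = {k: after[k] - before.get(k, 0) for k in after}
    if any(v < 0 for v in delta.values()):
        # Counters went backwards (cleared or restarted): deltas are meaningless.
        return [("counter-reset", "Take a fresh baseline and compare again")]

    def d(name):
        return delta.get("dlp-%s-cnt" % name, 0)

    findings = []
    if d("profile-hit") == 0:
        findings.append(("no-hits", "Verify traffic reaches policy and the profile is attached"))
    elif d("file-type-match") == 0:
        findings.append(("no-file-type-match", "Confirm file type configuration"))
    if d("flow-bypass") > 0:
        findings.append(("bypass", "Scanning was bypassed for %d flows" % d("flow-bypass")))
    if d("action-alert") > 0 and d("action-block") == 0:
        findings.append(("alert-only", "Alerts raised, nothing blocked (expected in Alert mode)"))
    return findings

# Constructed baseline snapshot (values invented for the example).
BEFORE = """
dlp-profile-hit-cnt 28000
dlp-file-type-match-cnt 700
dlp-flow-bypass-cnt 0
dlp-action-alert-cnt 2800
dlp-action-block-cnt 0
"""
# Second snapshot: a subset of the sample output shown in this article.
AFTER = """
security profiles dlp statistics userdefined-profile DLP-R1
dlp-profile-hit-cnt 29016
dlp-file-type-match-cnt 788
dlp-flow-bypass-cnt 0
dlp-action-alert-cnt 2878
dlp-action-block-cnt 0
http 2878
"""

if __name__ == "__main__":
    for code, advice in triage(parse_counters(BEFORE), parse_counters(AFTER)):
        print(code, "-", advice)
```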
Flow Statistics
Shows how many files were scanned per protocol:
Protocol Scanned
--------- -------
http 2878
ftp 0
smtp 0
imap 0
File-Type Statistics
Displays scan count per file type:
txt 840
json 922
jpeg 19
png 34
gif 133
xml 72
Useful for validating whether uploaded content is actually being inspected.
VSMD Verification Commands
vsm-vcsn0>show dlp rules-hit-tbl
Rule hit action counters
Rule Name:DLP-R1
block (2) reject (0) quarantine (0) encrypt_upload (0) encrypt (0) redaction (0) alert (0) allow (0) justify (0) post (0)
Interpretation
- Block = 2
- Two files matched DLP rules and were blocked.
- No alerts or quarantine actions occurred.
vsm-vcsn0> show dlp config list dlp-profile <org-name>
-------------------------------------------------------------------------
dlp_profile ID dlp_profile Name
-------------------------------------------------------------------------
0 DLP-R1
1 INDIA-DLP
2 Versa_Content_Analysis
Confirms profiles loaded in the dataplane.
vsm-vcsn0> show vsf session dlp brief
Handle TNT WT QoS Proto SIP DIP SPort DPort -->Pkts <--Pkts -->Drops <--Drops application
------------ --- -- --- ----- --------------- --------------- ----- ----- ------- ------- -------- -------- ---------------
0x209c354 3 1 6 192.168.192.14 142.250.206.3 54255 443 18 10 0 0 gstatic/(predef)
0x209c3b1 3 1 6 192.168.192.14 142.251.221.101 58257 443 1127 767 0 0 Google Mail(gmail)/(predef)
0x209c3c8 3 1 6 192.168.192.14 142.251.221.101 51175 443 2947 1396 0 0 Google Mail(gmail)/(predef)
0x209c3ca 3 1 6 192.168.192.14 142.251.221.101 54539 443 3019 1717 4 10 Google Mail(gmail)/(predef)
0x209c3cb 3 1 6 192.168.192.14 142.251.221.101 62325 443 3406 2236 0 0 Google Mail(gmail)/(predef)
0x209c3cc 3 1 6 192.168.192.14 142.251.221.101 56599 443 634 666 4 10 Google Mail(gmail)/(predef)
0x209c3eb 3 1 6 192.168.192.14 142.251.223.163 58575 443 127 179 0 0 Google Mail(gmail)/(predef)
0x209c3ed 3 1 6 192.168.192.14 142.251.151.119 51141 443 86 54 0 0 google/(predef)
0x209c3f4 3 1 6 192.168.192.14 142.250.77.129 49800 443 21 19 0 0 google_photos/(predef)
0x209c403 3 1 6 192.168.192.14 142.251.223.14 59151 443 197 230 0 0 Google Mail(gmail)/(predef)
0x209c407 3 1 6 192.168.192.14 142.251.223.14 57945 443 23 22 0 0 Google Mail(gmail)/(predef)
Displays:
- Source IP
- Destination IP
- Protocol
- Application
- Packet Counts
- Drops
- Session State
Useful for confirming live traffic is undergoing DLP inspection.
Debugging DLP
Enable Debug:
cli>configure
#set debug dlp all-flags level all
#commit
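Logs are saved to "/var/log/versa/versa-service.log". As the example below shows, the debug output includes excerpts of the matched content, so handle this file as sensitive data.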
Example:
2026-06-10 18:48:50.453 DEBUG [0x401] vs_dlp_scanner_dump_forensic_report:5490: forensic_report_name: /tmp/versa_hard_disk/common/rawFile_140688618066177_33_0_1.pdf.report
230970 2026-06-10 18:48:50.453 DEBUG [0x401] vs_dlp_scanner_create_forensic_data:5556: after report geenration forensic: US_PII_NAME_DOB_EMAIL_ADDRESS
230971
230972 zip phone
230973 10932 Bigge Rd
230974 igge Rd Menlo Park C
230975 Menlo Park CA 940
230976 08 496-7223
230977 4469 Sherman Street
230978 et Goff KS 664
230979 Oakland CA 946
230980 zip phone
230981 10932 Bigge Rd
230982 igge Rd Menlo Park C
230983 Menlo Park CA 940
230984 08 496-7223
230985 4469 Sherman Street
230986 et Goff KS 664
230987 Oakland CA 946
230988 zip phone
230989 10932 Bigge Rd
230990 igge Rd Menlo Park C
230991 Menlo Park CA 940
230992 08 496-7223
230993 4469 Sherman Street
230994 et Goff KS 664
230995 Oakland CA 946
230996
231000 2026-06-10 18:48:50.453 DEBUG [0x401] dlp_process_content_result:6103 [0x7ff3ee8400c0]: Pattern name = FULL_NAME
231001 2026-06-10 18:48:50.453 DEBUG [0x401] dlp_process_content_result:6103 [0x7ff3ee8400c0]: Pattern name = DATE_OF_BIRTH
231002 2026-06-10 18:48:50.453 DEBUG [0x401] dlp_process_content_result:6103 [0x7ff3ee8400c0]: Pattern name = EMAIL_ADDRESS
231003 2026-06-10 18:48:50.453 DEBUG [0x401] dlp_process_content_result:6110 [0x7ff3ee8400c0]: Rule 15 matched: US_PII_NAME_DOB_EMAIL_ADDRESS
Meaning:
DLP identified the following patterns and matched them against the predefined US-PII policy:
- Full Name
- Date of Birth
- Email Address
231049 2026-06-10 18:48:50.455 DEBUG [0x401] dlp_process_content:7065 [0x7ff3ee8400c0]: Rule # 0 matched: 1
231050 2026-06-10 18:48:50.455 DEBUG [0x401] dlp_get_rule_hit_action:7553 [0x7ff3ee8400c0]: Rule matched name: US_PII rule_index: 0 bitmap = 1
231051 2026-06-10 18:48:50.455 DEBUG [0x401] dlp_process_ms_file:8504 [0x7ff3ee8400c0]: rule_action = 1
231052 2026-06-10 18:48:50.455 DEBUG [0x401] dlp_hlpr_thread_cb:12682 [0x7ff3ee8400c0]: MS file process rule_action = 1
231053 2026-06-10 18:48:50.455 DEBUG [0x401] dlp_hlpr_thread_cb:12706 [0x7ff3ee8400c0]: Helper thread sending message to worker thread[HT(0)->WT(0)], scnr_st 0x7ff3ee8400c0
231054 2026-06-10 18:48:50.456 DEBUG [0x101] dlp_wt_result_cb:12066 [0x7ff3ee8400c0]: Worker thread received message from helper thread(HT->WT) scnnr_st 0x7ff3ee8400c0
231055 2026-06-10 18:48:50.456 DEBUG [0x101] dlp_scanner_scan_verdict_async:2163 [0x7ff3ee8400c0]: Rule US_PII action = 3 rule_match_bitmap = 0
231056 2026-06-10 18:48:50.456 DEBUG [0x101] dlp_scanner_scan_verdict_async:2211 [0x7ff3ee8400c0]: component_type = 14
231057 2026-06-10 18:48:50.456 DEBUG [0x101] dlp_scanner_scan_verdict_async:2222 [0x7ff3ee8400c0]: component_type = 14
231058 2026-06-10 18:48:50.456 DEBUG [0x101] dlp_scanner_scan_verdict_async:2222 [0x7ff3ee8400c0]: component_type = 14
231059 2026-06-10 18:48:50.456 DEBUG [0x101] dlp_scanner_scan_verdict_async:2222 [0x7ff3ee8400c0]: component_type = 14
231060 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7684 [0x7ff3ee8400c0]: Sending to Lef lef_profile_id = 65535
231061 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_get_threat_value:7603 [0x7ff3ee8400c0]: threat_type: dlp_exfilteration_in_content_analysis threat_severity: critical
231062 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7711 [0x7ff3ee8400c0]: Lef components -
231063 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7714 [0x7ff3ee8400c0]: Rule name : US_PII
231064 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7715 [0x7ff3ee8400c0]: match_str : US_PII_NAME_DOB_EMAIL_ADDRESS
231065 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7716 [0x7ff3ee8400c0]: profile_name : US_PII
231066 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7717 [0x7ff3ee8400c0]: pattern_name : FULL_NAME
231067 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7718 [0x7ff3ee8400c0]: match_component: ContentAnalysisMatch
231068 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7719 [0x7ff3ee8400c0]: filename : sample-data.pdf
231069 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7720 [0x7ff3ee8400c0]: appid : gmail
231070 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7723 [0x7ff3ee8400c0]: email_profile : SSE-Profile
231071 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7726 [0x7ff3ee8400c0]: action_profile :
231072 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7728 [0x7ff3ee8400c0]: threat_type : dlp_exfilteration_in_content_analysis
231073 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7730 [0x7ff3ee8400c0]: threat_severity: critical
231074 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7732 [0x7ff3ee8400c0]: forensic :
231075 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7734 [0x7ff3ee8400c0]: forensic prof :
231076 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7739 [0x7ff3ee8400c0]: url_category: web_based_email
231077 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_lef_export_log:226: dlp_threat_type: dlp_exfilteration_in_content_analysis
231078 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_lef_export_log:232: dlp_threat_severity: critical
231079 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_lef_export_log:391: Ret = 0
231080 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_lef_export_log:396: Exporting LEF DLP log successful.
231081 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7684 [0x7ff3ee8400c0]: Sending to Lef lef_profile_id = 65535
231082 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_get_threat_value:7603 [0x7ff3ee8400c0]: threat_type: dlp_exfilteration_in_content_analysis threat_severity: critical
231119 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_lef_export_log:226: dlp_threat_type: dlp_exfilteration_in_content_analysis
231120 2026-06-10 18:48:50.457 DEBUG [0x101] vs_dlp_lef_export_log:232: dlp_threat_severity: critical
231121 2026-06-10 18:48:50.457 DEBUG [0x101] vs_dlp_lef_export_log:391: Ret = 0
231122 2026-06-10 18:48:50.457 DEBUG [0x101] vs_dlp_lef_export_log:396: Exporting LEF DLP log successful.
231123 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2288 [0x7ff3ee8400c0]: rule id = 0 dlp-action = block
231124 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2163 [0x7ff3ee8400c0]: Rule Source_Code action = 3 rule_match_bitmap = 0
231125 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2163 [0x7ff3ee8400c0]: Rule US_Financial action = 3 rule_match_bitmap = 0
231126 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2328 [0x7ff3ee8400c0]: action_bitmap = 9 action = block
231127 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2356 [0x7ff3ee8400c0]: dlp-action: block
231128 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2446 [0x7ff3ee8400c0]: vparse action = drop-session
231129 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_cache_save_file_hash:521: each entry size in cache obj = 104 data = 1528
231130 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_cache_save_file_hash:524 [0x7ff3ee8400c0]: component_type: 4000 thread_id: 0
231131 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_cache_update_entry:485 [0x7ff3ee8400c0]: scnr_st->dir = 1
231132 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_cache_update_entry:490 [0x7ff3ee8400c0]: Cache update done
231133 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_cache_save_file_hash:536 [0x7ff3ee8400c0]: Cache write Done
Example:
Rule US_PII action = block
Meaning:
- Rule matched.
- Configured action is Block.
Rule Evaluation
LEF Log Export
Sending to Lef
profile_name : US_PII
filename : sample-data.pdf
appid : gmail
threat_severity : critical
Confirms:
- DLP event logged successfully.
- File transferred via Gmail.
- Severity marked Critical.
Final Verdict
dlp-action: block
vparse action = drop-session
Meaning:
- File upload/download was blocked.
- Session was terminated.
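The three readings above (rule match, LEF export fields, final verdict) can be pulled out of versa-service.log per scan. This Python sketch is an added example, not Versa tooling: it groups debug lines by the scanner-state pointer in square brackets and reports scans that logged a rule but no final dlp-action. The function names and the last sample line are assumptions constructed for the example; the other sample lines are copied from the excerpt above.

```python
import re

# The optional leading number is the line number seen in the excerpt above.
LINE_RE = re.compile(
    r"^(?:\d+\s+)?\S+ \S+ DEBUG \[0x[0-9a-f]+\] "
    r"(\w+):\d+(?: \[(0x[0-9a-f]+)\])?: (.*)$"
)
FIELD_RE = re.compile(r"^([\w ]+?)\s*:\s*(.*)$")
WANTED = {"Rule name": "rule", "filename": "filename",
          "appid": "appid", "threat_severity": "severity"}
KEYS = ("rule", "filename", "appid", "severity", "action", "session")

def summarize(log_text):
    """Return {scanner-state pointer: summary dict} for each DLP scan."""
    scans = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group(2):
            continue  # forensic excerpts and lines without a scan pointer
        func, handle, msg = m.groups()
        scan = scans.setdefault(handle, dict.fromkeys(KEYS))
        if func == "vs_dlp_send_log_to_lef":
            f = FIELD_RE.match(msg)
            if f and f.group(1) in WANTED:
                scan[WANTED[f.group(1)]] = f.group(2).strip()
        elif func == "dlp_scanner_scan_verdict_async":
            if msg.startswith("dlp-action: "):
                scan["action"] = msg.split(": ", 1)[1].strip()
            elif msg.startswith("vparse action = "):
                scan["session"] = msg.split(" = ", 1)[1].strip()
    return scans

def missing_verdict(scans):
    """Scans where a rule was logged but no final dlp-action line followed."""
    return sorted(h for h, s in scans.items() if s["rule"] and not s["action"])

# Lines from the excerpt above; the final line (pointer ...d0) is constructed
# to show a scan whose verdict never appears in the log.
SAMPLE_LOG = """
231063 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7714 [0x7ff3ee8400c0]: Rule name : US_PII
231068 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7719 [0x7ff3ee8400c0]: filename : sample-data.pdf
231069 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7720 [0x7ff3ee8400c0]: appid : gmail
231073 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_send_log_to_lef:7730 [0x7ff3ee8400c0]: threat_severity: critical
231080 2026-06-10 18:48:50.456 DEBUG [0x101] vs_dlp_lef_export_log:396: Exporting LEF DLP log successful.
231127 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2356 [0x7ff3ee8400c0]: dlp-action: block
231128 2026-06-10 18:48:50.457 DEBUG [0x101] dlp_scanner_scan_verdict_async:2446 [0x7ff3ee8400c0]: vparse action = drop-session
2026-06-10 18:48:51.000 DEBUG [0x101] vs_dlp_send_log_to_lef:7714 [0x7ff3ee8400d0]: Rule name : US_PII
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for handle, scan in result.items():
        print(handle, scan)
    print("no verdict logged:", missing_verdict(result))
```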
Common DLP Issues
| Issue | Verification |
|---|---|
| No DLP Hits | Verify traffic reaches policy |
| HTTPS Not Inspected | Check SSL decryption |
| Rules Not Triggering | Verify rule activation |
| Unsupported File Type | Confirm file type configuration |
| Wrong Direction | Check upload/download setting |
| Profile Not Applied | Verify policy attachment |
| Traffic Bypassed | Check dlp-flow-bypass-cnt |
| Logs Missing | Verify logging enabled |
Best Practices
- Always enable SSL decryption for HTTPS applications.
- Start with Alert mode before enabling Block.
- Enable logging on all DLP rules.
- Verify supported file types.
- Monitor profile statistics regularly.
- Use predefined patterns whenever possible.
- Validate rule order when exit-on-first-rule-match is enabled.
- Review LEF logs to confirm enforcement actions.