Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
940
Views
0
Helpful
1
Replies

OUTGOING MAIL POLICY FOR DLP POLICY CAUSES CRES TO STOP WORKING

Go to solution
Bighead81
Level 1
Level 1

‎04-01-2014 12:19 PM

I have created 10 policies using DLP policy manager. Created a content filter with 3 conditions and 1 action. Up until here it is configured correctly. Its when i create outgoing mail policy when things with cres cease to work.

 

I create 2 outgoing mail policies both below the encryption policy but above the default policy. The first is a policy with anti spam disabled, anti virus as all deliver, content filter as the new content filter name and the rest as disabled.

 

The second policy is where the dlp is implemented, again anti spam as disabled anti virus as above, content filter contains both content filters the one old one new and dlp ive assigned all the dlp policies created dlp policy manager,

 

The dlp policy works as it should be but prevents the cres from working. As soon as both outgoing mail policies are removed the cres works!!

The position of outgoing mail are correct. The test emails for cres are not case sensitive.

 

The content filter contains regex of (?!)\[Secure]\.*    The other actions are open and closed brackets.

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jacqueline Fleming
Level 1
Level 1

‎04-01-2014 04:21 PM

  

I understand that once you create Outgoing Mail Policies, the Filters that handle CRES encryption based on Subject tagging stop working.  I also noted that you describe each feature as being on a different Outgoing Mail Policy, i.e.:

 

1 Encryption only

2 DLP only

 

I suspect the issue is related to which Outgoing Mail Policy is being matched for each message.  You see, it is a 'first match wins' style table.  I'll elaborate with an example:

 

1 User Group A has CRES Filter + 5 DLP Policies tailored for User Group A

2 User Group B has CRES Filter + 5 DLP Policies tailored for User Group B

 

- If Sender's address is declared in User Group A, User Group B will never be evaluated even if Recipients are in User Group B.

- If all Recipients are in User Group A, the settings for User Group B will be used even if the Sender is declared there.

- If an email is sent to Recipients from each group, the email will be split into two copies.  One copy will be processed based on Group A's configuration and sent to the Recipients on User Group A.  The other copy will use the settings for User Group B and deliver only to User Group B's matching Recipients.

 

The main takeaway for your specific situation is that the CRES Filter will only run if the email matches the policy where the CRES Filter is enabled.  I suggest checking which Outgoing Mail Policy was used on some emails that were missed and then see if that policy has the CRES Filter enabled.  You can check which policy was actually used by searching Tracking or the mail_logs to get message details.  Here is more info on that:

 

http://tools.cisco.com/squish/B23C7

 

I hope this helps! :)

 

- Jackie

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jacqueline Fleming
Level 1
Level 1

‎04-01-2014 04:21 PM

  

I understand that once you create Outgoing Mail Policies, the Filters that handle CRES encryption based on Subject tagging stop working.  I also noted that you describe each feature as being on a different Outgoing Mail Policy, i.e.:

 

1 Encryption only

2 DLP only

 

I suspect the issue is related to which Outgoing Mail Policy is being matched for each message.  You see, it is a 'first match wins' style table.  I'll elaborate with an example:

 

1 User Group A has CRES Filter + 5 DLP Policies tailored for User Group A

2 User Group B has CRES Filter + 5 DLP Policies tailored for User Group B

 

- If Sender's address is declared in User Group A, User Group B will never be evaluated even if Recipients are in User Group B.

- If all Recipients are in User Group A, the settings for User Group B will be used even if the Sender is declared there.

- If an email is sent to Recipients from each group, the email will be split into two copies.  One copy will be processed based on Group A's configuration and sent to the Recipients on User Group A.  The other copy will use the settings for User Group B and deliver only to User Group B's matching Recipients.

 

The main takeaway for your specific situation is that the CRES Filter will only run if the email matches the policy where the CRES Filter is enabled.  I suggest checking which Outgoing Mail Policy was used on some emails that were missed and then see if that policy has the CRES Filter enabled.  You can check which policy was actually used by searching Tracking or the mail_logs to get message details.  Here is more info on that:

 

http://tools.cisco.com/squish/B23C7

 

I hope this helps! :)

 

- Jackie

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents