Netskope Global Technical Success (GTS)
Use Case - DLP - How to block Zip files via File Type Control
Netskope Cloud Version - 113
Objective
Blocking Zip files using a file profile within a DLP profile.
Prerequisite
Netskope SWG/CASB and Netskope standard/advanced inline DLP license is required.
Context
By configuring a file profile within a DLP policy, you can effectively block the transfer of ZIP files across your network or endpoints. This approach allows you to identify and restrict compressed files based on their format, ensuring sensitive data isn't compressed and shared without authorization. It's a key method for preventing data leakage while maintaining control over file transfers.
Do You Know?
- Netskope DLP can leverage the File profile capabilities to detect specific files.
- Incidents are generated for each file/sub-file that matches DLP profiles.
- The DLP service has an internal limit of generating only 50 incidents for a given request.
- Zip files are not supported in an RTP file type constraint:
https://docs.netskope.com/en/supported-file-types-for-detection/
DLP Netskope doc starting point:
https://docs.netskope.com/en/data-loss-prevention/
Use Case
Step 1: Create a file profile
Go to Netskope UI >> Policies >> Profiles >> File >> New File Profile.
Click File Type >> click the magnifying glass for archive and compressed files.
Under File Types, search for “Zip archive”, select the checkbox, and click Next.
Add a profile name and a description. Click Save and apply changes.
Step 2: Create DLP profile
Go to Netskope UI >> Policies >> Profiles >> DLP >> New Profile.
Select the file profile created in Step 1, set the match type to “matches”, and click Next.
Leave the “Rule | Classification” section empty and click Next.
Add a profile name and click Save.
Step 3: Create a real time protection policy to block Zip files.
Go to Netskope UI >> Policies >> Real Time Protection Policies >> DLP.
Select the application and activities you want to use to test the rule. In this case we are using Google Drive and the Upload activity.
Select the DLP profile created in Step 2 and set the action to Block.
Verification
Select a Zip File and upload the file to the application we use to test the DLP rule.
A pop-up message appears, blocking the action.
Review the policy alert details at SkopeIT:
Netskope UI >> SkopeIT >> Alerts >> Click the magnifying glass to check details.
Review the DLP incident:
Netskope UI >> Incidents >> DLP >> open the incident details by clicking the object name.
Note: as we are using a DLP profile, every time the policy is triggered you will get a SkopeIT event and an Incident event.
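The following script is an added example, not part of the Netskope article or product. It builds constructed test files for the Verification step: a real ZIP archive and a plain-text control, each saved under two file names. Uploading all four shows whether the policy's verdict follows the file content or the file name. The file names and output directory are assumptions.

```python
import io
import zipfile
from pathlib import Path

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that starts a non-empty ZIP archive


def build_zip(members):
    """Return the bytes of a ZIP archive holding the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_zip(data):
    """True when the content itself is a ZIP archive, whatever the file is called."""
    return data.startswith(ZIP_LOCAL_HEADER) and zipfile.is_zipfile(io.BytesIO(data))


def build_fixtures():
    """Constructed test files: name -> (content, content_is_zip)."""
    archive = build_zip({"readme.txt": b"constructed DLP test content\n"})
    plain = b"constructed plain text, not an archive\n"
    return {
        "dlp-test-archive.zip": (archive, True),   # ZIP content, .zip name
        "dlp-test-archive.dat": (archive, True),   # same ZIP content, other name
        "dlp-test-plain.txt": (plain, False),      # control: text content
        "dlp-test-plain.zip": (plain, False),      # control: text content, .zip name
    }


def write_fixtures(out_dir):
    """Write the fixtures and return (name, size, content kind) rows for a test log."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    rows = []
    for name, (data, expected_zip) in build_fixtures().items():
        assert is_zip(data) == expected_zip  # sanity-check each fixture before use
        (out / name).write_bytes(data)
        rows.append((name, len(data), "zip" if expected_zip else "not zip"))
    return rows


if __name__ == "__main__":
    for name, size, kind in write_fixtures("dlp-zip-fixtures"):
        print(f"{name:24} {size:5d} bytes  content: {kind}")
```

Record the block/allow result for each file next to the SkopeIT alert and DLP incident it generates.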
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.