Referrer Allow Rule Not Working

  • 21 October 2023
  • 0 replies
  • 72 views

I have a Real Time Protection DLP rule that is blocking uploads to unauthorized cloud storage sites. This rule hit when a user uploaded an invoice to a platform we use, Divvy. Divvy's storage is backed by S3. As such, the event shows that there was an Upload action on S3, with the referrer being https://app.divvy.co.

 

As this platform is trusted and will be in frequent use, I want to whitelist these actions. As such, I:

  • created a HTTP Header policy, designating that I want to check the Referrer header, and set the value to https://app.divvy.co
  • created a RTP policy above the the existing DLP policy that is blocking (well, alerting the user on) the upload. The policy allows Upload to S3 if the referrer matches the one I created above.
    NOTE: The Allow policy, while above the Block policy, is in a different policy group. I don't think this matters, but figured it was worth stating.

 

Of course - you know where this is going. The action continues to be alerted on, despite the explicit allow. I have added screenshots to demonstrate the policies, placement, and alert. Any guidance is helpful, as it seems to me this should be working, so I am left thinking I have a fundamental misunderstanding of how the policies function.


0 replies

Be the first to reply!

Reply