Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Common DLP policies

The following in-line DLP policies are commonly used to secure data in uploaded and downloaded files.

​​ Log uploads/downloads

The Allow action functions as an implicit logger, providing visibility into where your sensitive data is going without impacting the end user experience. The following example scans for your enabled Financial Information profile entries when users upload or download data to file sharing apps.

Policy name
Log Financial Information file sharing
SelectorOperatorValue
DLP ProfileinFinancial Information
Content CategoryinFile Sharing
Action
Allow

​​ Block file types

Block the upload or download of files based on their type.

SelectorOperatorValueLogicAction
Upload File TypeinMicrosoft Office Word Document (docx)AndBlock
Download File TypeinPDF (pdf)

​​ Block uploads/downloads for specific users

You can configure access on a per-user or group basis by adding identity-based conditions to your policies. The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps.

Policy name
Block Financial Information file sharing for contractors
SelectorOperatorValue
DLP ProfileinFinancial Information
Content CategoryinFile Sharing
User Group NamesinContractors
Action
Block

​​ Exclude Android applications

Many Android applications (such as Google Drive) use certificate pinning, which is incompatible with Gateway inspection. If needed, you can create a Do Not Inspect policy so that the app can continue to function on Android:

  1. Set up an OS version device posture check that checks for the Android operating system.

  2. Create the following HTTP policy in Gateway:

    Policy name
    Do not DLP Google Drive on Android
    SelectorOperatorValue
    Passed Device Posture ChecksinOS Version Android
    ApplicationinGoogle Drive
    Action
    Do Not Inspect

Android users can now use the app, but the app traffic will bypass DLP scanning.

​​ Exclude specific sites

In your DLP logs, you may find that certain sites are a common source of noise. To exempt these sites from DLP scanning:

  1. Create a list of hostnames or URLs.

  2. Exclude the list from your DLP policy as shown in the example below:

    Policy name
    Block Financial Information uploads to Google Drive
    SelectorOperatorValue
    DLP ProfileinFinancial Information
    ApplicationinGoogle Drive
    Domainnot in listDo not DLP - SSN
    Action
    Block