Enforce DLP for NPA Browser Access Private Apps
Prerequisites
To successfully configure DLP for Browser Access Private App(s) in a policy, the following prerequisites must be met:
- Ensure you have a Publisher already configured.
- Confirm that a SAML reverse proxy IdP is set up for Private Apps.
- Verify that there is a Browser Access app requiring DLP enforcement configured. Note that only HTTP and HTTPS protocols are supported for DLP.
- DLP for NPA Browser Access must be activated through a feature flag.
This is currently a Controlled GA feature. Contact your Sales Representative or Support to enable this feature.
Use Cases
The primary objective is to implement Data Loss Prevention (DLP) controls for private applications accessed via NPA Browser Access.
Configuring DLP safeguards private applications, which often contain highly sensitive information accessed by employees, partners, or both. The goal is to protect confidential data by enabling DLP controls through well-defined policies.
Here are some examples of DLP controls:
- Block the downloading and uploading of confidential information (GDPR & PCI) while allowing the download of non-confidential documents, including the use of machine learning for screenshot detection.
- Prevent the posting of confidential information to a web server.
Create a DLP Policy for NPA Browser Access Private Apps
Policy creation is explained in Create a Real-time Protection Policy for Browser Access to Private Apps.
- Go to Policies > Real-time Protection > New Policy and select DLP.
- For Destination, choose the Browser Access-enabled Private App(s) that require DLP to be applied.
- For Profile & Action, select Add Profile followed by the DLP Profile. A pop-up will appear prompting you to choose the relevant activities. When finished, click Proceed.
- Select the Activities to be included in the criteria, such as Download, Upload, and FormPost.
- Apply the DLP Profile(s) based on your specific requirements. There is an optional configuration available to select the corresponding action for each profile.
An example policy:
Additional Notes
- DLP for NPA utilizes the Universal Connector for activity detection. The supported activities for Browser Access Private Apps with DLP include Upload, Download, and FormPost. The Universal Connector provides best-effort activity detection.
- There is a known issue with Browser Access Private Apps created prior to R123 which may cause a DLP policy to not match. To resolve this issue, either recreate the app, or modify and save it to initiate a re-sync.
- The events for DLP will be logged under Network Events, Alerts, and Incidents, depending on the action taken.
- Private App Tags are not supported in the DLP Policy for NPA Browser Access Private Apps.
- Only HTTP and HTTPS protocols are supported for DLP Policy with NPA Browser Access Private Apps.
- Note that AnyApp Browser Access Apps (RDP/SSH) are not supported. If such a configuration is attempted, a warning message will appear.
- LFS (Large Files Support) is not available for the DLP Policy with NPA Browser Access Private Apps. By default, only files smaller than 16 MB are scanned.
- Transaction events will not be generated for Browser Access DLP traffic, even if transaction events are enabled for web traffic.
- NPA Browser Access Private Apps that use websockets bypass DLP inspection.
- DLP for NPA Browser Access is not supported for tenants hosted in China and the Kingdom of Saudi Arabia MPs.
- The fallback actions configurable under Advanced File Scanning for DLP can be extended to NPA Browser Access Private Apps as well.
- When setting up multiple Browser Access Private Apps that share the same hostname but different ports, it is required to include all apps under one DLP policy. Please review the example below for a workaround.
Example
Private App 1: My-http-app1
- Hostname: myapp.acmegizmo.com
- Port: 80
Private App 2: My-https-app2
- Hostname: myapp.acmegizmo.com
- Port: 443
DLP Policy: A policy name My-app-DLP-Policy is specifically configured to apply only to My-http-app1, i.e., for port 80.
Limitation: In this scenario, both private apps share the hostname myapp.acmegizmo.com but listen on different ports: 80 for My-http-app1 and 443 for My-https-app2. Because the DLP policy covers only the port 80 app, the intended application (My-http-app1 on port 80) may not be correctly identified for DLP, and the policy may fail to match the intended traffic.
Workaround: To mitigate this issue, it is recommended to configure the DLP Policy My-app-DLP-Policy with both applications: My-http-app1 (port 80) and My-https-app2 (port 443).
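The following pre-flight check, added here as an example and not part of Netskope's product or API, flags the two policy mistakes this page describes: a Destination app whose protocol is not HTTP/HTTPS, and a Private App that shares a hostname with a Destination app but was left out of the policy. The PrivateApp and DlpPolicy data classes are an assumed model for the check, not Netskope's schema.

```python
from dataclasses import dataclass

# Assumed data model for the check; field names are not Netskope's REST API schema.
@dataclass(frozen=True)
class PrivateApp:
    name: str
    hostname: str
    port: int
    protocol: str   # "http", "https", "rdp", "ssh", ...

@dataclass(frozen=True)
class DlpPolicy:
    name: str
    destinations: frozenset  # names of Browser Access Private Apps in Destination

DLP_PROTOCOLS = {"http", "https"}  # only HTTP and HTTPS are supported for DLP

def check_policy(policy: DlpPolicy, apps: list) -> list:
    """Return (finding, app_name) pairs; an empty list means the policy looks sound.

    "unknown-app":          a Destination name that matches no configured Private App.
    "unsupported-protocol": a Destination app that is not HTTP/HTTPS (e.g. RDP/SSH).
    "missing-sibling":      an app sharing a hostname with a Destination app but not
                            itself in Destination, so matching may fail (see Example).
    """
    by_name = {a.name: a for a in apps}
    findings, covered_hosts = [], set()
    for name in sorted(policy.destinations):
        app = by_name.get(name)
        if app is None:
            findings.append(("unknown-app", name))
            continue
        if app.protocol.lower() not in DLP_PROTOCOLS:
            findings.append(("unsupported-protocol", name))
        covered_hosts.add(app.hostname.lower())
    for app in apps:
        if app.name not in policy.destinations and app.hostname.lower() in covered_hosts:
            findings.append(("missing-sibling", app.name))
    return findings

# Constructed sample mirroring the Example above.
APPS = [
    PrivateApp("My-http-app1", "myapp.acmegizmo.com", 80, "http"),
    PrivateApp("My-https-app2", "myapp.acmegizmo.com", 443, "https"),
    PrivateApp("Other-app", "other.acmegizmo.com", 443, "https"),
]
BROKEN = DlpPolicy("My-app-DLP-Policy", frozenset({"My-http-app1"}))
FIXED = DlpPolicy("My-app-DLP-Policy", frozenset({"My-http-app1", "My-https-app2"}))

if __name__ == "__main__":
    print(check_policy(BROKEN, APPS))   # [('missing-sibling', 'My-https-app2')]
    print(check_policy(FIXED, APPS))    # []
```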