Network Data Loss Prevention Policy

The Network Access DLP policy governs the behavior of the Private Company Gateway (PCG). By default, Network Access is set to restricted, forcing all traffic emanating from within the Secure Enclave to use the PCG. As with all DLP policies, this can be applied at the company level, to a group, or to an individual user. This article covers the options available within the Network Access DLP policy.

Unrestricted Network Access

When this setting is selected, applications running within the Secure Enclave will route their traffic to the user's personal internet connection. The traffic will not be encrypted or subject to web policy rules. 

Restricted Network Access

When this setting is enabled, all traffic emanating from the Secure Enclave is routed over the Private Company Gateway, where it is protected and encrypted.

Bypass Options

Domain

When Network access is restricted to the Secure Enclave, there may be a need to route traffic to certain domains outside of the Private Company Gateway. Use cases may include domains associated with VoIP or video applications, to ensure optimal performance. To exclude a domain from routing over the PCG, follow the steps below.

  1. From the DLP Policy screen click Change to the right of Network access from the default policy or from within a group/user override.

  2. Under Bypass options locate Domains.
  3. In the text box to the right, enter the domain you wish to exclude. 

  4. Click the Add button.

  5. Click Apply at the bottom right of the window.

The table below details the correct syntax for the domain bypass option.

Syntax           What it covers
example.com      Includes only the apex or root domain
*.example.com    Includes all subdomains and excludes apex or root domain
*example.com     Includes apex or root domain and subdomains

Network

For TCP traffic only. UDP traffic always routes over the PCG when the network is restricted.
Networks with traffic restricted to Venn are surrounded with a red border.

When Network access is restricted to the Secure Enclave, there may be a need to route traffic to certain networks outside of the Private Company Gateway. Use cases may include a protected website that is accessible from a set of unique IPs distinct from the Private Company Gateway IPs. To exclude a subnet from routing over the PCG, follow the steps below.

  1. From the DLP Policy screen click Change to the right of Network access from the default policy or from within a group/user override.

  2. Under Bypass options locate Networks.
  3. In the text box to the right, enter the subnet you wish to exclude. 
    • Option: Ensure the check box Do not route traffic outside of Venn is marked if you intend to access the subnet using a supported VPN running inside of the Secure Enclave.

  4. Click the Add button.
    • Note: If you checked the box Do not route traffic outside of Venn, the subnet will appear surrounded with a red border, indicating that it will not be routed to the local host.

  5. Click Apply at the bottom right of the window.
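
The three domain bypass syntaxes from the table and the TCP-only rule for network entries, modelled in Python so a proposed bypass list can be checked against sample destinations before it is applied. This is an added example, not Venn code: the function names, the sample entries and the label-boundary matching for `*example.com` are assumptions, and the Do not route traffic outside of Venn option is not modelled.

```python
import ipaddress

def domain_entry_matches(entry, host):
    """Apply the three bypass syntaxes from the table to one hostname."""
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        # *.example.com: subdomains only; the kept leading dot excludes the apex.
        return host.endswith(entry[1:])
    if entry.startswith("*"):
        # *example.com: apex and subdomains.
        # Assumption: subdomains are matched on a label boundary.
        base = entry[1:]
        return host == base or host.endswith("." + base)
    # example.com: apex (root) domain only.
    return host == entry

def network_entry_matches(subnet, dest_ip, proto):
    """Network bypass applies to TCP only; UDP always routes over the PCG."""
    if proto.lower() != "tcp":
        return False
    return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(subnet, strict=False)

def bypass_report(domains, subnets, hosts, flows):
    """Map each sample destination to the bypass entries that cover it."""
    report = {}
    for host in hosts:
        report[host] = [d for d in domains if domain_entry_matches(d, host)]
    for ip, proto in flows:
        report[(ip, proto)] = [s for s in subnets if network_entry_matches(s, ip, proto)]
    return report

if __name__ == "__main__":
    # Constructed sample policy and destinations (reserved documentation names/ranges).
    domains = ["example.com", "*.example.net", "*example.org"]
    subnets = ["203.0.113.0/24"]
    hosts = ["example.com", "www.example.com", "example.net",
             "sip.example.net", "example.org", "media.example.org"]
    flows = [("203.0.113.10", "tcp"), ("203.0.113.10", "udp"), ("198.51.100.7", "tcp")]
    for dest, entries in bypass_report(domains, subnets, hosts, flows).items():
        print(dest, "->", "bypasses PCG via " + ", ".join(entries) if entries else "PCG")
```

A destination that maps to an empty list stays on the PCG; one that maps to an entry you did not intend points to a bypass pattern that is broader than needed.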

Conferencing Apps

When Network access is restricted to the Secure Enclave, there may be a need to route web conferencing app traffic outside of the Private Company Gateway to enhance their performance. To exclude web conferencing app traffic from routing over the PCG, follow the steps below.

  1. From the DLP Policy screen click Change to the right of Network access from the default policy or from within a group/user override.

  2. Under Bypass options locate Conferencing Apps.
  3. Check the box to the right of the option.
  4. Click Apply at the bottom right of the window.

Web conferencing app traffic is excluded based on process name. The process list is managed by Venn. If you need an additional process related to a web conferencing app excluded, please contact the support team.
