Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB
Multiple filters are needed in this case, and the order in which they are applied is important. Because there is no mechanism to move filters within the sensor, they must be added to the sensor in the order in which they should be applied.
1. Go to Security Profile > Data Leak Prevention.
2. Use the Create New icon to add a new sensor.
Use the following values:
    Name: large_emails
    Comment: <optional>
Once the Sensor has been created, a new filter will need to be added.
3. Create the filter to block the emails over 15 MB. In the filters table select Create New.
Use the following values:
    Filter: Messages
    Filter option: File Size >=
    KB: 15360 (1 MB = 1024 KB, 15 MB = 15 x 1024 KB = 15360 KB)
    Examine the Following Services: Make sure all of the Email services are being examined.
    Action: Set action to Block.
Select OK.
4. Create the filter to log emails between 5 MB and 15 MB. In the filters table select Create New.
Use the following values:
    Filter: Messages
    Filter option: File Size >=
    KB: 5120 (1 MB = 1024 KB, 5 MB = 5 x 1024 KB = 5120 KB)
    Examine the Following Services: Make sure all of the Email services are being examined.
    Action: Set action to Log Only.
Select OK.
The block filter is placed first because the filters are applied in sequence: once the traffic triggers a filter, the action is applied and then the traffic is passed on to the next test. If the Log Only filter, which checks for anything of 5 MB or more, were triggered first, it would also match traffic over 15 MB, so a 16 MB file would only be logged. In the described order, the 16 MB file will be blocked and a file between 5 MB and 15 MB will be logged.
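The ordering argument above can be checked with a small model. This is an added example, not FortiOS code or configuration: it assumes the first filter a message triggers decides the action, and the filter names and sample sizes are constructed for illustration.

```python
"""Toy model of an ordered DLP sensor: the first filter whose size threshold
is met decides the action (assumed first-match semantics, per the text)."""

KB_PER_MB = 1024

# (hypothetical name, "File Size >=" threshold in KB, action),
# listed in the order the filters were added to the sensor.
DOCUMENTED_ORDER = [
    ("block_over_15mb", 15 * KB_PER_MB, "block"),     # 15360 KB
    ("log_over_5mb", 5 * KB_PER_MB, "log-only"),      # 5120 KB
]
REVERSED_ORDER = list(reversed(DOCUMENTED_ORDER))


def evaluate(filters, size_kb):
    """Return the action of the first filter the message size triggers."""
    for _name, threshold_kb, action in filters:
        if size_kb >= threshold_kb:
            return action
    return "allow"  # no filter triggered


def shadowed_filters(filters):
    """Names of filters that can never trigger because an earlier filter
    with a lower or equal threshold already matches everything they match."""
    shadowed = []
    lowest_so_far = None
    for name, threshold_kb, _action in filters:
        if lowest_so_far is not None and threshold_kb >= lowest_so_far:
            shadowed.append(name)
        if lowest_so_far is None or threshold_kb < lowest_so_far:
            lowest_so_far = threshold_kb
    return shadowed


if __name__ == "__main__":
    for size_mb in (3, 6, 16):  # constructed sample message sizes
        size_kb = size_mb * KB_PER_MB
        print(f"{size_mb:>2} MB  "
              f"documented={evaluate(DOCUMENTED_ORDER, size_kb):8}  "
              f"reversed={evaluate(REVERSED_ORDER, size_kb)}")
    print("shadowed in reversed order:", shadowed_filters(REVERSED_ORDER))
```

Running `shadowed_filters` over a planned filter list before creating the filters catches a block rule that would never fire, which matters here because the sensor offers no way to reorder filters afterwards.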