Data Filtering Does Not Take Effect

Data filtering is configured on the FW to prevent the content containing the specified keywords from being transmitted between security zones. However, the content that should be filtered out is transmitted during the test.

Cause one: The traffic does not match the correct security policy.

Cause two: No data filtering profile or an incorrect profile is referenced in the security policy.

Cause three: The matching conditions in data filtering rules are incorrectly configured.

Cause four: The desired keyword is not defined.

Cause five: The action in data filtering rules is Alert.

Cause six: The action in data filtering rules is By-Threshold, but the sum of keyword weights is less than the block threshold.

1. Cause one: The traffic does not match the correct security policy.
   1. Choose Monitor > Log > Policy Matching Log.
   2. Click Advanced Search on the upper right of the UI and select a value for Source User and Application.
      • Source User: Select a user name that is used for tests, for example, user_0001.
      • Application: Select a protocol or application program that is used for tests.

   3. Click Search.
   4. In the security policy matching logs that are displayed, you can check whether the test traffic matches the correct security policy.
      • If no, choose Policy > Security Policy > Security Policy to fine-tune security policy sequence or parameters.
      • If yes, go to 2.

2. Cause two: No data filtering profile or an incorrect profile is referenced in the security policy.
   1. Click the security policy that is matched in 1. The Modify Security Policy dialog box is displayed. You can view the referenced data filtering profile in the dialog box.
      • If no data filtering profile or an incorrect profile is referenced in the security policy, select the desired data filtering profile.
      • If the correct data filtering profile is referenced in the security policy, go to 3.

3. Cause three: The matching conditions in data filtering rules are incorrectly configured.
   1. Click Configure to the right of Data Filtering.
   2. Verify the matching conditions of data filtering rules in the Modify Data Filtering Profile interface.

      Check whether conditions Application, File Type, and Direction of each rule can match all files to be blocked.

      • If a condition is incorrect, modify the data filtering rule.
      • If all conditions are correct, go to 4.

4. Cause four: The desired keyword is not defined.
   1. Choose Object > Keyword Group.
   2. Click the keyword group referenced in the data filtering profile and check whether keywords in Keyword List contain any keyword that does not need to be filtered out.
      • If no, modify the configuration of the keyword group.
      • If yes, go to 5 or 6.

5. Cause five: The action in data filtering rules is Alert.
   1. Check the actions of data filtering rules in the Modify Data Filtering Profile interface.
      • If the action is Alert and is the same as that in data planning, transmitting and logging the content is a normal operation.
      • If the action is Alert but the planned action is Block or By-Threshold, change the action.

6. Cause six: The action in data filtering rules is By-Threshold, but the sum of keyword weights is less than the block threshold.
   

   You need to perform multiple tests to tune the block threshold and keyword weight.
   1. Choose Object > Security Profiles > Data Filtering to view the block threshold. If the value is too large, change it to a smaller value.
   2. Choose Object > Keyword Group to view the weight of a keyword. If the value is too small, change it to a larger value.