Transmission of Normal Content Is Affected by Data Filtering

Data filtering is configured on the FW to prevent the content containing the specified keywords from being transmitted between security zones. However, the content that does not contain keywords cannot be transmitted.

Cause one: The traffic does not match the correct security policy.

Cause two: The traffic is blocked by another security function.

Cause three: The data filtering profile is incorrectly configured.

Cause four: The keyword group is incorrectly configured.

Cause five: The weight of a keyword is too high, or the block threshold is too low.

1. Cause one: The traffic does not match the correct security policy.
   1. Choose Monitor > Log > Policy Matching Log.
   2. Click Advanced Search on the upper right of the UI and select a value for Source User and Application.
      • Source User: Select an intranet user that uploads or downloads files, for example, user_0001.
      • Application: Select a protocol or application program that an intranet user uses to upload or download files.

   3. Click Search.
   4. In the security policy matching logs that are displayed, you can check whether the upload or download traffic matches the correct security policy.
      • If no, choose Policy > Security Policy > Security Policy to fine-tune security policy sequence or parameters.
      • If yes, go to 2.

2. Cause two: The traffic is blocked by another security function.
   1. Click the security policy that is matched in 1. The Modify Security Policy dialog box is displayed. You can view the referenced profile in the dialog box.
   2. Query logs based on the referenced profile.
      • To view antivirus or intrusion prevention logs, choose Monitor > Log > Threat Log
      • To view URL logs, choose Monitor > Log > URL Log.
      • To view data filtering, file blocking, or application behavior control logs, choose Monitor > Log > Content Log.

   3. On the log interfaces, click Advanced Search on the upper right and then select a value for Security Policy.
   4. Click Search to view the logs that are displayed, find the log in which the Action is Block, and check the profile of this log.

      • If the traffic is blocked by a data filtering profile, go to 3.

      • If the traffic is blocked by a profile of another type, view the profile and determine whether the traffic needs to be blocked.

        • If yes, the fault diagnosis process ends.
        • If no, tune the parameters of the profile.

3. Cause three: The data filtering profile is incorrectly configured.
   1. Click the data filtering profile that is matched in 2. The Modify Data Filtering Profile dialog box is displayed. You can view the referenced data filtering rules in the dialog box.
   2. Tune the parameters of the data filtering rules to ensure that these rules do not match any normal content.
4. Cause four: The keyword group is incorrectly configured.
   1. Choose Object > Keyword Group.
   2. Click the keyword group referenced in the data filtering profile and check whether keywords in Keyword List contain any keyword that does not need to be filtered out.
      • If yes, modify the configuration of the keyword group.
      • If no, go to 5.

5. Cause five: The weight of a keyword is too high, or the block threshold is too low.
   

   You need to perform multiple tests to tune the block threshold and keyword weight.
   1. Choose Object > Security Profiles > Data Filtering to view the block threshold. If the value is too small, change it to a larger value.
   2. Choose Object > Keyword Group to view the weight of a keyword. If the value is too large, change it to a smaller value.