kgess-mirror/cloudflare-docs
1
0
Fork 0
mirror of https://github.com/cloudflare/cloudflare-docs.git synced 2026-01-11 20:06:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Create DLP troubleshooting (#27207)

Browse source 
Co-authored-by: Max Phillips <mphillips@cloudflare.com>
This commit is contained in:
Justin Wong 2026-01-06 12:00:04 -08:00 committed by GitHub
parent 6cdbeb0222
commit d0cf0a1499
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 66 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx Normal file
View file

@ -0,0 +1,66 @@
---
title: Troubleshoot DLP
pcx_content_type: troubleshooting
sidebar:
order: 5
---
import { Render } from "~/components";
Use this guide to troubleshoot common issues with Data Loss Prevention (DLP).
## DLP policy does not trigger or block content
DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/).
To turn on TLS decryption:
<Render file="gateway/enable-tls-decryption" product="cloudflare-one" />
Once you turn on TLS decryption, you can create a DLP policy to inspect the content of HTTPS requests. For example:
| Selector | Operator | Value | Logic | Action |
| ----------- | -------- | --------------------- | ----- | ------ |
| Domain | in | `box.com` | And | Block |
| DLP Profile | in | _Credit card numbers_ | | |
## DLP scans trigger false positives or block legitimate sites
If your DLP policy is blocking access to business-critical applications (such as Zoho, Google, or internal domains) or generating a high number of false positives, your DLP policy is likely too broad. Profiles such as **Credentials and Secrets** are powerful but can be overly aggressive if not scoped correctly.
### Problematic configuration
Applying a sensitive profile to all traffic causes unnecessary blocks. For example:
| Selector | Operator | Value | Action |
| ----------- | -------- | ------------------------- | ------ |
| DLP Profile | in | _Credentials and Secrets_ | Block |
### Recommended solution
Make your policies more specific. Instead of a catch-all block, create granular policies that target high-risk destinations or user groups.
This policy only blocks uploads of financial data to file-sharing websites for a specific user group, reducing the risk of false positives on other sites.
| Selector | Operator | Value | Logic | Action |
| ------------------ | -------- | ------------------------------- | ----- | ------ |
| Destination Domain | in | `dropbox.com`, `wetransfer.com` | And | Block |
| DLP Profile | in | _Financial Information_ | And | |
| User Group Names | in | `Finance Team` | | |
You can also create policies that match trusted applications using the [**Do Not Scan** action](/cloudflare-one/traffic-policies/http-policies/#do-not-scan).
## DLP detections are inconsistent
If DLP detects sensitive data in plain text but not within images or certain applications, check for the following issues:
- **OCR is turned on**: For DLP to scan text within images (such as a picture of a credit card), you must turn on [Optical Character Recognition (OCR)](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in the corresponding DLP profile.
- **Application-specific behavior**: Some applications, such as WhatsApp Web, use protocols or encryption methods (such as WebSockets) that Gateway may not be able to fully inspect with HTTP policies.
- **Supported file types**: Content must be in a [supported file type](/cloudflare-one/data-loss-prevention/#supported-file-types) for DLP inspection.
## DLP options are missing or you cannot create custom profiles
If you cannot use the _DLP Profile_ selector when creating an HTTP policy or are blocked from creating a custom DLP profile, it typically means one of two things:
1. Incorrect plan. These features require a Zero Trust Enterprise plan. If you believe your account should have this entitlement, contact your account team to confirm your subscription details.
2. Permissions issue. You may not have the required administrative privileges to configure DLP settings. Check with your Cloudflare account administrator.