
Symantec DLP- Licensing Modules- Simplified for Beginners

Created: 22 Feb 2012 • Updated: 22 Feb 2012 | 7 comments
AR Sharma's picture

In this article, I explain the Symantec DLP licensing modules (under each channel, viz. Endpoint, Network and Data at Rest) and their relation to the Symantec DLP components.

DLP primarily focuses on the following channels for preventing data loss:

1. Endpoints (desktops/laptops), and also tablets in version 11.5

2. Network (email, HTTP/HTTPS, FTP or any TCP protocol), also called Data in Motion

3. Data residing on file servers, NAS and the hard drives of servers, also called Data at Rest

For more details, if you wish, you can check the following two articles also:

Under each of these three channels, the licensing modules are as follows:


1. Endpoint Prevent: This licensing module covers data loss through endpoints such as laptops and desktops. Data loss can include data copied to CD/DVD, USB or floppy drives, print, fax, data copied to another document, and data transmitted through SMTP, FTP, IM etc. when the user is disconnected from the corporate network. It can also optionally display a pop-up to inform users about a possible policy violation.

2. Endpoint Discover: This module can be used to scan staff desktops/laptops for sensitive data stored on them. Once sensitive data is found, it can move the data to a safer location and/or generate an incident so that further action can be taken on it.

Both Endpoint Prevent and Endpoint Discover can be achieved through a single agent deployed on the endpoints (laptops/desktops), but they are licensed separately.

Network (Data in Motion):

1. Network Monitor: This licensing module can be used for monitoring email and/or web traffic. The DLP component can sit inline (where the data flows through the DLP component) or act like a sniffer (SPAN port, mirror port or tap). With this licensing module, only monitoring is possible; there is no prevention.

2. Network Prevent for E-mail: This licensing module is Network Monitor + prevention for email. It can work with an MTA (message transfer agent, like Symantec Brightmail Gateway or IBM Lotus Domino).

3. Network Prevent for Web: This licensing module is Network Monitor + prevention for web traffic. It can work with proxy servers.

Data residing at file server, NAS, hard drives of server (Data at Rest)

1. Network Discover: This licensing module can be used for discovering sensitive and confidential information on databases, file servers, NAS, web sites, desktops, laptops etc.

2. Network Protect: This licensing module is Network Discover + protection. This means that the DLP Network Protect component can automatically relocate, copy or quarantine the exposed confidential data.

Endpoint licenses (Discover and Prevent) are generally user-based. Organizations need to buy them according to the number of deployments being planned. Network Monitor, Network Prevent, Network Discover and Network Protect are generally licensed based on the total number of users in an organization.

Licensing module relation with Symantec DLP components:

DLP components associated with all the above licensing modules are as given below:

Endpoint Prevent and Endpoint Discover: These two are associated with the Endpoint Server component of Symantec DLP, which generally resides in the datacenter. The Endpoint Server connects to the Enforce Server.

Network Monitor, Network Prevent for Email and Network Prevent for Web are themselves DLP components (servers), again residing in the datacenter (LAN or DMZ). Here, the licensing module name and the DLP component name are the same. These also connect to the Enforce Server.

Similarly, like Network Monitor and Network Prevent for Email and Web, Network Discover and Network Protect reside on servers in the datacenter. The Network Discover and Network Protect DLP components connect to the Enforce Server.

So, Enforce Server (or platform) is the base on which all other DLP components are sitting.

Comments

Srikanth_Subra's picture


Thanks & Regards,


"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

AP@sil's picture

Good share AR.

Good article to know the basics!!

kishorilal1986's picture

Hi AR,

Above details are nice. Thanks for sharing.



gribarski's picture

How exactly are the licenses counted?

If I have more than 100 agents installed and I have only 100 licenses for Endpoint Prevent/Discover, what should I expect?

The same goes for the Network Monitor: if I have more users, what behaviour should I expect from the monitor servers?

Is there a detailed document based on this topic?


heathu's picture


What if the Symantec DLP licence for servers has expired?

What issues will there be?
