
Create IP filter list to exclude monitoring an internal IP address

Created: 31 Dec 2012 | 8 comments

Dears,

Hi

There is an HTTP server in the network.

Users upload files to that HTTP server but they claim that it is very slow, and in fact, after stopping the DLP agent on the machines, the issue is resolved!

-I have attached an example of an incident which is being detected while users are uploading to that IP address.

-I have added a screenshot which shows the IP filter which I have created for that server.

-Please let me know if I have to add another type of exclusion in addition to the IP filter list.

-I am using DLP Endpoint Standard.

 

Best Regards


yang_zhang's picture

Your IP filter :

-,10.132.58.92/32,*;+,*,*

is correct.

So, you mean: after you create this IP filter, your DLP Agent still triggers an incident when you upload a file to your server?

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
shahram.dehghani's picture

Dear Yang_Zhung,

That IP Filter worked.

Would you please let me know whether this is correct for adding the second IP to be excluded?

-,10.132.58.92/32,10.132.58.93/32,*;+,*,*

shahram.dehghani's picture

Dear Pete,

That IP Filter worked.

Would you please let me know whether this is correct for adding the second IP to be excluded?

-,10.132.58.92/32,10.132.58.93/32,*;+,*,*

 

kishorilal1986's picture

Hi Shahram,
I think what you mentioned above is the correct one, but I think you should add "-" before adding the second IP filtering rule.

DLP Solutions2's picture

You have it close...

-,10.132.58.92/32,*;-,10.132.58.93/32,*;+,*,*

The way the nomenclature works is:

(+ or -), destination IP, source IP;(+ or -), destination IP, source IP

so in your case it would be like the following

-,10.132.58.92/32,*;-,10.132.58.0/24,*;+,*,*

Also, when on that page, click on the online help. It outlines this as well.

If this answers your question please mark this as solved

Ronak

Please make sure to mark this as a solution to your problem, when possible.

kishorilal1986's picture

Hi Shahram,

Just put an exclusion rule in the IP filtering config. You can do this by inserting it in the agent configuration.

To setup IP filters for the Vontu Monitor Server:

  1. From Vontu Enforce, in the left pane, go to Administration > Settings > Protocols (if you want to apply to ALL Monitor servers); or go to Administration > System > Overview > Network Monitor server > Configure > Protocol (if you want to apply ONLY to a specific Monitor server).
  2. Add the filter by selecting the protocol you want.
  3. Use the following general syntax for IP filtering:

    -, <destination> , <source> drops all streams sent to <destination> from <source>
    +, <destination> , <source> includes all streams sent to <destination> from <source>

    All filters are processed from top to bottom. Make sure that there is no extra linefeed at the end. Otherwise you will get errors.
    For example, if you want to exclude only IPs 1.1.1.1 and 2.2.2.2 and keep everything else, you could do the following:

    -,*,1.1.1.1;-,*,2.2.2.2;+,*,*

    You can also use Classless Inter Domain Routing (CIDR) notation (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). A filter of +,10.67.0.0/16,*;-,*,* matches all streams going to network 10.67.x.x but does not match any other traffic.

    For more information on filtering and protocols, open the online help from Administration > Settings > Protocols.

Just refer to the important threads below. I hope this will resolve your concern.

https://www-secure.symantec.com/connect/forums/int...

https://www-secure.symantec.com/connect/forums/dlp...

https://www-secure.symantec.com/connect/forums/nee...
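
An added illustration, not Symantec's code and not part of any post above: a small Python evaluator for the filter syntax discussed in this thread, useful for checking what a filter string would exclude before deploying it. It assumes the first matching rule decides (the "top to bottom" reading) and that `*` matches any address; the function names and the test addresses are constructed.

```python
import ipaddress

# Filters quoted in the thread above.
TWO_HOSTS = "-,10.132.58.92/32,*;-,10.132.58.93/32,*;+,*,*"
SUBNET = "-,10.132.58.92/32,*;-,10.132.58.0/24,*;+,*,*"
MALFORMED = "-,10.132.58.92/32,10.132.58.93/32,*;+,*,*"  # four fields in rule 1

def _net(spec):
    # '*' matches any address; otherwise a single IP or a CIDR block.
    return None if spec == "*" else ipaddress.ip_network(spec, strict=False)

def parse_filter(text):
    """Split 'action,destination,source;...' into (include, dst_net, src_net) rules."""
    rules = []
    for raw in text.strip().split(";"):
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"bad rule {raw!r}: expected (+ or -),destination,source")
        rules.append((fields[0] == "+", _net(fields[1]), _net(fields[2])))
    return rules

def is_monitored(rules, dst_ip, src_ip):
    """True/False from the first matching rule (assumed semantics); None if no rule matches."""
    dst, src = ipaddress.ip_address(dst_ip), ipaddress.ip_address(src_ip)
    for include, dst_net, src_net in rules:
        if (dst_net is None or dst in dst_net) and (src_net is None or src in src_net):
            return include
    return None

def excluded_destinations(filter_text, destinations, src_ip="10.1.1.5"):
    """List the destinations a filter drops from monitoring (src_ip is a constructed client)."""
    rules = parse_filter(filter_text)
    return [d for d in destinations if is_monitored(rules, d, src_ip) is False]

if __name__ == "__main__":
    hosts = ["10.132.58.92", "10.132.58.93", "10.132.58.200", "192.0.2.10"]  # constructed
    print("two /32 rules exclude:", excluded_destinations(TWO_HOSTS, hosts))
    print("/24 rule excludes:   ", excluded_destinations(SUBNET, hosts))
    try:
        parse_filter(MALFORMED)
    except ValueError as err:
        print("rejected:", err)
```

The /24 variant also drops 10.132.58.200 from monitoring, so an exclusion wider than the servers that need it reduces DLP coverage for the rest of that subnet.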