Data Loss Prevention

Hello everyone!

I'm testing new version of DLP, 12.5, and have found some strange stuff I haven't found in earlier versions:

I set up a Endpoint Server and a client. Just test some random policies and I found out that the Enforce takes longer to receive the policy on Incidents page.

See the traffic and the Endpoint Server count a number of incidents

Which differs from the count when I have a look at the Server Overview:

And it actually takes some time to update the incidents count and to show it on the Incident Reports. 

When look at the incident finally receive, I see there's a difference in timing between Occured on and Reported on status. And sometimes, timing in between can be up to 9 to 30 minutes.

Has anybody had this problem before? I'm finding it on this new version and wonder if it's a bug?

Thanks in advance.

This is becuase version 12.5 onwards agent have transient connection to enforce server to scale for handling more endpoint agents. You can revert to real-tile connection if no. of endpoints reporting to the enforce server are less than 10000.

To revert change advanced agent settings to: -

EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.in=10

EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int=0

Endpoint Server Setting: -

ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS= 15

Thanks Tariq!

This is the proper configuration for real-time connection.

I should review the DLP 12.5 admin guide, as I see quite a few changes in this version.