DLP Agent Configuration

Created: 20 Apr 2012 • Updated: 07 May 2012 | 8 comments
This issue has been solved. See solution.

Hi,

I use DLP Endpoint Prevent ver 11.1.1

I have around 24 file servers in different network segments and I don't want to capture incidents when people transfer data to the file servers, so I went to agent configuration -> IP Filters and wrote this (-,172.21.37.113/32,*;+,*,* ). Actually the list is big; I just took an example of a single server.

But the problem is when I apply configuration, I still get incidents when some data is transferred to this file server.

Can you help?

Let me know if you need further information.

 

Thanks,

Vinodh Stanley

 


yang_zhang's picture

So, you mean 'some data'? Does that mean not all the data that violates your policy can be detected?

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
Syed Hussain -Compliance Devil's picture

Hi,

Can you please analyze the incidents and let me know if you see the data has been transferred via HTTPS or HTTP?

If you see the data has been transferred via HTTPS then there is no problem; all you have to do is have the filter applied to the HTTPS box as well.

Refer to this Example:

-,10.6.232.115/32,*;-,10.0.0.0/8,*;-,132.180.8.41/32,*;-,172.16.4.30/32,*;+,*,*

It works perfectly in my environment :)

Thanks,

-Syed Hussain

 

If a post solves your problem, please flag it as solved. If you like an item, please give it a thumbs up vote.
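
A lint for filter strings in the format quoted in this thread, as an added example that is not part of the original posts or of the product: it checks each entry's shape and CIDR validity and flags entries that can never match. It assumes entries are evaluated left to right with the first match winning, which the thread does not state; `parse_filter`, `covers` and `lint` are hypothetical names.

```python
import ipaddress

def parse_filter(text):
    """Split 'sign,field,field;...' into (sign, net, net) tuples; '*' becomes None."""
    rules = []
    for raw in filter(None, (p.strip() for p in text.split(";"))):
        parts = [f.strip() for f in raw.split(",")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed entry: {raw!r}")
        nets = []
        for field in parts[1:]:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/8
            nets.append(None if field == "*" else ipaddress.ip_network(field, strict=True))
        rules.append((parts[0], nets[0], nets[1]))
    return rules

def covers(outer, inner):
    """True if field 'outer' matches every address that field 'inner' matches."""
    if outer is None:          # '*' matches everything
        return True
    if inner is None:          # a concrete network cannot cover '*'
        return False
    return inner.version == outer.version and inner.subnet_of(outer)

def lint(text):
    """Return findings for a filter string (assumption: first match wins)."""
    rules = parse_filter(text)
    findings = []
    for i, (_, a, b) in enumerate(rules):
        for j in range(i):
            _, pa, pb = rules[j]
            if covers(pa, a) and covers(pb, b):
                findings.append(f"entry {i + 1} is never reached: entry {j + 1} already matches it")
                break
    if not rules or rules[-1][1:] != (None, None):
        findings.append("no trailing catch-all entry (e.g. +,*,*)")
    return findings

if __name__ == "__main__":
    # Constructed input: the thread's single-server entry placed after the catch-all.
    for finding in lint("+,*,*;-,172.21.37.113/32,*"):
        print(finding)
```

As the later replies explain, a clean filter string still has no effect on copies to network shares.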
vstanley's picture

Hi Syed,

Let me check and get back to you.

Thanks,

Vinodh Stanley

vstanley's picture

Hi Syed,

I just checked, it's neither http nor https. :-(

Regards,

Vinodh Stanley

Syed Hussain -Compliance Devil's picture

Hi Vinodh,

Could you please give me more details on this:

1) Let me know if the policy applied to detect data transfer to file servers is on endpoint or network

2) When you see the incidents, could you please look at Type and identify if it indicates mail/globe icon/USB/CD-ROM

The above things will give me a clear picture where it is going on and conclude the root cause of the issue.

 

 

Thanks,

-Syed Hussain

 

vstanley's picture

Hi Syed,

Answers

1. The policy is to track any transfer of data via all possible modes available in DLP

2. The icon against the incidents looks like three small monitors, with the middle monitor on top. It is not a https/http/ftp/ or email icon

 

Regards,

Vinodh Stanley

Syed Hussain -Compliance Devil's picture

Hi Vinodh

The icon which you're referring to as three monitors with one on the top is "Network share"

Currently, DLP does not support IP filter for Network shares. Network share uses UNC and for DLP it is not considered as network event. You can use IP filter for protocols such as HTTP/FTP traffic.

Endpoint File Copies to and from Network Shares does not currently have the ability to use filters to exclude specific destinations or sources. Advise User to put exception of copy to network share in policy in order to ignore monitoring of Endpoint File Copies to and from Network Share.

Enhancement Request has been created to address this issue. Hopefully this will be addressed in future release or any future updates.

Thanks,

-Syed Hussain

 

Syed Hussain -Compliance Devil's picture

Hi Vinodh,

Let me know if your query has been addressed or if you still have any questions in context to this issue.

 

 

 

Thanks,

-Syed Hussain

 

SOLUTION