Data Loss Prevention

  • 1.  DLP Seems Broken

    Posted Oct 29, 2015 11:45 AM

    Hi, it seems that my DLP installation is broken. I don't see any error messages, but my credit card monitoring policy doesn't work at all. The problem is observed with Email Prevent as well as Network Discover. Even though both claim that policies have been loaded successfully, nothing is detected. Any idea on where to start from? I have tried making new policies, restarting the servers and checking their logs, but couldn't find any clear indication of a problem.



  • 2.  RE: DLP Seems Broken

    Posted Oct 29, 2015 12:34 PM

    On further investigation, I found that Network Prevent is not getting any traffic, whereas the ports are open and no issues can be seen in the logs.



  • 3.  RE: DLP Seems Broken

    Posted Oct 29, 2015 01:20 PM

    Just curious to know what version you are on? We are at 12.5.2 and have seen similar issues with traffic being seen but no incidents being generated. Restarting the monitor controller service fixed the issue of incidents not being detected (as though the policies were not working). After restarting it we started seeing incidents. This is concerning because it appears to be intermittent and no events or related alerts are thrown, so we can't be sure when it's working and when it's not. Not a warm and fuzzy feeling.



  • 4.  RE: DLP Seems Broken

    Posted Oct 29, 2015 03:17 PM

    You mentioned the Network Prevent server is not generating traffic at all? When you look at the traffic report for that server, are the counters not increasing? If they aren't increasing, that's your problem. Either things aren't flowing to that server or there is another problem. Once you resolve that we should start seeing incidents.

    If the traffic counters are increasing and you still aren't seeing incidents, we would need to check to see if items are staying in any of the other queues. Once we figure that out we need to see what's going on from there.

    Hope that helps.



  • 5.  RE: DLP Seems Broken

    Posted Oct 30, 2015 07:56 AM

    @Carly, version is 11.5.0.5030. I know that it is old, but it was working so far.

    @Jjesse, counters are not increasing. Apparently there are no errors when I check server view. However, I found this error in the Email Prevent log. Looks like a Java error, thus Email Prevent is not able to maintain the SMTP session. Any idea on how to fix the Java exception issue?

    29/Oct/15:19:38:31:548+0300 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=28 cid=2 local=10.0.6.32:50178 remote=10.2.72.1:25)

    29/Oct/15:19:38:31:548+0300 [INFO] (SMTP_CONNECTION.5203) Forward connection error (tid=28 cid=2 mta=<> reason=<>)

    29/Oct/15:19:38:31:564+0300 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=28 cid=2 local=<> remote=<> reason=java.lang.NullPointerException)

    29/Oct/15:19:38:31:564+0300 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=28 cid=1 local=10.0.6.32:25 remote=10.4.0.90:6616 messages=0 time=0.02s)

    29/Oct/15:19:41:31:235+0300 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=2e cid=1 local=10.0.6.32:25 remote=10.4.0.90:8453)

    29/Oct/15:19:41:31:235+0300 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=2e cid=2 local=10.0.6.32:50199 remote=10.2.72.1:25)

    29/Oct/15:19:41:31:235+0300 [INFO] (SMTP_CONNECTION.5203) Forward connection error (tid=2e cid=2 mta=<> reason=<>)

    29/Oct/15:19:41:31:235+0300 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=2e cid=2 local=<> remote=<> reason=java.lang.NullPointerException)
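    A small correlation helper for the SMTP_CONNECTION lines quoted above, added here as an example and not part of the thread or of Symantec DLP: it groups events by tid, which ties the inbound leg (cid=1) to the forward leg (cid=2), and reports which next-hop MTA the failed forward sessions were going to, so a single misbehaving gateway stands out from the healthy ones. The line layout and field names are inferred from the eight quoted lines; the last two sample lines (remote 10.2.72.2:25, messages=1) are constructed as a healthy contrast.

```python
import re
from collections import defaultdict
# Constructed sample: the first eight lines are the SMTP_CONNECTION entries quoted in the
# thread; the last two (remote 10.2.72.2:25, messages=1) are made up as a healthy contrast.
SAMPLE_LOG = """\
29/Oct/15:19:38:31:548+0300 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=28 cid=2 local=10.0.6.32:50178 remote=10.2.72.1:25)
29/Oct/15:19:38:31:548+0300 [INFO] (SMTP_CONNECTION.5203) Forward connection error (tid=28 cid=2 mta=<> reason=<>)
29/Oct/15:19:38:31:564+0300 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=28 cid=2 local=<> remote=<> reason=java.lang.NullPointerException)
29/Oct/15:19:38:31:564+0300 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=28 cid=1 local=10.0.6.32:25 remote=10.4.0.90:6616 messages=0 time=0.02s)
29/Oct/15:19:41:31:235+0300 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=2e cid=1 local=10.0.6.32:25 remote=10.4.0.90:8453)
29/Oct/15:19:41:31:235+0300 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=2e cid=2 local=10.0.6.32:50199 remote=10.2.72.1:25)
29/Oct/15:19:41:31:235+0300 [INFO] (SMTP_CONNECTION.5203) Forward connection error (tid=2e cid=2 mta=<> reason=<>)
29/Oct/15:19:41:31:235+0300 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=2e cid=2 local=<> remote=<> reason=java.lang.NullPointerException)
29/Oct/15:19:45:02:100+0300 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=31 cid=2 local=10.0.6.32:50211 remote=10.2.72.2:25)
29/Oct/15:19:45:03:900+0300 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=31 cid=1 local=10.0.6.32:25 remote=10.4.0.90:8460 messages=1 time=1.80s)
"""

# timestamp [LEVEL] (SMTP_CONNECTION.code) message (key=value key=value ...)
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<level>\w+)\] \(SMTP_CONNECTION\.(?P<code>\d+)\) "
                     r"(?P<msg>.*?) \((?P<kv>[^()]*)\)$")

def parse_line(line):
    """Fixed fields plus the key=value pairs as one dict, or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("kv")))
    return {"ts": m.group("ts"), "level": m.group("level"),
            "code": int(m.group("code")), "msg": m.group("msg"), **fields}

def failed_forwards(log_text):
    """Correlate by tid (one tid spans the inbound leg, cid=1, and the forward leg, cid=2) and
    return {next-hop MTA: [disconnect reasons]} for forward sessions that failed."""
    sessions = defaultdict(dict)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        s = sessions[ev["tid"]]
        if ev["code"] == 1203:      # forward connection established: remember the next-hop MTA
            s["forward_remote"] = ev["remote"]
        elif ev["code"] == 5203:    # forward connection error
            s["forward_error"] = True
        elif ev["code"] == 5204:    # peer disconnected unexpectedly; reason carries the exception
            s["disconnect_reason"] = ev.get("reason", "")
    result = defaultdict(list)
    for s in sessions.values():
        if "forward_remote" in s and (s.get("forward_error") or "disconnect_reason" in s):
            result[s["forward_remote"]].append(s.get("disconnect_reason") or "unknown")
    return dict(result)

if __name__ == "__main__":
    for mta, reasons in failed_forwards(SAMPLE_LOG).items():
        print(f"{mta}: {len(reasons)} failed forward session(s), reasons={sorted(set(reasons))}")
```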



  • 6.  RE: DLP Seems Broken

    Posted Oct 30, 2015 11:15 AM

    So at this point I would recommend you contact Symantec Support and have them help things out. You will get a faster response from them than with us.

    Please feel free to update us when things get resolved.



  • 7.  RE: DLP Seems Broken

    Trusted Advisor
    Posted Oct 30, 2015 12:59 PM

    Subhani,

    With the SMTP Prevent.. do you know if your Exchange server, or whatever the previous MTA is, is using TLS? If you are using TLS you may need to exchange keys or even turn off TLS, period..

    If Exchange requires TLS then you need to make sure you have exchanged the TLS keys with the DLP Email Prevent server.

    I bet you the issue is that you have TLS turned on. One way to see if it is the TLS handshake that is causing the problem is to do the following...

    • Go to the Advanced settings for the Prevent server and change the following setting:
    • RequestProcessor.AllowExtensions >> 8BITMIME VRFY DSN HELP PIPELINING SIZE ENHANCEDSTATUSCODES STARTTLS
    • Remove 'STARTTLS' from the field referenced above.
    • Recycle the prevent services.

    As far as Network Monitor goes.. are you seeing traffic at all? Make sure you have selected the right network port when you configure the server in the UI. Also make sure to check the right protocols.

    Hope this makes sense.

    If this solves your questions please mark as solved.

    Ronak




  • 8.  RE: DLP Seems Broken

    Posted Nov 01, 2015 09:46 AM

    @Ronak, thanks for your suggestions, however that wasn't the cause. Haven't heard back from Symantec Support yet, however I was able to fix the problem. It seems that it was not able to maintain the inline SMTP session with one of the SMG gateways. Can't pinpoint the exact solution, but it is finally working.

    Another thing to ask is, how can a Discover scan create incidents? I have copied some card data onto a PC and I am trying to scan it via Network Discover, but it is not generating any incidents. Any ideas?



  • 9.  RE: DLP Seems Broken

    Posted Nov 01, 2015 02:36 PM

    Glad you got this to work. Can you make a separate thread about Network Discover and we can work through that?