
How to configure DLP to exclude monitoring a specific network share?

Created: 03 Feb 2013 | 6 comments

Hello,

My DLP Version is 11.5.

I need to make a policy to allow the content to be moved to a specific network share while blocking communication with any other network share.

I've tried to specify it using the option "Recipient Matches Pattern" in the "exception" of a policy, in the rule, placing the IP of the network share in the field "IP Address", but it didn't work.

Is it possible to implement such a requirement in DLP 11.5?


stumunro's picture

ozadsun,

Copy and/or quarantine will do this in the Discover option of moving it to a share... It may also be better to break out your scans to have scans for \\fs1\sales, \\fds\engineering. I will break mine out sometimes to avoid longer scans on certain servers, or scan different shares on the same server on different nights.

 

kishorilal1986's picture

Hi Oza,

Please refer

 

Currently, DLP does not support IP filters for network shares. A network share uses UNC, and for DLP it is not considered a network event. You can use IP filters for protocols such as HTTP/FTP traffic.

Endpoint File Copies to and from Network Shares does not currently have the ability to use filters to exclude specific destinations or sources. Advise User to put exception of copy to network share in policy in order to ignore monitoring of Endpoint File Copies to and from Network Share.

Helpful links

http://www.symantec.com/connect/forums/how-configu...

http://www.symantec.com/connect/forums/how-configu...

kishorilal1986's picture

Please also refer below

To setup IP filters for the Vontu Monitor Server:

  1. From Vontu Enforce, in the left pane, go to Administration > Settings > Protocols (if you want to apply to ALL Monitor servers); or go to Administration > System > Overview > Network Monitor server > Configure > Protocol (if you want to apply ONLY to a specific Monitor server).
  2. Add the filter by selecting the protocol you want.
  3. Use the following general syntax for IP filtering:

    -, <destination> , <source>    drops all streams sent to <destination> from <source>
    +, <destination> , <source>    includes all streams sent to <destination> from <source>

    All filters are processed from top to bottom. Make sure that there is no extra linefeed at the end. Otherwise you will get errors.
    For example, if you want to exclude only IPs 1.1.1.1 and 2.2.2.2 and keep everything else, you could do the following:

    -,*,1.1.1.1;-,*,2.2.2.2;+,*,*

    You can also use Classless Inter Domain Routing (CIDR) notation (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). A filter of +,10.67.0.0/16,*;-,*,* matches all streams going to network 10.67.x.x but does not match any other traffic.

    For more information on filtering and protocols, open the online help from Administration > Settings -> Protocols.
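The filter syntax in the post above can be checked offline before it is pasted into Enforce. The following is an added example, not part of the thread or of Symantec's code: the function names are hypothetical, the sample addresses are constructed, and it assumes that the first matching entry decides a stream's fate, which is what "processed from top to bottom" and the two sample filters imply.

```python
import ipaddress

def _net(spec):
    # '*' is the wildcard; anything else must parse as an IP or CIDR block.
    return None if spec == "*" else ipaddress.ip_network(spec, strict=False)

def _hit(net, addr):
    return net is None or ipaddress.ip_address(addr) in net

def parse_filter(text):
    """Parse 'sign,destination,source;...' into (include, dst_net, src_net) rules."""
    if text != text.strip():
        # The post warns that an extra linefeed at the end causes errors.
        raise ValueError("leading/trailing whitespace or linefeed in filter")
    rules = []
    for entry in text.split(";"):
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed entry: {entry!r}")
        sign, dst, src = parts
        rules.append((sign == "+", _net(dst), _net(src)))
    return rules

def is_monitored(rules, dst, src):
    """First matching rule decides (assumption); None means no rule matched."""
    for include, dst_net, src_net in rules:
        if _hit(dst_net, dst) and _hit(src_net, src):
            return include
    return None

def unreachable(rules):
    """Indexes of rules placed after a '*,*' catch-all; they can never fire."""
    for i, (_, dst_net, src_net) in enumerate(rules):
        if dst_net is None and src_net is None:
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    # Constructed sample streams: (destination, source)
    streams = [("10.67.4.9", "192.0.2.10"), ("10.68.0.1", "192.0.2.10")]
    rules = parse_filter("+,10.67.0.0/16,*;-,*,*")
    for dst, src in streams:
        print(dst, src, "monitored" if is_monitored(rules, dst, src) else "dropped")
    # A catch-all listed first silently disables every later exclusion.
    print("dead rules:", unreachable(parse_filter("+,*,*;-,*,1.1.1.1")))
```

Running the check on a proposed filter shows which streams would fall out of monitoring and flags entries that sit behind a catch-all and so never take effect.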

Salim Shaikh786's picture

Hi Ozard,

As shown above, you can use an IP filtering rule to exclude monitoring a specific network share in an exception rule. Else route their traffic from where DLP can't monitor.

kishorilal1986's picture

Hi Oza, I hope the above response/resolution might have helped you with your requirement.

You can use not only the IP filtering solution but also domain filtering (-/+www.gmail.com,*) etc. for the above thread.

Check the above thread and let me know if you need anything more on this.