Data Loss Prevention

  • 1.  Impossibility: two enforce servers reporting to the same DB

    Posted Jul 03, 2016 12:07 AM
    Hi all, what is the exact reason why two Enforce servers couldn't have the same database? The reason I guess is that Enforce server 1 and Enforce server 2 may generate the same incident ID, which may lead to an ambiguous state in the database. Is it so? Or is there something else? Thank you.


  • 2.  RE: Impossibility: two enforce servers reporting to the same DB

    Trusted Advisor
    Posted Jul 04, 2016 03:19 AM

    hello,

    There are different kinds of possible issues running several Enforce servers on the same DB.

    - Encryption: encryption keys are managed by Enforce, so you may have some issues reading incidents from several Enforce servers. There are some ways to manage this by sharing the same master key.

    - Object IDs: I don't know exactly how IDs are managed by the DLP UI, but I am afraid that Enforce will try to create some objects with the same IDs. As IDs are table keys, this will lead to multiple DB errors.

    - Operation locks are not managed by the DB but by the UI, so this will allow multiple updates on the same object, and I don't know what will happen at the end (I think the last one who clicks on the "save" button will win the game... sorry for the other one :) )

    By design DLP is not ready to manage two active Enforce servers at the same time (you may have one active and one passive), so you may also have some other "surprises" doing so.

     Regards.
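
The three failure modes listed in the reply above (colliding object IDs when each server allocates keys from its own counter, and "last save wins" when locking lives in the UI rather than the database) can be reproduced in a few lines against an in-memory SQLite table. This is an added illustration, not Symantec DLP code; the `incident` table, the two hypothetical servers and the `version` column are constructed for the demonstration, and nothing here reflects how Enforce actually assigns IDs (the reply itself says that is unknown).

```python
import sqlite3

# Constructed schema for the demonstration; it is not the real DLP incident table.
SCHEMA = """
CREATE TABLE incident (
    incident_id INTEGER PRIMARY KEY,
    source      TEXT    NOT NULL,
    status      TEXT    NOT NULL DEFAULT 'new',
    version     INTEGER NOT NULL DEFAULT 1
);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class AppSideIdWriter:
    """Hypothetical server that hands out incident IDs from its own in-memory counter.

    Two such servers sharing one database know nothing about each other's
    counters, so both eventually pick the same primary key.
    """

    def __init__(self, name, conn):
        self.name = name
        self.conn = conn
        self.next_id = 1  # each instance starts its own sequence at 1

    def persist(self):
        incident_id = self.next_id
        self.next_id += 1
        self.conn.execute(
            "INSERT INTO incident (incident_id, source) VALUES (?, ?)",
            (incident_id, self.name),
        )
        self.conn.commit()
        return incident_id


def simulate_app_side_ids():
    """Return True if the second server's insert collides with the first's key."""
    conn = fresh_db()
    server_a = AppSideIdWriter("enforce-A", conn)
    server_b = AppSideIdWriter("enforce-B", conn)
    server_a.persist()  # allocates incident_id 1
    try:
        server_b.persist()  # also allocates incident_id 1 -> UNIQUE constraint failed
    except sqlite3.IntegrityError:
        return True
    return False


def simulate_db_side_ids():
    """Let the database allocate the keys instead; both servers insert without conflict."""
    conn = fresh_db()
    ids = []
    for name in ("enforce-A", "enforce-B"):
        cur = conn.execute("INSERT INTO incident (source) VALUES (?)", (name,))
        ids.append(cur.lastrowid)
    conn.commit()
    return tuple(ids)


def update_with_version_check(conn, incident_id, expected_version, new_status):
    """Optimistic lock in the DB: the UPDATE applies only if the row still has
    the version the caller read, so a stale second writer gets rowcount 0."""
    cur = conn.execute(
        "UPDATE incident SET status = ?, version = version + 1 "
        "WHERE incident_id = ? AND version = ?",
        (new_status, incident_id, expected_version),
    )
    conn.commit()
    return cur.rowcount == 1


def simulate_concurrent_edit():
    """Two UIs read the same incident, then both save; returns (first_ok, second_ok, final_status)."""
    conn = fresh_db()
    cur = conn.execute("INSERT INTO incident (source) VALUES ('enforce-A')")
    incident_id = cur.lastrowid
    conn.commit()
    version_seen = conn.execute(
        "SELECT version FROM incident WHERE incident_id = ?", (incident_id,)
    ).fetchone()[0]
    first_saved = update_with_version_check(conn, incident_id, version_seen, "resolved")
    second_saved = update_with_version_check(conn, incident_id, version_seen, "dismissed")
    final_status = conn.execute(
        "SELECT status FROM incident WHERE incident_id = ?", (incident_id,)
    ).fetchone()[0]
    return first_saved, second_saved, final_status


if __name__ == "__main__":
    print("app-side IDs collide:", simulate_app_side_ids())
    print("db-side IDs:", simulate_db_side_ids())
    print("concurrent edit (first, second, final):", simulate_concurrent_edit())
```

The point of the two ID functions is that the collision is a property of where the sequence lives, not of the table: when the database owns the key, concurrent writers are fine; when each application instance owns its own counter, a second instance is a guaranteed collision. The version-check function shows the alternative to UI-held locks that the reply describes: with the check in the database, the second "save" is rejected instead of silently overwriting the first.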



  • 3.  RE: Impossibility: two enforce servers reporting to the same DB

    Posted Jul 04, 2016 02:48 PM

    What is the reason for doing this? If you are trying to get reporting from multiple Enforce servers, you should leverage a separate DB for both Enforce servers, and then IT Analytics can report across multiple Enforce systems (DBs).



  • 4.  RE: Impossibility: two enforce servers reporting to the same DB
    Best Answer

    Broadcom Employee
    Posted Jul 07, 2016 09:06 AM

    The main reason is that all control comes from the Enforce server for each detection server. In the event two Enforce servers were connected to the same database AND had the Monitor Controller service active, they would both be fighting for the same detection servers, so it would not be deterministic which Enforce would receive the incident to persist into the database.


    As Johnathan Jesse asked, what are you attempting to achieve? The main reasons for separate Enforce servers have to do with either separate organizations or separate regulatory environments (i.e. US, EMEA, APAC, etc.), where there isn't a technical reason for the split but a larger reason. If you want to unify reporting you can use IT Analytics as suggested by Johnathan. If you want to achieve policy consistency (perhaps between dev and test?) you can export the policy from one and import it into the other. As of DLP 14.5 this applies to all parts of the policy (both detection and response rules).




  • 5.  RE: Impossibility: two enforce servers reporting to the same DB

    Posted Jul 08, 2016 03:17 AM

    Thanks all.


    I asked just to know.