
Network Monitor policies triggering on inbound SMTP

Created: 24 Sep 2013 | 2 comments

I have a network monitor using WinPcap to monitor a span port on a switch connected to the firewall. The network monitor can see all traffic outbound as well as inbound. Is there a network monitor configuration to tell the monitor to just look at outbound traffic? I have searched the Admin guide, Symantec Connect, and the Symantec/Vontu DLP KB with no results.

Does anyone have any suggestions?


2 Comments

S_A_M

Hi,

You need to use IP and sender filters at the global level. You need to either tell DLP what to monitor (and it will leave the rest) or provide a filter for what not to monitor (and it will monitor everything else).

To setup IP filters for the Vontu Monitor Server:

  1. From Vontu Enforce, in the left pane, go to Administration > Settings > Protocols (if you want to apply to ALL Monitor servers); or go to Administration > System > Overview > Network Monitor server > Configure > Protocol (if you want to apply ONLY to a specific Monitor server).
  2. Add the filter by selecting the protocol you want.
  3. Use the following general syntax for IP filtering: 

    -, <destination> , <source> drops all streams sent to <destination> from <source> 
    +, <destination> , <source> includes all streams sent to <destination> from <source> 

    All filters are processed from top to bottom. Make sure that there is no extra linefeed at the end. Otherwise you will get errors. 
    For example, if you want to exclude only IPs 1.1.1.1 and 2.2.2.2 and keep everything else, you could do the following 

    -,*,1.1.1.1;-,*,2.2.2.2;+,*,* 

    You can also use Classless Inter-Domain Routing (CIDR) notation (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). A filter of +,10.67.0.0/16,*;-,*,* matches all streams going to network 10.67.x.x but does not match any other traffic. 

    Hope this helps.
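The filter syntax above is easy to get backwards, so here is a small evaluator for it. This is an added example, not Symantec's code and not part of the comment above: it implements the syntax as the comment describes it (entries separated by ";", each "<+|->,<destination>,<source>", "*" as a wildcard, plain IPs or CIDR blocks), and it assumes first-match-wins top-to-bottom evaluation, which is the only reading under which the comment's "-,*,1.1.1.1;-,*,2.2.2.2;+,*,*" example does what it says. The 10.67.0.0/16 "internal" network, the 198.51.100.0/24 "Internet" side, the sample streams and the outbound-only filter are all constructed for the example; check the behaviour against a real Monitor server before relying on it.

```python
import ipaddress

# Constructed example, not Symantec/Vontu code. Assumed semantics (from the post):
# entries are separated by ';', each entry is '<+|->,<destination>,<source>',
# '*' is a wildcard, plain IPs and CIDR blocks are accepted, entries are evaluated
# top to bottom and the first matching entry decides whether a stream is monitored.
# A stream that matches no entry is treated as dropped here (assumption).


def _parse_addr(token):
    """Turn '*', an IP, or a CIDR block into a network object (None = wildcard)."""
    token = token.strip(" ")          # spaces around entries are tolerated, as in the post
    if token != token.strip():        # anything else (e.g. a stray linefeed) is an error
        raise ValueError(f"unexpected whitespace in {token!r} (stray linefeed?)")
    if token == "*":
        return None
    return ipaddress.ip_network(token, strict=False)   # '1.1.1.1' becomes 1.1.1.1/32


def parse_filter(spec):
    """Parse a filter string into an ordered list of (include, dst_net, src_net)."""
    rules = []
    for n, entry in enumerate(spec.split(";"), 1):
        parts = [p.strip(" ") for p in entry.split(",")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed filter entry {n}: {entry!r}")
        rules.append((parts[0] == "+", _parse_addr(parts[1]), _parse_addr(parts[2])))
    return rules


def _matches(net, ip):
    return net is None or ipaddress.ip_address(ip) in net


def stream_is_monitored(rules, dst, src):
    """First matching rule wins; an unmatched stream is not monitored (assumption)."""
    for include, dst_net, src_net in rules:
        if _matches(dst_net, dst) and _matches(src_net, src):
            return include
    return False


def apply_filter(spec, streams):
    """Map each (destination, source) stream to True (monitored) or False (dropped)."""
    rules = parse_filter(spec)
    return {(dst, src): stream_is_monitored(rules, dst, src) for dst, src in streams}


# Constructed sample streams as (destination, source) pairs. 10.67.0.0/16 plays the
# internal network and 198.51.100.0/24 the Internet side (both assumptions).
SAMPLE_STREAMS = [
    ("198.51.100.25", "10.67.1.10"),   # outbound SMTP: internal host -> external MX
    ("10.67.1.10", "198.51.100.25"),   # inbound SMTP: external MX -> internal host
    ("10.67.2.20", "10.67.1.10"),      # internal-only
    ("198.51.100.25", "1.1.1.1"),      # neither side internal
]

# The two filters quoted in the post, plus an outbound-only filter written in the
# same syntax (an assumption about how to express the original question):
# drop anything destined for the internal network, keep anything sourced from it,
# drop the rest.
EXCLUDE_TWO_HOSTS = "-,*,1.1.1.1;-,*,2.2.2.2;+,*,*"
ONLY_TO_INTERNAL = "+,10.67.0.0/16,*;-,*,*"
OUTBOUND_ONLY = "-,10.67.0.0/16,*;+,*,10.67.0.0/16;-,*,*"

if __name__ == "__main__":
    for name, spec in [("exclude two hosts", EXCLUDE_TWO_HOSTS),
                       ("only to internal", ONLY_TO_INTERNAL),
                       ("outbound only", OUTBOUND_ONLY)]:
        print(name)
        for (dst, src), monitored in apply_filter(spec, SAMPLE_STREAMS).items():
            print(f"  {src:>15} -> {dst:<15} {'monitor' if monitored else 'drop'}")
    # The trailing linefeed the post warns about leaves whitespace in the last
    # entry, which this parser rejects instead of silently mis-parsing.
    try:
        parse_filter(OUTBOUND_ONLY + "\n")
    except ValueError as e:
        print("rejected:", e)
```

Note the ordering in OUTBOUND_ONLY: the "-,10.67.0.0/16,*" entry has to come before "+,*,10.67.0.0/16", otherwise internal-to-internal streams would be included by the second entry before the first ever sees them. Because the filter is keyed on IP ranges, it also inherits the weakness raised in the next comment: a new relay or proxy outside the listed ranges is silently missed until someone updates the filter.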

stephane.fichet

Hi,

The usual issue I have with using L7 filters is that we are not always aware of new SMTP/proxy servers added by the people in charge of company infrastructure, so you can also:

- ask the network admin to forward you only outbound traffic (if this is what you want to cover with your DLP).

- Another way to detect inbound traffic is that, for most companies, it comes from your company email domain (like @mycompany.com) and email coming from the internet uses a domain other than this one, so you can add a rule in your policies. Unfortunately it means you will have to set this rule in all your policies, and all email will be processed by each policy.

Regards