Data Loss Prevention

Policy order of execution

  • 1.  Policy order of execution

    Posted May 10, 2013 01:08 PM

    I'm using Sym DLP v11.1.  Is there a way to order the execution of policies for email and web prevent?



  • 2.  RE: Policy order of execution

    Broadcom Employee
    Posted May 10, 2013 01:18 PM

    Are you using both?

    When the user sends email, it checks with the MTA for policy and then takes the necessary action; similarly, for HTTP/FTP the Web Prevent server of DLP will take the action.



  • 3.  RE: Policy order of execution

    Posted May 10, 2013 01:28 PM

    I have a 3-tier implementation using both types of detection servers in forwarding mode. I'm hoping the order of policy execution can be controlled by a config file on the Enforce server rather than on individual detection servers.



  • 4.  RE: Policy order of execution

    Trusted Advisor
    Posted May 13, 2013 02:18 AM

    Hi Jeff,

    I didn't understand your point, as Mail and Web Prevent don't apply to the same type of message (one for mail and one for HTTP/FTP requests). Why do you want to order them? Each server (Web and Mail Prevent) will apply policy to the messages it receives.

    You can deploy policies on a specific server using different policy groups (one for Mail Prevent and one for Web Prevent), but you can't define the way or any priority between the policies.

    Regards



  • 5.  RE: Policy order of execution

    Posted May 13, 2013 08:11 AM

    Let me rephrase the question.  Can I control the order in which email prevent policies are executed when an email message is inspected?



  • 6.  RE: Policy order of execution

    Trusted Advisor
    Posted May 13, 2013 08:21 AM

    No Jeff, you can't. And your email will be analyzed by all policies; you cannot stop execution of policies if one policy has matched.



  • 7.  RE: Policy order of execution

    Posted May 13, 2013 08:49 AM

    If it matters, the intent is not to stop any policy, just to control the order in which they execute.



  • 8.  RE: Policy order of execution

    Broadcom Employee
    Posted May 13, 2013 10:17 AM

    It will be checking for all policies applied for the server.



  • 9.  RE: Policy order of execution

    Posted May 14, 2013 12:48 PM

    I think it is based on the creation of policies in the policy list. But execution of rules is like: exclude first, then scan to include.



  • 10.  RE: Policy order of execution

    Posted May 16, 2013 04:10 PM

    Jeff,

    If I remember some detailed debug logs, it may be that the work is done in order of creation of the policies.  I seem to recall the policy numbers were increasing in the log.

    I do know that exceptions are processed first and then rules.  Both types are evaluated in order of increasing "cost".

    I also recall that a particular rule is only evaluated once and the results used by any other policy that has that rule.

    JGT



  • 11.  RE: Policy order of execution

    Posted May 16, 2013 04:42 PM

    Thanks JGT,

    The reason I ask is because it appears that if an email violates multiple policies, and the response rules on those policies conflict with each other, the response rule does not work as expected.  Specifically, if the response rule from policy A saves attachments/original message, then the response rule from policy B to limit incident data does not discard attachments/original message.