
Reinstalling DLP. Need some insight

Created: 24 Jan 2013 • Updated: 15 Jul 2013 | 12 comments
This issue has been solved. See solution.

Hello, our current DLP server is approaching its end of life and it is still running Server 2003. Also, we currently have a very big Oracle database on the server with just over 11 million incidents.

I would like to try to stand up a new server running Server 2008 R2 and start up a new Oracle DB. I want to make sure all of my current policies move over to the new server. This needs to be completed over a weekend, as I want to make sure that the endpoint servers do not get too hammered while Enforce is down.

My question is: has anyone actually done something like this, and do they have any tips and tricks on what needs to be done? I also want to keep the old Oracle database in case I need to reference older incidents.


fivelakes's picture

Consult the upgrade guide for your product version. You can export the policies you have, but you will not be able to use them if you are moving to a new version (v10-v11 will not work, as an example). Depending on the size of your DB, your backup or copy of that DB might take longer than the weekend to do, so be prepared for that. The endpoint servers will queue incidents locally until the Enforce server comes back online, but if you are moving toward a new version of DLP like v10-v11 then you will need to upgrade your agents as well. When you upgrade you do not lose the incidents in the database; they will always be there unless you delete them.

I highly recommend reading your upgrade guide and not using product forums to perform an upgrade. Consult with Symantec sales to get an experienced professional services consultant to help you.

jjesse's picture

Do you have a Symantec Partner that is certified for DLP? If so, you might want to work with that partner to get help with planning and also upgrading.

If you don't have a Partner, let me know and I can help out.

Jonathan Jesse Practice Principal ITS Partners

Mike S.'s picture

We are already at version 11.6.1, so I do not need to upgrade DLP, but I need to upgrade our server. I was just making sure that someone here has moved policies from one server to another.

We did have a partner but money is tough to come by so there will not be a partner this time.

fivelakes's picture

If you are on the same version, that is very easy: go into the policy(s) and export them off. Importing them back on will require you to place them on a portion of the Enforce (when it's reinstalled) and import them in via the Enforce UI. It's a good practice to export them off and save them in a different location anyway, so this will be good practice. If you search the "help" on the Enforce UI or the admin guide for exporting/importing policies, it will walk you through step by step. As Jonathan suggested above, if you need a partner don't hesitate to reach out to someone; if you are on limited funds you could still try to work out something with someone. Jonathan is very reputable, as are a select few other people in the DLP world.

SaVijayan's picture


I am planning to upgrade from 11.6.0 to 11.6.1 on our existing 2003 server, since we are faced with a red screen of death while making server config changes.

Do you know of any known issues with 11.6.1?

As you do, we are also planning to migrate to 2008 R2 in a month or so, but are planning to use the same DB.

Thanks for your help


kishorilal1986's picture

Hi Mike,

I think the best solution is that you should not migrate from 2003 to 2008, as it may harm your whole DLP infra. If you have no strong reason to migrate, then there is no need for it. Just the 2008 server can't be the reason. You can make some disaster recovery plan for the same 2003 servers for DLP.

If you still have a plan to do it on Server 2008, then please consult the Symantec team to be on the safer side.

John_Gruhn's picture

For the size of your DB (11M incidents) I would assume that you have a three-tier setup. In that case changing the host OS of the Enforce tier is rather simple, since you would only need to point back to the old DB. If size of the DB is not an issue but you would want to cut back on the performance hit, you can archive the incidents starting in 11.6. If you are concerned about size, then there is the question of whether all 11M incidents are actionable. If they are not actionable or won't be actionable in the reasonable future, then I would suggest deleting them from the DB rather than starting over from scratch. You can export the policies and reimport into the new DB, but if you have EDM or IDM policies in place you will have to keep in mind that the index must also be restored or regenerated.

DLP Solutions2's picture

Whoa.. Hold on everyone.


I am former Vontu/Symantec and know the inner workings of this, so bear with me.

The DLP console/Enforce server is just a front end to the DB. So I would assume that you have already done the following:

  • Upgraded all of the DLP servers to the current version
  • Upgraded the Oracle DB to 11g
  • Taken a Backup of the Oracle DB
  • Taken a Backup of the Enforce server

If you have done that and plan to back up the DB just prior to the OS swap, then you are in good shape.

If you wanted to keep the existing DB (hopefully on another server) and just spin up another Enforce server (2008) to connect to it, this is very easy, for most of the configurations are stored in the DB. The only things that are not are the customizations that you may have with the LDAP lookups and Script plugins. Though the most important thing is to have a copy of the CryptoMasterKey file and some of the other config files that are in the config directory of the Enforce server.

If this is the case then... see here

Though it sounds like you would like to keep the existing DLP installation for archival purposes and in case you need to look at old incidents. If this is the case, it sounds like you just want to stand up a NEW DLP console and a NEW Oracle DB.

If this is the case, then I would just build a fresh install of the Enforce and DB from scratch. If you want to use the existing policies from the old DLP server, then I recommend doing the following, and here is why.

  • I would recreate all of the policies from scratch; do not import or export the existing policies from the old system. Just duplicate them from the old system by hand.
  • When exporting/importing a policy, it will NOT include any of the response rules or any of the "Groups" that it may utilize. These are customizations that are very specific to each installation.
  • So you are going to have to create all of the response rules from scratch anyways.
  • Also, when you import a policy it will show up as an IMPORTED TEMPLATE (see the bottom of the templates page), not as a running policy. So you will still need to go through the process of adding the policies and then adding the response rules, similar to the existing templates that come built in with the system. This is why I say to do it from scratch: it's MORE work to import!

From my experience, it is easier to duplicate the system from scratch by importing a solution pack and then starting at the System section and configuring all of those settings (Email, Attributes, lookups, plugins, credentials etc.) and then move your way backwards. When you get to the Manage section, start at the bottom (Responses first, then to Policies). This way, by the time you get to the policy you can add the response rules that you already created.

When it comes time to add the Detection servers to the NEW Enforce server, make sure to copy the communication keys (if you generated ones) to the detection servers. (If you have made any custom settings to the detection servers, make sure to duplicate them in the new Enforce server.) 90% of the detection configuration settings are in the DB, so they will inherit the configurations when they connect to the new Enforce server.

Hope this helps

Good Luck...


Please make sure to mark this as a solution to your problem, when possible.

Mike S.'s picture

Ronak, that is exactly what I am looking for. I REALLY appreciate all of the feedback. Thank you everyone!

DLP Solutions2's picture


Glad I can help with this..

Please mark my comment as the Solution to your question. This will call the case solved!

Glad to help.



DLP Solutions2's picture

Mike and all..

I was just thinking about this and there may be a better solution to this issue.

There is the option of creating your own solution pack from your existing DLP Enforce Server. You can 'export' a solution pack (using the same command line) from the existing server and it can then be imported to another server if they are on the same DLP version.

This solution pack would include all of the response rules, active policies, and some other configurations. I am not sure if the response rules that are in a policy will be included, but it will create the response rules.

This would be an easy option to test, for you can import the solution pack after your install and if it DID NOT work, just reinstall the DLP enforce server and initialize the DB again (5 minute process).

Hope this helps..

If you would please mark my reply as the solution to the issue

Thanks Ronak


kishorilal1986's picture

Nice and understanding that DLP solution has, your name itself proves it.