
Running DLP 11.5 in a LAB environment (NW Monitor) no incidents reported.

Created: 31 May 2012 • Updated: 31 May 2012 | 1 comment
This issue has been solved. See solution.

 I followed a test scenario listed in the DLP admin guide using a secret word "test_vontu_secret_keyword". The odd thing about it is the following:

* If I send an email from an endpoint using Gmail or Hotmail, the incident is reported under the "Endpoint" tab and not under the "Network" tab. Is this the way it should work?

* If so, what would be another way to test it if I don't have any IM protocols in our LAB environment?

Thanks for your help!



Keith Reynolds - ExchangeTek

Network Monitor in a lab environment...there are a few ways to do this.  Understand that in a live environment, Network Monitor is getting traffic via a tap, which you're likely not going to be able to do in a Lab.  So there are two main ways to "send" traffic to a network monitor outside of that:

(1) Drop an email file (.eml) into the drop folder on the Network Monitor.  It will get picked up and processed by the server.

(2) Set up a replay of a PCAP file that you've captured off your network (if you're comfortable with loading live traffic into your lab).  This will effectively replay that packet capture indefinitely.

Start with the first; it's the easiest way to do this.


P.S. The answer to your question about whether it's normal to be reported as an Endpoint incident: yes, if the incident was detected by the Endpoint Agent, which is what you have done, then it gets reported as an Endpoint Incident.  You're obviously monitoring HTTP with the agent.
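
Added example (not part of the original thread and not Symantec code): a Python script that builds .eml test messages for option (1), with the keyword in the body, the keyword in a base64-encoded attachment, and a control message that should raise no incident. The drop folder path is passed in because the thread does not give it; the addresses, file names and the `.tmp` staging suffix are constructed assumptions.

```python
import os
import sys
import tempfile
from email import policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

KEYWORD = "test_vontu_secret_keyword"  # test keyword quoted in the question

def build_message(case):
    """case: 'body', 'attachment' or 'control' (control carries no keyword)."""
    msg = EmailMessage(policy=policy.SMTP)        # CRLF line endings on output
    msg["From"] = "dlp-test@lab.example"          # constructed lab address
    msg["To"] = "recipient@external.example"      # constructed lab address
    msg["Subject"] = f"DLP lab test ({case})"
    msg["Date"] = formatdate(localtime=False)
    msg["Message-ID"] = make_msgid(domain="lab.example")
    body = "Quarterly notes attached."
    if case == "body":
        body += f"\nReference: {KEYWORD}"
    msg.set_content(body)
    if case == "attachment":
        # Bytes attachments are base64-encoded, so the keyword is not in the
        # raw file: an incident here shows the monitor decodes MIME parts.
        msg.add_attachment(f"internal: {KEYWORD}\n".encode(),
                           maintype="text", subtype="plain",
                           filename="notes.txt")
    return msg

def write_eml(msg, drop_dir, name):
    """Write under a temporary name, then rename, so a complete file appears
    at once. Assumption: the folder watcher tolerates short-lived *.tmp names."""
    fd, tmp = tempfile.mkstemp(dir=drop_dir, suffix=".tmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(msg.as_bytes())
    final = os.path.join(drop_dir, name)
    os.replace(tmp, final)
    return final

def write_test_set(drop_dir):
    """Return the paths of the three test messages written to drop_dir."""
    return [write_eml(build_message(c), drop_dir, f"dlp_test_{c}.eml")
            for c in ("body", "attachment", "control")]

if __name__ == "__main__":
    # Usage: python make_eml.py <path-to-drop-folder>  (path is site-specific)
    for path in write_test_set(sys.argv[1]):
        print(path)
```

Expect incidents for the body and attachment messages and none for the control; an incident on the control points at a policy that matches too broadly.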