Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Slow Performance and Slow openning in DLP console

Created: 16 Oct 2012 • Updated: 16 Oct 2012 | 11 comments

Dear All

Hi

We are using DLP standard edition version 11.5.1000.06038.

We are running two DLP servers running on Virtualization platform and they are virtual machines (I have attached the configuration of the servers from DLP server –(Our configuration))

After logging on to the console it takes time about 2 minutes(1:45 actually). It seems that this time is because of creating the Dashboard which we have and you can see in the screenshot (Our Dashboard).

And why I think that slow performance for login is because of creating the dashboard because when I remove the dashboard in customize menu, I can login to console after 1 second.

It is good to mention that when I want to work with the Polices, Policy groups, Roles, Users, Agents is do not see any slow operation.

Slow operation can be seen:

When I click on IncidentsàEndpoints  (about 19 seconds to open).

After clicking on Incidentsà Filter(Status)-ALL and Date(All) it takes about 52 seconds to open.

After Clicking IncidentsàEndpointsàPolicy Summary (It takes time about 30 seconds to open, You can see Policy summary which shows incidents in the screenshot)

After Clicking on one of the Incidents on this page In example the incident that has 2125830 incidents it takes about 1 minutes to open.

I have attached also Performance monitor of one of the servers.

Would you please kindly help me to find the reason an troubleshoot the issue?

Comments 11 CommentsJump to latest comment

pete_4u2002's picture

the DLP console to query oracle will take but of time as it need to respond to the Dashboard as well as incidents. The incidents are very large in numbers, may be you can archive them or delete if it has been evalauated by the risk manager.

shahram.dehghani's picture

Dear Pete,

So you mean that the time it takes based on our incidents are normal and if we remove Incidents we will get better performance.

Would you please kindly let me know a link how to archive and prerequisites?

pete_4u2002's picture

goto incident tab ---> select the detection server (endpoint/network/discover), select the incidents and then select to delete from Incident Actions

AMyers6671's picture

I would also ask, what are the specs on the Enforce server and Oracle server? As in, RAM/CPU for both machines.

Aaron

If this post has helped you, please vote up or mark as solution to help others looking for the same data.

stumunro's picture

shahram,

I am going to have to agree with the previous answers, what are the stats and you have a ton of incidents that need to be archived, I see from task manager shot you have 2 dual core cpu's running 7% and only using  half the memory, i did notice you have a 10 mb nic? and Disc utilization is really high. Is this a physical or virtual server? I do agree you probally  need to archive some incidents to relieve some of the congestion on the server.

stephane.fichet's picture

hello shahram,

 I agree with all previous comment there is lot of incident and so report take some time. If you cant delete/archive incidents, you can :

- Remove this dashboard from you home page and just use it when you need it. Especially if lot of user have the same.

- Simplify or filter more incident in your dashboard. especially on time period or status which are quite well efficient filter in database.

- Last but may be not the easier. Tune your policy to have less incident per day as it seems around 60 thousands incident is not that easy to check by people who assess incident.

 regards.

stumunro's picture

i would also look at refining your policies to narrow down your rate, do you have a low throshold for match count. you may want to move this higher initially until you get a handle on things.

yang_zhang's picture

Suggest you to delete your current dashboard, and keep your homepage as a blank one. Too many incidents on your current dashborad to make the DLP to load and display.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
DLP Solutions2's picture

If you upgrade to V11.6 you can then archive incidents, which will eliminate them from the standard reporting engine and increase performance. You can still get to those 'archived' incidents, but you will need to be explicit in looking for them.

Nice new feature in v11.6

Please make sure to mark this as a solution

to your problem, when possible.

kishorilal1986's picture

There could be below some reason

1)Network traffic of your oraganization 

2)unmatured Polict designed for DLP

3)so many things on home page configured

4)communication betwwen Enforce and Oracle server

5)virus threat on oracle or on enforce