Slow Performance and Slow openning in DLP console
Dear All
Hi
We are using DLP standard edition version 11.5.1000.06038.
We are running two DLP servers running on Virtualization platform and they are virtual machines (I have attached the configuration of the servers from DLP server –(Our configuration))
After logging on to the console it takes time about 2 minutes(1:45 actually). It seems that this time is because of creating the Dashboard which we have and you can see in the screenshot (Our Dashboard).
And why I think that slow performance for login is because of creating the dashboard because when I remove the dashboard in customize menu, I can login to console after 1 second.
It is good to mention that when I want to work with the Polices, Policy groups, Roles, Users, Agents is do not see any slow operation.
Slow operation can be seen:
When I click on IncidentsàEndpoints (about 19 seconds to open).
After clicking on Incidentsà Filter(Status)-ALL and Date(All) it takes about 52 seconds to open.
After Clicking IncidentsàEndpointsàPolicy Summary (It takes time about 30 seconds to open, You can see Policy summary which shows incidents in the screenshot)
After Clicking on one of the Incidents on this page In example the incident that has 2125830 incidents it takes about 1 minutes to open.
I have attached also Performance monitor of one of the servers.
Would you please kindly help me to find the reason an troubleshoot the issue?
Comments 11 Comments • Jump to latest comment
the DLP console to query oracle will take but of time as it need to respond to the Dashboard as well as incidents. The incidents are very large in numbers, may be you can archive them or delete if it has been evalauated by the risk manager.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Dear Pete,
So you mean that the time it takes based on our incidents are normal and if we remove Incidents we will get better performance.
Would you please kindly let me know a link how to archive and prerequisites?
goto incident tab ---> select the detection server (endpoint/network/discover), select the incidents and then select to delete from Incident Actions
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
I would also ask, what are the specs on the Enforce server and Oracle server? As in, RAM/CPU for both machines.
Aaron
If this post has helped you, please vote up or mark as solution to help others looking for the same data.
shahram,
I am going to have to agree with the previous answers, what are the stats and you have a ton of incidents that need to be archived, I see from task manager shot you have 2 dual core cpu's running 7% and only using half the memory, i did notice you have a 10 mb nic? and Disc utilization is really high. Is this a physical or virtual server? I do agree you probally need to archive some incidents to relieve some of the congestion on the server.
hello shahram,
I agree with all previous comment there is lot of incident and so report take some time. If you cant delete/archive incidents, you can :
- Remove this dashboard from you home page and just use it when you need it. Especially if lot of user have the same.
- Simplify or filter more incident in your dashboard. especially on time period or status which are quite well efficient filter in database.
- Last but may be not the easier. Tune your policy to have less incident per day as it seems around 60 thousands incident is not that easy to check by people who assess incident.
regards.
i would also look at refining your policies to narrow down your rate, do you have a low throshold for match count. you may want to move this higher initially until you get a handle on things.
Suggest you to delete your current dashboard, and keep your homepage as a blank one. Too many incidents on your current dashborad to make the DLP to load and display.
If you upgrade to V11.6 you can then archive incidents, which will eliminate them from the standard reporting engine and increase performance. You can still get to those 'archived' incidents, but you will need to be explicit in looking for them.
Nice new feature in v11.6
Please make sure to mark this comment as a solution to your problem, when possible.
There could be below some reason
1)Network traffic of your oraganization
2)unmatured Polict designed for DLP
3)so many things on home page configured
4)communication betwwen Enforce and Oracle server
5)virus threat on oracle or on enforce
Hi Sahram,
Did u tried above solutions and checked.
please also refer below
https://www-secure.symantec.com/connect/forums/enf...
https://www-secure.symantec.com/connect/forums/sym...
https://www-secure.symantec.com/connect/articles/a...
https://www-secure.symantec.com/connect/forums/dlp...
Would you like to reply?
Login or Register to post your comment.