
we are not getting Network Incidents

Created: 08 Feb 2013 | 4 comments


We are using Symantec DLP 11.5 version and we have Endpoint, Network and storage DLP.

Now we are not getting Network Incidents.

Can anyone help with this?

Comments

fivelakes:

Is your span or tap configured correctly?  Did you assign the correct NIC in the n. monitor configuration?  Are you using the correct packet capture software included with the DLP software?  Have you configured a policy to capture data?  Does a packet capture on the NIC show that you are indeed capturing HTTP, HTTPS, SMTP, FTP traffic?  What OS are you using, did you install the software correctly?  

This question is very vague, but I would start by looking over the installation guide and walking (very slowly) through this guide and making sure it is installed properly.

After you have confirmed all the above, then I would look at the \Vontu\Protect\logs directory for analysis.  If you can't get the product installed properly please open a ticket with Symantec support, or call your Symantec sales representative and get a professional services consultant to assist with your installation.  It is extremely important to get this product installed properly.

stumunro:

Make sure you have the services running and you have WinPcap installed. If you log into the Network Monitor server you should see traffic on the NIC that is on the span/tap port. If you do not, the port is configured improperly or you have the wrong NIC... Once you have this corrected, I rename mine to say "span port" and the other to say "to enforce" so you know which one is which.

DLPDan:

I found the best way to make sure my span port was directing the correct traffic was to use Wireshark on my Network Detection Server and filter using "port 53", which is DNS traffic. If you don't see any, your span port is not configured correctly. Have your network team reconfigure it until you see DNS traffic.

stumunro:

I would agree with Dan; some clients freak out when you throw Wireshark on a span port in their environment.

It is a tool I use when I can, and it is your friend in an instance like this. Also make sure they are setting up the span port on the correct port and correct location. You want to see internet traffic; when I say internet, no site-to-site VPN or similar traffic.
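One way to turn the checks in this thread into a repeatable test (fivelakes's list of HTTP, HTTPS, SMTP and FTP, and Dan's "port 53" filter) is the script below. It is an added example, not code from any comment above and not a Symantec tool: it parses a classic libpcap file saved from Wireshark or tcpdump on the Network Monitor's span NIC, counts packets for each protocol of interest, and flags a capture with no DNS in it as a probable span/tap or NIC-selection problem. The embedded capture, its addresses and the 9999 "other" port are constructed for the demo; the only command-line argument is an assumed path to a real .pcap file.

```python
"""Sanity-check a packet capture taken on a DLP Network Monitor span/tap NIC.

Parses a classic libpcap file with the standard library only and reports which
of the protocols DLP Network Monitor inspects are actually reaching the NIC.
"""
import struct

# Ports this thread tells you to look for on the mirrored port.
PORT_LABELS = {53: "DNS", 80: "HTTP", 443: "HTTPS", 25: "SMTP", 21: "FTP"}
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _ipv4_frame(src, dst, proto, l4):
    """Ethernet + IPv4 header around a transport payload (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _tcp(sport, dport, data):
    # 20-byte header (data offset 5), flags PSH+ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + data


def build_pcap(frames):
    """Wrap Ethernet frames in a little-endian classic pcap container (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1360000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: what a correctly mirrored internet-facing port might show.
SAMPLE_PCAP = build_pcap([
    _ipv4_frame("10.0.0.5", "10.0.0.2", PROTO_UDP, _udp(51000, 53, b"\x12\x34\x01\x00")),
    _ipv4_frame("10.0.0.5", "93.184.216.34", PROTO_TCP, _tcp(51001, 80, b"GET / HTTP/1.1\r\n")),
    _ipv4_frame("10.0.0.7", "93.184.216.34", PROTO_TCP, _tcp(51002, 443, b"\x16\x03\x01")),
    _ipv4_frame("10.0.0.9", "10.0.0.25", PROTO_TCP, _tcp(51003, 25, b"EHLO host\r\n")),
    _ipv4_frame("10.0.0.9", "10.0.0.30", PROTO_TCP, _tcp(51004, 9999, b"junk")),  # hypothetical app port
])


def summarize_pcap(data):
    """Return {label: packet count} for DNS/HTTP/HTTPS/SMTP/FTP plus 'other'."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    counts = {label: 0 for label in PORT_LABELS.values()}
    counts["other"] = 0
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        # Need at least Ethernet (14) + IPv4 (20) and an IPv4 ethertype.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            counts["other"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
            counts["other"] += 1
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        # Match either direction so replies on a span port are counted too.
        counts[PORT_LABELS.get(dport) or PORT_LABELS.get(sport) or "other"] += 1
    return counts


def assess_span_port(counts):
    """Dan's rule of thumb: no DNS on the mirrored port means the span/tap is wrong."""
    findings = []
    if counts["DNS"] == 0:
        findings.append("no DNS (port 53) seen: span/tap or NIC selection is probably wrong")
    for label in ("HTTP", "HTTPS", "SMTP", "FTP"):
        if counts[label] == 0:
            findings.append(f"no {label} seen: confirm the mirrored port carries it")
    return findings or ["span port looks healthy for DLP Network Monitor"]


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    summary = summarize_pcap(raw)
    print(summary)
    for finding in assess_span_port(summary):
        print("-", finding)
```

Run it with no arguments to see the constructed sample, or with the path of a capture saved from the span NIC. A capture that shows only the "other" bucket, or only traffic to the Enforce server, is the symptom both fivelakes and stumunro describe: the wrong NIC was chosen in the Network Monitor configuration or the span/tap is not mirroring the internet-facing port.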