Data Loss Prevention

  • 1.  DLP + SMG Integration Help

    Posted Aug 24, 2015 09:37 PM

    After integrating DLP + SMG for Email quarantine, it appears that SMG is unable to update DLP incidents.

     

    1. From DLP we can execute flexresponse rules and quarantine Approve or Reject works as expected and is able to update SMG Status as well.

     

    2. From SMG we execute the Approve or Reject action but when we go back to DLP to review, it is not updated.

     

    Error from SMG Log:

    Aug 24 2015 13:30:10 [BrightmailScheduler_Worker-43] [IncidentUpdateManager] ERROR - failed to publish incident updates to 10.XX.XX.XXX(ENFORCE) 
    com.symantec.smg.controlcenter.quarantine.contentincident.dlp.jaxws.AuthenticationFailedFault: Authentication failed
        at sun.reflect.GeneratedConstructorAccessor241.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:141)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
        at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
        at com.sun.proxy.$Proxy42.updateIncidentRemediationStatus(Unknown Source)
        at com.symantec.smg.controlcenter.quarantine.contentincident.dlp.IncidentUpdateClient.remediate(IncidentUpdateClient.java:224)
        at com.symantec.smg.controlcenter.quarantine.contentincident.dlp.IncidentUpdateManager.publishIncidentUpdates(IncidentUpdateManager.java:226)
        at com.symantec.smg.controlcenter.quarantine.contentincident.dlp.IncidentUpdateTask.executeTask(IncidentUpdateTask.java:84)
        at com.symantec.smg.controlcenter.internal.scheduledtask.ScheduledTask.execute(ScheduledTask.java:133)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)

     

    Error from DLP Log:

    10.X.X.X(SMG) - [24/Aug/2015:20:20:50:959 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 18ms
    10.X.X.X(SMG) - [24/Aug/2015:20:25:50:969 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 17ms
    10.X.X.X(SMG) - [24/Aug/2015:20:30:50:960 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 30ms
    10.X.X.X(SMG) - [24/Aug/2015:20:35:50:942 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 18ms
    10.X.X.X(SMG) - [24/Aug/2015:20:40:50:958 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 26ms
    10.X.X.X(SMG) - [24/Aug/2015:20:45:50:937 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 16ms
    10.X.X.X(SMG) - [24/Aug/2015:20:50:51:026 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 96ms
    10.X.X.X(SMG) - [24/Aug/2015:20:55:50:936 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 40ms
    10.X.X.X(SMG) - [24/Aug/2015:21:00:51:068 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 25ms

    24 Aug 2015 20:55:50,940- Thread: 97 WARNING [com.vontu.manager.webservice.incidentremediation.security.ServiceAuthenticationHandler] Unable to authenticate request connecting from [10.X.X.X(SMG)]
    24 Aug 2015 20:55:50,940- Thread: 97 INFO [com.vontu.manager.webservice.common.security.ServiceAuthenticationHandlerBase] (INCIDENT_REMEDIATION_WEBSERVICE.2) Unable to authenticate request from host [10.X.X.X(SMG)]
    24 Aug 2015 21:00:51,072- Thread: 89 WARNING [com.vontu.manager.webservice.incidentremediation.security.ServiceAuthenticationHandler] Unable to authenticate request connecting from [10.X.X.X(SMG)]
    24 Aug 2015 21:00:51,072- Thread: 89 INFO [com.vontu.manager.webservice.common.security.ServiceAuthenticationHandlerBase] (INCIDENT_REMEDIATION_WEBSERVICE.2) Unable to authenticate request from host [10.X.X.X(SMG)]

     

     



  • 2.  RE: DLP + SMG Integration Help

    Posted Aug 25, 2015 12:22 PM

    We might want to check Roles, under Actions - do you have the below option checked?
     - Remediate Incidents (Status, Severity, Data Owner, Comments, Response Rules, Remediation Location*, Remediation Status*)
     
     I understand even the appropriate smart response rules need to be added on the same page.
     
    Additionally, we also need the below options checked, I feel:
     
    Incident Reporting and Update API
     - Incident Reporting
     - Incident Update
     
    Mostly this looks like an authentication/authorization error & may help to use an admin to isolate the cause, if none of the above steps work.
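
An added example, not part of either post: a triage script that groups the failed web-service calls from the DLP log in the question by source, account and operation, and measures how regularly they recur. The field layout and the names `LINE`, `SAMPLE` and `summarize_failures` are assumptions inferred from the log lines quoted in the thread, not from product documentation.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Field layout inferred from the lines in the post, not from product docs:
# source - [timestamp] RESULT principal operation NNms
LINE = re.compile(
    r"^(?P<src>\S+) - \[(?P<ts>[^\]]+)\] (?P<result>[A-Z_]+) "
    r"(?P<principal>\S+) (?P<op>\w+) (?P<ms>\d+)ms$"
)

# Sample lines copied from the post (addresses already redacted there).
SAMPLE = r"""
10.X.X.X(SMG) - [24/Aug/2015:20:20:50:959 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 18ms
10.X.X.X(SMG) - [24/Aug/2015:20:25:50:969 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 17ms
10.X.X.X(SMG) - [24/Aug/2015:20:30:50:960 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 30ms
10.X.X.X(SMG) - [24/Aug/2015:20:35:50:942 -0400] AUTHORIZATION_FAILED DLPRole\USER1 updateIncidentRemediationStatus 18ms
"""

def summarize_failures(text):
    """Group *_FAILED entries by (source, principal, operation, result)."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["result"].endswith("_FAILED"):
            continue  # skip blank, unparsable and successful lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S:%f %z")
        groups[(m["src"], m["principal"], m["op"], m["result"])].append(ts)
    report = []
    for (src, principal, op, result), stamps in sorted(groups.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report.append({
            "source": src, "principal": principal, "operation": op,
            "result": result, "count": len(stamps),
            # A steady gap means a scheduled client retrying, not a person.
            "median_gap_s": round(median(gaps)) if gaps else None,
        })
    return report

if __name__ == "__main__":
    for row in summarize_failures(SAMPLE):
        print(row)
```

A single group with a steady gap of about 300 seconds means the same scheduled SMG task is failing with the same account on every run, which is the case the role checks in the reply address.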