Data Loss Prevention

  • 1.  Symantec Data Loss Prevention - Incident Attachments

    Posted Sep 17, 2017 09:27 PM

    Hello,

    I have been Googling around for a while now about this.

    Note: I have my DLP server configured to store incident attachments on external storage.

    I have a few questions:

    1. What are incident attachments?
    2. How are they used?
    3. How are they accessed?

    Cheers,

    Cameron Mottus



  • 2.  RE: Symantec Data Loss Prevention - Incident Attachments

    Broadcom Employee
    Posted Sep 17, 2017 11:07 PM

    From the maintenance guide:

     

    You can store incident attachments such as email messages or documents on a file system rather than in the Symantec Data Loss Prevention database. Storing incident attachments externally saves a great deal of space in your database, providing you with a more cost-effective storage solution. You can store incident attachments either in a directory on the Enforce Server host computer, or on a stand-alone computer. You can use any file system you choose.

    Symantec recommends that you work with your data storage administrator to set up an appropriate directory for incident attachment storage.
    To set up an external storage directory, Symantec recommends these best practices:
    ■ If you choose to store your incident attachments on the Enforce Server host computer, do not place your storage directory under the /SymantecDLP folder.


    ■ If you choose to store incident attachments on a computer other than your Enforce Server host computer, take the following steps:
    ■ Ensure that both the external storage server and the Enforce Server are in the same domain.
    ■ Create a "protect" user with the same password as your Enforce Server "protect" user to use with your external storage directory.
    ■ If you are using a Linux system for external storage, change the owner of the external storage directory to the external storage "protect" user.
    ■ If you are using a Microsoft Windows system for external storage, share the directory with Read/Write permissions with the external storage "protect" user.
    After you have set up your storage location you can enable external storage for incident attachments in the Installation Wizard. All incident attachments will be stored in the external storage directory. Incident attachments in the external storage directory cannot be migrated back to the database. All incident attachments stored in the external storage directory are encrypted and can only be accessed from the Enforce Server administration console.


    The incident deletion process deletes incident attachments in your external storage directory after it deletes the associated incident data from your database. You do not need to take any special action to delete incidents from the external storage directory.

    https://support.symantec.com/en_US/article.DOC8731.html
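The Linux recommendations quoted above can be checked before external storage is enabled. The function below is an added example, not code from Symantec or from the posts in this thread; its name, return codes and the extra "no access for other users" check are assumptions of the example, while the "protect" account and the /SymantecDLP folder come from the quoted guide.

```shell
#!/bin/sh
# Added example: pre-flight check for an external incident-attachment directory.
# Return codes (hypothetical, chosen for this example):
#   0 ok, 1 not a directory, 2 inside the DLP install folder,
#   3 wrong owner, 4 accessible to "other" users.
check_storage_dir() {
    dir=$1
    owner=${2:-protect}          # account name from the quoted guide
    dlp_root=${3:-/SymantecDLP}  # install folder named in the quoted guide

    [ -d "$dir" ] || return 1

    # Resolve symlinks and ".." so a link into the install folder is caught.
    real=$(cd "$dir" && pwd -P) || return 1
    if [ -d "$dlp_root" ]; then
        root=$(cd "$dlp_root" && pwd -P)
    else
        root=$dlp_root
    fi
    case "$real/" in
        "$root"/*) return 2 ;;
    esac

    # find prints the path only when the owner matches (a numeric UID also works);
    # an unknown user name makes find print nothing.
    [ -n "$(find "$real" -prune -user "$owner" 2>/dev/null)" ] || return 3

    # Assumption of this example (not stated in the guide): "other" has no access.
    if [ -n "$(find "$real" -prune \( -perm -0004 -o -perm -0002 -o -perm -0001 \) 2>/dev/null)" ]; then
        return 4
    fi
    return 0
}
```

Source the file and call `check_storage_dir /path/to/storage`; the second and third arguments override the expected owner and the install folder.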



  • 3.  RE: Symantec Data Loss Prevention - Incident Attachments

    Posted Sep 18, 2017 12:16 AM

    Hi Pete,

    I had that information. I assume you should be able to access the incident attachment from the incident snapshot but I cannot. I suspect it is of importance because I was prompted to allocate file storage for it.

     



  • 4.  RE: Symantec Data Loss Prevention - Incident Attachments

    Broadcom Employee
    Posted Sep 18, 2017 12:32 AM

    Ahh.. do you see the attachment file name in the incident snapshot? While opening, do you see any error/message?



  • 5.  RE: Symantec Data Loss Prevention - Incident Attachments

    Posted Sep 20, 2017 05:18 PM

    "Go to file" and "Go to directory" take you to the actual file on the file server. Where would I click to see the DLP attachment?

    Note: This is for Network Discover.



  • 6.  RE: Symantec Data Loss Prevention - Incident Attachments
    Best Answer

    Posted Oct 30, 2017 05:56 AM

    From the Admin Guide:

    Note: The default data retention behavior for network incidents applies to Network
    Prevent for Web and Network Prevent for Email incidents. The default behavior
    does not apply to Network Discover incidents. For Network Discover incidents, the
    system provides a link in the Incident Snapshot that points to the offending file at
    its original location. Incident data retention for Network Discover is not configurable.

     



  • 7.  RE: Symantec Data Loss Prevention - Incident Attachments

    Posted Oct 31, 2017 02:04 AM

    Can anyone tell me how we can block network access (for security purposes) from the Symantec internet firewall?