Data Loss Prevention

  • 1.  Symantec DLP Endpoint Prevent server is loading policies very late

    Posted Sep 15, 2015 01:51 PM

    Hi,

    I have installed Symantec DLP 14.0 in Single Tier Installation on CentOS 6.5. The Detection server that I am using as part of this Single Tier Installation is Endpoint Discover/Prevent.

    The problem is that whenever I create a new policy or update an existing policy which is in a Policy Group applicable on Endpoint Prevent, it takes 5 to 10 minutes for Endpoint Prevent to reflect that change. Whenever I do these things, that change doesn't take effect immediately.

    I go to "System --> Servers --> Overview --> Server Detail" and find in "All Recent Events" of Endpoint Prevent that my changes are not being reflected. After 5 to 10 minutes it shows the following, depending on whether I have updated a policy or loaded a new policy:

    Updated policy xxx or Loaded policy xxx etc

    I believe this is also the reason that Endpoint Agent Incidents come into the Enforce Console after a 5 to 10 minute delay instead of instantaneously. I have even followed the recommendation at the URL below with no luck. Please help.

    http://www.symantec.com/connect/forums/dlp-125-incidents-delay-takes-longer-show-incidents-reports



  • 2.  RE: Symantec DLP Endpoint Prevent server is loading policies very late

    Trusted Advisor
    Posted Sep 15, 2015 02:22 PM

    Jawad,

    First of all, I will let you know that CENTOS is not a supported platform, though it might work. It has not been tested by SYMC... this is just as an FYI.

    As far as the system updating on a timely basis, what are the specs of the DLP system? Since this is a single tier, is the DB also on the same server along with the Enforce Server and Endpoint?

    How much CPU and memory do you have?

    Is this running on a VM?

    Also, the changes you made to have persistent connections ONLY affect the agent communication; they do NOT affect how fast the Endpoint Server updates the policies (which is what you are seeing in the Event Pages).

    Overall I think the issue you are having is due to it being a single tier installation - it's a performance thing on the server.

    Please mark solved if possible.

    Good Luck

    Ronak



  • 3.  RE: Symantec DLP Endpoint Prevent server is loading policies very late

    Posted Sep 16, 2015 08:43 AM

    Hi Ronak,

    Thank you for your reply. I am well aware of CentOS not being officially supported. Since this is a Testing server and not a Production Server, I am using CentOS.

    I have previously worked with Symantec DLP 11.5 and 11.6 but never faced any delay issue like the one I am currently facing with 14.0. I don't believe the problem is related to the specs of the machine, as they are reasonable. The specs of the machine are below:

    CPU: Intel Core i7 @2.10 GHz

    Memory: 6 GB

    I have worked with a lot less powerful machines for DLP 11.5 & 11.6 installations in Single Tier without any delay issue. Also, only one Endpoint Agent is connected with Endpoint Discover/Prevent.



  • 4.  RE: Symantec DLP Endpoint Prevent server is loading policies very late

    Trusted Advisor
    Posted Sep 16, 2015 07:40 PM

    Jawad,

    It looks like you are trying to run Oracle, Enforce, Endpoint Server on a SINGLE CPU with 6GB of RAM???

    If so, you are trying to do a lot with very little resource.

    A couple of things to do: see what RAM you have allocated to the Endpoint Server (VontuMonitor.conf, check the heap size). You would want this to be a min of 512 and max of 1024.

    Also look at the Drive IO. You may be taxing this server pretty well with Disk IO. This is what can be causing the issue.

    When you modify the policy, it is processed by the UI and then written to the DB and then pushed to the Endpoint Server, where it is then processed into memory. This is a lot of writes and memory changes, so you are doing a lot with very little RAM resources.

    I would try to increase the RAM.

    What version of Oracle are you running?

    Is this a VM??

    Ronak



  • 5.  RE: Symantec DLP Endpoint Prevent server is loading policies very late

    Posted Sep 17, 2015 10:22 AM

    The Oracle version is 11.2.0.4.0.

    Yes, it's a VM. Let me juice up the RAM to 8 GB to test your theory and then I will revert back if I am still having the same issue. Maybe increasing RAM will do the trick.

    I don't believe IO is the culprit here, as only a single DCM policy is active and I only have one Endpoint Agent in my staging environment.



  • 6.  RE: Symantec DLP Endpoint Prevent server is loading policies very late
    Best Answer

    Posted Sep 17, 2015 01:23 PM

    Ronak, Thank you very much for your help.

    However, as strange as it may sound, the problem was, I guess, somewhat related to wrong timings on the Linux server. After I synchronized the timings on it using NTP, the problem was altogether gone.