How to troubleshoot DLP Agent status not reporting as expected on Enforce
Basic network connectivity
Verify the Agent machine can ping the Endpoint server by name or IP address.
Check both Agent and Aggregator logs for errors.
Within the agent logs, look for the lines following CurlTransportLayer and ServerCommunicatorService. You may notice certificate errors such as handshake failures.
Within the aggregator logs, any communication errors should result in a severe error that describes the problem.
Performance Tuning
There are many settings that relate to performance and convenience within various properties files and the advanced agent settings.
Advanced Agent settings:
ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int
This setting controls how often an agent checks in with the Endpoint Server. This should generally be left at the default of 15 minutes (900 seconds). If this has been decreased, it should not be decreased below 1 minute per every 1000 agents.
CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int
This setting controls when the agent will close the connection if no traffic or heartbeat has been received from the server. Under normal circumstances, this setting should not come into play. Agents should transfer all data and be disconnected by the server well before this time is reached. This should be left at the default of 300 seconds.
EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int
This setting controls when the server will send a heartbeat to the agent to detect if it is still connected. This setting is only used if the agent idle timeout is disabled. The normal, expected behavior is for traffic to cease for 30 seconds, thus causing the server to disconnect the agent after CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS. This should be left at the default of 270 seconds.
EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int
This setting controls when the server will disconnect the agent. An agent checks in during its normal polling interval, transfers all data, and then remains idle. After 30 seconds of this idle connection, the server will initiate a disconnect on the agent. This is considered normal and default behavior. This should be left at the default of 30 seconds.
Enforce General Settings
Not reporting time
When navigating to System -> Settings -> General within Enforce, there is a setting labeled ‘Show Agent as “Not Reporting” after’. This setting controls how long the Endpoint Server will wait before it reports to Enforce that the agent has stopped reporting. The default is 18 hours. This setting can be raised or lowered depending on preferences; however, it cannot be made lower than ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int.
Server Properties files
MaxQueueSize
Both MonitorController.properties and Aggregator.properties on the Endpoint Server have a setting of MaxQueueSize. This setting controls how many tasks can be queued on each of the respective servers. The default value is 5000. It is recommended that this value be increased. In Aggregator.properties, use a value of 2x the number of agents that regularly connect to that server. In MonitorController.properties, increase it to 10,000.
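The guidance in the settings sections above, collected into one check. This is an added example, not code from the article or from Symantec; it assumes the properties files carry the key literally as `MaxQueueSize=<n>`, that the advanced agent settings are supplied as a dict, and that "1 minute per every 1000 agents" rounds up per started thousand.

```python
import math

# Defaults stated in the article for the advanced agent settings (seconds).
DEFAULTS = {
    "ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int": 900,
    "CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int": 300,
    "EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int": 270,
    "EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int": 30,
}
POLL = "ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int"

def max_queue_size(properties_text, default=5000):
    """Read MaxQueueSize from the text of a .properties file (default 5000)."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "MaxQueueSize":  # assumed literal key name
            return int(value.strip())
    return default

def check_settings(agents, agent_settings, not_reporting_hours,
                   aggregator_text, monitor_text):
    """Return {setting: reason} for each value that departs from the guidance."""
    cfg = {**DEFAULTS, **agent_settings}
    findings = {}
    # Assumption: the per-1000-agents floor is rounded up per started thousand.
    floor = 60 * max(1, math.ceil(agents / 1000))
    if cfg[POLL] < floor:
        findings[POLL] = f"{cfg[POLL]}s is below the {floor}s floor for {agents} agents"
    for key in DEFAULTS:  # the other three should stay at their defaults
        if key != POLL and cfg[key] != DEFAULTS[key]:
            findings[key] = f"{cfg[key]}s differs from the default {DEFAULTS[key]}s"
    if not_reporting_hours * 3600 < cfg[POLL]:
        findings["Not Reporting time"] = "lower than the connect polling interval"
    agg = max_queue_size(aggregator_text)
    if agg < 2 * agents:
        findings["Aggregator.properties MaxQueueSize"] = f"{agg} < 2 x {agents} agents"
    mon = max_queue_size(monitor_text)
    if mon < 10000:
        findings["MonitorController.properties MaxQueueSize"] = f"{mon} < 10000"
    return findings

# Constructed sample: 12,000 agents, polling lowered to 5 minutes, stock Aggregator queue.
SAMPLE = check_settings(
    agents=12000,
    agent_settings={POLL: 300, "EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int": 120},
    not_reporting_hours=18,
    aggregator_text="# constructed sample\nMaxQueueSize = 5000\n",
    monitor_text="MaxQueueSize=10000\n",
)
```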
Triggering an update
It is often assumed that ‘Last Update Time’ refers to the last time the agent checked in. This is false. The ‘Last Update Time’ is only updated when an agent’s attributes or statuses receive a new update in the Oracle database.
To force an update of ‘Last Update Time’, modify the description of the agent configuration applied to that agent. This forces an update that refreshes the agent’s last update time. See Article 162207 for more details.
Load Balancers
When agents connect to their Endpoint Servers through a load balancer, a couple of considerations are needed.
- SSL Session Persistence. This refers to whether or not an agent will reuse the same session ID on consecutive handshakes with the server. This should not directly impact agent reporting status.
- Server Affinity. This refers to what server a load balancer will decide to connect an agent to when they check in. In general an agent should check into the same server as it did previously whenever possible. This is because of the strong relationship between ‘Connect_Polling_Interval’ in the advanced agent settings and ‘Not Reporting Time’ in the Enforce General Settings.
Since the entity responsible for signaling to Enforce that an agent is not reporting is an Endpoint Server, this occurs as soon as that server’s ‘Not Reporting Time’ (18 hours by default) has been reached. If an agent checks in with different servers on each polling interval, it is highly likely that it will go 18 straight hours without connecting to a given server. At that point, that Endpoint Server will report the agent as ‘Not Reporting’ despite the agent being successfully connected to another Endpoint Server.
Cache Deletion 14.0 – 15.0
In some scenarios, the agent may be communicating with a different Endpoint Server than expected, causing the status of the agent to remain unchanged in Enforce. Deleting the Endpoint Server cache may resolve this issue.
- Start by forcing an agent to directly connect to a single endpoint server.
- Shut down the SymantecDLPDetectionServerService on the Endpoint Server.
- Delete any files found in SymantecDLP/Protect/agentupdates and SymantecDLP/Protect/agentattributes.
- Restart SymantecDLPDetectionServerControllerService on Enforce.
- Start SymantecDLPDetectionServerService on the Endpoint Server.
- Update the agent’s configuration to force an update.
Cache Deletion 15.1+ instructions
- Ensure that the endpoint agent is communicating directly with an Endpoint Server. If it is load balanced, force traffic to a specific Endpoint Server.
- On the Detection Server, shut down the Symantec DLP Detection Server service.
- On that same Detection Server, navigate to the following directory and delete any files present:
  - (15.1) C:\ProgramData\Symantec\Data Loss Prevention\DetectionServer\15.1\agentattributes
  - (15.5) C:\ProgramData\Symantec\Data Loss Prevention\DetectionServer\15.5\agentattributes
- Restart Symantec DLP Detection Server Controller on the Enforce Server.
- Start Symantec DLP Detection Server Service on the Endpoint Detection Server.
- On Enforce, navigate to: System -> Agents -> Agent Configuration -> <Name of Config>
- Select or deselect a monitoring option.
- Save the agent configuration.
- Publish the agent configuration to the agent group to force the update.