Network Prevent for Web does not generate incidents

Article ID: 160012

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

A keyword policy with a compound detection rule, Keyword+Protocol Monitoring for HTTP/HTTPS, does not generate incidents.

Resolution

  1. Ensure the policy is set to Active.
  2. Confirm the policy group name and ensure the Keyword+Protocol policy is assigned to the correct policy group.
  3. Check if the Detection Server has been assigned the policy group required to load the Keyword+Protocol policy.
  4. Review the Detection Server events for "1200 Loaded policy" or "1201 Loaded policies {0.EN_US}" to confirm the policy has been loaded.
  5. Enable Detection Operational Trace logging (System > Servers > Logs > Configuration tab).

Refer to the "Configuring server logging behavior" section of the Symantec Data Loss Prevention Administration Guide for more information.

  6. Submit test data to an external web site where traffic will be intercepted by a web proxy with Network Prevent for Web attached.
  7. Review the Detection Operational Trace logs and ensure the Detection Server is accurately detecting the sensitive data and triggering incident creation.