This article covers some common questions on how Symantec DLP Detection Servers function when the Enforce Server or Oracle database are down.
Q1. Does the Detection Server save a copy of all Enforce policies locally when the Enforce and database server are down?
Yes, your Detection Server keeps copy of all Enforce policies in memory (RAM) when your Enforce and DB server are down. As long as the Detection Server does not restart, detection will continue. If the Detection Server is restarted, policies stored in the memory will be lost and it will request a copy of the policies from Enforce. FileReader process on the Detection Server will not function until it gets policies from Enforce. FileReader will try to restart if it fails to communicate with Enforce.
Q2. When the Enforce Server and database are down, can the Detection Server continue to detect incidents and analyze the network traffic?
Yes, the Detection Server continues to detect incidents and analyzed network traffic when the Enforce Server and database are down, unless the DLP services or the Server is restarted.
The Detection Server keeps all incidents in Incidents directory (For Windows \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents, For Linux /var/Symantec/DataLossPrevention/ServerPlatformCommon/<version>/incidents)
Q3. If the Detection Server can save the incidents locally, then what is its maximum capacity of storage of queued up incidents (incident buffer capacity)?
Incident storage is limited by disk space available in the /incidents directory.
Q4. Once the Enforce Server is up, will the Detection Server direct the queued incidents to Enforce Server for processing?
Yes. Storage of queued up incidents on the Detection Server depends on drive size allocated to partition. The incidents are stored in encrypted files on the drive.
The moment Enforce Server starts communicating with Detection Server, the Detection Server will push queued incidents to the Enforce Server for processing. However if queued incidents are high in number it may choke the IncidentPersister process on the Enforce Server. See related article id 159855 for more details.