How to set up IP filters for Symantec DLP Network Monitor
search cancel

How to set up IP filters for Symantec DLP Network Monitor

book

Article ID: 160497

calendar_today

Updated On:

Products

Data Loss Prevention Network Monitor Data Loss Prevention Enforce

Issue/Introduction

How to setup IP filters for the Symantec DLP Monitor Server.

Resolution

You must have the appropriate role provisioned with permissions assigned to make these changes.

For more details, please refer to the online help such as the 25.1 documentation found here:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/25-1.html

Modifications are made on the Enforce console for both default protocols that apply where applicable to any detection server attached and if specific traffic is going to be sent to specific monitors for inspection.

For additional information on adding or modifying protocols see the online help for the DLP version.

For 25.1, see https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/25-1/managing-the-enforce-server/managing-enforce-server-services-and-settings/about-protocol-filtering.html

  1. To apply to ALL Monitor servers
    1. Go to System > Settings > Protocols
      1. Any protocol settings assigned here will be the default settings for all servers unless configured as below (see step 2.)
      2. Click on the Add button to add a new protocol.
      3. Click on the existing protocol name to modify an existing protocol.
  2. To apply ONLY to a specific Monitor server
    1. Go to System > Overview >
    2. Click on the Network Monitor server to be modified
    3. Click on the Configure > Packet Capture > Protocol 
      1. Add a filter by selecting the protocol you want.

Use the following general syntax for IP filtering:

-, <destination> , <source> drops all streams sent to <destination> from <source>
+, <destination> , <source> includes all streams sent to <destination> from <source>

  • All filters are processed from top to bottom.
  • Make sure that there is no extra linefeed at the end as it will cause errors.
  • Classless Inter Domain Routing (CIDR) notation is allowed. http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

Example

To exclude only streams from IPs 1.1.1.1 and 2.2.2.2 and include all other streams, you could do the following. Note that the subnet mask is mandatory and the mask /32 will only add the specific IP provided to the list.

-,*,1.1.1.1/32;-,*,2.2.2.2/32;+,*,*

To include all streams going to network 10.67.x.x  but exclude any other traffic, you could do the following:

+,10.67.0.0/16,*;-,*,* 

For more information on filtering and protocols, visit the online help (from the console, click on the Help icon or visit the published documentation linked above.)

Powered by Wolken Software