Status Updates are Missing on quarantined incidents when using Email Quarantine Connect FlexResponse

Article ID: 184680

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

The "Remediation Status Set" status update in the incident history details is missing on incidents that are set to be quarantined by Email Quarantine Connect FlexResponse. The message headers are modified and the quarantine appears to happen on the SMG side, but the quarantine is not reflected in the incident history in Enforce.

This problem can cause the "quarantined" status to be missing from incident reports run from Enforce.

Cause

There are several potential causes, because there are several potential points of failure in the back-and-forth communication that must occur between SMG and DLP.

If the incidents are truly being quarantined in SMG but the status message is not getting back to Enforce, the most likely causes are:

  1. The password for the account that is set up in SMG for "Enforce Server Access" has expired
  2. The certificate that was exported from SMG to Enforce has expired

We have seen an instance where this problem developed shortly after SAML authentication was set up on the Enforce server while the default "Administrator" Enforce account was set up in the "Enforce Server Access" section of SMG.

Environment

DLP integrated with SMG via Email Quarantine Connect FlexResponse

Resolution

TROUBLESHOOTING CHECKLIST:

  1. Check the response rules to ensure that a 'quarantine' rule has been set up (i.e. the "Enable Email quarantine connect [requires Symantec Messaging Gateway]" option is checked)
  2. Confirm that the problem is not limited to one server
  3. With the help of SMG support, ensure that emails are truly getting quarantined
  4. Confirm that the user who is viewing the incidents (or running the reports) belongs to a "DLP-remediator-role" type role whose user privileges include the "Incident Update", "Remediate Incidents", and "Incident Reporting" features
  5. Check the user that is set up in the "Enforce Server Access" tab of the "DLP Connect" section in SMG: make sure that its password has not expired, and confirm that it can log into the Enforce console. If there is any chance that the password has expired or been reset, re-enter the account in the "Enforce Server Access" section of SMG with the current password
  6. Keep in mind that there can be delays in sending status updates from SMG to DLP. Allow adequate processing time, look for possible causes of delay (such as security programs on either server), and work to resolve them
  7. Confirm compatibility between the SMG version and the DLP version as per the "system requirements" guide for the DLP version in use
  8. Check whether any certificates in SMG have expired
  9. If SMG was upgraded from an earlier version to 10.6.3, refer to https://support.symantec.com/us/en/article.TECH247088.html and ensure that the "ssl-protocol-version" property in each of the following three files (located inside the "...\protect\plugins\" folder) is set to use TLS v1.2:
  •         EmailQuarantineConnectApproved.properties
  •         EmailQuarantineConnectCustom.properties
  •         EmailQuarantineConnectRejected.properties
  10. Confirm that the validity timestamps of the HTTPS certificate in the "Administration > Settings > Certificates" section of SMG (and/or on the certificate tab of "Administration > Settings > Control Center" in SMG) match the certificate stored under the "server" alias (as listed by keytool) in the keystore used by the same three properties files
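The following script is an added example for checklist steps 9 and 10 above; it is not Symantec/Broadcom code and not part of the original article. It parses the three EmailQuarantineConnect*.properties files and reports any whose "ssl-protocol-version" is not TLS v1.2, then parses `keytool -list -v` output for the "server" alias so that its validity window and SHA-256 fingerprint can be compared with the HTTPS certificate shown in SMG. Assumptions not stated on the page: the property value is spelled exactly "TLSv1.2" (confirm against TECH247088), and the keystore path and password are supplied on the command line, because the article does not say which property names the keystore in the plugin files. The sample properties text and keytool output embedded in the block are constructed so that the checks can be exercised offline with `--demo`.

```python
"""Added example (not Symantec/Broadcom code): check the Email Quarantine Connect
plugin properties files for ssl-protocol-version=TLSv1.2 and inspect the "server"
alias of the Enforce keystore with keytool."""
import re
import subprocess
import sys
from datetime import datetime
from pathlib import Path

PLUGIN_FILES = (
    "EmailQuarantineConnectApproved.properties",
    "EmailQuarantineConnectCustom.properties",
    "EmailQuarantineConnectRejected.properties",
)
REQUIRED_TLS = "TLSv1.2"  # assumed literal value; confirm against TECH247088

# Constructed sample inputs for offline demonstration (not real customer data).
SAMPLE_PROPERTIES = {
    "EmailQuarantineConnectApproved.properties": "# ok\nssl-protocol-version=TLSv1.2\n",
    "EmailQuarantineConnectRejected.properties": "# left over from pre-10.6.3\nssl-protocol-version=TLSv1\n",
}
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: server
Creation date: Jan 15, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=smg.example.test
Issuer: CN=smg.example.test
Serial number: 1a2b3c
Valid from: Tue Jan 15 10:00:00 UTC 2019 until: Wed Jan 15 10:00:00 UTC 2020
Certificate fingerprints:
     SHA1: 01:02:03
     SHA256: AA:BB:CC:DD
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value / key: value / key value,
    '#' and '!' comment lines, backslash line continuations."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical.append(line)
        if line.endswith("\\"):          # continuation: keep collecting
            logical[-1] = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", "".join(logical))
        logical = []
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def tls_version_problem(props: dict):
    """None when ssl-protocol-version is TLSv1.2, otherwise a description of the issue."""
    value = props.get("ssl-protocol-version")
    if value is None:
        return "ssl-protocol-version is not set"
    if value != REQUIRED_TLS:
        return f"ssl-protocol-version is {value!r}, expected {REQUIRED_TLS!r}"
    return None


# keytool -list -v prints "Valid from: <date> until: <date>" and "SHA256: <hex:...>".
_VALID_RE = re.compile(r"Valid from:\s*(.+?)\s+until:\s*(.+)")
_SHA256_RE = re.compile(r"SHA256:\s*([0-9A-Fa-f:]+)")


def _parse_keytool_date(s: str) -> datetime:
    # Drop the zone token (UTC, PST, ...) so strptime does not depend on the local zone;
    # the comparison below is therefore accurate only to within a few hours.
    s = re.sub(r"\s+[A-Za-z]{3,5}\s+(\d{4})$", r" \1", s.strip())
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")


def parse_keytool_entry(output: str) -> dict:
    """Validity window and SHA-256 fingerprint of the first certificate in keytool output."""
    m = _VALID_RE.search(output)
    if not m:
        raise ValueError("no 'Valid from ... until' line (wrong alias or keystore?)")
    f = _SHA256_RE.search(output)
    return {"not_before": _parse_keytool_date(m.group(1)),
            "not_after": _parse_keytool_date(m.group(2)),
            "sha256": f.group(1) if f else None}


def certificate_problem(entry: dict, now: datetime):
    if now > entry["not_after"]:
        return f"'server' certificate expired on {entry['not_after']:%Y-%m-%d}"
    if now < entry["not_before"]:
        return f"'server' certificate not valid until {entry['not_before']:%Y-%m-%d}"
    return None


def list_server_alias(keystore: str, storepass: str, alias: str = "server") -> str:
    """Run keytool from the JRE on the Enforce server and return its raw output."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass, "-alias", alias]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def demo() -> list:
    """Run the checks against the constructed samples; returns the problems found."""
    found = [f"{n}: {tls_version_problem(parse_properties(t))}"
             for n, t in SAMPLE_PROPERTIES.items() if tls_version_problem(parse_properties(t))]
    issue = certificate_problem(parse_keytool_entry(SAMPLE_KEYTOOL_OUTPUT), datetime(2021, 1, 1))
    return found + ([issue] if issue else [])


def main(plugins_dir: str, keystore: str, storepass: str) -> int:
    problems = []
    for name in PLUGIN_FILES:
        path = Path(plugins_dir) / name
        if not path.is_file():
            problems.append(f"{name}: file not found")
            continue
        issue = tls_version_problem(parse_properties(path.read_text()))
        if issue:
            problems.append(f"{name}: {issue}")
    try:
        entry = parse_keytool_entry(list_server_alias(keystore, storepass))
        print(f"'server' SHA256: {entry['sha256']} (compare with the SMG HTTPS certificate)")
        issue = certificate_problem(entry, datetime.now())
        if issue:
            problems.append(issue)
    except (subprocess.CalledProcessError, FileNotFoundError, ValueError) as e:
        problems.append(f"keytool check failed: {e}")
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    if sys.argv[1:] == ["--demo"]:
        sys.exit(1 if [print("PROBLEM:", p) for p in demo()] else 0)
    if len(sys.argv) != 4:
        sys.exit("usage: check_eqc.py <plugins_dir> <keystore> <storepass> | --demo")
    sys.exit(main(*sys.argv[1:]))
```

Run it on the Enforce server with the plugins folder, the keystore the plugin files point to, and its password; a non-zero exit means at least one file is still on an older protocol version or the "server" entry is outside its validity window. The printed SHA-256 fingerprint is what to compare against the certificate shown under "Administration > Settings > Certificates" in SMG.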

 

If none of the above steps resolves the problem, and the "Administrator" account is set up in the "Enforce Server Access" tab of the "DLP Connect" section in SMG (or SAML authentication was set up in Enforce before the problem developed), refreshing the account that SMG uses to access Enforce may help. This can be done as follows:

  1. Remove the Administrator account from the "Enforce Server Access" tab of the "DLP Connect" section in SMG
  2. Temporarily replace it with another account that belongs to a "DLP-remediator-role" type role (whose user privileges include the "Incident Update", "Remediate Incidents", and "Incident Reporting" features)
  3. Leave the replacement account in the "Enforce Server Access" area for a few minutes, then remove it and put the "Administrator" account back in
  4. Check the "localhost" log and confirm that the "Administrator" account appears to be communicating with Enforce
  5. Restart the Enforce services

This refresh process resolved the issue for a customer who had switched their Enforce console to SAML authentication shortly before the problem developed.