Application Detection never changes "Sync Pending" status

Article ID: 185832

Products

Data Loss Prevention Cloud Detection Service

Issue/Introduction

You are using one or more Cloud Detectors and have previously integrated one of them with a WSS tenant (also known as the Cloud Web Proxy).

You currently have a second Detector for REST, integrated with the CloudSOC solution (Elastica CASB).

In the "Manage > Application Detection" section of the Enforce UI, the "Sync pending" status never completes successfully.

Cause


The original versions of the Cloud Detector for the CloudSOC were also capable of accepting traffic from a WSS proxy.
That is no longer the case (we have dedicated "ICAP" Detectors for WSS traffic).
 
If the previous Application Detection option for "Cloud Web Proxy" is still loaded in the database, and has been removed and replaced, it's likely there is more than one of these configurations stored in the ScanFilterGUID table.

This is causing the Sync operation to fail to complete.

Environment

Release : 15.8 and earlier

Component : Enforce

The MonitorController0.log may reveal the following:

=========================================================================================

May 7, 2020 8:33:28 PM com.symantec.dlp.communications.applicationcommunicatorlayer.ApplicationCommunicatorActivityNotifiableImpl onRetryUponRecoverableApplicationException
WARNING: OnRetry after encountering a recoverable applcation exception for com.symantec.dlp.co[email protected]2bef934e and the replicatorId is Replicator(21,'SPI_RESPONSE'). Will retry in 10 seconds.


May 7, 2020 8:33:38 PM com.symantec.dlp.communications.applicationcommunicatorlayer.HomogeneousReceiverApplicationCommunicator$HomogeneousReceiverDataAcceptor$ApplicationProcessingTask run
WARNING: Unexpected exception occurred for com.symantec.dlp.co[email protected]2bef934e
org.springframework.dao.IncorrectResultSizeDataAccessException: query did not return a unique result: 3; nested exception is javax.persistence.NonUniqueResultException: query did not return a unique result: 3


=========================================================================================
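
To check a MonitorController0.log for this signature without reading it by hand, the following added example (not Broadcom's code) pairs each "query did not return a unique result" exception with its timestamp and the replicator named in the preceding retry warning. The sample log is constructed from the excerpt above, with placeholder class and component names.

```python
import re
from datetime import datetime

# Constructed sample modelled on the excerpt above; class and component
# names are placeholders, not values from a real Enforce server.
SAMPLE_LOG = """\
May 7, 2020 8:33:28 PM com.example.Communicator onRetryUponRecoverableApplicationException
WARNING: OnRetry after encountering a recoverable applcation exception for component@0 and the replicatorId is Replicator(21,'SPI_RESPONSE'). Will retry in 10 seconds.
May 7, 2020 8:33:38 PM com.example.Communicator run
WARNING: Unexpected exception occurred for component@0
org.springframework.dao.IncorrectResultSizeDataAccessException: query did not return a unique result: 3; nested exception is javax.persistence.NonUniqueResultException: query did not return a unique result: 3
May 7, 2020 8:40:00 PM com.example.Other run
INFO: unrelated message
"""

# Record header: "<Mon D, YYYY H:MM:SS AM/PM> <class> <method>"
HEADER = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \S+$")
REPLICATOR = re.compile(r"replicatorId is Replicator\((\d+),'([^']+)'\)")
NON_UNIQUE = re.compile(
    r"IncorrectResultSizeDataAccessException: query did not return a unique result: (\d+)")


def find_sync_failures(text):
    """Return one dict per non-unique-result exception, tagged with the
    timestamp of its record and the last replicator seen in a retry warning."""
    findings, when, replicator = [], None, None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            when = datetime.strptime(header.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        rep = REPLICATOR.search(line)
        if rep:
            replicator = (int(rep.group(1)), rep.group(2))
        hit = NON_UNIQUE.search(line)
        if hit:  # the number is how many rows the lookup matched
            findings.append({"time": when, "rows": int(hit.group(1)),
                             "replicator": replicator})
    return findings


if __name__ == "__main__":
    for f in find_sync_failures(SAMPLE_LOG):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S} lookup matched {f['rows']} rows, "
              f"last replicator {f['replicator']}")
```

A "rows" value of 2 or more is the condition the SQL query in the Resolution section confirms against the database.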

Resolution

There is a defect in the hard-coding of the ScanFilterGUID for the Cloud Web Proxy entry which is scheduled to be fixed in a coming release of DLP.

Use the following SQL query to confirm the issue:

SET COLSEP |
SET PAGESIZE 10000
SET LINESIZE 115
SET TRIMOUT ON
SET WRAP OFF
SELECT RESTCONNECTORID,ISDELETED,SCANFILTERGUID,FILTERNAME FROM RESTCONNECTOR WHERE SCANFILTERGUID='bluecoatwss';


The result should appear similar to the following output:

RESTCONNECTORID| ISDELETED|SCANFILTERGUID                                  |FILTERNAME
---------------|----------|------------------------------------------------|---------------------------------------
             21|         1|bluecoatwss                                     |TEST WSS
             23|         1|bluecoatwss                                     |TEST WSS Config
             22|         1|bluecoatwss                                     |WSS Whistle Test


In the above example, there have been 3 "Cloud Web Proxy" configurations, each saved and deleted from the Enforce UI - and these all have the same value for the SCANFILTERGUID ("bluecoatwss"), when there should only be 1.

This issue only occurs if more than one of them was created, and deleted, such that there are at least 2 "bluecoatwss" entries stored in the database.


The following steps should correct the issue.

  1. If there are any entries having a "bluecoatwss" GUID like the above configurations - but they are NOT currently shown in the Enforce Server:
    • Create a new configuration with a name identical to each one in the database, i.e., the "FILTERNAME" results from the query above (in this example "TEST WSS", "TEST WSS Config", and "WSS Whistle Test"). The name needs to be identical so the old entry will be updated.
    • For the "Type", don't use "Cloud Web Proxy" - instead, select "Cloud Detection API Service". This will overwrite the incorrect entry in the table.
  2. If there are any entries having a "bluecoatwss" GUID like the above configurations - and they ARE currently shown in the Enforce Server:
    • Change the "Type" of config from "Cloud Web Proxy" to "Cloud Detection API Service"
  3. Save all updated configurations.
    • Re-querying the table in SQLPLUS with the same script should have a result of "no rows selected".
    • You can then delete all of the new configurations from the Enforce UI.
  4. Wait for a period (~10 minutes) - then perform the "Sync to CloudSOC" operation.
  5. The sync should complete successfully.


[Screenshot: recreating a previously deleted Cloud Web Proxy configuration as a Cloud Detection API Service type]


To prevent this issue recurring, do not add any "Cloud Web Proxy" configurations in the Application Detection settings.
The new DLP Cloud Detection Service for WSS ("CDS for WSS", which uses ICAP) does not use this method to assign policies - instead, use the "System > Servers and Detectors > Policy Groups" configuration to send policies to a WSS Cloud Detector.


Additional Information

A permanent fix for this will be in a future release, and is being tracked by DLP-31545.
