External Incident Storage
search cancel

External Incident Storage

book

Article ID: 276213

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention API Detection for Developer Apps Virtual Appliance Data Loss Prevention API Detection Virtual Appliance Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Detection Service for ICAP Data Loss Prevention Cloud Detection Service for REST Data Loss Prevention Cloud Package Data Loss Prevention Cloud Prevent for Microsoft Office 365 Data Loss Prevention Cloud Service for Discovery/Connector Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Storage Data Loss Prevention Core Package Data Loss Prevention Data Access Governance Data Loss Prevention Discover Suite Data Loss Prevention Endpoint Discover Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Suite Data Loss Prevention Enforce Data Loss Prevention Enterprise Suite Data Loss Prevention for Mobile Data Loss Prevention for Office 365 Email and Gmail with Email Safeguard Data Loss Prevention Form Recognition Data Loss Prevention Network Discover Data Loss Prevention Network Email Data Loss Prevention Network Monitor Data Loss Prevention Network Monitor and Prevent for Email Data Loss Prevention Network Monitor and Prevent for Email and Web Data Loss Prevention Network Monitor and Prevent for Web Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Prevent for Email Virtual Appliance Data Loss Prevention Network Prevent for Web Virtual Appliance Data Loss Prevention Network Protect Data Loss Prevention Network Web Data Loss Prevention Oracle Standard Edition 2 Data Loss Prevention Plus Suite Data Loss Prevention Sensitive Image Recognition Data Loss Protection Oracle Standard Edition

Issue/Introduction

Considerations when deciding on when to enable External Incident Storage.

Cause

Reasons to use External Incident Storage:
- Allows you to store incident attachments such as email messages or documents on a file system rather than inside the database.
- Saves a great deal of space in your database, which results in faster and easier database actions such as backup and restore.
- Can be stored locally on the server, or can be stored on a remote computer

Reasons to use Internal Database Storage:
- Once the data has been stored outside of the database it cannot be brought back into the database.
- If you use a remote storage location to store your External Incident Data and you lose connection to that drive, it will be unable to use/load that data.

Resolution

For instructions to enable External Incident Storage please use the link below.

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0/maintaining-the-system/understanding-underlying-system-resources-v15258948-d363e192/about-the-incident-attachment-external-storage-dir-v109853476-d363e861.html

Required:
- Enforce (and the database) are in near constant contact with external storage. You need 100% Availability on any external storage (High Availability). 
- It will require as much storage space as it is currently using for existing database storage (plus all new incident data).

Best Practices:
- DO NOT place your external storage under the "/Symantec/DataLossPrevention/" folder (aka "/SymantecDLP/", or if you installed in a custom location, do not place it inside the installation location).
- DO NOT place your external storage under the "Archives" directory.
- Ensure that both the Enforce Server and your External Storage server are in the same Domain.
- Create a "protect" user with the same password as your Enforce Server "protect" user to use with your external storage directory.
- If you are using a MS Windows system for external storage, share the directory with Read/Write permissions with the external storage "protect" user.
- If you are using a Linux system for external storage, change the owner of the external storage directory to the external storage "protect" user.