After upgrading Web Prevent to 16.1, blocking rules no longer work


Article ID: 402848


Products

Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

DLP Web Prevent servers no longer send blocking messages. No block response is sent to the proxy, but the incident is still generated.

Environment

The following error may be observed in the SymantecDLPDetector#.log:
Jul 1, 2025 10:51:28 AM com.vontu.command.CommandRuntime execute
SEVERE: Error executing command: http-reject
java.lang.NullPointerException
    at com.vontu.detection.response.variable.RestRequestEvaluator.evaluate(RestRequestEvaluator.java:55)
    at com.vontu.detection.response.variable.ParsedMessageVariableEvaluator.evaluate(ParsedMessageVariableEvaluator.java:49)
    at com.vontu.condition.java.VariableReplacer.replace(VariableReplacer.java:91)
    at com.vontu.icap.prevent.command.RejectHttpRequest.doExecute(RejectHttpRequest.java:56)
    at com.vontu.icap.prevent.command.HttpPreventCommand.execute(HttpPreventCommand.java:52)
    at com.vontu.detection.response.api.PreventCommand.execute(PreventCommand.java:57)
    at com.vontu.command.CommandRuntime.executeCommand(CommandRuntime.java:1004)
    at com.vontu.command.CommandRuntime.execute(CommandRuntime.java:904)
    at com.vontu.command.CommandRuntime.executeInstruction(CommandRuntime.java:871)
    at com.vontu.command.CommandRuntime.executeInstructions(CommandRuntime.java:849)
    at com.vontu.command.CommandRuntime.executeCommands(CommandRuntime.java:748)
    at com.vontu.command.CommandRuntime.execute(CommandRuntime.java:704)
    at com.vontu.detection.response.IncidentPostProcessingHelper.processMessage(IncidentPostProcessingHelper.java:156)
    at com.vontu.detection.response.IncidentPostProcessingHelper.processMessage(IncidentPostProcessingHelper.java:93)
    at com.vontu.detection.response.IncidentPostProcessing.processMessage(IncidentPostProcessing.java:66)
    at com.vontu.messaging.chain.MessageChain.processMessage(MessageChain.java:293)
    at com.vontu.messaging.chain.MessageChain.run(MessageChain.java:191)
    at java.lang.Thread.run(Thread.java:750)
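
To find every occurrence of this failure in a detector log, the records can be grouped by their timestamped header and matched on the signature above. The following is an added example, not Symantec or Broadcom code; the sample log is constructed (the middle record is abridged from this article, the other two use placeholder classes and messages), and the function names are hypothetical.

```python
import re
from datetime import datetime

# Header of a java.util.logging record, as in the excerpt above:
# "Jul 1, 2025 10:51:28 AM com.vontu.command.CommandRuntime execute"
HEADER = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \S+$")

# Constructed sample: record 2 is abridged from the article; records 1 and 3
# use placeholder classes and messages and must not match.
SAMPLE_LOG = """\
Jul 1, 2025 10:50:02 AM com.example.Placeholder run
INFO: constructed informational line
Jul 1, 2025 10:51:28 AM com.vontu.command.CommandRuntime execute
SEVERE: Error executing command: http-reject
java.lang.NullPointerException
    at com.vontu.detection.response.variable.RestRequestEvaluator.evaluate(RestRequestEvaluator.java:55)
    at com.vontu.condition.java.VariableReplacer.replace(VariableReplacer.java:91)
    at com.vontu.icap.prevent.command.RejectHttpRequest.doExecute(RejectHttpRequest.java:56)
Jul 1, 2025 10:52:40 AM com.vontu.command.CommandRuntime execute
SEVERE: Error executing command: http-reject
java.io.IOException: constructed unrelated failure
    at com.example.Placeholder.send(Placeholder.java:1)
"""

def split_records(text):
    """Group lines into records, each starting at a timestamped header line."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            records.append({"when": when, "lines": []})
        elif records and line:
            records[-1]["lines"].append(line)
    return records

def failed_block_responses(text):
    """Timestamps where http-reject died with an NPE during variable replacement."""
    hits = []
    for rec in split_records(text):
        lines = rec["lines"]
        if ("SEVERE: Error executing command: http-reject" in lines
                and "java.lang.NullPointerException" in lines
                and any(l.startswith("at com.vontu.condition.java.VariableReplacer.replace(")
                        for l in lines)):
            hits.append(rec["when"])
    return hits

if __name__ == "__main__":
    for when in failed_block_responses(SAMPLE_LOG):
        print(when.isoformat(), "block response not sent (http-reject NPE)")
```

Each returned timestamp marks a request for which the block command failed, so it can be correlated with incidents generated at the same time to see which transfers were not blocked.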

Cause

Prior to 16.1, response rule variables that were not relevant in the current context (such as $INCIDENT_ID$) could be used in an automatic response rule. $INCIDENT_ID$ is not valid in this context because the incident has not yet been persisted to the database, so no INCIDENT_ID has been assigned to it yet.

Resolution

When authoring a response rule, include only the variables listed as available in the 'Insert Variable' table within the UI.
For example, 'Policy Name' ($POLICY$) is the only variable available to 'Network Prevent: Block HTTP/HTTPS'.