Symantec DLP 16.1 and 25.1 - System Events 1409 and 1410 not generated for expiring Secure ICAP certificates

Article ID: 439692


Products

  • Data Loss Prevention Network Monitor and Prevent for Web
  • Data Loss Prevention Enforce

Issue/Introduction

In Symantec Data Loss Prevention versions 16.1 and 25.1, administrators may observe that the system fails to generate System Events for the expiration of Secure ICAP (SICAP) certificates used by the Network Prevent for Web (NPW) detection servers. The following System Events are not generated:

  • System Event 1409 (Certificate for SICAP is about to expire) is not triggered when the SICAP certificate is reaching its expiration date
  • System Event 1410 (Certificate for SICAP has expired) is not triggered when the SICAP certificate is past its expiration date

As a result, NPW detection servers may stop processing traffic unexpectedly if a SICAP certificate expires without prior notification.

Cause

This issue is caused by a product defect in DLP 16.1 and 25.1 that prevents the NPW servers from producing the expected notification events and sending them to the Enforce console.

Resolution

Permanent Fix

This defect is resolved in Symantec Data Loss Prevention 26.1. Broadcom recommends upgrading the Enforce and Detection servers to version 26.1 or later to restore proper alerting functionality.

Workarounds

If an immediate upgrade is not possible, implement the following measures to avoid service disruption:

  1. Manual Certificate Monitoring: Periodically export and inspect the SICAP keystores used by the NPWs to verify the Valid To dates of the certificates.
  2. Extended Validity Certificates: When creating or renewing SICAP certificates for NPWs, consider setting a longer validity period (e.g. several years) to reduce how often the expiration dates must be checked manually.
  3. External Monitoring: Use a third-party certificate management or monitoring system to track the expiration of these certificates independently of the DLP console.
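The following script is an added example for workaround 1 and is not part of this article or of the Symantec DLP product. It parses the text that `keytool -list -v` prints for a keystore (the tool's "Valid from: ... until: ..." lines) and classifies each certificate entry into the two conditions that System Events 1409 and 1410 would normally report: expiring within a warning window, or already expired. The 30-day warning window, the alias names, and the keystore listing embedded as sample input are constructed assumptions; the date format is the one Java's `Date.toString()` produces, and the script assumes keytool was run with `TZ=UTC` so the timezone token can be treated as UTC.

```python
"""Flag expiring/expired SICAP certificates from `keytool -list -v` output.

Added example, not Symantec code. Assumes English keytool output produced
with TZ=UTC (the timezone token in the date is recorded but treated as UTC).
"""
import re
import sys
from datetime import datetime, timedelta

# Assumed warning window; DLP's own threshold for event 1409 is not stated here.
WARN_DAYS = 30

# keytool prints dates via java.util.Date.toString():
#   "EEE MMM dd HH:mm:ss zzz yyyy", e.g. "Fri Jan 10 10:00:00 UTC 2025"
UNTIL_RE = re.compile(
    r"until:\s*(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\d{4})"
)
ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$", re.MULTILINE)


def parse_entries(keytool_output: str) -> list[tuple[str, datetime]]:
    """Return (alias, not_after) for every entry in a keytool -list -v dump.

    Each entry starts with an "Alias name:" line; the first "until:" inside
    the entry belongs to Certificate[1], the server's own (leaf) certificate.
    """
    entries = []
    for block in re.split(r"(?m)^(?=Alias name:)", keytool_output):
        alias = ALIAS_RE.search(block)
        until = UNTIL_RE.search(block)
        if not alias or not until:
            continue  # header text or an entry without a certificate
        stamp, _tz, year = until.groups()  # _tz assumed to be UTC
        not_after = datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")
        entries.append((alias.group(1).strip(), not_after))
    return entries


def classify(not_after: datetime, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """'expired' (event 1410 condition), 'expiring' (event 1409 condition) or 'ok'."""
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def check_keystore_listing(keytool_output: str, now: datetime,
                           warn_days: int = WARN_DAYS) -> list[tuple[str, str, int]]:
    """Return (alias, status, days_left) for each certificate entry."""
    results = []
    for alias, not_after in parse_entries(keytool_output):
        days_left = (not_after - now).days
        results.append((alias, classify(not_after, now, warn_days), days_left))
    return results


# Constructed sample listing with two SICAP entries (hypothetical aliases).
SAMPLE_LISTING = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: sicap-npw01
Creation date: Jan 10, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=npw01.example.com, O=Example
Issuer: CN=Example Internal CA, O=Example
Valid from: Wed Jan 10 10:00:00 UTC 2024 until: Fri Jan 10 10:00:00 UTC 2025


*******************************************
*******************************************


Alias name: sicap-npw02
Creation date: Mar 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=npw02.example.com, O=Example
Issuer: CN=Example Internal CA, O=Example
Valid from: Fri Mar 01 09:00:00 UTC 2024 until: Sat Mar 01 09:00:00 UTC 2025
"""


if __name__ == "__main__":
    # Usage: keytool -list -v -keystore <sicap.jks> > listing.txt
    #        python check_sicap.py listing.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for alias, status, days in check_keystore_listing(text, datetime.utcnow()):
        print(f"{alias}: {status} ({days} days left)")
```

Run the script against a saved `keytool -list -v` dump of each NPW's SICAP keystore from a scheduled job, and treat any `expiring` or `expired` line as the notification that events 1409 and 1410 would otherwise have raised in the Enforce console.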