As a quick background, we have already created and implemented policies for DLP Endpoint, which are normally linked to a system. We have recently installed the DLP Prevent solution for email, and the rules are currently set to take no action from the Prevent appliances (only from the Endpoint). What would be the best way to test the Prevent appliances for a single test user?
Hi @Linuxxo ,
Thank you for writing in.
DLP Prevent appliances are used to monitor / block SMTP traffic or web traffic.
Which traffic would you like to monitor / block?
Create a new policy (test policy), then a new rule set. In your new rule set, create a new rule => Email Protection, fill in all the fields under the Condition tab, click McAfee Network DLP, then click the Reaction tab and choose No Action / Block / Request Justification, user notification etc. The choice is yours, but remember to choose Report Incident and Store Original Email as evidence. Provided all smart hosts and the policy are set up properly, you should get an alert.
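To exercise the test rule above for a single user, you need a message from that user, routed through the smart host to the Prevent appliance, that contains something the rule's classification will match and that you can find again in the incident list. The script below is an added example and not part of the original thread or of the McAfee product: it builds such a message with a constructed sample (the well-known Visa test PAN 4111 1111 1111 1111, which passes the Luhn checksum that card-number classifications commonly validate), tags the subject so the incident is easy to search for, and records the Message-ID for matching against the stored evidence copy. The sender, recipient, smart-host name and the assumption that your classification keys on a Luhn-valid card number are all placeholders; by default it runs in dry-run mode and does not connect anywhere.

```python
import smtplib
from email.message import EmailMessage
from email.utils import make_msgid

# Constructed sample data: a Visa test number that is Luhn-valid but not a real card.
TEST_PAN = "4111 1111 1111 1111"
TEST_TAG = "DLP-PREVENT-TEST"


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum.

    Card-number classifications usually require this, so a random
    16-digit string would not trigger the rule; the sample must pass.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_test_message(sender: str, recipient: str,
                       pan: str = TEST_PAN, tag: str = TEST_TAG) -> EmailMessage:
    """Build an RFC 5322 message that a card-number classification should match.

    The subject tag and the Message-ID let you locate the resulting incident
    and its stored original email in the DLP incident manager.
    """
    if not luhn_valid(pan):
        raise ValueError("sample PAN must be Luhn-valid or the classification will not fire")
    domain = sender.split("@", 1)[1]
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[{tag}] DLP Prevent smart-host check"
    msg["Message-ID"] = make_msgid(domain=domain)   # unique per run, e.g. <...@example.com>
    msg.set_content(
        "This is a DLP Prevent test message.\n"
        f"Card number for the test: {pan}\n"
        "Ignore this message; it contains constructed sample data only.\n"
    )
    return msg


def send_via_smarthost(msg: EmailMessage, smart_host: str, port: int = 25,
                       dry_run: bool = True) -> dict:
    """Relay the message through the smart host in front of the Prevent appliance.

    With dry_run=True (the default) nothing is sent; the returned dict still
    carries the identifiers you will search for in the incident list.
    """
    if not dry_run:
        with smtplib.SMTP(smart_host, port, timeout=30) as smtp:
            smtp.send_message(msg)
    return {
        "sent": not dry_run,
        "message_id": msg["Message-ID"],
        "subject": msg["Subject"],
        "from": msg["From"],
    }


if __name__ == "__main__":
    # Placeholder identities and host; replace with your test user and relay.
    m = build_test_message("test.user@example.com", "external.recipient@example.net")
    print(send_via_smarthost(m, "smarthost.example.com", dry_run=True))
```

Send it while logged on as the test user (or with the test user's address as sender) so the resulting incident carries that user's UPN, then search the incident list for the subject tag and compare the Message-ID with the stored original. If nothing appears, the classification, the smart-host routing, or the rule's assignment to the appliance is the first thing to check; the script only proves that the message itself contains something the rule should match.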
Perhaps I should have clarified that I am already getting alerts from the Prevent without it taking any actions. Now, let's say I have a test user and a system with a test policy assigned to it; what is going to happen if the user logs in to OWA from a different system with a different policy assigned?
Policy is system based and not user based. User Principal Name (UPN) and User Logon Name (ULN) are used mainly for Incident / Reviewer group assignment.
Hi @Linuxxo ,
To explain in detail, can we know:
1) how did you setup your environment to receive alerts from the Prevent?
2) What alerts (Incidents) are you receiving from DLP Prevent?
Kind note: if you are using DLP Prevent, then the DLP policy needs to be assigned to the DLP Prevent appliance and not to a user system, as you have mentioned in your comment.
All email traffic or web traffic from your mail gateway or web gateway will be forwarded to the DLP Prevent, and then DLP Prevent takes action as per the DLP Prevent Email Protection policy which you have created. If it's OWA, then you would need to use a Web Protection rule.
1) I have just configured the Prevent appliances and the alerts started coming in. I checked this morning and noticed that the rules used to generate the alerts are the ones I initially created to monitor Endpoints. I am not sure how that was automatically assigned to Prevent.
2) I receive alerts whenever a classification triggers the monitoring rule.
Assigning policies or rule sets to the appliances is now starting to make more sense; however, I have not been able to find where it is being assigned.
Hi @Linuxxo ,
For quick help, I advise raising a support case with McAfee Support, so that we can help you find the assignments over a remote session.