Level 10
Message 1 of 13

Best practice on how to test DLP Prevent Appliances for emails

Hi,

As a quick background, we have already created and implemented policies for the DLP Endpoint, which are normally linked to a system. We have recently installed the DLP Prevent solution for emails, and the rules are currently set to take no action from the Prevent appliances (only from the Endpoint). What would be the best way to test the Prevent Appliances for a single test user?

Many Thanks

Accepted Solutions
Reliable Contributor
Message 12 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Hi,

 

See attached screenshot, that tells you where/when to assign the rule to the appliance (NDLP). Hope it helps

12 Replies
McAfee Employee
Message 2 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Hi @Linuxxo ,

Thank you for writing in email.

DLP Prevent appliances are used to monitor / block SMTP traffic or Web Traffic. 

Which traffic would you like to monitor / block?

 

Thank you.

Regards,
Jithendran S
McAfee Employee
Level 10
Message 3 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

I would like to monitor and block the outgoing email traffic but without affecting existing users, just a test account.

Reliable Contributor
Message 4 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Remember to modify/edit the policy on a single system and you'll be fine.
Reliable Contributor
Message 5 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Create a new policy (test policy), then a new ruleset. In your new ruleset, create a new rule => Email protection, fill in all the fields under the condition tab, click McAfee Network DLP, then click the reaction tab and choose No Action/Block/Request justification, user notification, etc. The choice is yours, but remember to choose report incident and store original email as evidence. Provided all smart hosts and the policy are set up properly, you should get an alert.

Level 10
Message 6 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Perhaps I should have clarified that I am already getting alerts from the Prevent without taking any actions. Now, let's say I have a test user and a system with a test policy assigned to it, what is going to happen if the user logs in on OWA from a different system with a different policy assigned?

Reliable Contributor
Message 7 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Policy is system based and not user based. User Principal Name (UPN) and User Logon Name (ULN) are used mainly for Incident/Reviewer group assignment.

McAfee Employee
Message 8 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Hi @Linuxxo ,

To explain in detail, can we know:

1) How did you set up your environment to receive alerts from the Prevent?

2) What alerts (Incidents) are you receiving from DLP Prevent?

 

Kind Note: If you are using DLP Prevent then the DLP policy needs to be assigned to the DLP Prevent appliance and not to a user System as you have mentioned in your comment.

All email traffic or web traffic from your mail gateway or web gateway will be forwarded to the DLP Prevent, and then DLP Prevent takes action as per the DLP Prevent Email Protection Policy which you have created. If it's OWA then you would need to use a Web Protection Rule.

 

Thank you.

Regards,
Jithendran S
McAfee Employee
Level 10
Message 9 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Hi Suburra

1) I have just configured the Prevent appliances and the alerts started coming in. I have checked this morning and noticed that the rules used to generate the alerts are the ones I initially created to monitor Endpoints. I am not sure how that was automatically assigned to Prevent.

2) I receive alerts whenever a classification triggers the monitoring rule.

Assigning policy or rule sets to the appliances now is starting to make more sense; however, I have not been able to find where it is being assigned.

 

McAfee Employee
Message 10 of 13

Re: Best practice on how to test DLP Prevent Appliances for emails

Hi @Linuxxo ,

For quick help, I advise raising a support case with McAfee Support, so that we can help you to find the assignments over a remote session.


Thank you.

Regards,
Jithendran S
McAfee Employee