
FTP/SFTP traffic monitoring via Network DLP

Hi,

Can someone help me with the below requirement?

We want to monitor file transfers (FTP/SFTP) to internet/intranet. Which protection rule needs to be configured, and which component of DLP will work for this requirement (DLP Prevent/DLP Monitor)?

Is there any documentation available to implement this change?

 

McAfee Employee jermaineeaden

Re: FTP/SFTP traffic monitoring via Network DLP

Hello,

You can use DLP Monitor. Also, see the attached DLP 11.1 Product Guide, pages 141-143.

You will need to check the DLP Appliance Management Extension into ePO. Then take the below steps:

Apply network communication protection rules to FTP, HTTP, or SMTP traffic
You can configure McAfee DLP Monitor to apply network communication protection rules to SMTP, HTTP, or FTP
traffic. By default, email and web protection rules are applied.

1 In McAfee ePO, open the Policy Catalog.
2 Select the DLP Appliance Management product, select the McAfee DLP Monitor Settings category, and open the policy
that you want to edit.
3 In Protocol Rule Application, deselect the appropriate options and click Save.


Create a traffic filtering rule
By default, McAfee DLP Monitor analyzes all protocol traffic. You can create additional rules that filter the
protocol traffic in priority order to improve performance and stop incidents being created for protocols that are
not relevant to your requirements.
McAfee DLP Monitor analyzes the traffic rules in a top-down priority order. The analysis stops when it finds a
match, and takes the corresponding action.
If there is an HTTP conversation between a client 1.2.3.4 and a server 2.3.4.5, there are two transactions over
the same TCP connection. Consequently, the traffic filtering rules are evaluated separately. For example:
• The HTTP request (source 1.2.3.4:9999, destination 2.3.4.5:80)
• The HTTP response (source 2.3.4.5:80, destination 1.2.3.4:9999)


1 In McAfee ePO, open the Policy Catalog.
2 Select the DLP Appliance Management product, select the McAfee DLP Monitor Settings category, and open the policy
that you want to edit.
3 In the Traffic Rules section, click + to open the Define Rule dialog box.
4 Type a name for the rule, then click + to specify the network attributes you want the rule to filter on.
Each attribute can only be added once to a rule.
• Source IP Address — Specify an IP address or an IP address and netmask.
• Destination IP Address — Specify an IP address or an IP address and netmask.
• Source Port — Specify a port in the range of 0-65535.
• Destination Port — Specify a port in the range 0-65535.
• VLAN ID — Specify the VLAN tag ID. Untagged traffic uses the default 4095 ID.
• Transport Protocol — Choose from TCP or UDP.
• Application Protocol — Select the protocol you want the rule to match on.
• SOCKS Encapsulation — Select whether the traffic is encapsulated.
• Sender Email Address — Specify the sender email address to match against.
• Recipient Email Address List — Specify the recipient email address to match against.
• URL — Specify the HTTP URL.
5 Select the match operator and select or type the value for the attribute you are adding, then click Update.
6 Add more criteria as necessary and click OK to return to DLP Monitor Settings.
The rule is added to the top of the list.
7 Use the arrows to position the new rule where you want it in the priority order and optionally select Scan
Traffic.
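
The top-down, first-match evaluation and the separate handling of request and response described in the reply above, as an added example that is not part of the original post or McAfee's code. It is a simplified Python model: the `Rule` and `Transaction` classes, the rule names and the `scan` flag (standing in for the Scan Traffic option) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Transaction:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    transport: str = "TCP"

@dataclass
class Rule:
    name: str
    scan: bool                      # assumption: models the "Scan Traffic" option
    src_net: Optional[str] = None   # None = attribute not added to the rule
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    transport: Optional[str] = None

    def matches(self, t: Transaction) -> bool:
        # Every attribute present on the rule must match the transaction.
        return all([
            self.src_net is None or ip_address(t.src_ip) in ip_network(self.src_net),
            self.dst_net is None or ip_address(t.dst_ip) in ip_network(self.dst_net),
            self.src_port is None or t.src_port == self.src_port,
            self.dst_port is None or t.dst_port == self.dst_port,
            self.transport is None or t.transport == self.transport,
        ])

def evaluate(rules, t):
    """Top-down, first match wins; unmatched traffic is analyzed (modelled default)."""
    for rule in rules:
        if rule.matches(t):
            return rule.name, rule.scan
    return "default", True

# Constructed sample: the HTTP conversation from the text, as its two transactions.
REQUEST = Transaction("1.2.3.4", 9999, "2.3.4.5", 80)
RESPONSE = Transaction("2.3.4.5", 80, "1.2.3.4", 9999)

# Hypothetical policy keyed on the destination only: it covers the request direction.
ONE_WAY = [Rule("skip-web-to-server", scan=False, dst_net="2.3.4.5/32", dst_port=80)]
# Same intent with a second rule keyed on the source, covering the response.
BOTH_WAYS = ONE_WAY + [Rule("skip-web-from-server", scan=False,
                            src_net="2.3.4.5/32", src_port=80)]

if __name__ == "__main__":
    for label, policy in (("one-way", ONE_WAY), ("both-ways", BOTH_WAYS)):
        for name, t in (("request", REQUEST), ("response", RESPONSE)):
            print(label, name, evaluate(policy, t))
```

In this model the destination-only rule leaves the response to fall through to the default, and a broader rule placed above a narrower one takes the match first, so rule position matters as much as rule content.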
