Advanced Troubleshooting steps for DLP Network Sensor
RSA Product Set: DLP
RSA Product/Service Type: DLP Network
RSA Version/Condition: No events from Sensor
Platform: CentOS
O/S Version: 6
The DLP Sensor is configured, all networks and protocols have been configured, and traffic is being sent to the sensor. The correct policies have been applied and confirmed to be working, but the sensor still generates no events.
To debug, take the following steps. First, find out which protocol is missing.
1. Work with the network team to make sure the IP addresses in question fall within the subnets configured on the sensor.
2. Confirm that the host IP addresses have not changed (relevant if events were generated before and have now stopped).
3. Traffic must be in the clear. The sensor cannot inspect encrypted data, so HTTPS or TLS-enabled sessions will not produce events.
Find out which protocol is in question; the sensor runs a separate service per protocol. For HTTP traffic the service is called passivehttp, and for email (SMTP) it is passivesmtp.
Log on to the sensor, open a command prompt and type:
moncmd debug <service> on
then type:
conwatch -n 10
The output will show every session received by the sensor. Run your tests from the test machine and watch for its client IP. If the client IP is missing, work with the network team to find out why that traffic is not reaching the sensor. If you see the IP and there is still no event, find out whether the network uses asymmetric routing: for a session to be captured for analysis, the sensor must see the full session (both directions of the conversation), not just the packets of one direction.
After testing is complete, turn off debugging for the service:
moncmd debug <service> off
Example of enabling debug for the SMTP service. Command used:
moncmd debug passivesmtp on
Message displayed to confirm debug is enabled:
09-29 14:21:09 INFO NW_902 sensor1.ribeye.com PassiveSMTP0 #### debug: True
9-29 14:23:06 DEBUG NW_901 sensor1.ribeye.com PassiveSMTP0 [FLOW.Event] [Content ID: 1443568986.0000_bd3c42d8-382b-4856-8ffd-14f0a7d7274a_smtp] Analyzing (passive) SMTP Session. Mail From: email@example.com, Mail To: [u' joedoe@.company.com'], Subject: DLP Sensor Test, Client: "10.1.2.3", Server: "10.3.2.1"
In this case, the Client is the originating (source) network and the Server is the destination network.
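The following script, added here as an example and not part of the RSA article or the DLP product, turns the manual procedure above into a check that can be run over saved conwatch output (for example, conwatch -n 10 redirected to a file, or piped in on stdin). It confirms the "debug: True" acknowledgement was printed, extracts Client and Server from every [FLOW.Event] line using the line format shown in the sample output, and reports which troubleshooting branch applies: client outside the configured networks (step 1), client never seen by the sensor (network team), or session captured. The log lines and the subnet list in the block are constructed for the example; the diagnosis text is an assumed mapping of the article's steps, not sensor output.

```python
"""Check PassiveSMTP debug output from `conwatch` for an expected test client.

Added example, not RSA or DLP product code. The two log line formats (the
"#### debug: True" acknowledgement and the [FLOW.Event] session line) follow
the sample output in the article; SAMPLE_LOG and the subnets are constructed.
"""
import ipaddress
import re
import sys

# Acknowledgement printed after `moncmd debug <service> on`
DEBUG_ON_RE = re.compile(
    r'^\d{1,2}-\d{2} \d{2}:\d{2}:\d{2} INFO \S+ \S+ (?P<svc>\S+) #### debug: True$'
)

# One [FLOW.Event] line per SMTP session the sensor reassembled and analyzed.
# Subject is matched non-greedily so a subject containing commas still parses.
FLOW_RE = re.compile(
    r'^(?P<ts>\d{1,2}-\d{2} \d{2}:\d{2}:\d{2}) DEBUG \S+ (?P<host>\S+) (?P<svc>\S+) '
    r'\[FLOW\.Event\] .*?Mail From: (?P<mail_from>[^,]+), .*?'
    r'Subject: (?P<subject>.*?), Client: "(?P<client>[^"]+)", '
    r'Server: "(?P<server>[^"]+)"$'
)

# Constructed sample in the article's format (hostnames and IDs are made up)
SAMPLE_LOG = """\
09-29 14:21:09 INFO NW_902 sensor1.example.com PassiveSMTP0 #### debug: True
09-29 14:23:06 DEBUG NW_901 sensor1.example.com PassiveSMTP0 [FLOW.Event] [Content ID: 1443568986.0000_00000000-0000-0000-0000-000000000000_smtp] Analyzing (passive) SMTP Session. Mail From: tester@example.com, Mail To: [u'joedoe@example.com'], Subject: DLP Sensor Test, Client: "10.1.2.3", Server: "10.3.2.1"
09-29 14:23:40 DEBUG NW_901 sensor1.example.com PassiveSMTP0 [FLOW.Event] [Content ID: 1443569020.0000_00000000-0000-0000-0000-000000000001_smtp] Analyzing (passive) SMTP Session. Mail From: bob@example.com, Mail To: [u'a@example.com', u'b@example.com'], Subject: Weekly report, numbers attached, Client: "192.168.50.7", Server: "10.3.2.1"
09-29 14:24:02 DEBUG NW_901 sensor1.example.com PassiveSMTP0 [FLOW.Idle] housekeeping
""".splitlines()


def debug_enabled(lines, service):
    """True if the sensor acknowledged `moncmd debug <service> on`.
    Instance names carry a numeric suffix (PassiveSMTP0), so match by prefix."""
    for line in lines:
        m = DEBUG_ON_RE.match(line.strip())
        if m and m.group("svc").lower().startswith(service.lower()):
            return True
    return False


def parse_flow_events(lines):
    """Return one dict per [FLOW.Event] line; other log lines are ignored."""
    events = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def diagnose(lines, expected_client, monitored_subnets):
    """Map what conwatch showed onto the article's troubleshooting branches.
    Client is the originating side, so the test machine's IP is compared
    against the Client field, and against the configured sensor networks."""
    client = ipaddress.ip_address(expected_client)
    nets = [ipaddress.ip_network(n) for n in monitored_subnets]
    events = parse_flow_events(lines)
    hits = [e for e in events if e["client"] == expected_client]
    in_subnet = any(client in n for n in nets)
    if not in_subnet:
        verdict = "client outside configured networks: fix sensor network configuration"
    elif not hits:
        verdict = "client never seen by sensor: work with network team on traffic delivery"
    else:
        verdict = "session captured: check policy match and asymmetric routing"
    return {"events": len(events), "matching": len(hits),
            "in_subnet": in_subnet, "verdict": verdict}


if __name__ == "__main__":
    # Usage: conwatch -n 10 > debug.log; python3 check_conwatch.py 10.1.2.3 < debug.log
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    test_client = sys.argv[1] if len(sys.argv) > 1 else "10.1.2.3"
    print("debug acknowledged:", debug_enabled(lines, "passivesmtp"))
    for e in parse_flow_events(lines):
        print(e["ts"], e["client"], "->", e["server"], "|", e["subject"])
    print(diagnose(lines, test_client, ["10.1.0.0/16", "192.168.50.0/24"]))
```

The subnet list passed to diagnose should be the networks actually configured on the sensor; the script only tells you which of the article's branches to pursue, it does not replace confirming traffic delivery with the network team.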