Troubleshooting

The following sections explain how to troubleshoot the DLP Gateway and captured files.

Incidents Do Not Expire

If UserCheck incidents are not expiring, or changing the value of the quarantine parameter seems to have no effect, verify that expiration is enabled.

To enable expiration of UserCheck incidents:

  1. On the DLP Gateway, open the $FWDIR/conf/mail_security_config file.

  2. Find the expiration_active parameter:

    [mail_repository]
    #is expiration for mail repository active value can be 0 or 1
    expiration_active=1

    The default value is 1. If the value of expiration_active is 0, incidents do not expire.

  3. Save mail_security_config and install the policy on the DLP Gateway.

Mail Server Full

The /var/spool/mail directory may become full. This may occur if you de-activate the settings to delete incident data after expiration or on exceeding quota. It may also occur due to regular usage, depending on your environment. The quota for the DLP data to be held on the mail server is set in the configuration files.

DLP routinely checks the usage of the /var/spool/mail directory on the Mail Server against the DLP global_quota_percentage parameter. If usage on the Mail Server exceeds the global quota, no more emails are stored, all emails of UserCheck incidents are passed, and logs are issued.

To change the quota use percentage:

  1. On the DLP Gateway, open the $FWDIR/conf/mail_security_config file.

  2. Find the global_quota_percentage parameter:

    # ... no more emails are written and a log comes out every 5 minutes

    global_quota_percentage=80

    The default value is 80 (% of Mail Server used).

  3. Change the value to the usage percent you want.

  4. Save mail_security_config and install the policy on the DLP Gateway.

To change DLP behavior if global quota is exceeded:

  1. On the DLP Gateway, edit the $FWDIR/dlp/config/dlp.conf file.

  2. Find the SMTP parameters:

    :smtp (
    :enabled (1)
    :max_scan_size (150000000)
    :max_recursion_level (4)
    :max_attachments (100)
    :block_on_engine_error (0)

    • If you want UserCheck emails to be sent and logged (same behavior as Detect), keep the default 0:

      :block_on_engine_error (0)

    • If you want UserCheck emails to be dropped and logged (same behavior as Prevent), change the value to 1:

      :block_on_engine_error (1)

  3. Save the changes in the file and exit the editor.

  4. Install the policy on the DLP Gateway.

Important - For security and performance, it is recommended that you leave the Mail Server quota activated. However, if you do need to de-activate it, set the value of the global_quota_active parameter to 0 in the $FWDIR/conf/mail_security_config file.
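
The checks in the procedures above can be combined into one audit. The script below is an added example, not Check Point code: it reads the parameters named on this page and reports whether incidents can expire and what happens to UserCheck emails once the quota is exceeded. The finding names and helper functions are hypothetical, an absent global_quota_active is assumed to mean the quota is active, and measuring /var/spool/mail with df is an assumption about how usage is calculated.

```shell
# Added example (not Check Point code): audit the DLP settings from this page.

# Value of "key=value" parameter $2 in file $1; comment lines are skipped.
get_ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Value of ":key (value)" parameter $2 in file $1 (dlp.conf syntax).
get_conf_value() {
    sed -n "s/^[[:space:]]*:$2[[:space:]]*(\([^)]*\)).*/\1/p" "$1" | tail -n 1
}

# Percent used on the filesystem holding $1 (assumption: df approximates DLP's own check).
spool_usage_percent() { df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'; }
flag() { findings="${findings:+$findings }$1"; }

# $1 = mail_security_config, $2 = dlp.conf, $3 = spool usage in percent.
audit_dlp() {
    findings=""
    exp=$(get_ini_value "$1" expiration_active)         # page default: 1
    qact=$(get_ini_value "$1" global_quota_active)      # assumed active unless 0
    quota=$(get_ini_value "$1" global_quota_percentage) # page default: 80
    block=$(get_conf_value "$2" block_on_engine_error)  # page default: 0
    if [ "${exp:-1}" = "0" ]; then flag EXPIRATION_OFF; fi
    if [ "${qact:-1}" = "0" ]; then flag QUOTA_OFF
    elif [ "$3" -gt "${quota:-80}" ]; then
        # Over quota: incidents stop being stored; 0 passes the mail, 1 drops it.
        if [ "${block:-0}" = "1" ]; then flag QUOTA_EXCEEDED_DROP
        else flag QUOTA_EXCEEDED_PASS; fi
    fi
    echo "${findings:-OK}"
}

# Constructed sample files: expiration disabled, spool at 91% against a quota of 80.
demo() {
    d=$(mktemp -d)
    printf '[mail_repository]\nexpiration_active=0\nglobal_quota_percentage=80\n' > "$d/msc"
    printf ':smtp (\n:enabled (1)\n:block_on_engine_error (0)\n)\n' > "$d/dlp.conf"
    audit_dlp "$d/msc" "$d/dlp.conf" 91
    rm -rf "$d"
}

# On a gateway, audit the live files; anywhere else, run the constructed demo.
if [ -r "${FWDIR:-/nonexistent}/conf/mail_security_config" ]; then
    audit_dlp "$FWDIR/conf/mail_security_config" "$FWDIR/dlp/config/dlp.conf" \
        "$(spool_usage_percent /var/spool/mail)"
else
    demo
fi
```

A QUOTA_EXCEEDED_PASS result means UserCheck emails are currently being passed without being stored, which is the case to alert on if Prevent behavior is expected.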