Gateway Cleanup of Data

The complete data of UserCheck incidents are held in quarantine on the DLP Gateway. Thus, if an email is caught, and it contains a large attachment, it takes up the necessary space on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. until the incident is handled or expires.

Gateway Cleanup of Expired Data

The DLP Gateway automatically cleans itself of expired incident data. Incident data that is held for the backend:expiration:db number of days gets deleted.

Changing How Often and When the Gateway Checks for Data to Delete

On the DLP Gateway, open the $FWDIR/conf/mail_security_config file.

Find the expiration interval parameter:

#A check for expired email items is executed every 'expiration_interval' minutes

expiration_interval=1440

#the first time of execution for the expiration feature set to begin at 3:30 in the morning when there is no traffic on the system

expiration_execution_time=3:45

Change the value of expiration_interval (minutes), to have the Security Gateway search for expired data on a different interval. The default is 1440 minutes, which is one day.
Change the value of expiration_execution_time (24 hour clock), to change the time of day that the Security Gateway is cleaned. Be default, this is 3:45 AM, to ensure that Security Gateway maintenance does affect performance during usual working hours.
Save mail_security_config and install the policy on the DLP Gateway.

Gateway Cleanup of All Captured Data

DLP automatically cleans its Security Gateway periodically of temporary files, to make sure that disk use does not unduly build over time. But sometimes unnecessary files are left on the disk.

You can customize the cleanup with these configuration files:

$FWDIR/conf/mail_security_config
$DLPDIR/config/dlp_cleanup_files_list.conf

Important - It is not recommended to de-activate the cleanup. If you must do so, set the value of dlp_delete_redundant_files_active to 0.

mail_security_config File Parameters

mail_security_config Parameters	Description
dlp_delete_redundant_files_interval	How often (in minutes) cleanup runs. Default = 1440 (24 hours)
dlp_delete_redundant_files_execution_time	Exact time (on 24 hour clock) when cleanup runs. Default = 4:45 (when Security Gateway load is low)
dlp_delete_redundant_files_age_group1_files	Minimum age of UserCheck data files, which should be maintained on the disk until their handling expiration arrives. Default = 0 (use the expiration_time_in_days value) Note: This value does not change the expiration of incidents; it changes when data of expired incidents is removed.
dlp_delete_redundant_files_age_group2_files	Minimum age of files in /proc Default = 15 minutes
dlp_delete_redundant_files_age_group3_files	Minimum age of files in $FWDIR/tmp/dlp Default = 15 minutes

The dlp_cleanup_files_list.conf file is a list of scan commands with this syntax

scan[ CHECK_DB | - ] path mask scale age

Parameter	Description
CHECK_DB or -	Tests files to see if they are in the DLP database, to prevent accidental deletion of UserCheck incident data: `scan CHECK_DB` To clean up everything, even user captured data, change the flag to a dash ( - ): `scan -`
path	Path to look for files to delete. May include shortcuts such as $DLPDIR or $FWDIR, but cannot contain spaces.
mask	Regular expressions for files to match: * = all files Default masks used include: `.eml`, `.result`, `*.meta`
scale	Unit of measure for age parameter: `minutes_back` or `days_back`
age	Minimum time since creation the file must have before it can be deleted

Best Practice - Contents of this file explain more options, such as how to use macros for file age. It is recommended that you read the file comments before changing anything here.

The default age values of scan commands in the file are macros that pull values from mail_security_config. You can use numeric values instead of macros.

age Macros	Description
$2	group1 age (in days): UserCheck data files, value taken from `dlp_delete_redundant_files_age_group1_files`
$3	group2 age (in minutes): /proc files, value taken from `dlp_delete_redundant_files_age_group2_files`
$4	group3 age (in minutes): /tmp/dlp files, value taken from `dlp_delete_redundant_files_age_group3_files`