Data Loss Prevention

  • 1.  Issue with email delay - Network Prevent for Email

    Posted Feb 25, 2013 04:54 PM

    We recently stood up a new Symantec DLP solution. 1 Enforce Server, 1 Discover server, 2 network monitor servers, 2 Network Prevent for web servers and 2 Network Prevent for Email servers. All Windows 2008R2, running 11.6.1 and all VM except for the 2 network monitor systems. My issue is with email delays for outbound mail. We have our Exchange Edge Servers sending to DLP instead of sending direct to Postini as it was before DLP. In the past, email delivery (using email to my own gmail.com address) has been almost instantaneous and at most 1 minute or 2 max. Since DLP was installed there's a variable delay that can be close to the old normal, but can also grow to as large as 12-15 minutes.

     

    A ticket opened with support was closed without my consent after some analysis of our logs that pointed to some errors but without enough detail to resolve and then stated "working as designed". I simply can't picture a 15 minute delay in email delivery to be acceptable. 

     

    We're not a huge shop, processing perhaps 10-15K outbound messages per day. The Prevent for Email servers are virtual, running 64bit W2008R2 with 12gb ram and 4vCPU.

     

    What should I be looking for to troubleshoot? I can accept SOME delay - since DLP needs to look at every outbound message, but 15 minutes? Something must be configured wrong or not tuned properly.



  • 2.  RE: Issue with email delay - Network Prevent for Email

    Posted Feb 26, 2013 02:37 PM

    IT Security guy,

     

    There is somewhat of a delay, but not 15 mins. The rule of thumb is 20 messages/sec, I believe, per NP for Email server. Do you have these load balanced?

     

    Are there any errors on the servers, and what do resources look like on the box?



  • 3.  RE: Issue with email delay - Network Prevent for Email

    Posted Feb 27, 2013 10:16 PM

    Yes - my Exchange admin says they DNS round robin between the 2 DLP Email Prevent. Both are Windows 2008R2 VMs with 12gb ram and 4vCPU... They rarely have any CPU load but do seem to spike to 20 to as much as 50% CPU utilization for short (<30 seconds generally) periods of time. I just tried turning off TLS for a bit to see if there was a handshake problem but the delay persists. It's very inconsistent, so I have to think load related or something generating an error and waiting for a timeout. I just wish tech support had provided some options to try.

     



  • 4.  RE: Issue with email delay - Network Prevent for Email

    Posted Feb 28, 2013 05:01 PM

    What time of the day is the delay? Is it during peak hours or at any random time?

     

    Also, you can try to go into the log folder on the Prevent server, normally located in Prevent/logs, and look for SmtpPrevent_Operational0.log

    I have troubleshot many problems in that log file.



  • 5.  RE: Issue with email delay - Network Prevent for Email

    Posted Mar 01, 2013 01:58 AM

    Hi IT Security guy,

    We are also facing the same issue. Can you check whether all the DLP servers and the MTA are on a 1 Gbps LAN connection, and whether the switch ports are set to handle 1 Gbps traffic?

     



  • 6.  RE: Issue with email delay - Network Prevent for Email

    Posted Mar 02, 2013 11:25 AM

    Please check your mail server settings for the round robin timing config used to transfer/process the mail.
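
Added example (not part of any post in this thread, and not Symantec tooling): one way to see which hop adds the delay is to compare the Received timestamps of a delayed test message, such as the ones sent to an external mailbox in the first post. The sample headers, hostnames and times are constructed; the script does not assume the Prevent server stamps its own Received line, since the gap between the hops on either side brackets it.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: headers as saved from a delivered test message (newest hop first).
SAMPLE = """\
Received: from outbound.filter.example (outbound.filter.example [203.0.113.9])
\tby mx.recipient.example with ESMTP id c3; Mon, 25 Feb 2013 16:14:40 -0500
Received: from edge1.corp.example (edge1.corp.example [198.51.100.7])
\tby outbound.filter.example with ESMTP id b2; Mon, 25 Feb 2013 16:14:31 -0500
Received: from mbx1.corp.example (mbx1.corp.example [10.0.0.5])
\tby edge1.corp.example with ESMTP id a1; Mon, 25 Feb 2013 16:01:10 -0500
Subject: delay test

body
"""

def hop_delays(raw_message):
    """Return [(receiving_host, timestamp, seconds_since_previous_hop)], oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each MTA prepends its header, so reverse to get chronological order.
    for value in reversed(msg.get_all("Received", [])):
        if ";" not in value:
            continue  # malformed header without a date part
        try:
            stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            continue  # unparseable date
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append((by.group(1) if by else "?", stamp))
    result, prev = [], None
    for host, stamp in hops:
        delta = None if prev is None else (stamp - prev).total_seconds()
        result.append((host, stamp, delta))
        prev = stamp
    return result

def slowest_hop(raw_message):
    """Return the hop with the largest gap since the previous hop, or None."""
    timed = [h for h in hop_delays(raw_message) if h[2] is not None]
    return max(timed, key=lambda h: h[2]) if timed else None

if __name__ == "__main__":
    for host, stamp, delta in hop_delays(SAMPLE):
        gap = "start" if delta is None else f"+{delta:.0f}s"
        print(f"{stamp.isoformat()}  {gap:>8}  {host}")
```

Each timestamp comes from the receiving server's own clock, so small or negative gaps can be clock skew; a gap of many minutes between the Edge server's stamp and the next downstream stamp points at whatever sits between them.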