New Cloud Detection or Cloud Email server added to DLP is not detecting any data uploads or accepting emails
search cancel

New Cloud Detection or Cloud Email server added to DLP is not detecting any data uploads or accepting emails

book

Article ID: 164312

calendar_today

Updated On:

Products

Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Package Data Loss Prevention Data Loss Prevention Cloud Detection Service for ICAP Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

This issue pertains to any DLP Cloud Service environment, specifically when a new Cloud Detector has been enrolled.
Registration was successful, and it did appear that the Enrollment Bundle was successfully uploaded (if not, see related article TECH236383 for enrollment issues).

The Detector status showed as "Connected", and the Enforce UI shows no errors for the server.

In addition, after a restart of the MonitorController process, some of the following 2705 Event Codes are listed for the CDS:

Configuration file [Policy] delivery complete
Configuration file [VMLProfile] delivery complete
Configuration file [Settings] delivery complete
Configuration file [Protocols] delivery complete

 

However, emails are not accepted when sent to the Cloud Service, nor are file uploads to the CASB CloudSOC being detected.

The following SMTP messages failures have been seen at the customer's upstream MTA (O365), in relation to a newly registered Cloud Service for Email CDS:

"450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 Socket Error SocketError ..."

Environment

DLP supported releases.

CDS server is newly added the upgrade, and the Enrollment Bundle appears successfully uploaded.

This could affect the following products:

  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service for REST
  • Data Loss Prevention Cloud Detection Service for ICAP

 

Cause

The profile for the Cloud Detection Server is not fully loaded.

This can occur if the Enforce server's Data Profiles have not been re-indexed after upgrading Enforce from a prior version:

As per the Help Center topic Updating EDM indexes to the latest version: "When you upgrade to the latest version of Symantec Data Loss Prevention, you must update each Exact Data profile by reindexing the data source using the latest EDM Indexer."

If a Cloud Detection Server has been added since the upgrade, but reindexing has not been done, the new CDS will fail to start properly.

Resolution

All index profiles for EDM & IDM need to either be reindexed, or deleted (note - deleting two-tier profiles would mean related two-tier conditions in policies need to be removed as well).

Once ALL indexed sources created prior to upgrading have either been successfully reindexed, or removed, recycle the MonitorController from the Enforce UI.

Once this comes back up, the last stages of the CDS process should complete - and the following events should be present for each CDS (available clicking on the Detector in Enforce).

 

Here is a list of 2705 Event Codes, for different Cloud Detectors, on different versions of Enforce. This can help determine what, if any, deliveries are missing. 

Note that some of the configurations listed (IctTaxonomy, ICECredentialSettings) are actually dependent upon available licensing and thus may not appear for all environments.

Enforce version 15.8 - these include the new AIP component

A Cloud Detector configured for CASB Application Detection (aka receiving traffic from the CloudSOC):

Configuration file [Policy] delivery complete
Configuration file [AipTaxonomy] delivery complete
Configuration file [EMDIProfile] delivery complete
Configuration file [IctTaxonomy] delivery complete
Configuration file [SPI_REQUEST] delivery complete
Configuration file [REST] delivery complete
Configuration file [Form Recognition] delivery complete
Configuration file [VMLProfile] delivery complete
Configuration file [IDMProfile] delivery complete
Configuration file [EDMProfile] delivery complete
Configuration file [Protocols] delivery complete
Configuration file [Settings] delivery complete
Connected to Cloud detector

 

A Cloud Detector configured for Web Security Service (receiving ICAP traffic from WSS):

Configuration file [Policy] delivery complete
Configuration file [EMDIProfile] delivery complete
Configuration file [AipTaxonomy] delivery complete
Configuration file [IctTaxonomy] delivery complete
Configuration file [Form Recognition] delivery complete
Configuration file [VMLProfile] delivery complete
Configuration file [IDMProfile] delivery complete
Configuration file [EDMProfile] delivery complete
Configuration file [Settings] delivery complete
Configuration file [Protocols] delivery complete
Connected to Cloud detector

 

A Cloud Detector configured for the Cloud Email Service:

Configuration file [Policy] delivery complete
Configuration file [DetectorEmailDomains] delivery complete
Configuration file [AipTaxonomy] delivery complete
Configuration file [EMDIProfile] delivery complete
Configuration file [ICECredentialSettings] delivery complete
Configuration file [IctTaxonomy] delivery complete
Configuration file [Form Recognition] delivery complete
Configuration file [VMLProfile] delivery complete
Configuration file [IDMProfile] delivery complete
Configuration file [EDMProfile] delivery complete
Configuration file [Protocols] delivery complete
Configuration file [Settings] delivery complete
Connected to Cloud detector

 

Enforce version 15.7

A Cloud Detector configured for CASB Application Detection (aka receiving traffic from the CloudSOC):

Configuration file [Policy] delivery complete
Configuration file [EMDIProfile] delivery complete
Configuration file [IctTaxonomy] delivery complete
Configuration file [SPI_REQUEST] delivery complete
Configuration file [REST] delivery complete
Configuration file [Form Recognition] delivery complete
Configuration file [VMLProfile] delivery complete
Configuration file [IDMProfile] delivery complete
Configuration file [EDMProfile] delivery complete
Configuration file [Protocols] delivery complete
Configuration file [Settings] delivery complete
Connected to Cloud detector

 

A Cloud Detector configured for Web Security Service (receiving ICAP traffic from WSS):

Configuration file [Policy] delivery complete
Configuration file [EMDIProfile] delivery complete
Configuration file [IctTaxonomy] delivery complete
Configuration file [Form Recognition] delivery complete
Configuration file [VMLProfile] delivery complete
Configuration file [IDMProfile] delivery complete
Configuration file [EDMProfile] delivery complete
Configuration file [Settings] delivery complete
Configuration file [Protocols] delivery complete
Connected to Cloud detector

 

A Cloud Detector configured for the Cloud Email Service:

Configuration file [Policy] delivery complete
Configuration file [EMDIProfile] delivery complete
Configuration file [ICECredentialSettings] delivery complete
Configuration file [DetectorEmailDomains] delivery complete
Configuration file [IctTaxonomy] delivery complete
Configuration file [Form Recognition] delivery complete
Configuration file [VMLProfile] delivery complete
Configuration file [IDMProfile] delivery complete
Configuration file [EDMProfile] delivery complete
Configuration file [Protocols] delivery complete
Configuration file [Settings] delivery complete
Connected to Cloud detector

 

 

Additional Information

If your Enforce Server is configured to use Directory Connections, those will also need to be successfully reindexed.

Likewise, if any LDAP Plugins are configured, and using those same Directories, they will need to be successfully reindexed (or deleted).

Tip: Save details for EDM/IDM profiles, Directory Connections and Plugins, before deletion, to assist with later recreation.