
McAfee Data Loss Prevention 11.0.000 Migration Guide (McAfee ePolicy Orchestrator)
Contents

Introduction 5
  Migration overview 6
    Migration workflow 6
    Differences between versions 7
    Unsupported features 8

Installation 9
  Migrating physical appliances 9
  Installing McAfee DLP Prevent appliances 9
    Plan your configuration 9
    Identify network ports 9
    Install the extensions 10
    Configure network information 11
    Set up the appliance 11
    Install the appliance 11
    Post-setup tasks 12

Configuring system components 13
  Register an LDAP server 13
    Create end-user definitions 13
  Users, groups, and permission sets 14
    Create a user 14
    Create a permission set 14
    Create a McAfee DLP permission set 15
  The Common Appliance Management policy 15
  Add an evidence server to store incidents 15

Classifying sensitive content 16
  Create a classification 16
  Create classification criteria 16
  Create document properties 16
  Upload registered documents 17
  From concepts to definitions 17
    Dictionary definitions 18
    Advanced pattern definitions 19
    Create a general classification definition 21

Protecting with rules, rule sets, and policies 22
  McAfee DLP Prevent rule reactions and definitions 22
  Create a rule 25
  Create a rule set 25
  Create an email address list definition 26
  Create a network address range 26
  Create a URL list definition 26
  Create a network port range 27
  Create a policy 27
  Assign a policy to a McAfee DLP Prevent appliance 27
  Use case: Block outbound messages with confidential content unless they are sent to a specified domain 28
  Use case: Track intellectual property violations 29
  Use case: Application-based fingerprinting 30

Scanning data with McAfee DLP Discover 10.x and later 31
  Types of repositories 31
  Types of scans 31
  Define scan definitions 32
  Create a classification scan 33
  Create rules for remediation scans 34
  Create a scheduled remediation scan 34
  Use case: Filter the results of a remediation scan 35

Monitoring and reporting 36
  Incidents and cases 36
    Sort and filter incidents 36
    View incident details 37
    Update a single incident 37
    Update multiple incidents 38
    Create email notifications 38
    Create cases 38
    Assign a reviewer 39
    View case information 39
    Update cases 39
    Assign incidents to a case 40
    Use case: Find policy violations by user 40
    Use case: Find high-risk incidents 41
    Use case: Set properties to incidents 41
    Use case: Filter incidents by date, destination, and user 41
    Assign incident viewing permissions to users in an Active Directory 42
    Assign case management viewing permissions to a user 42
  Monitoring system health and status 42
    McAfee DLP dashboards 42
    Appliance Management dashboard 42
McAfee Data Loss Prevention 11.0.000 Migration Guide (McAfee ePolicy Orchestrator) 3
    McAfee DLP appliance events 43

Maintenance and troubleshooting 51
  Troubleshooting tips 51
  Managing with the McAfee DLP appliance console 53
  Accessing the appliance console 53
  Replace the default certificate 54
  Error messages 55
  Configuration backups 61

Introduction
This migration guide provides information that helps you move from McAfee® Network Data Loss Prevention (McAfee Network
DLP) 9.3.x to McAfee® Data Loss Prevention (McAfee DLP) 10.x.
It covers the following versions of McAfee DLP products:
• McAfee® Data Loss Prevention Discover (McAfee DLP Discover) 9.3.x to version 10.0.0 and later
• McAfee® Data Loss Prevention Prevent (McAfee DLP Prevent) 9.3.x to versions 10.0.100 and later
• McAfee® Data Loss Prevention Monitor (McAfee DLP Monitor) 9.3.x to version 11.0
It also provides information to help you get started with your new version of McAfee DLP.
For more information, see the McAfee Data Loss Prevention Product Guide for version 11.0.

Migration overview
There is no automatic upgrade path to move from McAfee Network DLP 9.3.x to McAfee DLP 10.x and later. This guide helps you
configure the newer versions of McAfee DLP with settings that behave in a similar way to your McAfee Network DLP 9.3.x setup.

Migration workflow
Use the workflow diagram to install the appliance, then recreate your configuration settings, rules, policies, and incident and case
management settings using the tools in McAfee ePO.
Note: McAfee DLP Monitor does not exist in McAfee DLP 10.x.

Installation scenarios

Scenario 1
From: Physical McAfee Network DLP 9.3.x
To: Physical McAfee DLP 10.x or 11.0
See: McAfee DLP Hardware Migration Guide and McAfee DLP Hardware Guide

Scenario 2
From: Physical McAfee Network DLP 9.3.x
To: Virtual McAfee DLP 10.x or 11.0
See: McAfee DLP Hardware Migration Guide and McAfee DLP Product Guide

Scenario 3
From: Virtual McAfee Network DLP 9.3.x
To: Virtual McAfee DLP 10.x or 11.0
See: This guide

For a list of virtual platforms supported by McAfee DLP 10.x and later, see the release notes for your version.

Scenario: Using unified incident and case management or McAfee DLP Manager
Complete the steps in this workflow diagram if:
• Your existing incidents and cases are already available in McAfee ePO.
• You use McAfee DLP Manager to manage incidents and cases.
Incidents and cases in McAfee DLP Manager cannot be migrated to the McAfee DLP 10.x and later tools.
Tip: McAfee Network DLP 9.3.x customers and McAfee DLP Endpoint 9.4 customers who chose to retain their McAfee DLP
Manager box can keep it available until the incidents and cases are no longer needed.

Scenario: Using the Capture Search feature
McAfee DLP 10.x and later does not include capture functionality.

Differences between versions


Because the product architecture for versions 9.3.x and 10.x and later is different, the configuration settings and data you had in
McAfee DLP Manager cannot migrate directly to the McAfee DLP tools in McAfee ePO.

Product names
The 9.3.x version of the product was called McAfee Network Data Loss Prevention (McAfee Network DLP). With version 10.x and
later, the Network part of the product name has been dropped to become McAfee Data Loss Prevention.

Product management
With version 10.x and later, products are now managed with McAfee ePO.
Configuration settings, rules, concepts and policies that you used in McAfee DLP Manager must be recreated in McAfee ePO.
Tip: Keep McAfee DLP Manager available until the incidents and cases are no longer required.

Differences in terms
Most features have the same name in the new version, with a few exceptions.

Table 1: Terminology differences

McAfee Network DLP 9.3.x term: McAfee DLP 10.x and later term
Concept: Dictionary definition; Advanced pattern definition (regex)
Action rule: Reaction
Template: Classification; Definition
Policy: Rule set
Validator: Algorithm
Group: Permission set

Incidents and cases
Incidents and cases in McAfee DLP Manager cannot be migrated to the McAfee DLP 10.x and later tools.

Unsupported features
These features are not supported in McAfee DLP version 10.x and later.
• Capturing data
• Creating definitions using the following settings:
◦ Number of lines from the beginning
◦ Percentage match
◦ Number of bytes from the beginning

Installation
To use McAfee DLP 10.x, you must perform a full installation.
For instructions on installing McAfee DLP Discover 10.x, see the McAfee Data Loss Prevention Product Guide.
Tip: Best practice: Before you begin to install the new version, make a full configuration backup of your current installation so
you can return to it if necessary.

Migrating physical appliances


If you have a model 4400, 5500, or 6600 appliance, you can install McAfee DLP Prevent 10.x or McAfee DLP Monitor 11.0.
McAfee DLP Manager machines can be repurposed after you've installed McAfee DLP Prevent 10.x or McAfee DLP Monitor 11.0
on your existing appliances. For more information, see the McAfee Network DLP 9.3.x to McAfee DLP 10.x Hardware Migration Guide
available from the McAfee download site.
Note: Model 1650 and 3650 appliances do not support McAfee DLP Prevent 10.x or McAfee DLP Monitor 11.0.

Installing McAfee DLP Prevent appliances


For more detailed installation instructions, see the McAfee Data Loss Prevention Product Guide for your version of the product.

Plan your configuration


Use the deployment information in the product guide to plan the integration of McAfee DLP products in your network.

Task
1. Familiarize yourself with the McAfee DLP deployment options.
2. Complete the deployment checklist.

Identify network ports


Locate the network ports on your appliance. Unlabeled ports are not used.

Figure 1. Model 4400 appliance port configuration

1. Serial port
2. OOB port
3. LAN1 port
4. Remote access port (RMM)
5. Ethernet port or fiber port *
◦ McAfee DLP Prevent — Unused
◦ McAfee DLP Monitor — Capture port 1
6. Ethernet port — Unused

* If the appliance has a fiber NIC:


• For McAfee DLP Prevent, the fiber port becomes LAN1.
• For McAfee DLP Monitor, the fiber port becomes Capture port 1.
Note: On some 4400 models, the capture ports might be on a slotted NIC instead of on the motherboard. In this case, these two
ports are swapped over.

Figure 2. Model 5500 appliance port configuration

1. Ethernet port or fiber port — Unused


2. Ethernet port or fiber port *
◦ McAfee DLP Prevent — Unused
◦ McAfee DLP Monitor — Capture port 1
3. OOB port
4. LAN1 *
5. Serial port
6. Remote access port (RMM)

* If the appliance has a fiber NIC:


• For McAfee DLP Prevent, this fiber port (callout 2) becomes the LAN1 port.
• For McAfee DLP Monitor, this fiber port (callout 2) becomes Capture port 1.

Figure 3. Model 6600 appliance port configuration

1. LAN1
2. McAfee DLP Prevent — Unused
McAfee DLP Monitor — Capture port 1
3. OOB port
4. Serial port
5. Remote access port (RMM)

Install the extensions


Prepare the McAfee ePO server for integration with McAfee DLP Appliance Management.
For information about manually installing the extensions, see the product guide.

Task
1. In McAfee ePO, select Menu → Software → Software Manager.
2. In the left pane, expand Software (by Label) and select Data Loss Prevention.
3. Select the entry for McAfee Network Data Loss Prevention.
These extensions are included:
◦ McAfee DLP
◦ Common UI
◦ Appliance Management Extension

◦ McAfee DLP Appliance Management
4. Click Check In.
5. Select the checkbox to accept the agreement, then click OK.

Configure network information


For McAfee DLP appliances, configure the DNS server and NTP server. For McAfee DLP Prevent, you must also configure a Smart
Host.

Task
1. In McAfee ePO, select Menu → Policy → Policy Catalog.
2. From the Product drop-down list, select Common Appliance Management.
3. Select the My Default policy.
4. Add the DNS server and the NTP server, then click Save.
5. From the Product drop-down list, select DLP Appliance Management.
6. Select the My Default policy for McAfee DLP Prevent Email Settings.
7. Enter the IP address of the Smart Host, then click Save.

Set up the appliance


Prepare the appliance for network integration.
Tip: The appliance power supply units and the hard disk can be replaced. Instructions are available in the hardware guide.
By default, each appliance is configured with these IP addresses after installation:
• McAfee DLP Prevent LAN1 — 10.1.1.108/24
Use the LAN1 network for SMTP or ICAP traffic. You can also use it for management traffic.
• McAfee DLP Monitor LAN1 — 10.1.1.108/24
Use the LAN1 network for management traffic.
• OOB — 10.1.3.108/24
(Optional) Use the out-of-band (OOB) network for management traffic including McAfee ePO communication.
McAfee DLP Monitor Capture port 1 is used for analysis traffic. It is not configured with any IP address.
Note: If your network uses DHCP, the first IP address that the DHCP server assigns to the McAfee DLP appliance is used instead.
You can manually configure the IP address with the Setup Wizard. The appliance does not support using a continuous DHCP
configuration.
The default gateway for the appliance must be on the LAN1 subnet. Configure any routing required on the OOB interface using
static routes.
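The addressing rules above (default gateway on the LAN1 subnet, OOB optional, routing over OOB only through static routes) are easy to get wrong on paper before the Setup Wizard is run. The following script is an added example, not part of the McAfee guide and not a product tool: it checks a planned configuration against those rules. The interface addresses, the ePO address and the static routes it tests are constructed values; the `manage_via_oob` and `epo` parameters are assumptions made for this check.

```python
"""Pre-flight check of a planned McAfee DLP appliance network configuration.

Added example, not part of the McAfee guide. It encodes the addressing rules
the guide states: the default gateway must be on the LAN1 subnet, the OOB
interface is optional, and any routing over OOB needs static routes (for
example to reach McAfee ePO when OOB carries the management traffic).
The plans checked at the bottom are constructed values, not a real site.
"""
import ipaddress

# Factory defaults quoted in the guide.
DEFAULT_LAN1 = "10.1.1.108/24"
DEFAULT_OOB = "10.1.3.108/24"


def check_plan(lan1, gateway, oob=None, static_routes=(), epo=None, manage_via_oob=False):
    """Return a list of problems; an empty list means the plan is consistent.

    lan1, oob      -- interface addresses in CIDR form, e.g. "10.1.1.20/24"
    gateway        -- default gateway address (must lie on the LAN1 subnet)
    static_routes  -- iterable of (destination_cidr, next_hop) tuples
    epo            -- McAfee ePO address, if it must be reached over OOB
    manage_via_oob -- True when OOB carries the management traffic
    """
    problems = []
    lan1_if = ipaddress.ip_interface(lan1)
    gw = ipaddress.ip_address(gateway)
    oob_if = ipaddress.ip_interface(oob) if oob else None

    # Rule from the guide: the default gateway must be on the LAN1 subnet.
    if gw not in lan1_if.network:
        problems.append(f"default gateway {gw} is not on the LAN1 subnet {lan1_if.network}")
    elif gw == lan1_if.ip:
        problems.append("default gateway must not be the appliance's own LAN1 address")

    # Two interfaces on overlapping subnets leave the routing ambiguous.
    if oob_if is not None and oob_if.network.overlaps(lan1_if.network):
        problems.append(f"OOB subnet {oob_if.network} overlaps the LAN1 subnet {lan1_if.network}")

    # Every static route needs a next hop on one of the two interfaces.
    usable_routes = []
    for dest, hop in static_routes:
        dest_net = ipaddress.ip_network(dest, strict=False)
        hop_addr = ipaddress.ip_address(hop)
        if hop_addr in lan1_if.network:
            usable_routes.append((dest_net, "LAN1"))
        elif oob_if is not None and hop_addr in oob_if.network:
            usable_routes.append((dest_net, "OOB"))
        else:
            problems.append(f"static route to {dest_net}: next hop {hop_addr} is on neither LAN1 nor OOB")

    # Management over OOB: ePO must be on the OOB subnet or behind an OOB static
    # route, because the default gateway only ever sits on LAN1.
    if manage_via_oob:
        if oob_if is None:
            problems.append("management over OOB requested but no OOB address is planned")
        elif epo is not None:
            epo_addr = ipaddress.ip_address(epo)
            reachable = epo_addr in oob_if.network or any(
                epo_addr in dest_net and via == "OOB" for dest_net, via in usable_routes)
            if not reachable:
                problems.append(f"McAfee ePO {epo_addr} is not reachable over OOB; "
                                "add a static route with an OOB next hop")
    return problems


def still_factory_defaults(lan1, oob=None):
    """True if the plan keeps the guide's factory addresses (acceptable for first boot only)."""
    return lan1 == DEFAULT_LAN1 or oob == DEFAULT_OOB


if __name__ == "__main__":
    # Constructed plans: the second moves management to OOB without a route to ePO.
    print(check_plan("10.1.1.20/24", "10.1.1.1"))
    print(check_plan("10.1.1.20/24", "10.1.1.1", oob="10.1.3.20/24",
                     epo="192.168.50.5", manage_via_oob=True))
    print(check_plan("10.1.1.20/24", "10.1.1.1", oob="10.1.3.20/24",
                     epo="192.168.50.5", manage_via_oob=True,
                     static_routes=[("192.168.50.0/24", "10.1.3.1")]))
```

Run it against each planned appliance before cabling: a non-empty list means the Setup Wizard values would leave the appliance unable to reach its gateway or McAfee ePO.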

Task
1. Install the appliance in a rack.
2. Connect a monitor, keyboard, and mouse to the appliance.
3. Connect the appliance to the network:
◦ McAfee DLP Prevent and McAfee DLP Monitor — Connect the LAN1 interface of the appliance to your network.
◦ McAfee DLP Monitor — Connect the Capture port 1 interface to your network tap or SPAN port.
4. (Optional) Connect the OOB interface to another network.
This is required for McAfee DLP Monitor if you are not using LAN1 for your management traffic.

Install the appliance


Install the software and run the Setup Wizard.

Task
1. Prepare the appliance for installation.
◦ 6600 appliances — Turn on the appliance.
◦ 4400 and 5500 appliances

◦ Using the installation ISO file, create or set up the external imaging media. You can perform the initial installation
using these methods:
◦ USB drive
Note: Use image writing software, such as Launchpad Image Writer, to write the image to the USB drive. For
more information, see KB87321.
◦ USB CD drive
◦ (4400 appliances only) Integrated CD drive
◦ Virtual CD drive using the remote management module (RMM)
◦ Insert or connect the media to the appliance.
◦ Turn on the appliance.
◦ Before the operating system starts, press F6 for the boot menu and select the external media.
Note: R3c0n3x is the BIOS password for 4400 appliances.
2. Follow the on-screen prompts.
When the installation completes, the appliance restarts.
3. Complete the Setup Wizard using the information in the on-screen Help.
4. If the installation fails:
a. Verify the network connection is working and any configured static routes are correct.
b. Ping the default gateway and McAfee ePO from the appliance console.
c. If the problem persists, contact technical support for assistance. Do not perform the installation again.
When you contact technical support, make sure you know the appliance primary serial number. You can find the serial
number on the product name sticker on the delivery packaging, the sticker on the bottom-left of the top panel, or the
sticker on the pull-out tray on the front panel.

Results
The McAfee DLP appliance is installed and registered to McAfee ePO.

Post-setup tasks
For more information on these tasks, see the product guide.
McAfee DLP appliances

1. Configure an evidence server to store the files that trigger a rule.


2. Configure one or more syslog servers if required.
3. Enable relevant predefined policies and rules.
4. Create additional classifications, policies, and rules to detect potential data loss incidents.
5. Confirm that incidents are recorded in the DLP Incident Manager.

McAfee DLP Prevent appliances


For McAfee DLP Prevent appliances that analyze email traffic:

1. Verify connectivity and mail flow between the mail transfer agent (MTA) server and the McAfee DLP Prevent appliance.
2. Confirm that the X-RCIS-Action: Allow header is added to received email.

For McAfee DLP Prevent appliances that analyze web traffic, verify connectivity between the web proxy server and the appliance.
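To confirm step 2 for email traffic without reading headers by hand, the following script is an added example (not part of the McAfee guide and not a product tool) that parses a message returned by the MTA and reports whether the X-RCIS-Action: Allow header is present exactly once. The header name and the value Allow come from the guide; the three raw messages are constructed samples, not captured mail, and the page lists no other header values, so anything other than Allow is reported verbatim rather than interpreted.

```python
"""Confirm that mail relayed through a McAfee DLP Prevent appliance carries the
X-RCIS-Action: Allow header that the guide's post-setup task asks you to check.

Added example, not part of the McAfee guide. The header name and value come
from the guide; the sample messages below are constructed, not captured.
"""
from email import policy
from email.parser import BytesParser

HEADER = "X-RCIS-Action"

# Constructed sample: the message came back from the appliance with the header.
SAMPLE_ALLOWED = b"""\
Received: from mta.example.test by dlp-prevent.example.test; Mon, 1 Jan 2018 10:00:00 +0000
X-RCIS-Action: Allow
From: alice@example.test
To: bob@example.test
Subject: Quarterly numbers
Content-Type: text/plain; charset=utf-8

Nothing confidential here.
"""

# Constructed sample: this copy never traversed the appliance (or the MTA stripped the header).
SAMPLE_NO_HEADER = b"""\
From: alice@example.test
To: bob@example.test
Subject: Quarterly numbers

Delivered without an appliance hop.
"""

# Constructed sample: two headers, as a mail loop or a second appliance hop would leave behind.
SAMPLE_DUPLICATE = b"""\
X-RCIS-Action: Allow
X-RCIS-Action: Allow
From: alice@example.test
To: bob@example.test
Subject: Quarterly numbers

Looped.
"""


def rcis_action(raw_message: bytes) -> list:
    """Return every X-RCIS-Action value in the message (empty list if absent)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return [str(v).strip() for v in msg.get_all(HEADER, [])]


def check_mail_flow(raw_message: bytes) -> str:
    """Classify one message received by the MTA after the appliance hop.

    'ok'          -- exactly one header and its value is Allow
    'missing'     -- no header: the appliance was bypassed or the MTA removed it
    'duplicate'   -- more than one header: check for a mail loop
    'other:<val>' -- header present with a value other than Allow
    """
    values = rcis_action(raw_message)
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"
    if values[0].lower() == "allow":
        return "ok"
    return "other:" + values[0]


if __name__ == "__main__":
    for label, raw in [("allowed", SAMPLE_ALLOWED), ("no header", SAMPLE_NO_HEADER),
                       ("duplicate", SAMPLE_DUPLICATE)]:
        print(f"{label}: {check_mail_flow(raw)}")
```

A 'missing' result on a test message that was addressed through the appliance points at the MTA routing or smart-host settings rather than at the appliance policy, which is the first thing to check.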
McAfee DLP Monitor appliances
• Generate some traffic that the configured network tap or SPAN can see.

Configuring system components
Register LDAP servers, define user permissions and groups, and specify evidence servers in McAfee ePO. Manage appliances
with a new feature in McAfee ePO called Appliance Management, where you specify policies and view system health status for all
McAfee DLP Prevent and McAfee DLP Monitor appliances.

Register an LDAP server


You must have a registered LDAP server to use Policy Assignment rules, to enable dynamically-assigned permission sets, and to
enable Active Directory User Login.

Task
1. Select Menu → Configuration → Registered Servers, then click New Server.
2. Select LDAP Server from the Server type menu, then specify a unique name and optional description and click Next.
3. Select an OpenLDAP or Active Directory server from the LDAP server type list.
4. Specify a domain name or a specific server name.
Use DNS-style domain names (such as internaldomain.com), or fully-qualified domain names or IP addresses for servers (such
as server1.internaldomain.com or 192.168.75.101). OpenLDAP servers can only use server names. They cannot be specified by
domain.
5. Specify whether to use the Global Catalog (not available for OpenLDAP servers).
Select it only if the registered domain is the parent of only local domains to avoid potential network traffic, which can impact
performance.
6. If you don't use the Global Catalog, select whether to chase referrals.
Chasing referrals can generate non-local network traffic.
7. Choose whether to use SSL to communicate with this server.
8. If you are configuring an OpenLDAP server, enter the port.
9. Enter a user name and password for an admin account on the server.
◦ Active Directory servers — Use the format domain\username
◦ OpenLDAP servers — Use the format cn=User,dc=realm,dc=com
10. Enter a Site name for the server, and click Test Connection to verify the connection, then click Save to complete the registration.
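The registration itself is done in the McAfee ePO console, but the task above contains several constraints that are only discovered when Test Connection fails. The following script is an added example, not part of the McAfee guide and not an ePO API: it validates the planned inputs against the rules stated in the task (server given as a DNS-style domain, FQDN or IP address; OpenLDAP specified by server name only, with an explicit port and without the Global Catalog; domain\username for Active Directory; a DN such as cn=User,dc=realm,dc=com for OpenLDAP). The dictionary keys and the two sample registrations are constructed for this example.

```python
"""Pre-check of the inputs for the 'Register an LDAP server' task.

Added example, not part of the McAfee guide and not an ePO API. Only the
constraints listed in the task are checked. The registration dictionaries
and their keys are constructed for this example.
"""
import ipaddress
import re

HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DNS_NAME_RE = re.compile(rf"^(?:{HOST_LABEL}\.)+{HOST_LABEL}$")
# domain\username: two non-empty parts joined by a single backslash.
AD_CRED_RE = re.compile(r'^[^\\/:*?"<>|\s]+\\[^\\/:*?"<>|\s]+$')
# One relative distinguished name component, e.g. cn=User or dc=realm.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def is_dn(value: str) -> bool:
    """True if value is a comma-separated list of attr=value pairs (an LDAP DN)."""
    parts = [p.strip() for p in value.split(",")]
    return all(RDN_RE.match(p) for p in parts)


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_ldap_registration(reg: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]}; no errors means the inputs fit the task's rules.

    Keys used (constructed for this example): name, server_type ("Active Directory" or
    "OpenLDAP"), server, specified_by ("domain" or "server"), use_global_catalog,
    use_ssl, port (OpenLDAP only), username, password.
    """
    errors, warnings = [], []
    stype = reg.get("server_type")
    if stype not in ("Active Directory", "OpenLDAP"):
        return {"errors": [f"unknown server type {stype!r}"], "warnings": warnings}
    if not reg.get("name"):
        errors.append("a unique name is required")

    server = reg.get("server", "")
    if not (is_ip(server) or DNS_NAME_RE.match(server)):
        errors.append(f"server {server!r} is neither a DNS-style name nor an IP address")

    if stype == "OpenLDAP":
        if reg.get("specified_by") == "domain":
            errors.append("OpenLDAP servers must be specified by server name, not by domain")
        if reg.get("use_global_catalog"):
            errors.append("Global Catalog is not available for OpenLDAP servers")
        port = reg.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append("OpenLDAP registration requires a port between 1 and 65535")
        if not is_dn(reg.get("username", "")):
            errors.append("OpenLDAP user must be a DN such as cn=User,dc=realm,dc=com")
    else:
        if reg.get("use_global_catalog") and reg.get("specified_by") != "domain":
            warnings.append("Global Catalog is meant for a registered domain, not a single server")
        if not AD_CRED_RE.match(reg.get("username", "")):
            errors.append("Active Directory user must use the format domain\\username")

    if not reg.get("password"):
        errors.append("a password is required")
    if not reg.get("use_ssl"):
        warnings.append("SSL not selected: the admin credentials and directory data cross the network in clear text")
    return {"errors": errors, "warnings": warnings}


# Constructed sample registrations.
AD_EXAMPLE = {"name": "corp-ad", "server_type": "Active Directory", "server": "internaldomain.com",
              "specified_by": "domain", "use_global_catalog": False, "use_ssl": True,
              "username": "INTERNAL\\svc-dlp", "password": "placeholder"}
OPENLDAP_EXAMPLE = {"name": "ldap1", "server_type": "OpenLDAP", "server": "internaldomain.com",
                    "specified_by": "domain", "use_global_catalog": True, "use_ssl": False,
                    "username": "svc-dlp", "password": "placeholder"}

if __name__ == "__main__":
    for reg in (AD_EXAMPLE, OPENLDAP_EXAMPLE):
        print(reg["name"], validate_ldap_registration(reg))
```

The OpenLDAP sample deliberately violates four of the task's rules; running the script lists all of them at once instead of one failed Test Connection at a time.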

Create end-user definitions


McAfee DLP accesses Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) servers to create end-user definitions.
End-user groups are used for administrator assignments and permissions, and in protection and device rules. They can consist of
users, user groups, or organizational units (OU), allowing the administrator to choose an appropriate model. Enterprises
organized on an OU model can continue using that model, while others can use groups or individual users where needed.
LDAP objects can be identified by name or security ID (SID). SIDs are more secure, and permissions can be maintained even if
accounts are renamed. On the other hand, they are stored in hexadecimal, and have to be decoded to convert them to a
readable format.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager.
2. Click the Definitions tab.
3. Select Source/Destination → End-User Group, then Actions → New.
4. In the New End-User Group page, enter a unique name and optional description.
5. Select the method of identifying objects (SID or name).
6. Click one of the Add buttons (Add Users, Add Groups, Add OU).
The selection window displays the selected type of information.
The display might take a few seconds if the list is long. If no information appears, select Container and children from the Preset drop-down list.

7. Select names and click OK to add them to the definition.
Repeat the operation as needed to add users, groups, or organizational units.
8. Click Save.

Users, groups, and permission sets


Creating users and groups is managed in McAfee DLP 10.x and later in the McAfee ePO Users and Permission Sets sections. You can
also create LDAP user groups in the McAfee ePO DLP Policy Manager.
Permission sets in McAfee ePO are referred to as groups in McAfee DLP Manager.
Tip: Best practice: Create specific McAfee DLP permission sets, users, and groups. Create different roles by assigning different
administrator and reviewer permissions for the different McAfee DLP modules in McAfee ePO.
For more information about users and permission sets in McAfee DLP 10.x and later, see the McAfee Data Loss Prevention Product
Guide for your version.

Administrator rights in McAfee ePO


When you install McAfee ePO, an administrator account is created automatically. Administrators have read and write
permissions and rights to all operations. By default, the user name for this account is admin. If the default value is changed
during installation, this account is named accordingly.
You can create additional administrator accounts for people who require administrator rights. To do so, follow the instructions in
Create a user.
Administrator rights include:
• Creating, editing, and deleting source and fallback sites
• Changing server settings
• Adding and deleting user accounts
• Adding, deleting, and assigning permission sets
• Importing events into the McAfee ePO databases and limiting the number of events stored

Create a user
Users in McAfee DLP 10.x are known as local users in McAfee Network DLP 9.3.x.

Task
1. In McAfee ePO, select Menu → User Management → Users.
2. Click New User and type a user name.
3. Select whether to enable or disable the logon status of this account.
Tip: Best practice: Disable this account if it is for someone who is not yet a part of the organization.
4. Select an authentication method for this account, and provide the required credentials.
◦ Windows authentication
◦ Certificate-Based Authentication
5. (Optional) Provide the user's full name, email address, phone number, and a description in the Notes text box.
6. Choose to make the user an administrator, or select the appropriate permission sets.
7. Click Save to return to the Users tab.

Results
The new user appears in the Users list on the User Management page.

Create a permission set


A permission set in McAfee DLP is equivalent to a local group in McAfee Network DLP 9.3.x.

Task
1. In McAfee ePO, select Menu → User Management → Permission Sets.
2. Select a predefined permission set or click New to create one.

3. Type a name, select the users you want to add, then click Save.
4. Click Save.

Create a McAfee DLP permission set


Permission sets define different administrative and reviewer roles in McAfee DLP software.

Task
1. In McAfee ePO, select Menu → User Management → Permission Sets.
2. Select a predefined permission set or click New to create a permission set.
a. Type a name for the set and select users.
b. Click Save.
3. Select a permission set, then click Edit in the Data Loss Prevention section.
a. In the left pane, select a data protection module.
Incident Management, Operational Events, and Case Management can be selected separately. Other options automatically create
predefined groups.
b. Edit the options and override permissions as needed.
Policy Catalog has no options to edit. If you are assigning Policy Catalog to a permission set, you can edit the sub-modules in the
Policy Catalog group.
c. Click Save.

The Common Appliance Management policy


The Common Appliance Management policy category is installed as part of the Appliance Management extension. It applies common
settings to new or re-imaged appliances.
• Date and time, and time zone information
• Lists of DNS servers
• Static routing information
• Secure Shell (SSH) remote logon settings
• Remote logging settings
• SNMP alerts and monitoring
Information about these options is available in the Appliance Management Help.

Add an evidence server to store incidents


Some incidents have evidence items associated with them. You can store the evidence on an evidence server.

Before you begin


The evidence server must be a CIFS share with read/write permissions.

Task
1. In McAfee ePO, select Menu → DLP Settings → General.
2. Enter the path to the evidence server in Default Evidence Storage to save the settings and activate the software.
The evidence storage path must be a network path, that is \\[server]\[share].
3. Provide the user name and password to access the server, and click Save.

Classifying sensitive content
With McAfee DLP 10.x and later, content is defined using classifications. Classifications used for McAfee DLP Prevent and McAfee
DLP Monitor can contain combinations of definitions, document properties, and registered documents.
For McAfee DLP 10.x and later, content classification is configured in two places in McAfee ePO.
• Menu → Classification → Definitions → Dictionary — Create definitions based on keywords.
• Menu → Classification → Definitions → Advanced Pattern — Create definitions based on regex.
You can associate the predefined definitions as they are to create rules, or create duplicates of the predefined rules that you can
customize.

Create a classification
Data protection and discovery rules require classification definitions in their configuration.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. Click New Classification.
3. Enter a name and optional description.
4. Click OK.
5. Add end user groups to manual classification, or registered documents to the classification, by clicking Edit for the respective
component.
6. Add content classification criteria or content fingerprinting criteria with the Actions control.

Create classification criteria


Apply classification criteria to files based on file content and properties.
You build content classification criteria from data and file definitions. If a required definition does not exist, you can create it as
you define the criteria.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. Select the classification to add the criteria to, then select Actions → New Content Classification Criteria.
3. Enter the name.
4. Select properties and configure the comparison and value entries.
◦ To remove a property, click <.
◦ For some properties, click ... to select an existing property or to create one.
◦ To add additional values to a property, click +.
◦ To remove values, click –.
5. Click Save.

Create document properties


Create a classification based on document properties.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. Click New Classification, type a unique name and an optional description.
3. Click Actions, then select New Content Classification Criteria or click the Edit link to change an existing classification criteria.
4. Click Document Properties , then click … and select New item.
5. Select the property you want, then click Save.

Upload registered documents
Select and classify documents to distribute to the endpoint computers.

Before you begin


Uploading registered documents requires a license for McAfee DLP Endpoint, McAfee DLP Prevent, or McAfee DLP Monitor.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. Click the Register Documents tab.
3. Click File Upload.
4. Browse to the file, select whether to overwrite a file if the file name exists, and select a classification.
File Upload processes a single file. To upload multiple documents, create a .zip file.
5. Click OK.
The file is uploaded and processed, and statistics are displayed on the page.
6. Click Create Package when the file list is complete.
When files are deleted, remove them from the list and create a new package to apply the changes.
7. You can create a package of only registered or whitelisted documents by leaving one list blank.

Results
A signature package of all registered documents and all whitelisted documents is loaded to the McAfee ePO database for
distribution to the endpoint computers. McAfee DLP Prevent and McAfee DLP Monitor can access the McAfee ePO database to
use registered documents in rule definitions.

From concepts to definitions


McAfee Network DLP 9.3.x uses concepts based on McAfee expressions to create classification criteria. A concept can contain
keywords or regular expressions (regex). In McAfee DLP 10.x and later, concepts become definitions. McAfee DLP 10.x and later
use Google RE2 syntax expressions to build definitions.
McAfee Network DLP 9.3.x contained some predefined concepts (such as a selection of credit card numbers, HIPAA, and
gambling) that match definitions available in McAfee DLP 10.x and later. For those that do not match, you must create them by
hand.
To achieve similar functionality with McAfee DLP 10.x and later, create separate definitions for Dictionary definitions (keywords) and
Advanced Pattern definitions (regular expressions).

Table 1: Regular expressions

Expression | DLP 9.3.x | DLP 10.x
\s | whitespace character [\ \f \n \r \t < > ;] | any whitespace character
\w | alphanumeric character plus underscore | any alphanumeric character plus underscore
. | any character
\D | any non-digit
\c | any alpha [A–Z] or [a–z]
\i | case sensitivity off
$ | end of a string
^ (up arrow) | start of a string
For more information about Google RE2, see https://support.google.com/a/answer/1371417?hl=en.


Tip: Best practice: Before you start to create definitions in McAfee DLP 10.x and later, review your existing concept settings to
ensure they are still relevant to your needs, and that they provide the results you expect.
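The tokens in Table 1 whose meaning differs between the 9.3.x expression language and RE2 are the ones most likely to change what a migrated definition matches. The following Python helper is an added example, not McAfee code: it rewrites \c, \i, and the 9.3.x \s (which also matched <, > and ;) into RE2 equivalents and checks the result with Python's re module, which reads these constructs the same way RE2 does. The token mapping and the function names are assumptions for illustration.

```python
import re

# Added example (not McAfee code). Mapping of McAfee Network DLP 9.3.x tokens
# from Table 1 to RE2 syntax; the mapping is an assumption for illustration.
TOKEN_MAP = {
    r"\c": "[A-Za-z]",   # 9.3.x: any alpha [A-Z] or [a-z]; RE2 has no \c
    r"\s": r"[\s<>;]",   # 9.3.x \s also matched < > and ; RE2 \s is whitespace only
}


def migrate_expression(expr_93: str) -> str:
    """Translate a 9.3.x expression into an RE2 expression with the same meaning.

    Assumes tokens are written as in Table 1 and are not themselves escaped.
    """
    out = expr_93
    case_insensitive = r"\i" in out
    if case_insensitive:
        out = out.replace(r"\i", "")   # 9.3.x: case sensitivity off
    for old, new in TOKEN_MAP.items():
        out = out.replace(old, new)
    if case_insensitive:
        out = "(?i)" + out             # RE2 flag equivalent of \i
    return out


def re2_matches(expr: str, text: str) -> bool:
    """Search with Python's re; it agrees with RE2 for the constructs used here."""
    return re.search(expr, text) is not None


def matches_after_migration(expr_93: str, text: str) -> bool:
    return re2_matches(migrate_expression(expr_93), text)


if __name__ == "__main__":
    # Constructed sample: a 9.3.x concept that matched "confidential" in any case
    # followed by a 9.3.x whitespace character, which included ';'.
    sample = r"\iconfidential\s"
    print(migrate_expression(sample))                            # (?i)confidential[\s<>;]
    print(matches_after_migration(sample, "CONFIDENTIAL;data"))  # True
    print(re2_matches(r"confidential\s", "confidential;data"))   # False: RE2 \s skips ';'
```

Review the output of migrate_expression before pasting it into an Advanced Pattern definition; a 9.3.x concept that relied on \s matching ; or < would otherwise silently stop matching after migration.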

Dictionary definitions
A dictionary is a collection of keywords or key phrases where each entry is assigned a score.
Content classification and content fingerprinting criteria use specified dictionaries to classify a document if a defined threshold
(total score) is exceeded — that is, if enough words from the dictionary appear in the document. The assigned scores can be
negative or positive, allowing you to look for words or phrases in the presence of other words or phrases.
The difference between a dictionary and a string in a keyword definition is the assigned score.
• A keyword classification always tags the document if the phrase is present.
• A dictionary classification gives you more flexibility because you can set a threshold when you apply the definition, making the
classification relative. The threshold can be up to 1000. You can also choose how matches are counted: Count multiple occurrences
increases the count with each match, Count each match string only one time counts how many dictionary entries match the document.
McAfee DLP software includes several built-in dictionaries with terms commonly used in health, banking, finance, and other
industries. You can also create your own dictionaries. Dictionaries can be created and edited manually or by copying and pasting
from other documents.

Limitations
There are some limitations to using dictionaries. Dictionaries are saved in Unicode (UTF-8) and can be written in any language.
The following descriptions apply to dictionaries written in English. The descriptions generally apply to other languages, but there
might be unforeseen problems in certain languages.
Dictionary matching has these characteristics:
• It is only case sensitive when you create case-sensitive dictionary entries. Built-in dictionaries, created before this feature was
available, are not case-sensitive.
• It can optionally match substrings or whole phrases.
• It matches phrases including spaces.
If substring matching is specified, use caution when entering short words because of the potential for false positives. For
example, a dictionary entry of "cat" would flag "cataracts" and "duplicate." To prevent these false positives, use the whole phrase
matching option, or use statistically improbable phrases (SIPs) to give the best results. Similar entries are another source of false
positives. For example, in some HIPAA disease lists, both "celiac" and "celiac disease" appear as separate entries. If the second
term appears in a document and substring matching is specified, it produces two hits (one for each entry) and skews the total
score.

Create or import a dictionary definition


A dictionary is a collection of keywords or key phrases where each entry is assigned a score. Scores allow for more granular rule
definitions.

You can create a dictionary definition by importing a dictionary file in CSV format. You can also import items with a script
containing REST API calls. The administrator running the script must be a valid McAfee ePO user who has permissions in McAfee
ePO Permission Sets to perform the actions that are invoked by the APIs.
Tip: Best practice: Dictionary CSV files can use multiple columns. Export a dictionary to understand how the columns are
populated before creating a file for import.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. Click the Definitions tab.
3. In the left pane, select Dictionary.
4. Select Actions → New.
5. Enter a name and optional description.
6. Add entries to the dictionary.
To import entries:
a. Click Import Entries.
b. Enter words or phrases, or cut and paste from another document.
The text window is limited to 20,000 lines of 50 characters per line.
c. Click OK.
All entries are assigned a default score of 1.
d. If needed, update the default score of 1 by clicking Edit for the entry.
e. Select the Start With, End With, and Case Sensitive columns as needed.
Start With and End With provide substring matching.
To manually create entries:
a. Enter the phrase and score.
b. Select the Start With, End With, and Case Sensitive columns as needed.
c. Click Add.
7. Click Save.

Create a keyword-based dictionary definition


Create a dictionary definition based on keywords

Task
1. In McAfee ePO, go to Classification → Definitions → Dictionary and click Action → New.
2. Give the dictionary a name and an optional description, then click Action → Add.
3. In Phrase, type the word security, then set the Score as 1 and select Case Sensitive to only match on the keyword when it is
lowercase.
4. Click Add, then click Save.
5. Select Classification → New Classification. Give the classification a name, add an optional description and click OK.
6. Select the newly-created classification and click Action → New Content Classification Criteria.
7. Select the dictionary and use the comparison (OR/AND/NOT).
8. Click (…), select the dictionary you recently created, give it a threshold of 10, and click OK.
9. Assign the classification to a rule to trigger the classification.
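To make the scoring rules under Dictionary definitions and Limitations concrete, here is an added Python model of dictionary matching (example code, not McAfee's implementation): each entry carries a score, the Case Sensitive flag, and the Start With/End With substring options, and a document is classified when the total reaches the threshold. Reading Start With/End With as prefix/suffix matching inside a word, and using a reached-or-exceeded threshold comparison, are assumptions. It reproduces the "cat"/"cataracts"/"duplicate" and "celiac"/"celiac disease" false positives described above and the security keyword dictionary with a threshold of 10 from the task just completed.

```python
import re
from dataclasses import dataclass

# Added example (not McAfee code) of dictionary definition scoring.


@dataclass(frozen=True)
class DictionaryEntry:
    phrase: str
    score: int = 1               # default score assigned to imported entries
    case_sensitive: bool = False
    start_with: bool = False     # assumption: match words that start with the phrase
    end_with: bool = False       # assumption: match words that end with the phrase

    def pattern(self) -> str:
        core = re.escape(self.phrase)
        if self.start_with and self.end_with:
            return core                   # substring anywhere
        if self.start_with:
            return r"\b" + core
        if self.end_with:
            return core + r"\b"
        return r"\b" + core + r"\b"       # whole phrase only


def score_document(text, entries, count_multiple=True):
    """Return (total score, {phrase: counted hits}) for a document."""
    total, hits = 0, {}
    for entry in entries:
        flags = 0 if entry.case_sensitive else re.IGNORECASE
        occurrences = len(re.findall(entry.pattern(), text, flags))
        if occurrences == 0:
            continue
        # "Count each match string only one time" counts the entry once
        counted = occurrences if count_multiple else 1
        hits[entry.phrase] = counted
        total += entry.score * counted
    return total, hits


def classify(text, entries, threshold, count_multiple=True) -> bool:
    """Assumption: the document is tagged when the total reaches the threshold."""
    total, _ = score_document(text, entries, count_multiple)
    return total >= threshold


if __name__ == "__main__":
    whole = [DictionaryEntry("cat")]
    substring = [DictionaryEntry("cat", start_with=True, end_with=True)]
    sample = "Cataracts are a duplicate entry."      # constructed sample text
    print(score_document(sample, whole))             # (0, {})
    print(score_document(sample, substring))         # (2, {'cat': 2})

    hipaa = [DictionaryEntry("celiac", start_with=True, end_with=True),
             DictionaryEntry("celiac disease", start_with=True, end_with=True)]
    print(score_document("Patient has celiac disease.", hipaa))  # (2, {'celiac': 1, 'celiac disease': 1})

    security = [DictionaryEntry("security", score=1, case_sensitive=True)]
    doc = " ".join(["security"] * 10) + " Security"
    print(classify(doc, security, threshold=10))                        # True
    print(classify(doc, security, threshold=10, count_multiple=False))  # False
```

The substring run shows why short entries inflate scores: "cat" is counted inside two unrelated words, and the two HIPAA entries both fire on one phrase. Whole-phrase matching or longer, statistically improbable phrases keep the total closer to what the dictionary author intended.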

Advanced pattern definitions


Advanced patterns use regular expressions (regex) that allow complex pattern matching, such as in social security numbers or
credit card numbers. Definitions use the Google RE2 regular expression syntax.
Advanced pattern definitions include a score (required), as with dictionary definitions. They can also include an optional validator
— an algorithm used to test regular expressions. Use of the proper validator can significantly reduce false positives. The
definition can include an optional Ignored Expressions section to further reduce false positives. The ignored expressions can be regex
expressions or keywords. You can import multiple keywords to speed up creating the expressions.
When defining an advanced pattern, you can choose how matches are counted: Count multiple occurrences increases the count with
each match, Count each match string only one time counts how many defined patterns give an exact match in the document.

Advanced patterns indicate sensitive text. Sensitive text patterns are redacted in hit highlighted evidence.
Note: If both a matched pattern and an ignored pattern are specified, the ignored pattern has priority. This allows you to specify
a general rule and add exceptions to it without rewriting the general rule.

Create a definition based on an advanced pattern


Advanced patterns are used to define classifications. An advanced pattern definition can consist of a single expression or a
combination of expressions and false positive definitions.
Advanced patterns are defined using regular expressions (regex).
Note: There is no equivalent to the Percentage match, Proximity, and Number of bytes from the beginning options in McAfee DLP 10.x.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. Select the Definitions tab, then select Advanced pattern in the left pane.
To view only the user-defined advanced patterns, deselect the Include Built-in items checkbox. User-defined patterns are the only
patterns that can be edited.
The available patterns appear in the right pane.
3. Select Actions → New.
4. Enter a name and optional description.
5. Under Matched Expressions:
a. Enter an expression in the text box and add an optional description.
b. Select a validator from the drop-down list or if validation is not appropriate for the expression, select No Validation.
A validator is the same as algorithm in McAfee DLP 9.3.x. Use it to minimize false positives.
c. Enter a number in the Score field to indicate the weight of the expression in threshold matching.
d. Click Add.
6. Under Ignored Expressions:
a. Enter an expression in the text box.
If you have text patterns stored in an external document, copy them into the definition with Import Entries.
b. In the Type field, select RegEx from the drop-down list if the string is a regular expression, or Keyword if it is text.
Keyword expressions can also be added using Import Keywords, entering keywords separated by a new line.
c. Click Add.
7. Add the count to the concept:
a. Give all the expressions a score of 1.
b. When you assign the dictionary to the classification, give the threshold the same value that the count setting had in McAfee
DLP 9.3.x.
c. Select count multiple occurrence of each match string if the score must be added for multiple occurrences of a single expression in a
document.
d. Select count each match string only one time if the score should not be added and should be one even when multiple occurrences
of a single expression are present in a document.
e. Select start with and end with to see if the document starts or ends with the expression, or select both options to find the
expression anywhere in the document.
f. To match on the number of lines from the beginning of the document, you can create a new regular expression using
conditions such as less than, equals, or greater than.
8. Click Save.

Create a regex-based definition


Block a document that has a credit card number in the format xxxx-xxxx-xxxx-xxxx where x is any digit (0–9) that occurs more
than 10 times.

Task
1. In McAfee ePO, go to Classification → Definitions → Advanced pattern and click Actions → New.
2. Type a name for the advanced pattern and add an optional description.

3. Enter the phrase as \d{4}(-|\s)\d{4}(-|\s)\d{4}(-|\s)\d{4}\D, select Luhn10 as the validator, and give it a score of 1.
4. Specify any credit card numbers that you want to ignore.
5. Click Add, then click Save.
6. Select Classification → New Classification, type a name for the classification and add an optional description, then click OK.
7. Select the classification and select Action → New Content Classification Criteria, then click Advanced pattern and select the comparison
(OR/AND/NOT).
8. Click (…), select the pattern you recently created and give it a threshold of 10, then click OK.
9. Assign the classification to a rule.
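The advanced pattern from step 3, as an added Python example (not McAfee code): it runs the expression with Python's re module (which reads this pattern the same way RE2 does), applies the Luhn mod-10 check that the Luhn10 validator performs, drops any match covered by an ignored keyword or ignored regex (ignored patterns take priority, as noted above), and compares the count with the threshold of 10 under both counting modes. The card numbers in the sample are published test values, constructed for the example, not real accounts; function names are assumptions.

```python
import re

# Added example (not McAfee code). Expression from step 3 of the task above;
# Python's re and RE2 read it the same way.
CARD_PATTERN = r"\d{4}(-|\s)\d{4}(-|\s)\d{4}(-|\s)\d{4}\D"


def luhn10_valid(digits: str) -> bool:
    """Luhn mod-10 check, the test the Luhn10 validator applies to a match."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text, ignored_keywords=(), ignored_regex=()):
    """Validated matches of CARD_PATTERN, minus anything an ignored expression covers."""
    found = []
    for m in re.finditer(CARD_PATTERN, text):
        candidate = m.group(0)[:-1]       # strip the trailing non-digit matched by \D
        if not luhn10_valid(re.sub(r"\D", "", candidate)):
            continue                      # validator rejects it: likely a false positive
        if any(k in candidate for k in ignored_keywords):
            continue                      # ignored keyword has priority
        if any(re.search(p, candidate) for p in ignored_regex):
            continue                      # ignored regex has priority
        found.append(candidate)
    return found


def evaluate_threshold(text, threshold=10, count_multiple=True, **ignored):
    """Return (count, triggered) using the two counting modes described above."""
    hits = find_card_numbers(text, **ignored)
    count = len(hits) if count_multiple else len(set(hits))
    return count, count >= threshold


if __name__ == "__main__":
    # Constructed sample built from published test card numbers.
    sample = ("Order 4111-1111-1111-1111 paid; invoice 1234-5678-9012-3456 "
              "rejected; backup card 5500 0000 0000 0004.")
    print(find_card_numbers(sample))      # ['4111-1111-1111-1111', '5500 0000 0000 0004']
    print(find_card_numbers(sample, ignored_keywords=("4111-1111-1111-1111",)))  # ['5500 0000 0000 0004']
    many = "4111-1111-1111-1111 " * 10
    print(evaluate_threshold(many))                        # (10, True)
    print(evaluate_threshold(many, count_multiple=False))  # (1, False)
```

Note that the pattern ends in \D, so a number at the very end of a document with no trailing character is not matched; the validator is what removes the 1234-5678-9012-3456 style false positives that the regex alone would count.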

Create a general classification definition


Create and configure definitions for use in classifications and rules.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. Select the type of definition to configure, then select Actions → New.
3. Enter a name and configure the options and properties for the definition.
The available options and properties depend on the type of definition.
4. Click Save.

Protecting with rules, rule sets, and policies
McAfee DLP 10.x and later uses rules to inspect data and traffic, and takes protective action when it detects rule violations. Rules
are grouped into rule sets.

Rules
The rule conditions define what triggers the rule. Depending on the rule type, conditions include classifications, rule definitions,
and other criteria. For example, you can create a rule that monitors for when a specific group of users sends out certain
company confidential documents as email attachments.
Exceptions define parameters excluded from the rule. You might want to block most users from visiting a certain website but
allow a certain user group access as an exception.

Rule sets
To recreate the policies you used in DLP Manager, you create rule sets in McAfee DLP 10.x and later. Your rules are grouped into the
rule sets. If you have multiple McAfee DLP products, you can combine all rule types into a single rule set.

Policy
Policies in McAfee DLP 10.x and later are sets of definitions, classifications, and rules that define how McAfee DLP products
protect your data.

McAfee DLP Prevent rule reactions and definitions


McAfee DLP Prevent works with McAfee DLP Email Protection rules and Web Protection rules.

Reactions
McAfee DLP Prevent can take these actions when rules are triggered.

Rule type | Reaction | Description
Any | No Action | Allows the traffic or action.
Any | Report Incident | Generates an incident reporting the violation.
Web Protection | Store original file as evidence | Stores the file that triggered the rule on the evidence share. You can view evidence in the incident details.
Web Protection | User notification | Notifies the user of the violation.
Web Protection | Block | Blocks the user from accessing the website.
Email Protection | Add Header X-RCIS-Action | These actions are available:
  SCANFAIL: Messages that cannot be analyzed.
  BLOCK: Blocks the message.
  QUART: Quarantines the message.
  ENCRYPT: Encrypts the message.
  BOUNCE: Issues a Non-Delivery Receipt (NDR) message to the sender.
  REDIR: Redirects the message.
  NOTIFY: Notifies supervisory staff.
  ALLOW: Allows the message through. The Allow value is added automatically to all messages that do not contain any matched contents.
Email Protection | Store original email as evidence | Stores the email that triggered the rule on the evidence share. You can view evidence in the incident details.

Note: Rule reactions do not apply to McAfee DLP Monitor.

Rule definitions
Similar to classifications, rule definitions specify a condition in the rule. McAfee DLP Prevent uses these rule definitions:
• Email Address List
• End-User Group
• URL List
• User Notification
• Network Address
• Network Port
• File Extension
• Application Template
• File name List

Create a rule
The process for creating a rule is similar for all rule types.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager.
2. Click the Rule Sets tab.
3. Click the name of a rule set and if needed, select the appropriate tab for the Data Protection, Device Control, or Discovery rule.
4. Select Actions → New Rule, then select the type of rule.
5. On the Condition tab, enter the information.
◦ For some conditions, such as classifications or device template items, click ... to select an existing item or create an item.
◦ To add additional criteria, click +.
◦ To remove criteria, click –.
6. (Optional) To add exceptions to the rule, click the Exceptions tab.
a. Select Actions → Add Rule Exception.
Device rules do not display an Actions button. To add exceptions to device rules, select an entry from the displayed list.
b. Fill in the fields as needed.
7. On the Reaction tab, configure the Action, User Notification, and Report Incident options.
Rules can have different actions, depending on whether the endpoint computer is in the corporate network. Some rules can
also have a different action when connected to the corporate network by VPN.
8. Click Save.

Create a rule set


Rule sets combine multiple device protection, data protection, and discovery scan rules.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager.

2. Click the Rule Sets tab.
3. Select Actions → New Rule Set.
4. Enter the name and optional note, then click OK.

Create an email address list definition


Email address list definitions are predefined email domains or specific email addresses that can be referenced in email
protection rules.
To get granularity in email protection rules, you include some email addresses, and exclude others. Make sure to create both
types of definitions.
Tip: Best practice: For combinations of operators that you use frequently, add multiple entries to one email address list
definition.
You can import email address lists in CSV format. You can also import items with a script containing REST API calls. The
administrator running the script must be a valid McAfee ePO user who has permissions in McAfee ePO Permission Sets to perform
the actions that are invoked by the APIs.
Tip: Best practice: Email address list CSV files use multiple columns. Export an address list to understand how the columns are
populated before creating a file for import.
Email value definitions support wildcards, and can define conditions. An example of a condition defined with a wildcard is
*@intel.com. Combining an address list condition with a user group in a rule increases granularity.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager → Definitions.
2. In the left pane, select Email Address List, then Actions → New.
3. Enter a Name and optional Description.
4. Select an Operator from the drop-down list.
Operators defined using the Email Addresses option support wildcards in the Value field.
Note: Email protection rules that are enforced on McAfee DLP Prevent or McAfee DLP Monitor do not match on the Display
name operators.
5. Enter a value, then click Add.
6. Click Save when you have finished adding email addresses.

Create a network address range


Network address ranges serve as filter criteria in network communication protection rules.
For each required definition, perform steps 1–4:

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager → Definitions.
2. In the left pane, select Network Address (IP address), then click Actions → New.
3. Enter a unique name for the definition and an optional description.
4. Enter an address, a range, or a subnet in the text box. Click Add.
Correctly formatted examples are displayed on the page.
Note: Only IPv4 addresses are supported. If you enter an IPv6 address, the message says IP address is invalid rather than
saying that it isn't supported.
5. When you have entered all required definitions, click Save.
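The entry formats accepted here (a single address, a range, or a subnet) and the IPv4-only restriction are easy to get wrong in bulk imports, and the UI reports an IPv6 entry only as invalid. This added Python helper (example code, not McAfee's implementation) parses the three formats with the standard ipaddress module, refuses IPv6 with an explicit reason, and tests whether an address falls inside a definition. The range syntax "low-high" and the function names are assumptions.

```python
import ipaddress

# Added example (not McAfee code): parse the three entry formats a Network Address
# definition accepts (single address, range, subnet) and enforce the IPv4-only rule.


def parse_entry(value: str):
    """Return (kind, parsed) for one definition entry, or raise ValueError."""
    text = value.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        if net.version != 4:
            raise ValueError("IPv6 addresses are not supported")
        return "subnet", net
    if "-" in text:                                   # assumption: range written as low-high
        low_s, high_s = text.split("-", 1)
        low = ipaddress.ip_address(low_s.strip())
        high = ipaddress.ip_address(high_s.strip())
        if low.version != 4 or high.version != 4:
            raise ValueError("IPv6 addresses are not supported")
        if high < low:
            raise ValueError("range end is lower than range start")
        return "range", (low, high)
    addr = ipaddress.ip_address(text)
    if addr.version != 4:
        raise ValueError("IPv6 addresses are not supported")
    return "address", addr


def validate_entry(value: str):
    """(True, 'ok') or (False, reason); unlike the UI, it says why an IPv6 entry is refused."""
    try:
        parse_entry(value)
        return True, "ok"
    except ValueError as err:
        return False, str(err)


def address_in_definition(address: str, entries) -> bool:
    """True when address falls inside any entry of a Network Address definition."""
    addr = ipaddress.ip_address(address)
    if addr.version != 4:
        raise ValueError("IPv6 addresses are not supported")
    for entry in entries:
        kind, parsed = parse_entry(entry)
        if kind == "subnet" and addr in parsed:
            return True
        if kind == "range" and parsed[0] <= addr <= parsed[1]:
            return True
        if kind == "address" and addr == parsed:
            return True
    return False


if __name__ == "__main__":
    # Constructed entries for a definition covering one subnet and one short range.
    definition = ["10.0.0.0/24", "10.0.1.1-10.0.1.5"]
    for entry in definition + ["2001:db8::1", "10.0.0.300"]:
        print(entry, validate_entry(entry))
    print(address_in_definition("10.0.1.3", definition))   # True
    print(address_in_definition("10.0.1.9", definition))   # False
```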

Create a URL list definition


URL list definitions are used to define web protection rules. They are added to rules as Web address (URL) conditions.
You can create a URL list definition by importing the list in CSV format. You can also import items with a script containing REST
API calls. The administrator running the script must be a valid McAfee ePO user who has permissions in McAfee ePO Permission
Sets to perform the actions that are invoked by the APIs.

Tip: Best practice: URL list CSV files can use multiple columns. Export a URL list to understand how the columns are populated
before creating a file for import.
For each URL required, perform steps 1–4.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager → Definitions.
2. In the left pane, select URL List, then select Actions → New.
3. Enter a unique Name and optional Definition.
4. Do one of the following:
◦ Enter the Protocol, Host, Port, and Path information in the text boxes, then click Add.
◦ Paste a URL in the Paste URL text box, then click Parse, then click Add.
The URL fields are filled in by the software.
5. When all required URLs are added to the definition, click Save.

Create a network port range


Network port ranges serve as filter criteria in network communication protection rules.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager → Definitions.
2. In the left pane, select Network Port, then click Actions → New.
You can also edit the built-in definitions.
3. Enter a unique name and optional description.
4. Enter the port numbers, separated by commas, and optional description, then click Add.
5. When you have added all required ports, click Save.

Create a policy

Task
1. Click Menu → Policy → Policy Catalog, select the DLP Appliance Management category, and click New Policy.
2. Select the policy you want to duplicate, type a name for the new policy and click OK.
The policy appears in the Policy Catalog.
3. Select the name of the new policy to open the Policy Settings wizard.
4. Edit the policy settings and click Save.

Assign a policy to a McAfee DLP Prevent appliance


Before you begin
• An email protection or web protection rule enforced on McAfee DLP Prevent
• A rule set
• A McAfee DLP Prevent policy that is assigned to a rule set

Task
1. In McAfee ePO, open the policy you created.
2. Select Actions → Active Rule Set, then select the rule set from the list and click OK.
3. Click Menu → Systems → System Tree → Assigned Policies, then select a group from the System Tree.
4. Select the product as DLP Appliance Management.
All assigned policies, organized by product, appear in the details pane.
5. Click the Edit Assignment link for the DLP Policy category.

6. Select Break inheritance and assign the policy and settings below and change the assigned policy to the policy you created.
7. Click Save.

Use case: Block outbound messages with confidential content unless they are
sent to a specified domain
Outbound messages are blocked if they contain the word Confidential, unless the recipient is exempt from the rule.

Table 1: Expected behavior

Email contents | Recipient | Expected result
Body: Confidential | external_us | The message is blocked because it contains the word Confidential.
Body: Confidential | internal_us | The message is not blocked because the exception settings mean that confidential material can be sent to people at example.com.
Body: (empty); Attachment: Confidential | external_us, internal_us | The message is blocked because one of the recipients is not allowed to receive it.

Task
1. Create an email address list definition for a domain that is exempt from the rule.
a. In the Data Protection section in McAfee ePO, select DLP Policy Manager and click Definitions.
b. Select the Email Address List definition and create a duplicate copy of the built-in My organization email domain.
c. Select the email address list definition you created, and click Edit.
d. In Operator, select Domain name is and set the value to example.com.
e. Click Save.
2. Create a rule set with an Email Protection rule.
a. Click Rule Sets, then select Actions → New Rule Set.
b. Name the rule set Block Confidential in email.
c. Create a duplicate copy of the in-built Confidential classification.
An editable copy of the classification appears.
d. Click Actions → New Rule → Email Protection Rule.
e. Name the new rule Block Confidential and enable it.
f. Enforce the rule on DLP Endpoint for Windows and DLP Prevent.
g. Select the classification you created and add it to the rule.
h. Set the Recipient to any recipient (ALL).
Leave the other settings on the Condition tab with the default settings.
3. Add exceptions to the rule.
a. Click Exceptions, then select Actions → Add Rule Exception.
b. Type a name for the exception and enable it.
c. Set the classification to Confidential.
d. Set Recipient to at least one recipient belongs to all groups (AND), then select the email address list definition you created.
4. Configure the reaction to messages that contain the word Confidential.
a. Click Reaction.
b. In DLP Endpoint, set the Action to Block for computers connected to and disconnected from the corporate network.
c. In DLP Prevent, select the Add header X-RCIS-Action option and click the Block value.
5. Save and apply the policy.
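The rule, its exception, and the resulting X-RCIS-Action header value, as an added Python model (example code, not McAfee's implementation) that also covers the wildcard and Domain name is operators of the email address list definition described earlier. The Confidential classification is reduced to a case-insensitive keyword check, the exception is evaluated so that the outcomes match Table 1 (a message is exempt only when every recipient is on the exempt list), and the recipient addresses are constructed stand-ins for the internal and external recipients in the table; all of these are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Added example (not McAfee code) modelling the use case above.


@dataclass(frozen=True)
class AddressListEntry:
    operator: str   # "Domain name is" or "Email Addresses" (wildcards allowed)
    value: str


def entry_matches(entry: AddressListEntry, address: str) -> bool:
    address = address.lower()
    domain = address.rpartition("@")[2]
    if entry.operator == "Domain name is":
        return domain == entry.value.lower()
    if entry.operator == "Email Addresses":
        return fnmatch(address, entry.value.lower())   # e.g. *@intel.com
    raise ValueError(f"unsupported operator: {entry.operator}")


def in_address_list(address: str, entries) -> bool:
    return any(entry_matches(e, address) for e in entries)


@dataclass(frozen=True)
class Message:
    recipients: tuple
    body: str = ""
    attachments: tuple = ()   # attachment text as the scanner would extract it


def has_confidential(msg: Message) -> bool:
    """Stand-in for the Confidential classification: the word appears in the body or an attachment."""
    return any("confidential" in part.lower() for part in (msg.body, *msg.attachments))


def x_rcis_action(msg: Message, exempt_list) -> str:
    """X-RCIS-Action value the Block Confidential rule would add.

    Assumption: the exception applies only when every recipient is on the exempt
    list, which is what Table 1 shows for the mixed internal/external message.
    """
    if not has_confidential(msg):
        return "ALLOW"            # added automatically when no content matches
    if all(in_address_list(r, exempt_list) for r in msg.recipients):
        return "ALLOW"            # rule exception applies; the message is not blocked
    return "BLOCK"


if __name__ == "__main__":
    exempt = [AddressListEntry("Domain name is", "example.com")]
    # Constructed addresses standing in for the recipients in Table 1.
    external, internal = "partner@other-company.test", "alice@example.com"
    print(x_rcis_action(Message((external,), body="Confidential"), exempt))                    # BLOCK
    print(x_rcis_action(Message((internal,), body="Confidential"), exempt))                    # ALLOW
    print(x_rcis_action(Message((external, internal), attachments=("Confidential",)), exempt)) # BLOCK
    print(x_rcis_action(Message((internal,), body="Quarterly newsletter"), exempt))            # ALLOW
```

The wildcard operator is anchored to the whole address, so *@intel.com matches bob@intel.com but not bob@intel.com.other.test; when you review an imported address list, that is the property to confirm, since a pattern that only has to appear somewhere in the address would widen the exception.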

Use case: Track intellectual property violations


Your company has lost intellectual property, and you suspect it was leaked from someone at a specific office location. You can
create rule parameters that find the leaked documents and the suspected employee, then monitor their activities to build a legal
case and prevent any more data loss.

Before you begin


You must have an Active Directory server and McAfee® Logon Collector connected to McAfee DLP. For more information, see the
McAfee Data Loss Prevention Product Guide.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager → Rule Sets.
2. Either edit an existing rule, or select Actions → New Rule Set and create a new one.
3. Select a rule set, then click Actions → New Rule, and select the type of rule.
4. Enter a Rule Name, State, and Severity for the rule.

5. Add classification criteria that describe the lost intellectual property. Either select an existing classification, or add a new one.
6. Add classification criteria that describe the lost intellectual property.
a. Click Menu → Data Protection → Classification
b. Select the classification and click Actions → New Content Classification Criteria.
c. Add conditions that describe the lost intellectual property.
For example, you might add keywords, an exact phrase found in the leaked documents, a file type, or a concept.
7. Return to the DLP Policy Manager, and select the Definitions tab.
8. Open the Source/Destination category and add a destination that might identify the recipients of the data.
For example, you might have IP addresses, domains, or geographic locations that might help to define the recipient.
9. Click Save.
After the rule retrieves incidents.
10. Examine the Incident Details page to confirm the rule retrieves incidents.
11. On the Reaction tab, select Add header X-RCIS-Action from the drop-down list in the McAfee DLP Prevent section, then select Block,
Quarantine, Redirect, or Notify.

Use case: Application-based fingerprinting


You can classify content as sensitive according to the application that produced it.
In some cases, content can be classified as sensitive by the application that produces it. An example is top-secret military maps.
These are JPEG files, typically produced by a specific US Air Force GIS application. By selecting this application in the
fingerprinting criteria definition, all JPEG files produced by the application are tagged as sensitive. JPEG files produced by other
applications are not tagged.

Task
1. In McAfee ePO, select Menu → Data Protection → Classification.
2. On the Definitions tab, select Application Template, then select Actions → New.
3. Enter a name, for example GIS Application, and optional description.
4. Using one or more properties from the Available Properties list, define the GIS application, then click Save.
5. On the Classification tab, click New Classification, and enter a name, for example, GIS application, and optional definition. Click OK.
6. Select Actions → New Content Fingerprinting Criteria → Application to open the applications fingerprinting criteria page.
7. In the Name field, enter a name for the tag, for example GIS tag.
8. In the Applications field, select the GIS application created in step 1.
9. From the Available Properties → File Conditions list, select True File Type, then in the Value field, select Graphic files [built-in].
The built-in definition includes JPEG, as well as other graphic file types. By selecting an application as well as a file type, only
JPEG files produced by the application are included in the classification.
10. Click Save, then select Actions → Save Classification.

Results
The classification is ready to be used in protection rules.

Scanning data with McAfee DLP Discover 10.x and later
The types of scan and rules used by McAfee DLP Discover 10.x and later are different from those available in McAfee Network
DLP 9.3.x and must be manually recreated.

Types of repositories
McAfee DLP Discover 10.x and later supports scanning content stored on file servers using CIFS protocol, on-premise SharePoint,
and Box. McAfee DLP Discover 11.x adds support for scanning content stored on database servers.

CIFS repositories
When defining a CIFS repository, the UNC path can be the fully qualified domain name (FQDN) (\\myserver1.mydomain.com) or
the local computer name (\\myserver1). You can add both conventions to a single definition.

SharePoint repositories
When defining a SharePoint repository, the host name is the server URL unless Alternate Access Mapping (AAM) is configured on
the server. For information about AAM, see the SharePoint documentation from Microsoft.

Box repositories
When defining a Box repository, obtain the client ID and client secret from the Box website.

Database repositories
McAfee DLP Discover 11.0 adds support for scanning content in database servers.
McAfee DLP Discover 11.0 can scan these database servers:
• Microsoft SQL
• MySQL Enterprise edition
• Oracle
The McAfee Data Loss Prevention 11.0 Release Notes lists the supported database versions.
Important: To add a new database repository, use credentials that can access the database and test the connection.

Types of scans
McAfee DLP Discover 10.x and later perform inventory, classification, remediation, and registration scans.

Inventory scan
• Collects metadata but does not retrieve any files or data from the repository
• Returns Online Analytical Processing (OLAP) counters and a data inventory (the list of files or database tables scanned)
• Restores the last access time of files scanned

Classification scan
• Collects the same metadata as an inventory scan
• Analyzes the true file type of files based on the internal file format of the file rather than the extension
• Identifies the classification of files and data stored in databases based on the classification criteria that match the scanned data
• Restores the last access time of files scanned

Remediation scan
Remediation scans apply rules to protect sensitive content in the scanned repository. Each analyzed file is compared against the
McAfee DLP Discover rules assigned to the scan. When a file matches the rules in a remediation scan, McAfee DLP Discover can:
• Report an incident to McAfee ePO
• Store the original file on the evidence server
• Copy or move the file to a different location
• Apply rights management policy to the file
• (Box scans only) Modify the anonymous share to logon required
• Take no action

The most restrictive action is taken when multiple actions (belonging to different rules) are triggered. Only one action takes place,
but all rules that match are reported back to McAfee ePO in the incident details. The most restrictive action is reported as the
actual action in the Incident Manager.
Example: If multiple rules trigger for a file, the most restrictive action, Move, is taken. If two rules have the same action (Move or
Copy), only one action is performed: the one that belongs to the rule with the higher severity (critical > major > minor >
warning > info).
The available reactions depend on the repository type. The table lists the actions in order: Move is the most restrictive
action and No action is the least restrictive action.

Action                                        File Servers   SharePoint (On-premise)   Box   Database
Move                                          x              x                         x
Apply RM policy                               x              x                         x
Modify Anonymous sharing to Logon required                                             x
Copy                                          x              x                         x
No Action                                     x              x                         x     x
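The action-selection behaviour described above, as an added worked example (written for this guide, not McAfee code): given every rule that matched a file, it applies the restrictiveness order, breaks ties by severity, rejects actions the repository type does not support, and separates "files matched" from "incidents reported". The per-repository support set is taken from the table; the rule names, file paths and the assumption that any matching rule configured to report creates the incident are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Restrictiveness order from the guide: Move is the most restrictive, No action the least.
ACTION_ORDER = [
    "Move",
    "Apply RM policy",
    "Modify anonymous sharing to Logon required",
    "Copy",
    "No action",
]
# Severity order used to break ties between rules that carry the same action.
SEVERITY_ORDER = ["critical", "major", "minor", "warning", "info"]

# Which actions each repository type supports (taken from the table above).
SUPPORTED_ACTIONS = {
    "File Servers": {"Move", "Apply RM policy", "Copy", "No action"},
    "SharePoint": {"Move", "Apply RM policy", "Copy", "No action"},
    "Box": {"Move", "Apply RM policy", "Modify anonymous sharing to Logon required", "Copy", "No action"},
    "Database": {"No action"},
}


@dataclass(frozen=True)
class MatchedRule:
    name: str
    action: str
    severity: str
    report_incident: bool = True  # reporting to McAfee ePO is a per-rule choice (assumed model)


@dataclass
class Decision:
    action: str               # the single action that is performed
    winning_rule: str         # rule whose action and severity won
    matched_rules: List[str]  # every matching rule; all are reported in the incident details
    incident_reported: bool   # True if at least one matching rule reports to McAfee ePO


def select_action(repo_type: str, matches: List[MatchedRule]) -> Decision:
    """Pick the one action performed on a file that matched several rules."""
    if not matches:
        raise ValueError("at least one matched rule is required")
    supported = SUPPORTED_ACTIONS[repo_type]
    for rule in matches:
        if rule.action not in supported:
            raise ValueError(f"{rule.name}: {rule.action!r} is not available for {repo_type} repositories")
    # Lower index = more restrictive action; then lower index = higher severity.
    # min() is stable, so rules with identical action and severity fall back to rule order.
    winner = min(
        matches,
        key=lambda r: (ACTION_ORDER.index(r.action), SEVERITY_ORDER.index(r.severity)),
    )
    return Decision(
        action=winner.action,
        winning_rule=winner.name,
        matched_rules=[r.name for r in matches],
        incident_reported=any(r.report_incident for r in matches),
    )


def scan_summary(repo_type: str, results: Dict[str, List[MatchedRule]]) -> Tuple[int, int, int]:
    """Return (files scanned, files that matched a rule, incidents reported).

    Matched files can exceed incidents because reporting to McAfee ePO is optional:
    a file can be remediated and counted as matched without an incident record.
    """
    matched = incidents = 0
    for matches in results.values():
        if not matches:
            continue
        matched += 1
        if select_action(repo_type, matches).incident_reported:
            incidents += 1
    return len(results), matched, incidents


# Constructed sample data (not from a real scan): three rules hit the same spreadsheet.
SAMPLE_MATCHES = [
    MatchedRule("PCI - card numbers", "Copy", "critical"),
    MatchedRule("PCI - quarantine", "Move", "major"),
    MatchedRule("HR records", "Move", "critical", report_incident=False),
]

SAMPLE_SCAN = {
    r"\\fs01\finance\cards.xlsx": SAMPLE_MATCHES,  # matched, incident reported
    r"\\fs01\hr\salaries.csv": [MatchedRule("HR records", "Move", "critical", report_incident=False)],  # matched, no incident
    r"\\fs01\public\readme.txt": [],
    r"\\fs01\public\logo.png": [],
}

if __name__ == "__main__":
    d = select_action("File Servers", SAMPLE_MATCHES)
    print(f"action={d.action} by rule={d.winning_rule!r}; reported rules={d.matched_rules}")
    print("scanned, matched, incidents:", scan_summary("File Servers", SAMPLE_SCAN))
```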

Document registration scan

McAfee DLP Discover 11.0 adds support for document registration scans.
Registration scans extract text content from files stored in repositories and create content fingerprints of the data. The content
fingerprints (signatures) are stored in a database of registered document signatures contained in the McAfee DLP server.
The fingerprints map to McAfee DLP classifications to identify classified documents or fragments of classified content that was
copied from a registered document to a different document.
The content classification fingerprints are used by McAfee DLP Discover classification and remediation scans, or by McAfee DLP
Prevent and McAfee DLP Monitor. When McAfee DLP Discover, McAfee DLP Prevent, or McAfee DLP Monitor analyzes a file, it
creates fingerprints of the file. The file fingerprints are compared against the registered document fingerprints to identify
whether the file is classified. The action it takes on the file is based on the McAfee DLP policy rules that protect that classification.
You can run document registration scans in McAfee DLP Discover to fingerprint content from these file repositories:
• File Servers (CIFS)
• SharePoint
• Box
Note: More than one document registration scan can pick up a file. If the file matches more than two content fingerprinting
criteria that correspond to different classifications, the file signatures are recorded as matching more than one classification.
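The registration and matching flow described above, as an added illustrative model (written for this guide, not McAfee's signature algorithm, which the guide does not describe): fingerprints are hashes of normalised 8-word windows, a registration scan stores them under a classification, and later analysis of a file counts the registered fragments it contains, including a fragment that two registration scans recorded under different classifications. The window size, the sample documents and the leaked e-mail are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, Set

WINDOW = 8  # words per fingerprinted fragment (assumed value, not McAfee's)


def fingerprints(text: str) -> Set[str]:
    """Hash every WINDOW-word run of normalised text.

    Normalising (lower case, alphanumerics only) lets a fragment still match
    after it has been re-punctuated or pasted into another document.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + WINDOW]).encode()).hexdigest()
        for i in range(len(words) - WINDOW + 1)
    }


class RegisteredDocuments:
    """Signature database: fingerprint -> classifications it belongs to."""

    def __init__(self) -> None:
        self.index: Dict[str, Set[str]] = defaultdict(set)

    def register(self, text: str, classification: str) -> int:
        """Registration scan: store the document's fingerprints under a classification.
        Returns the number of fingerprints stored."""
        fps = fingerprints(text)
        for fp in fps:
            self.index[fp].add(classification)
        return len(fps)

    def classify(self, text: str, min_hits: int = 1) -> Dict[str, int]:
        """Analysis at scan or gateway time: count registered fragments found in
        text, keyed by classification. A fragment registered under several
        classifications counts toward each of them."""
        hits: Dict[str, int] = defaultdict(int)
        for fp in fingerprints(text):
            for classification in self.index.get(fp, ()):
                hits[classification] += 1
        return {c: n for c, n in hits.items() if n >= min_hits}


# Constructed sample documents (not real data).
DESIGN_DOC = (
    "Project Falcon uses a dual band phased array antenna with adaptive beam steering. "
    "The prototype firmware rotates encryption keys every ninety seconds during flight tests."
)
CONTRACT = (
    "This master services agreement between Example Corp and the customer sets the "
    "liability cap at twice the annual fees paid."
)
# One sentence of the design document pasted into an otherwise harmless message.
LEAKED_EMAIL = (
    "Hi, quick note before the call. As you know the prototype firmware rotates encryption "
    "keys every ninety seconds during flight tests, so the demo needs a fresh build."
)
UNRELATED = "Lunch menu for Friday: soup, salad, and a choice of sandwich. Please RSVP by Thursday noon."


def build_sample_db() -> RegisteredDocuments:
    db = RegisteredDocuments()
    db.register(DESIGN_DOC, "Trade Secret")
    # Two registration scans pick up the same contract under different classifications,
    # so its fragments map to both (the case described in the note above).
    db.register(CONTRACT, "Confidential")
    db.register(CONTRACT, "Legal")
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print("leaked e-mail:", db.classify(LEAKED_EMAIL))
    print("unrelated file:", db.classify(UNRELATED))
    print("contract excerpt:", db.classify("the customer sets the liability cap at twice the annual fees paid"))
```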

Define scan definitions

All McAfee DLP Discover scans require a definition to specify the repository, credentials, and scheduler.

Before you begin

To define a repository, you must have the user name, password, and path for the repository.
• Repository — The target of the scan.
• Credentials — The credentials needed to access the repository. For example, the user and password that access and scan a file
server.
• Scheduler — Defines when the scan runs, and the frequency for repeated runs of the scans.
Tip: Best practice: Optional file information definitions are used to define scan filters. Filters allow you to scan repositories in a
more granular and efficient manner by defining which scanned files you want the scan to analyze.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Discover, and click the Definitions tab.
2. Specify credentials for the definition.
a. In the left pane, select Others → Credentials.
b. Select Actions → New.
c. Enter a unique name for the new definition.
The Description and Domain name are optional fields. All other fields are required. If the user is a domain user, use the domain
suffix for the Domain name field. If the user is a workgroup user, use the local computer name.
d. For Windows domain credentials, click Test Credential to verify the user name and password.
The test does not verify whether the domain is accessible from the McAfee DLP Discover server.
3. Define a repository.
a. In the left pane, under Repositories, select the type of new repository you want to create.
b. Select Actions → New, type a unique repository name, and fill in the rest of the information.
c. Click Save.
4. Define a scheduler.
a. In the left pane, select Others → Scheduler.
b. Select Actions → New and fill in the scheduler information.
c. Click Save.
5. (Optional) Define the file information.
a. In the left pane, select Data → File Information.
b. Select Actions → New and replace the default name with a unique name for the definition.
c. Select properties to use as filters and fill in the Comparison and Value details.
d. Click Save.

Create a classification scan

Classification scans collect file data based on defined classifications. They provide visibility to data stored on file systems, cloud
repositories and databases, and identify where sensitive data is stored.
The sensitive data identified by the classification scan can be protected with a remediation scan.
Note: Change the scan type to create remediation and inventory scans.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Discover.
2. On the Discover Servers tab, select Actions → Detect Servers to refresh the list.
The list shows all McAfee DLP Discover servers that are installed and managed by this McAfee ePO server. If the list is long,
you can define a filter to display a shorter list.
3. On the Scan Operations tab, select Actions → New Scan and select the repository type.
4. Type a unique name and select Scan Type: Classification, then select a McAfee DLP Discover server that runs the scan, and a
schedule when you want the scan to run.
5. (Optional) Set values for Throttling, Files List, or Error Handling or accept the default values.
6. Select the repositories to scan.
a. On the Repositories tab, click Actions → Select Repositories.
b. If needed, specify the credentials for each repository from the drop-down list.
c. (Optional) On the Filters tab, select Actions → Select Filters to specify files to include or exclude.
By default, all files are scanned.
7. Select the classifications that you want the scan to check.
a. On the Classifications tab, click Actions → Select Classifications.
b. Select one or more classifications from the list.
c. Click Save.
8. Click Apply policy to push the new scan to the McAfee DLP Discover servers.

Create rules for remediation scans

Use rules to define the action to take when a remediation scan detects files that match classifications.
To enforce Discovery rules, you must create a remediation scan and select one or more rule sets to be enforced by the
remediation scan.
Discovery rules belong to rule sets, which are simply containers that group multiple rules (of similar or different types) into
a logical set with a common denominator. For example, PCI compliance is a rule set that includes multiple rules for protecting
PCI content.
Each rule belongs to only one rule set. All Discovery rules included in the selected rule sets are evaluated and enforced by the
remediation scan. The rule sets

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager.
2. On the Rule Sets tab, create a rule set if one does not already exist.
a. Select Actions → New Rule Set.
b. Enter the name and optional note, then click OK.
3. Click the name of a rule set to edit it, then click the Discover tab if needed.
4. Select Actions → New Network Discovery Rule, then select the type of rule.
5. On the Condition tab, configure one or more classifications and repositories.
◦ To create an item, click ....
◦ To add additional criteria, click +.
◦ To remove criteria, click -.
6. (Optional) In the rule condition, select one or more repositories where the rule applies (the scan can analyze files in multiple
repositories).
By default, the rule applies to files in all repositories.
7. (Optional) On the Exceptions tab, specify any exclusions from triggering the rule.
The rule first analyzes the conditions. If a file matches a condition, the rule engine analyzes the rule exceptions. If one of the
exceptions matches the file, the rule does not apply to the file.
8. On the Reaction tab, configure the reaction and click Save.
The available reactions depend on the repository type.

Create a scheduled remediation scan

Schedule a remediation scan and enforce the Discovery rules.

Before you begin

Create rules for the scan.
Scans run until they are complete unless a suspend time is defined in the scheduler.
A scan pauses when it is suspended and resumes when it reaches the end time. If the scan is still running at the time of the next
scheduled scan, the next scan is skipped, and scanning restarts at the following interval. For example, if a daily scan starts
running on Monday at 9 a.m. and is complete 49 hours later, it restarts Thursday at 9 a.m.
Run at night to prevent extensive bandwidth use during work hours.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Discover.
2. Click the Scan Operations tab, click Actions → New Scan and select the type of repository you want to scan.
3. Type a unique name for the scan and set the scan type to Remediation.
4. In the scheduler, select a scheduler and define when to run the scan.
5. Select File List to store the list of all analyzed files in the McAfee ePO database.
Metadata for each analyzed file is stored, even if no rules matched the file. During the scan, McAfee DLP Discover sends the
list of files that are being analyzed to the McAfee ePO server. The list of files is displayed on the Data Inventory tab in DLP Discover.
6. In the Scan operation editor, click the Repositories tab and select one or more repositories to scan.
7. Click the Rules tab, then select Actions → Select Rule Sets to specify one or more rule sets that you want this scan to enforce.
8. Click Save.
9. To push the new scan to McAfee DLP Discover servers, click Apply policy on the Scan Operations tab.

Results
The scan starts running at the scheduled time. You can see its progress in the Scan operations table.

What to do next
Check the Data Inventory tab for a list of files that were analyzed as part of the scan.

Use case: Filter the results of a remediation scan

Get the results of a remediation scan and filter the results.

Before you begin

Create rules for a remediation scan and run the scan.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Discover and select Scan operations.
2. Select a scan to open the Scan operation editor, then click the History tab to see the scan results.
The History tab displays information such as how many files were scanned, and how many files matched the rules.
The number of matched files might be higher than the number of incidents reported, because a file can match a discovery rule
and have a remediation action performed on it while reporting an incident to McAfee ePO is optional. In this case, the
file is reported as matching the rule, but no incident is recorded.
3. Click Cancel to close the Scan operation editor.
4. Select Menu → Data Protection → DLP Discover, click Data Analytics, then select the scan name.
The Data Analytics view allows you to group the scanned files by up to three categories. For example, the size of the file, the file
extension, and the share where the file resides. The number of scanned files that matched the category is shown next to the
category.
Note: If you selected to store the file list when you configured the scan, each of the group-by categories becomes a link.
5. (Optional) Click a link in the Data Analytics table to go to the Data Inventory tab in DLP Discover, which contains a pre-populated filter
that displays the list of files that matched the group-by category.
The Data Analytics and Data Inventory tabs enable you to analyze the files stored in your repositories so you can define and tune
your data protection policies.

Monitoring and reporting
McAfee DLP offers several features for managing incidents, cases, and appliance status.
• Use the DLP Incident Manager console to view and manage incidents created when rules are triggered.
• Use the DLP Case Management console to view and manage incidents that are assigned to cases.
• Use the DLP Operations console to view errors and administrative events.
• Use the Appliance Management system health cards to monitor the status of each of your McAfee DLP appliances.
• Use the McAfee DLP dashboards in McAfee ePO to retrieve incident information.

Incidents and cases

Incident and case management are handled similarly between McAfee Network DLP 9.3.x and McAfee DLP 10.x and later.
With McAfee DLP 10.x and later, incidents are sent to the McAfee ePO Event Parser and stored in a database. Incidents contain
the details about the violation, and can optionally include evidence information. You can view incidents and evidence as they are
received in the DLP Incident Manager console which has three tabbed sections:
• Incident List — The current list of policy violation events. The following operations can be performed on incidents:
◦ Case management — Create cases and add selected incidents to a case
◦ Comments — Add comments to selected incidents
◦ Email events — Send selected events
◦ Export device parameters — Export device parameters to a CSV file (Data in-use/motion list only)
◦ Labels — Set a label for filtering by label
◦ Release redaction — Remove redaction to view protected fields (requires correct permission)
◦ Set properties — Edit the severity, status, or resolution; assign a user or group for incident review
• Incident Tasks — Use the Incident Tasks or Operational Event Tasks tab to set criteria for scheduled tasks. Tasks set up on the pages
work with the McAfee ePO Server Tasks feature to schedule tasks. Tasks can also include assigning reviewers to incidents, setting
automatic email notifications, and purging all or part of the list.
• Incident History — A list containing all historic incidents. Purging the incident list does not affect the history. Displays
historical incidents or events based on the current selections. Selections can be View, Time, and Filter.
When a rule is triggered, the incident is reported to the DLP Incident Manager console. Use this console to view, sort, and modify
incidents. The DLP Incident Manager displays incidents for all McAfee DLP products. The type of incidents displayed depends on the
Present field selection. The Data in-use/motion option includes incidents generated by McAfee DLP Prevent or McAfee DLP Monitor.
Tip: Best practice: The incidents from your McAfee Network DLP 9.3.x setup can't be migrated to McAfee ePO unless you were
using the unified incident management feature in McAfee ePO. If you continue to need access to any legacy incidents, run your
McAfee Network DLP 9.3.x setup in parallel with McAfee DLP 10.x or later until the legacy incidents are no longer required.
Use the DLP Case Management console to group related incidents to a case for further tracking and review. Cases allow
administrators to collaborate on the resolution of related incidents. In many situations, a single incident is not an isolated event.
You might see multiple incidents in the DLP Incident Manager that share common properties or are related to each other. You can
assign these related incidents to a case. Multiple administrators can monitor and manage a case depending on their roles in the
organization.

Sort and filter incidents

Arrange the way incidents appear based on attributes such as time, location, user, or severity.

Task
1. In McAfee ePO, select DLP Incident Manager.
2. From the Present drop-down list, select Data in-use/motion.
3. Perform any of these tasks.
◦ To sort by column, click a column header.
◦ To change columns to a custom view, from the View drop-down list, select a custom view.
◦ To filter by time, from the Time drop-down list, select a time frame.
◦ To apply a custom filter, from the Filter drop-down list, select a custom filter.
◦ To group by attribute:
◦ From the Group By drop-down list, select an attribute.
A list of available options appears. The list contains up to 250 of the most frequently occurring options.
◦ Select an option from the list. Incidents that match the selection are displayed.

View incident details

View the information related to an incident.

Task
1. In McAfee ePO, select DLP Incident Manager.
2. From the Present drop-down list, select the option for your product.
3. Click an Incident ID.
For McAfee DLP Endpoint, McAfee DLP Monitor, and McAfee DLP Prevent incidents, the page displays general details and
source information. Depending on the incident type, destination or device details appear. For McAfee DLP Discover incidents,
the page displays general details about the incident.
4. To view additional information, perform any of these tasks.
◦ To view user information for McAfee DLP Endpoint incidents, click the user name in the Source area.
◦ To view evidence files:
◦ Click the Evidence tab.
◦ Click a file name to open the file with an appropriate program.
The Evidence tab also displays the Short Match String, which contains up to three hit highlights as a single string.
◦ To view rules that triggered the incident, click the Rules tab.
◦ To view classifications, click the Classifications tab.
Note: For McAfee DLP Endpoint incidents, the Classifications tab does not appear for some incident types.
◦ To view incident history, click the Audit Logs tab.
◦ To view comments added to the incident, click the Comments tab.
◦ To email the incident details, including decrypted evidence and hit highlight files, select Actions → Email Selected Events.
◦ To return to the incident manager, click OK.

Change the view

In addition to using filters to change the view, you can also customize the fields and the order of display. Customized views can
be saved and reused.
When you save the view, you can also save the time and custom filters. Saved views can be chosen from the drop-down list at the
top of the page.

Task
1. To open the Edit View window, click Actions → View → Choose Columns.
2. To move columns to the left or right, use the arrow icons.
3. Use the x icon to delete columns.
4. To apply the customized view, click Update View.
5. To save for future use, click Actions → View → Save View.

Update a single incident

Update incident information such as the severity, status, and reviewer.
The Audit Logs tab reports all updates and modifications performed on an incident.

Task
1. In McAfee ePO, select DLP Incident Manager.
2. From the Present drop-down list, select Data in-use/motion.
3. Click an incident.
The incident details window opens.
4. In the General Details pane, perform any of these tasks.
◦ To update the severity, status, or resolution:
◦ From the Severity, Status, or Resolution drop-down lists, select an option.
◦ Click Save.
◦ To update the reviewer:
◦ Next to the Reviewer field, click ...
◦ Select the group or user and click OK.
◦ Click Save.
◦ To add a comment:
◦ Select Actions → Add Comment.
◦ Enter a comment, then click OK.

Update multiple incidents

Update multiple incidents with the same information simultaneously.
Example: You have applied a filter to display all incidents from a particular user or scan, and you want to change the severity of
these incidents to Major.

Task
1. In McAfee ePO, select DLP Incident Manager.
2. From the Present drop-down list, select Data in-use/motion.
3. Select the checkboxes of the incidents to update.
To update all incidents displayed by the current filter, click Select all in this page.
4. Perform any of these tasks.
◦ To add a comment, select Actions → Add Comment, enter a comment, then click OK.
◦ To send the incidents in an email, select Actions → Email Selected Events, enter the information, then click OK.
You can select a template, or create a template by entering the information and clicking Save.
◦ To export the incidents, select Actions → Export Selected Events, enter the information, then click OK.
◦ To release redaction on the incidents, select Actions → Release Redaction, enter a user name and password, then click OK.
Caution: You must have data redaction permission to remove redaction.
◦ To change the properties, select Actions → Set Properties, change the options, then click OK.

Create email notifications

The process to add email notifications is similar for DLP Incident Manager and DLP Operations.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Incident Manager or Menu → Data Protection → DLP Operations.
2. Select either Incident Tasks or Operational Event Tasks, then select Automatic mail Notification.
If you chose Incident Tasks, you must also select the type of incident, such as Data-in-use/motion.
3. Click Actions → New Rule and enter a name and optional description.
Rules are enabled by default. You can change this setting to delay running the rule.
4. Select which events you want to process, then specify the following information:
◦ Recipients
◦ Subject
◦ Body
Apart from Body, these fields are required. You can insert variables from the drop-down list as needed.
5. Add the email body text.
6. (Optional for DLP Incident Manager) Select the checkbox to attach evidence information to the email.
7. Click Next to add the rule criteria and their Comparison and Value parameters, then click Save.

Create cases
Create a case to group and review related incidents.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Case Management.
2. Select Actions → New.
3. Enter a title name and configure the options.
4. Click OK.

Assign a reviewer
Assign reviewers to incidents and operational events. Assignments can be by reviewer group or individual reviewer.
Use the Permission Sets feature under User Management to create reviewers.
The process to set reviewers is similar for DLP Incident Manager and DLP Operations.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Incident Manager or Menu → Data Protection → DLP Operations.
2. Select either Incident Tasks or Operational Event Tasks, then select Set Reviewer.
3. Click Actions → New Rule and enter a name and optional description.
Rules are enabled by default. You can change this setting to delay running the rule.
4. Select a reviewer or group, then click Next.
5. Click Next to add the rule criteria and their Comparison and Value parameters, then click Save.

View case information

View audit logs, user comments, and incidents assigned to a case.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Case Management.
2. Click on a case ID.
3. Perform any of these tasks.
◦ To view incidents assigned to the case, click the Incidents tab.
◦ To view user comments, click the Comments tab.
◦ To view the audit logs, click the Audit Log tab.
4. Click OK.

Update cases
Update case information such as changing the owner, sending notifications, or adding comments.
Notifications are sent to the case creator, case owner, and selected users when:
• An email is added or changed.
• Incidents are added to or deleted from the case.
• The case title is changed.
• The owner details are changed.
• The priority is changed.
• The resolution is changed.
• Comments are added.
• An attachment is added.
Tip: You can disable automatic email notifications to the case creator and owner from Menu → Configuration → Server Settings → Data
Loss Prevention.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Case Management.
2. Click a case ID.
3. Perform any of these tasks.
◦ To update the case name, in the Title field, enter a new name, then click Save.
◦ To update the owner:
◦ Next to the Owner field, click ...
◦ Select the group or user.
◦ Click OK.
◦ Click Save.
◦ To update the Priority, Status, or Resolution options, use the drop-down lists to select the items, then click Save.
◦ To send email notifications:
◦ Next to the Send notifications to field, click ...
◦ Select the users to send notifications to.
Note: If no contacts are listed, specify an email server for McAfee ePO and add email addresses for users.
Configure the email server from Menu → Configuration → Server Settings → Email Server. Configure users from Menu → User
Management → Users.
◦ Click Save.
◦ To add a comment to the case:
◦ Click the Comments tab.
◦ Enter the comment in the text field.
◦ Click Add Comment.
4. Click OK.

Assign incidents to a case

Add related incidents to a new or existing case.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Incident Manager.
2. From the Present drop-down list, select Data in-use/motion.
3. Select the checkboxes of one or more incidents.
Tip: Use options such as Filter or Group By to show related incidents. To update all incidents displayed by the current filter, click
Select all in this page.
4. Assign the incidents to a case.
◦ To add to a new case, select Actions → Case Management → Add to new case, enter a title name, and configure the options.
◦ To add to an existing case, select Actions → Case Management → Add to existing case, filter by the case ID or title, and select the case.
5. Click OK.

Use case: Find policy violations by user

If you have a lot of incidents to review, it can be difficult to find incidents that are related to a particular user. To find related
policy violations, use attributes that identify a user.

Task
1. In McAfee ePO, select DLP Incident Manager.
2. From the Present drop-down list, select the option for your product.
3. Select the desired time.
4. Click Actions, then select Filter → Edit Filter.
5. From Available properties, select a user attribute, such as User Name, User Primary Email, or User City.
The following conditions can be selected from the drop-down list: Equals, Not Equals, Value is Blank, Value is Not Blank, Contains, Does not
Contain.
6. Specify the user information in the text field.
If you don't have a user's exact information, select the Sender or Recipient filter, add a Contains or Does not Contain condition, and
type a string that might match some characters in the user's name, or email address.
7. Click Policy Name, then select ... to choose a policy from the list.
This displays the incidents generated by the user information above and by the selected policy. Policies that did not
generate any matching incidents are not listed.
8. Click Update Filter.
Incidents that match the filter criteria are displayed.
9. Click the Save link next to the Filter drop-down list.

Results
The saved filter can be reused later.

Use case: Find high-risk incidents

To find high-risk incidents, filter incidents by severity.

Task
1. In McAfee ePO, select DLP Incident Manager.
2. From the Present drop-down list, select the option for your product.
3. From the Group By drop-down list, select Severity.
4. Select the severity you want to apply, such as critical or warning.

Results
Incidents that match the filter criteria are displayed.

Use case: Set properties on incidents

You can change incident properties such as the severity to help search for and track certain incidents.
The properties are Severity, Status, Resolution, Reviewing Group, and Reviewing User.

Task
1. In McAfee ePO, select DLP Incident Manager.
2. From the Present drop-down list, select the option for your product.
3. Click an incident.
The Incident Details window opens.
4. In the General Details pane, perform any of these tasks, then click Save.
◦ To update the severity, status, or resolution, select the options you want from the drop-down list, then click Save.
◦ Click ... next to the Reviewer field, select the group or user, then click OK.
5. Select Actions → Add Comment.
6. Enter a comment, then click OK.

Use case: Filter incidents by date, destination, and user


Create a filter that identifies incidents sent within the last 24 hours by a particular user.

Task
1. In McAfee ePO, select Menu → Data Protection → DLP Incident Manager.
2. Select Data-in-use/motion from Present.
3. Select Last 24 hours from the Time drop-down list.
4. In Filters, click Edit.
5. In Destination equals, add the required destination.
6. Select Username equals and add the name you want to look for.
7. Select Update Filter.
8. In the left-hand panel select Group-by, and choose Rule Set from the drop-down list.

Assign incident viewing permissions to users in an Active Directory
Select users from the Active Directory who can view incidents in the DLP Incident Manager.

Before you begin


Register an Active Directory server in McAfee ePO.

Task
1. In McAfee ePO, select Menu → User Management → Permission Sets.
2. Select the role you want to edit, then click the Edit link under Name and users.
3. Click Add, select the Active Directory users you want to add, then click OK.
4. Click Save.
5. In Data Loss Prevention, click the Edit link.
6. Select Incident Management, then click User can view all incidents.
7. Click Save.

Assign case management viewing permissions to a user


Allow a specific user to view their cases in DLP Case Management.

Before you begin


Create a user in McAfee ePO and assign a permission set to the user.

Task
1. In McAfee ePO, select Menu → User Management → Permission Sets and select the permission set that the user belongs to.
2. Click the Edit link under Name and users.
3. Select the recently created user, and click Save.
4. In Data Loss Prevention, click the Edit link.
5. Select Case Management, and click Users can view cases assigned to them.
6. Click Save.

Monitoring system health and status


Use the Appliance Management dashboard in McAfee ePO to manage your appliances, view system health status, and get detailed
information about alerts.
For information about McAfee DLP Prevent or McAfee DLP Monitor appliance status reported in Appliance Management system
health cards, see the latest version of the McAfee Data Loss Prevention Product Guide.
For information specifically relating to the Appliance Management options, see the Appliance Management online Help.

McAfee DLP dashboards


McAfee DLP 10.x and later add four incident-related charts in McAfee ePO dashboards. You can create new dashboards that
contain any of the McAfee DLP charts.
• DLP: Number of Incidents per day (data in-use/in-motion) in a line chart format
• DLP: Number of Incidents per severity (data in-use/in-motion) in a pie-chart format
• DLP: Number of Incidents per type (data in-use/in-motion) in a pie-chart format
• DLP: Number of Incidents per rule set (data in-use/in-motion) in a bar chart format

Appliance Management dashboard


The Appliance Management dashboard combines the Appliances tree view, System Health cards, Alerts and Details panes.
The dashboard shows the following information for all of your managed appliances.
The information bar includes the appliance name, the number of currently reported alerts, and other information specific to the
reported appliance.

McAfee DLP appliance events
McAfee DLP appliances send events to the Client Events log or the DLP Operations log.

Client Events log events


Some events include reason codes that you can use to search log files.
Tip: Best practice: Regularly purge the Client Events log to prevent it from becoming full.

Event ID UI event text Description

15001 LDAP query failure The query failed. Reasons are provided in the event description.

15007 LDAP directory synchronization Directory synchronization status.

210003 Resource usage reached critical level McAfee DLP Prevent cannot analyze a message because the directory is critically full.

210900 Appliance ISO upgrade success / Appliance ISO upgrade failed / Appliance downgrading to lower version / Internal install image updated successfully / Failed to update internal install image Appliance upgrade events:
• 983: Appliance ISO upgrade failed. Detailed logs can be found under /rescue/logs/.
• 984: Appliance ISO upgrade success. The appliance was successfully upgraded to a higher version.
• 985: Appliance downgrading to lower version. This event is sent when the downgrade attempt is initiated. Upgrade success or failure events are sent after the upgrade is complete. If a clean upgrade or downgrade is requested, the success or failure event is sent after the McAfee ePO connection is established.
Internal installation image updates using SCP events:
• 986: Internal installation image was updated successfully.
• 987: Failed to update the internal installation image.

220000 User logon A user logged on to the appliance:
• 354: GUI logon successful.
• 355: GUI logon failed.
• 424: SSH logon successful.
• 425: SSH logon failed.
• 426: Appliance console logon successful.
• 427: Appliance console logon failed.
• 430: User switch successful.
• 431: User switch failed.

220001 User logoff A user logged off the appliance:
• 356: GUI user logged off.
• 357: The session has expired.
• 428: The SSH user logged off.
• 429: The appliance console user logged off.
• 432: The user logged off.

220900 Install Certificate • Certificate installation success
• Certificate installation failed: <reason>
A certificate might not install due to one of the following reasons: Bad passphrase, No private key, Chain error, Bad certificate, Expired certificate, Not yet valid, Bad signature, Bad CA certificate, Chain too long, Wrong purpose, Revoked, Bad or missing CRL. The reason is also reported in the syslog. If the reason does not match any of the available reasons, it gives the default Certificate installation failed event.

DLP Operations log events

Event ID UI event text Description

19100 Policy Change Appliance Management successfully pushed a policy to the appliance.

19500 Policy Push Failed Appliance Management failed to push a policy to the appliance.

19105 Evidence Replication Failed • An evidence file could not be encrypted.
• An evidence file could not be copied to the evidence server.

19501 Failed Analysis • Possible denial-of-service attack.
• The content could not be decomposed for analysis.

19402 DLP Prevent Registered The appliance successfully registered with McAfee ePO.

19403 DLP Monitor Registered The appliance successfully registered with McAfee ePO.

Maintenance and troubleshooting
Use the appliance console for general maintenance tasks such as changing network settings and performing software updates.
Troubleshooting options, sanity checks, and error messages are available to help you identify and resolve problems with a
McAfee DLP Prevent or McAfee DLP Monitor appliance.

Troubleshooting tips
For more information about troubleshooting and maintenance tasks, and information about McAfee DLP Prevent or McAfee DLP
Monitor client and operational events, see the McAfee Data Loss Prevention Product Guide.

The appliance failed to register with McAfee ePO


Verify the network connection is working, and any static routes that you created are correct. Ping the default gateway and
McAfee ePO from the appliance console to test your network connection.
Important: If the registration continues to fail, call technical support. Do not attempt the registration again.
You can check the connection status for all your physical and virtual appliances using the Appliance Management feature in McAfee
ePO.
To restore a failed connection, open the System Tree and select the McAfee DLP Prevent or McAfee DLP Monitor appliance that has
lost the connection. Then select Action → Agent → Wake Up Agents and click OK.

McAfee DLP Prevent or McAfee DLP Monitor registration failures


McAfee DLP Prevent or McAfee DLP Monitor registration events are available from the DLP Operations log in McAfee ePO.

Event ID UI event text Description

19402 DLP Prevent Registered The appliance successfully registered with McAfee ePO.

19403 DLP Monitor Registered The appliance successfully registered with McAfee ePO.

No events are registered if the McAfee DLP Prevent or McAfee DLP Monitor appliance is unregistered. You can get more
information from /var/log/messages.

Email delivery issues


If email is not delivered, check whether it is blocked by a McAfee DLP Prevent appliance. Go to the DLP Incident Manager on McAfee
ePO to check if there is any corresponding incident for the message.
If email notification is configured on McAfee ePO as a Reaction, the sender is notified.
Check if the Smart Host can receive email if:
• McAfee DLP Prevent could not connect to the Smart Host to send the message.
• The connection to Smart Host was dropped during a conversation.

Email rejection issues


If a Smart Host is not configured, McAfee DLP Prevent cannot accept email messages because it has nowhere to send them.

Web Gateway and McAfee DLP Prevent ICAP issues


Check the McAfee DLP Web Settings category settings in DLP Appliance Management in the Policy Catalog. McAfee DLP Prevent processes
ICAP and ICAPS traffic based on the services you select: secure ICAP (ICAPS), unencrypted ICAP, or both.
If neither is selected, the ICAP server on McAfee DLP Prevent does not accept any connection.
If only secure ICAP is enabled, ensure that the ICAP client is ICAPS capable.
You can select the modes in which McAfee DLP Prevent operates for ICAP traffic: REQMOD and RESPMOD. If either
mode is deselected, that traffic is ignored by the McAfee DLP Prevent appliance and is not processed. REQMOD and
RESPMOD cannot both be disabled at the same time.

LDAP and Logon Collector issues
If there are communication issues between the McAfee DLP Prevent or McAfee DLP Monitor appliance and the Active Directory
while querying user information:
• Check the Active Directory credentials configured on McAfee ePO.
• If SSL is selected, check that Active Directory accepts secure connections.
If you configured Active Directory to use Global Catalog ports, check that at least one of these attributes is replicated to the Global
Catalog server from the domains in the forest:
• Proxy addresses
• Mail
If a McAfee DLP Prevent or McAfee DLP Monitor appliance needs to use NTLM authentication for ICAP traffic, these LDAP
attributes must also be replicated:
• configurationNamingContext
• netbiosname
• msDS-PrincipalName
For Logon Collector, check the Logon Collector certificate on the McAfee DLP Prevent or McAfee DLP Monitor appliance.

Installation failures
• Dependency issues — There might be a dependency issue if any of the following extensions are missing:
◦ Common UI package
◦ Appliance Management Extension
◦ Data Loss Prevention Management Extension
• Upgrade issues — The following error occurs if you install the same version or an earlier version of the extension: Can't upgrade the
extension dlp-prevent-server-app to <version x.x.x.x> because <version x.x.x.x> is already installed.

Policy push failures


Policy push events are also available from the DLP Operations log in McAfee ePO.
If a policy push fails, details can be obtained from the McAfee DLP Prevent or McAfee DLP Monitor appliance at /wk/mca/ame_policy_DLPPS___1000_error.log

System health
The Appliance Management dashboard in McAfee ePO provides information to manage your appliances, view system health status,
and get detailed information about alerts.
System health shows the status of:
• Evidence Queue
• Email and web requests (McAfee DLP Prevent)
• Packet analysis (McAfee DLP Monitor)
• CPU usage
• Memory
• Disk
• Network
It displays errors or warnings that relate to:
• System health
• Evidence queue size
• Policy enforcement
• Communication between McAfee ePO and McAfee DLP Prevent and McAfee DLP Monitor appliances.

Incident Manager issues

Issues with user, LDAP, or certificate installation are listed in the Client Events log.

1. In McAfee ePO, go to the System Tree.
2. Select the checkbox next to the McAfee DLP Prevent or McAfee DLP Monitor appliance.
3. Select Actions, then go to Agent → Show Client Events.

Incidents are not showing in the DLP Incident Manager
1. Use the Remote Desktop Protocol (RDP) to access McAfee ePO.
2. Go to Services.
3. Confirm that the McAfee ePO Event Parser is running. If it has stopped or paused, restart it to resolve the issue.

McAfee DLP Prevent and McAfee DLP Monitor send logging information to the local syslog, and one or more remote logging
servers if you have them enabled. Syslog entries contain information about the device itself (the vendor, product name, and
version), the severity of the event, and the date the event occurred.

Note: Use settings in the General category of the Common Appliance policy to set up remote logging servers.
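As an added example that is not part of this guide, the following Python reads syslog-style lines carrying the event 220000 logon reason codes from the Client Events log table above and flags repeated logon failures, and a success that follows them, for review. The key=value field layout after the syslog header is an assumption made for this example; the appliance's actual syslog line format is not shown in this guide.

```python
import re
from collections import defaultdict

# Reason codes attached to Client Events event 220000 (User logon), as listed
# in the Client Events log table: (logon channel, success?).
LOGON_REASONS = {
    354: ("GUI", True), 355: ("GUI", False),
    424: ("SSH", True), 425: ("SSH", False),
    426: ("console", True), 427: ("console", False),
    430: ("user switch", True), 431: ("user switch", False),
}

# Constructed sample lines. The key=value layout after the syslog header is an
# assumption for this example, not the appliance's real syslog format.
SAMPLE_SYSLOG = """\
Mar  3 10:15:02 dlp-prevent-1 dlp: vendor=McAfee product="DLP Prevent" version=11.0.0 severity=info event=220000 reason=424 user=admin src=10.10.1.20
Mar  3 10:16:11 dlp-prevent-1 dlp: vendor=McAfee product="DLP Prevent" version=11.0.0 severity=warning event=220000 reason=425 user=admin src=203.0.113.9
Mar  3 10:16:14 dlp-prevent-1 dlp: vendor=McAfee product="DLP Prevent" version=11.0.0 severity=warning event=220000 reason=425 user=admin src=203.0.113.9
Mar  3 10:16:17 dlp-prevent-1 dlp: vendor=McAfee product="DLP Prevent" version=11.0.0 severity=warning event=220000 reason=425 user=admin src=203.0.113.9
Mar  3 10:16:20 dlp-prevent-1 dlp: vendor=McAfee product="DLP Prevent" version=11.0.0 severity=info event=220000 reason=424 user=admin src=203.0.113.9
Mar  3 10:20:05 dlp-prevent-1 dlp: vendor=McAfee product="DLP Prevent" version=11.0.0 severity=warning event=220000 reason=355 user=alice src=10.10.1.30
Mar  3 10:25:40 dlp-prevent-1 dlp: vendor=McAfee product="DLP Prevent" version=11.0.0 severity=info event=220001 reason=428 user=admin src=10.10.1.20
"""

FIELD_RE = re.compile(
    r"event=(?P<event>\d+) reason=(?P<reason>\d+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_logon_events(text):
    """Extract only event 220000 records that carry a known logon reason code.

    Logoff events (220001) and unknown reason codes are skipped."""
    events = []
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if not m or int(m["event"]) != 220000:
            continue
        reason = int(m["reason"])
        if reason not in LOGON_REASONS:
            continue
        channel, success = LOGON_REASONS[reason]
        events.append({"user": m["user"], "src": m["src"],
                       "channel": channel, "success": success})
    return events


def find_suspicious_logons(events, threshold=3):
    """Flag `threshold` consecutive failures per (user, source, channel), and a
    success that directly follows failures, which is worth a reviewer's look."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        key = (e["user"], e["src"], e["channel"])
        if not e["success"]:
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(
                    f"{threshold} failed {e['channel']} logons for {e['user']} from {e['src']}")
        else:
            if failures[key]:
                findings.append(
                    f"{e['channel']} logon succeeded for {e['user']} from {e['src']} "
                    f"after {failures[key]} failures")
            failures[key] = 0
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logons(parse_logon_events(SAMPLE_SYSLOG)):
        print(finding)
```

The same parsing applies to lines forwarded to the remote logging servers configured in the Common Appliance policy, provided the field layout is adjusted to the real format.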

Managing with the McAfee DLP appliance console


Use administrator credentials to open the appliance console to edit network settings you entered in the Setup Wizard and
perform other maintenance and troubleshooting tasks.
You can add your own text to appear at the top of the appliance console or SSH logon screen using the Custom Logon Banner option
in McAfee ePO (Menu → Policy Catalog → DLP Appliance Management → General).

Table 1: Appliance console menu options

Option Definition

Graphical configuration wizard Open the graphical configuration wizard.
Note: If you log on using SSH, the graphical configuration wizard option is not available.

Shell Open the appliance Shell.

Enable/Disable SSH Enable or disable SSH as a method of connecting to the appliance.

Generate MER Create a Minimum Escalation Report (MER) to send to McAfee Support to diagnose problems with the appliance.

Power down Shut down the appliance.

Reboot Restart the appliance.

Rescue Image Create a rescue image for the appliance to boot from.

Reset to factory defaults Reset the appliance to its factory default settings.

Change password Change the administrator account password.

Logout Log off the master appliance.

Accessing the appliance console


The appliance console allows you to perform various maintenance tasks. There are different ways to access the console
depending on the type of appliance you have.

Table 1: Methods for accessing the console

Method Virtual appliance Hardware appliance

SSH X X

vSphere Client X

Local KVM (keyboard, monitor, mouse) X

RMM X

Serial port X

Replace the default certificate


You can replace the self-signed certificate with one issued by a certificate authority (CA) so that other hosts on the network can
validate the appliance's SSL certificate.

Before you begin


SSH must be enabled.
To replace the certificate, you can either:
• Upload a new certificate and private key.
• Download a certificate signing request (CSR) from the appliance, have it signed by a CA, and upload the certificate that the CA
gives you.
Tip: Best practice: Downloading a CSR from the appliance ensures that the appliance's private key cannot be inadvertently
exposed.
Only ECDSA and RSA certificates and keys are allowed in the uploaded file. The certificate must be suitable for use as both a TLS
server and a TLS client and the upload must include the whole certificate chain. Uploads can be in the following formats:
• PEM (Base64) — Certificate chain and private key or certificate chain only
• PKCS#12 — Certificate chain and private key
• PKCS#7 — Certificate chain only
If the upload format is PKCS#12 or PKCS#7, the correct file endings must be used:
• PKCS#12 must have the file ending .p12 or .pfx.
• PKCS#7 must have the file ending .p7b.
The certificate might fail to install if:
• The certificate is not usable for its intended role.
• The certificate has expired.
• The uploaded file does not contain the CA certificates that it needs to verify it.
• The certificate uses an unsupported public key algorithm, such as DSA.
If installation fails, detailed information is available in the appliance syslog. To view it, log on to the appliance console, select the
Shell option, and type $ grep import_ssl_cert /var/log/messages.

Task
1. In a browser, go to https://APPLIANCE:10443/certificates/ and select one of the CSR links for download.
Two files are available: one contains an RSA public key (the file ending in .rsa.csr) and the other contains an ECDSA public key
(the file ending in .ec.csr).
2. Follow your CA's instructions to get the request signed.
3. Use an SFTP client, such as winscp, to copy the file to the /home/admin/upload/cert directory on the appliance.
The file installs automatically.
The Client Events log reports whether the installation succeeded or failed.
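As an added example that is not McAfee's code, the following Python pre-checks an upload against the rules stated in this section before it is copied to /home/admin/upload/cert: the required file endings for PKCS#12 and PKCS#7, the presence of a whole chain in a PEM upload, and the RSA/ECDSA-only key rule. It inspects PEM block labels only (no ASN.1 parsing), so PKCS#12 and PKCS#7 containers are checked by file ending alone; the sample inputs are constructed placeholders, not real certificates.

```python
import re

# File endings the guide requires for the binary container formats.
PKCS12_ENDINGS = (".p12", ".pfx")
PKCS7_ENDINGS = (".p7b",)

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*[A-Za-z0-9+/=\s]+?\s*-----END (?P=label)-----"
)


def precheck_certificate_upload(filename, content=None):
    """Return (errors, warnings) for a file destined for /home/admin/upload/cert.

    PKCS#12 and PKCS#7 files are binary DER containers; this stdlib-only check
    confirms only their file ending and leaves content validation to the
    appliance. PEM uploads are inspected block by block."""
    errors, warnings = [], []
    name = filename.lower()
    if name.endswith(PKCS12_ENDINGS + PKCS7_ENDINGS):
        return errors, warnings
    if content is None:
        return ["not a .p12/.pfx/.p7b file and no PEM content supplied"], warnings

    labels = [m["label"] for m in PEM_BLOCK_RE.finditer(content)]
    if not labels:
        errors.append("no PEM blocks found; binary PKCS#12 uploads must end in "
                      ".p12 or .pfx and PKCS#7 uploads in .p7b")
        return errors, warnings
    if "PKCS7" in labels:
        errors.append("PKCS#7 data must be uploaded as a .p7b file")

    certs = labels.count("CERTIFICATE")
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if certs == 0:
        errors.append("no certificate in the upload")
    elif certs == 1:
        # A lone certificate cannot carry the CA certificates needed to verify it.
        errors.append("only one certificate present; include the whole chain")
    if "DSA PRIVATE KEY" in keys:
        errors.append("DSA private key: only RSA and ECDSA keys are allowed")
    if len(keys) > 1:
        errors.append("more than one private key in the upload")
    if any(k in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY") for k in keys):
        # PKCS#8 labels do not name the algorithm; DSA would only be caught on import.
        warnings.append("PKCS#8 key: confirm the algorithm is RSA or ECDSA")
    if not keys:
        warnings.append("certificate chain only: valid when this is the CA-signed "
                        "result of the appliance's own CSR")
    return errors, warnings


FAKE_BODY = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"  # constructed, not real DER


def pem_block(label):
    """Build a constructed PEM block with a placeholder body."""
    return f"-----BEGIN {label}-----\n{FAKE_BODY}\n-----END {label}-----\n"


# Constructed sample uploads: a full chain with an ECDSA key, and a single
# certificate with a DSA key (two separate rejection reasons).
GOOD_PEM = pem_block("CERTIFICATE") * 3 + pem_block("EC PRIVATE KEY")
DSA_PEM = pem_block("CERTIFICATE") + pem_block("DSA PRIVATE KEY")

if __name__ == "__main__":
    for fname, data in (("appliance.pem", GOOD_PEM), ("appliance.pem", DSA_PEM)):
        print(fname, precheck_certificate_upload(fname, data))
```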

Error messages
If the appliance is not configured correctly, it tries to identify the problem and sends a temporary or permanent failure message.
The text in parentheses in the error message provides additional information about the problem. Some error messages relay the
response from the Smart Host so the McAfee DLP Prevent response contains the IP address, which is indicated by x.x.x.x.
For example, 442 192.168.0.1 : Connection refused indicates that the Smart Host with the address 192.168.0.1 did not accept the
SMTP connection.

Table 1: Temporary failure messages

Text: 451 (The system has not been registered with an ePO server)
Cause: The initial setup was not completed.
Recommended action: Register the appliance with a McAfee ePO server using the Graphical Configuration Wizard option in the appliance console.

Text: 451 (No DNS servers have been configured)
Cause: The configuration applied from McAfee ePO did not specify any DNS servers.
Recommended action: Configure at least one DNS server in the General category of the Common Appliance policy.

Text: 451 (No Smart Host has been configured)
Cause: The configuration applied from McAfee ePO did not specify a Smart Host.
Recommended action: Configure a Smart Host in the McAfee DLP Prevent Email Settings policy category.

Text: 451 (Policy OPG file not found in configured location)
Cause: The configuration applied from McAfee ePO was incomplete.
Recommended action:
• Ensure that the Data Loss Prevention extension is installed.
• Configure a Data Loss Prevention policy.
• Contact your technical support representative. The configuration OPG file must be applied with the policy OPG file.

Text: 451 (Configuration OPG file not found in configured location)
Cause: The configuration applied from McAfee ePO was incomplete.
Recommended action:
• Ensure that the Data Loss Prevention extension is installed.
• Configure a Data Loss Prevention policy.
• Contact your technical support representative. The configuration OPG file must be applied with the policy OPG file.

Text: 451 (LDAP server configuration missing)
Cause: This error occurs when both these conditions are met:
• McAfee DLP Prevent contains a rule that specifies a sender as a member of an LDAP user group.
• McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.
Recommended action: Check that the LDAP server is selected in the Users and Groups policy category.

Text: 451 (Error resolving sender based policy)
Cause: A policy contains LDAP sender conditions, but cannot get the information from the LDAP server because:
• McAfee DLP Prevent and the LDAP server have not synchronized.
• The LDAP server is not responding.
Recommended action: Check that the LDAP server is available.

Text: 451 (FIPS test failed)
Cause: The cryptographic self-tests required for FIPS compliance failed.
Recommended action: Contact your technical support representative.

Text: 451 (Unable to verify data against the registered document server)
Cause: The registered documents server is unavailable.
Recommended action: Check your configuration to confirm that the server is available, and the details you entered are correct.

Text: 442 x.x.x.x: Connection refused
Cause: McAfee DLP Prevent could not connect to the Smart Host to send the message, or the connection to the Smart Host was dropped during a conversation.
Recommended action: Check that the Smart Host can receive email.

Table 2: Permanent failure messages

Error: 550 Host / domain is not permitted
Cause: McAfee DLP Prevent refused the connection from the source MTA.
Action: Check that the MTA is in the list of permitted hosts in the McAfee DLP Prevent Email Settings policy category.

Error: 550 x.x.x.x: Denied by policy. TLS conversation required
Cause: The Smart Host did not accept a STARTTLS command but McAfee DLP Prevent is configured to always send email over a TLS connection.
Action: Check the TLS configuration on the host.

Table 3: ICAP error messages

Error: 500 (Unable to verify data against the registered document server)
Cause: The registered documents server is unavailable.
Action: Check your configuration to confirm that the server is available, and the details you entered are correct.

Error: 500 (LDAP server configuration missing)
Cause: This error occurs when both these conditions are met:
• McAfee DLP Prevent contains a rule that specifies an end-user as a member of an LDAP user group.
• McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.
Action: Check that the LDAP server is selected in the Users and Groups policy category.

Error: 500 (Error resolving end-user based policy)
Cause: A policy contains LDAP end-user conditions, but cannot get the information from the LDAP server because:
• McAfee DLP Prevent and the LDAP server have not synchronized.
• The LDAP server is not responding.
Action: Check that the LDAP server is available.

Configuration backups
In McAfee DLP 10.x and later, you can create backups of your configuration data that can be restored. However, appliance
settings are not backed up. Backup tasks are run as needed from the backend, and cannot be scheduled.
The following components are included in a McAfee DLP 10.x and later backup.
• The SQL database.
• The installed extensions.
• Keys for McAfee ePO agent-server communication and the repositories.
• All products that have been checked into the Master Repository.
• The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and
console certificates.
To create a backup of your McAfee DLP 10.x and later configuration, see KB66616.

COPYRIGHT
Copyright © 2019 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.
