Troubleshooting the interaction between Network protection in BEST and DLP solutions
This article explores the interaction between network protection mechanisms in BEST and Data Loss Prevention (DLP) solutions, focusing on how they function alongside Windows Filtering Platform (WFP) technologies.
Network protection includes firewalls, intrusion detection systems, and access controls to secure data flow. The Windows Filtering Platform (WFP) supports this by allowing developers to create custom filters and traffic rules.
DLP solutions prevent sensitive information from being transferred outside the organization. They work by monitoring and controlling data in motion, data at rest, and data in use.
Confirming an incompatibility case
To confirm an incompatibility case follow these steps:
To generate the WFP State file:
Open the Command Prompt as an administrator
Run the following command:
netsh.exe wfp show state file=wfp_state.xml
.
Ensure that the
wfp_state.xml
file is included in the collected system trace (ST).Bitdefender will review the list of TCP Stream Filters, and compare it with the dci4 sublayer weights to identify any incompatibilities.
Note
Make sure the
wfp_state.xml
file is present in the collected system trace (ST).
Troubleshooting compatibility issues between BEST and DLP solutions
WFP's filtering model involves layers and sub-layers where filters are applied based on priority and weight. This model determines whether network traffic is permitted or blocked. Filters can return Permit, Block, or Continue actions, with Block actions taking precedence over Permit actions.
DLP and BEST network protection may sometimes conflict, particularly when different policies apply. For instance, a policy might permit traffic for operational reasons, while DLP aims to block it due to sensitivity concerns. In such cases, WFP's arbitration rules and configurable override policies dictate the final action.
We use two priority levels for managing network traffic at layers FWPM_LAYER_STREAM_V4
and FWPM_LAYER_STREAM_V6
, set at 256
and 65280
.
To troubleshoot any possible issues involving BEST and DLP solutions you need to follow this compatibility guidelines:
Single Priority Level DLP: Must have a priority level within the
256
and65280
range to work smoothly.Two Priority Levels DLP: Both levels must either be within or outside the
256
and65280
range to work smoothly.
Tip
When selecting priority levels (weights) for network traffic rules, it's best to choose them equidistant from the ends of the range (0 to 65535). For example, use values like 0+X and 65535-X. This helps ensure compatibility with other solutions and prevents conflicts.
For solutions with only one priority level (sublayer), it's recommended to choose a value close to the midpoint of the range [0, 65535], which is around 32768. This helps maintain balance and compatibility with other network configurations.