"Your emails are about to expire" notifications from DLP. However, there are no e-mails in the DLP portal

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk110314
Technical Level
Product	Data Loss Prevention
Version	R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL)
Platform / Model	All
Date Created	28-Feb-2016
Last Modified	20-Mar-2017

Symptoms

"Your emails are about to expire" notifications are sent from Data Loss Prevention blade.
However, there are no quarantined e-mail messages to review in DLP portal.

Cause

The issue is caused by incorrect database query.

Once there is a match for a DLP rule, in which the action is set to "Ask" or "Prevent", an incident is created.

Each incident is saved in a local database and includes the following information:

Incident ID
Sender e-mail address
Creation date
DLP action

On a daily basis, a database query is made searching for incidents, which are over 4 days old. The result, a number of incidents, will be sent to the "sender e-mail address" with a pre-defined text:

"You have X un-handled incidents awaiting for you in the Data Loss Prevention portal.
Click here in order to view and handle them."

Once the user logs in to the DLP portal, a different database query is made to present the pending incidents.

While the DLP portal query filters the incidents based on "DLP action" - "Ask", the daily query does not.

This causes the number of pending incidents written in the expiration notification e-mail to being larger than the actual number of pending incidents.

Solution

Note: To view this solution you need to Sign In .