Troubleshooting and Endpoint

The document is a lab guide for troubleshooting Forcepoint Data Loss Prevention (DLP) systems, detailing steps for identifying logs, managing incidents, and performing disaster recovery. It includes specific tasks such as enabling debugging, analyzing log files, and troubleshooting issues with the DLP Endpoint. Additionally, it provides a virtual lab topology and environment credentials for training purposes.


Forcepoint DLP:

System Engineer
Lab Guide 3
Troubleshooting DLP

March 2023
Public

forcepoint.com
© 2023 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or
reduced to any electronic medium or machine-readable form without prior consent in writing
from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However,
Forcepoint makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose.

Forcepoint shall not be liable for any error or for incidental or consequential damages in
connection with the furnishing, performance, or use of this manual or the examples herein. The
information in this documentation is subject to change without notice.

2 | Forcepoint DLP: System Engineer © Forcepoint 2023


Table of Contents
DLP Virtual Lab Topology ..... 5
8 Troubleshooting DLP ..... 7
8.1 Identifying Forcepoint DLP logs ..... 7
8.1.1 Locate DLP Manager configuration files ..... 7
8.1.2 Enable debugging ..... 7
8.1.3 Analyze log files ..... 8
8.1.4 Disable debugging ..... 8
8.1.5 Using DLPServerInfo tool ..... 8
8.2 Troubleshooting incidents not appearing in dashboard ..... 11
8.2.1 Clear DLP UI (tomcat) and Batch Server (jetty) caches ..... 11
8.2.2 View the old log files ..... 12
8.3 Troubleshooting a hanging discovery task ..... 13
8.3.1 Locate a discovery job ID ..... 13
8.3.2 Delete a discovery job ..... 13
9 Managing and Troubleshooting Forcepoint One Endpoint ..... 14
9.1 Excluding applications from DLP Endpoint ..... 14
9.1.1 Exclude notepad.exe from DLP scanning ..... 14
9.2 Debugging Forcepoint One Endpoint ..... 15
9.2.1 Using Forcepoint One Endpoint Diagnostics tool ..... 15
9.2.2 Use WDEutil command for various tasks ..... 16
9.2.3 Edit EndpointClassifier.log.config ..... 17
9.2.4 Investigate the DebugDump.txt ..... 17
10 Performing Disaster Recovery ..... 19
10.1 Performing a DLP backup ..... 19
10.1.1 Confirm that the backup task is configured in FSM ..... 19
10.1.2 Run the backup ..... 19
10.1.3 Confirm the backup completed successfully ..... 19
10.2 Performing a Forcepoint DLP Restore ..... 21
10.2.1 Restore Forcepoint DLP from a backup ..... 21
10.2.2 Deploy the restored environment ..... 23
Optional Challenge ..... 24
Challenge: Configuring a traffic log timeouts report ..... 24





DLP Virtual Lab Topology

Host: FSM
IP: 192.168.123.155
OS: Windows Server 2019

Host: DC
IP: 192.168.123.150
OS: Windows Server 2019

Host: Protector
eth0: 192.168.123.191
eth1: 192.168.123.192

Host: MRSVR
IP: 192.168.123.159
OS: Windows Server 2019

Host: Web_Proxy
IP: 192.168.123.152
OS: CentOS

Host: DLP_Analytics
IP: 192.168.123.194
OS: CentOS

Host: Test_PC
IP: 192.168.123.107


Environment Credentials:

These are the credentials that you will use during your training.

FSM server
Domain: Fpcert
Username: Administrator
Password: Forcepoint1!

Windows test machine
Domain: fpcert
Username: tmuller
Password: Forcepoint1!

Forcepoint Security Manager (FSM)
Username: admin
Password: Forcepoint1!

SQL Manager Studio
Username: sa
Password: Forcepoint1!

Web Content Gateway
Username: admin
Password: Forcepoint1!

Protector
Username: root
Password: Forcepoint1!

Forcepoint Support Site (https://support.forcepoint.com)
Use your credentials or ask instructor.



8 Troubleshooting DLP
8.1 Identifying Forcepoint DLP logs
Scenario:

Your organization needs to create a test machine and wishes to copy all the current policies from
the production system, but you are unsure whether the export process is working. You need to
check the process by enabling logging.

Tasks:

1. Locate DLP Manager configuration files
2. Enable debugging
3. Analyze log files
4. Disable debugging
5. Using DLPServerInfo tool

8.1.1 Locate DLP Manager configuration files


1. In your Go4Labs environment, resume the session in mRemote, and connect to Security
Manager machine.
2. Open File Explorer. Navigate to c:\Program Files (x86)\Websense\Data Security\tomcat\lib.

8.1.2 Enable debugging


1. Take a copy of the log4j-dlp.properties file and save to c:\temp. NOTE: Care must be
taken when editing the configuration files.
2. Right-click on the original log4j-dlp.properties Open with Notepad++ in Administrator
mode.
3. Scroll down to Policies Export/Import.

4. Remove the ‘#’ from the beginning of each of the lines starting ‘logger.com’ and save the
file.



5. In Forcepoint Security Manager, navigate to Data > Policy Management > Discovery
Policies > Manage Policies.
6. Select Import/Export > Export > Export Policies.
7. Click Select All. Click OK.

8.1.3 Analyze log files


1. Return to the File Explorer window. Navigate to
C:\Program Files (x86)\Websense\Data Security\tomcat\logs\dlp.
2. Right-click dlp-all.log Open with Notepad++.
3. Scroll through the log file to the correct date/timestamp. Search through the entries looking
for PolicyImportExport.

The export activity shows the export working.

4. Exit Notepad++.
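The search in step 3 can be scripted. This is an added example, not part of the lab guide: it pulls the PolicyImportExport entries that fall inside a time window out of a dlp-all.log style file and keeps stack-trace continuation lines attached to the entry they belong to. The line layout and the sample lines are constructed; the real layout is whatever log4j-dlp.properties defines.

```python
"""Extract the PolicyImportExport entries for a time window from a
dlp-all.log style file. Continuation lines (stack traces) carry no
timestamp, so they are attached to the entry that precedes them."""
import re
from datetime import datetime
from typing import List

# Constructed layout: "<yyyy-mm-dd HH:MM:SS,mmm> <LEVEL> [<topic>] <message>".
ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+) \[([^\]]+)\] (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

def parse_entries(text: str) -> List[dict]:
    """Split the log into entries; a line without a timestamp is appended
    to the message of the previous entry."""
    entries: List[dict] = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"ts": datetime.strptime(m.group(1), TS_FMT),
                            "level": m.group(2), "topic": m.group(3),
                            "msg": m.group(4)})
        elif entries:
            entries[-1]["msg"] = f"{entries[-1]['msg']}\n{line}"
    return entries

def export_entries(text: str, start: str, end: str,
                   topic: str = "PolicyImportExport") -> List[dict]:
    """Entries for `topic` whose timestamp lies in [start, end)."""
    lo = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    hi = datetime.strptime(end, "%Y-%m-%d %H:%M:%S")
    return [e for e in parse_entries(text)
            if e["topic"] == topic and lo <= e["ts"] < hi]

def export_failed(entries: List[dict]) -> bool:
    """True when any selected entry was logged at ERROR or above."""
    return any(e["level"] in ("ERROR", "FATAL") for e in entries)

# Constructed sample log; messages and class names are illustrative only.
SAMPLE_LOG = """\
2023-03-14 10:14:58,001 INFO [Scheduler] housekeeping run
2023-03-14 10:15:02,120 DEBUG [PolicyImportExport] Export started, 12 policies selected
2023-03-14 10:15:02,455 DEBUG [PolicyImportExport] Writing policy 'HIPAA' to archive
2023-03-14 10:15:03,010 ERROR [PolicyImportExport] Failed to serialise policy 'PCI'
java.io.IOException: disk full
    at com.example.Export.write(Export.java:42)
2023-03-14 10:15:04,000 INFO [Scheduler] housekeeping run
2023-03-14 10:20:00,000 DEBUG [PolicyImportExport] Export started, 1 policy selected
"""

if __name__ == "__main__":
    hits = export_entries(SAMPLE_LOG, "2023-03-14 10:15:00", "2023-03-14 10:16:00")
    for e in hits:
        print(e["ts"], e["level"], e["msg"].splitlines()[0])
    print("export failed:", export_failed(hits))
```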

8.1.4 Disable debugging


1. Navigate back to
C:\Program Files (x86)\Websense\Data Security\tomcat\lib\log4j-dlp.properties.
2. Scroll down to Policies Export/Import and replace the hash at the beginning of the lines that
were removed. Save the file.
NOTE: It is important to disable the debugging as soon as you have finished testing to prevent
the log files from increasing in size.

8.1.5 Using DLPServerInfo tool


1. Navigate to C:\Program Files (x86)\Websense\Data Security\support_tools\DLPServerInfo.
2. Run DLPServerInfo.exe as an administrator. The script checks the following:
• Checks which Forcepoint products are installed on the server.
• Obtains copies of specific local files and folders.
• Runs SQL database queries.
• Extracts specific registry values.
• Runs Windows commands to obtain important system information.
• Checks which log topics are set to DEBUG.
• Checks MD5 hashes for common IB files.
• Saves and compresses content under %DSS_HOME%\DLPServerInfo.



• An additional non-archived copy is saved under %DSS_HOME%\DLPServerInfo\Temp.

DLPServerInfo.log is created under the same folder. Each time the script is run, this folder is
removed and re-created.

3. Open File Explorer and navigate to
C:\Program Files (x86)\Websense\Data Security\DLPServerInfo\Temp to view the files collected.



4. Review the output file: log_set_debug.txt. This shows any DLP log configuration files that
have debug still enabled.
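Steps 8.1.2 and 8.1.4 edit log4j-dlp.properties by hand, and step 4 above reads the debug audit that DLPServerInfo writes. The following is an added example, not code from the lab guide or from Forcepoint: it uncomments or re-comments the logger.com lines of one named section and lists the loggers left at DEBUG. The sample file is constructed in log4j2 properties layout; its logger ids and class names are hypothetical.

```python
"""Enable or disable the commented-out 'logger.com...' lines in one section
of a log4j2 properties file, and list which loggers are left at DEBUG."""
import re
from typing import Dict, List

# A logger line, optionally commented out with '#'.
LOGGER_LINE = re.compile(r"^(#\s*)?(logger\.com\S*?)\s*=\s*(.*)$")

def toggle_section(text: str, section_marker: str, enable: bool) -> str:
    """Within the block that starts at the comment line containing
    section_marker and ends at the next blank line, uncomment (enable=True)
    or re-comment (enable=False) each line whose key starts 'logger.com'."""
    out: List[str] = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_section and stripped.startswith("#") and section_marker in stripped:
            in_section = True
        elif in_section and not stripped:
            in_section = False            # blank line closes the section
        elif in_section:
            m = LOGGER_LINE.match(stripped)
            if m:
                key, value = m.group(2), m.group(3)
                line = f"{key} = {value}" if enable else f"#{key} = {value}"
        out.append(line)
    return "\n".join(out) + "\n"

def debug_loggers(text: str) -> List[str]:
    """Names of loggers whose active (uncommented) level is DEBUG; this is
    the check DLPServerInfo reports in log_set_debug.txt."""
    names: Dict[str, str] = {}
    levels: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = (s.strip() for s in stripped.partition("="))
        if key.startswith("logger.") and key.endswith(".name"):
            names[key[:-len(".name")]] = value
        elif key.startswith("logger.") and key.endswith(".level"):
            levels[key[:-len(".level")]] = value.lower()
    return sorted(names.get(k, k) for k, lvl in levels.items() if lvl == "debug")

# Constructed sample in log4j2 properties layout. The logger ids and class
# names are hypothetical, not the ones in Forcepoint's log4j-dlp.properties.
SAMPLE = """\
rootLogger.level = info

# Policies Export/Import
#logger.com.example.policyexport.name = com.example.dlp.PolicyImportExport
#logger.com.example.policyexport.level = debug

# Another topic, already active
logger.com.example.other.name = com.example.dlp.Other
logger.com.example.other.level = error
"""

if __name__ == "__main__":
    enabled = toggle_section(SAMPLE, "Policies Export/Import", True)
    print("DEBUG loggers after enabling:", debug_loggers(enabled))
    restored = toggle_section(enabled, "Policies Export/Import", False)
    print("file restored to original:", restored == SAMPLE)
```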

You should now be able to:

• Locate DLP manager configuration files
• Enable debugging
• Analyze log files
• Disable debugging
• Use DLPServerInfo tool



8.2 Troubleshooting incidents not appearing in dashboard
Scenario:

Your Forcepoint DLP UI appears to be giving inconsistent results, and incidents are not
appearing.

Tasks:

1. Clear DLP UI and Batch Server caches.
2. View the old log files.

8.2.1 Clear DLP UI (tomcat) and Batch Server (jetty) caches


1. Sign out of FSM.
2. Open Windows PowerShell as an administrator.
3. Type the following command and press enter:
cd 'C:\Program Files (x86)\websense\Data Security\support_tools\TomcatJettyCacheClear'
4. To run the TomcatJettyCacheClear script, type:
.\TomcatJettyCacheClear.ps1
5. Press enter. The script runs to clear the caches.
6. When the script has completed successfully, close Windows PowerShell and reboot the
Security Manager.



8.2.2 View the old log files
1. Navigate to C:\Program Files (x86)\Websense\Data Security\tomcat. The old tomcat logs,
temp and work files are saved in the directory with the date and time added to the name.
2. Navigate to
C:\Program Files (x86)\Websense\Data Security\Data-Batch-Server\service-container\container.
The old jetty logs, wbsnWork, and work files are saved in the directory with the date and time
added to the name.

You should now be able to:

• Clear DLP UI and Batch Server caches.
• View the old log files.



8.3 Troubleshooting a hanging discovery task
Scenario:

Your environment has a very large amount of data to scan through, and a Discovery Job appears
to be hanging. Troubleshoot the issue.

Tasks:

1. Locate a discovery job ID
2. Delete a discovery job

8.3.1 Locate a discovery job ID


1. In Forcepoint Security Manager, navigate to Data > Policy Management > Discovery
Policies > Network Discovery Tasks.
2. Start the Out of Place Health Data task and click OK.
3. Connect to the Supplemental Server.
4. Open File Explorer and navigate to c:\Program Files (x86)\Websense\Data
Security\DiscoveryJobs. There will be a folder for each discovery job running.

8.3.2 Delete a discovery job


1. Select a folder and open definition.xml with Notepad.
2. Copy the discovery job id.
3. Open the command prompt as Administrator.
4. Type the following:
cd %dss_home%
cd packages
cd Services
Python WorkSchedulerWebServiceClient.pyc -o deleteJob -j <discovery id>
5. Exit the command prompt window.

You should now be able to:

• Locate a discovery job ID
• Delete a discovery job



9 Managing and Troubleshooting Forcepoint One Endpoint
9.1 Excluding applications from DLP Endpoint
Scenario:

You have recently installed F1E but some of the endpoints are not blocking data in the way you
expect. You need to troubleshoot the issue.

Tasks:

• Exclude notepad.exe from DLP endpoint scanning.

9.1.1 Exclude notepad.exe from DLP scanning


1. Open the Windows test machine and open FTKW.txt.
2. Open CMD as an administrator and enter the following:
tasklist /m /fi "imagename eq notepad.exe"
3. Look for QIPCAP64.DLL and then copy the results from tasklist to FTKW.txt.
4. Connect to the Security Manager and open the FSM console.
5. Navigate to Settings > General > Endpoint > Advanced and add notepad.exe to the list of
applications. Click Save and Deploy.
6. Open the Windows test machine and right-click on the F1E icon in the system tray. Open the
Forcepoint DLP Endpoint and click Update.
7. Reboot the Windows test machine and then reconnect to it.
8. Open FTKW.txt.
9. Open CMD as an administrator and enter the following:
tasklist /m /fi "imagename eq notepad.exe"
10. Compare the new task list results to the original results.
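Steps 3 and 10 compare two tasklist /m listings by eye. As an added example (not from the lab guide), the following parses that output, reports whether QIPCAP64.DLL is loaded in notepad.exe, and diffs the before and after module lists. The two listings are constructed samples in the tasklist /m layout; the process id and the other module names are illustrative.

```python
"""Parse the output of `tasklist /m /fi "imagename eq notepad.exe"`, check
whether QIPCAP64.DLL is loaded in the process, and diff the module lists
captured before and after the exclusion was deployed."""
import re
from typing import Dict, Set, Tuple

# "<image name>  <pid> <module>, <module>, ..." with wrapped continuation lines.
PROCESS_LINE = re.compile(r"^(\S.*?)\s{2,}(\d+)\s+(.*)$")

def loaded_modules(tasklist_output: str) -> Dict[str, Set[str]]:
    """Map each image name to the set of modules tasklist lists for it."""
    modules: Dict[str, Set[str]] = {}
    current = None
    for line in tasklist_output.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=", "INFO:")):
            continue                      # header, separator, or "no tasks" notice
        if line[0].isspace() and current is not None:
            fragment = line.strip()       # continuation of the previous module list
        else:
            m = PROCESS_LINE.match(line)
            if not m:
                continue
            current, fragment = m.group(1), m.group(3)
            modules.setdefault(current, set())
        modules[current].update(p.strip() for p in fragment.split(",") if p.strip())
    return modules

def dlp_hooked(tasklist_output: str, image: str = "notepad.exe",
               module: str = "QIPCAP64.DLL") -> bool:
    """True when the named module is loaded in the image (case-insensitive)."""
    mods = loaded_modules(tasklist_output).get(image, set())
    return module.lower() in {m.lower() for m in mods}

def module_diff(before: str, after: str,
                image: str = "notepad.exe") -> Tuple[Set[str], Set[str]]:
    """(modules that disappeared, modules that appeared) for the image."""
    b = loaded_modules(before).get(image, set())
    a = loaded_modules(after).get(image, set())
    return b - a, a - b

# Constructed samples in the tasklist /m layout; pid and modules are illustrative.
BEFORE = """\
Image Name                     PID Modules
========================= ======== ============================================
notepad.exe                   5560 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
                                   msvcrt.dll, QIPCAP64.DLL, USER32.dll
"""
AFTER = """\
Image Name                     PID Modules
========================= ======== ============================================
notepad.exe                   5560 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
                                   msvcrt.dll, USER32.dll
"""

if __name__ == "__main__":
    print("hooked before:", dlp_hooked(BEFORE), "hooked after:", dlp_hooked(AFTER))
    print("removed, added:", module_diff(BEFORE, AFTER))
```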

You should now be able to:

• Exclude notepad.exe from DLP endpoint scanning.



9.2 Debugging Forcepoint One Endpoint
Scenario:

You have noticed that some policies are not being triggered on endpoint. Collect log information
to assist troubleshooting the issue.

Tasks:

1. Use F1E Diagnostics Tool
2. Use WDEutil command for various tasks.
3. Edit EndpointClassifier.log.config.
4. Investigate DebugDump.txt.

9.2.1 Using Forcepoint One Endpoint Diagnostics tool


1. Connect to the Windows test machine. Navigate to the system tray.
2. Right-click the Forcepoint One Endpoint icon. Select Open Forcepoint One Endpoint
Diagnostics.

3. Click Collect Endpoint Info button. The script progress will display.



4. Locate the ClientInfo zipped folder on the desktop.

This folder can be provided to Forcepoint Technical Support to assist them with troubleshooting
any issues.

9.2.2 Use WDEutil command for various tasks


The following steps are required to collect logs on endpoints running a version earlier than
Forcepoint One Endpoint.

1. Connect to the Windows test machine.
2. Open CMD as an administrator and enter the following:
cd c:\program files\websense\websense endpoint
wdeutil -set DisableAntiTampering=true -password Forcepoint1!
wdeutil -stop wsdlp -password Forcepoint1!



9.2.3 Edit EndpointClassifier.log.config
1. Navigate to C:\Program Files\Websense\Websense Endpoint\conf and open
EndpointClassifier.log.config with Notepad++.
2. Change the following log topics from “error” to “debug”:
PolicyLogic
TransactionMonitor
TransactionLogic
PolicyEngine
EndPointClassifier
CAREFUL! Do not change EndPointClassifierService.
3. Save EndpointClassifier.log.config, and then when prompted to open as an administrator,
click Yes and Save.
4. Create a folder named temp in C:\Program Files\Websense\Websense Endpoint.
5. Open CMD as an administrator and enter the following:
cd c:\program files\websense\websense endpoint
wdeutil -start wsdlp
6. Trigger policies that will be detected by the DLP Endpoint, for example, try to upload the
FTKW.txt document that you created to dlptest.com.
7. Open CMD as an administrator and enter the following:
wdeutil -stop wsdlp -password Forcepoint1!

9.2.4 Investigate the DebugDump.txt


1. Navigate to C:\Program Files\Websense\Websense Endpoint, open and inspect the most
recent DebugDump.txt file. Look for the policies that were just triggered.
2. Navigate to C:\Program Files\Websense\Websense Endpoint\Logs, open and investigate
the EndpointClassifier.log. Look for the policies that were just triggered. Note: You can find
the transaction ID in the folder: C:\Program Files\Websense\Websense Endpoint\temp.
3. Navigate to C:\Program Files\Websense\Websense Endpoint\conf and open
EndpointClassifier.log.config. Open the find function, select the Match Case setting, and
search for “debug”; replace it with “error”.
4. Save EndpointClassifier.log.config, and then when prompted to open as an administrator,
click Yes and Save.
5. Open CMD as an administrator and enter the following:
wdeutil -start wsdlp
wdeutil -set DisableAntiTampering=false -password Forcepoint1!



You should now be able to:

• Use Forcepoint One Endpoint Diagnostics Tool
• Use WDEutil command for various tasks
• Edit EndpointClassifier.log.config.
• Investigate DebugDump.txt.



10 Performing Disaster Recovery
10.1 Performing a DLP backup
Scenario:

You have configured your DLP environment and now need to ensure that, in the event of a
disaster, you are able to recover your DLP data and configuration without loss to business
operations.

Tasks:

1. Confirm that the backup task is configured in FSM.
2. Run the backup.
3. Confirm the backup completed successfully.

10.1.1 Confirm that the backup task is configured in FSM


1. On the Security Manager machine, navigate to the folder: C:\Forcepoint\My_Share\backup.
2. Open the folder properties for the new folder and confirm that all users have full read/write
access.
3. Sign in to the FSM and navigate to Data > Settings > General > Backup.
4. Configure the backup task:
Path: \\FP-SEC-SVR\My_Share\backup
Domain: fpcert
Username: Administrator
Password: Forcepoint1!
5. Click OK to save your changes.
6. Sign out of FSM.

10.1.2 Run the backup


1. Open Windows Task Scheduler from the taskbar.
2. Click on Task Scheduler Library and locate Websense Triton AP-Data Backup in
the list of tasks.
3. Right-click the Websense Triton AP-Data Backup task and click Run. The status of the
task will change to Running.

10.1.3 Confirm the backup completed successfully


1. Navigate to the backup folder and confirm that DSSBackup has been created.
2. Open the folder and explore the backup folder structure.



You should now be able to:

• Confirm that the backup task is configured in FSM.
• Run the backup.
• Confirm the backup completed successfully.



10.2 Performing a Forcepoint DLP Restore
Scenario:

You have your DLP backup folder and want to restore your system in the new DLP
environment.

Tasks:

1. Restore Forcepoint DLP from a backup.
2. Deploy the restored environment.

10.2.1 Restore Forcepoint DLP from a backup


1. Sign out of FSM.
2. From the Start menu, open Forcepoint Security Setup.
3. On the Modify Installation window, for Forcepoint DLP, click the Modify link. The
Forcepoint DLP Installer opens.
4. Click the Modify button.
5. The IP address should already be selected. Click Next.



6. Enter the details for the local administrator.
Username: fpcert\administrator
Password: Forcepoint1!
7. Enter the details for the SQL administrator.
Username: sa
Password: Forcepoint1!
8. Click Next.
9. On the Restore Data From Backup window, select the checkbox Load Data From
Backup.
10. Click the Browse button.
11. Navigate to C:\Forcepoint\My_Share\backup\DSSBackup\.
12. Select the most recent backup folder.
13. Click Clear Forensics since last backup, if you do not want to keep the old forensics data.
14. Click Next.
15. Click Install to start the restore. The restore will run automatically.
16. Once the installation has finished, click the Finish button.
17. Close Forcepoint Security Setup.



10.2.2 Deploy the restored environment
1. Sign in to Forcepoint Security Manager.
2. Click Deploy to deploy your changes. Your DLP environment is restored.

You should now be able to:

• Restore Forcepoint DLP from a backup.
• Deploy the restored environment.



Optional Challenge
Challenge: Configuring a traffic log timeouts report
One of the managers is concerned that some confidential documents have been sent outside
the organization and this has not been recorded as an incident in Forcepoint Security Manager.
As this uses the Document Reference policy that contains a regular expression, you think that
the Policy Engine may timeout before it has processed the transaction.

• Use the traffic log to investigate timeouts.

For further help see:
The Forcepoint DLP traffic log (administrator help).
