Policy Guide › Troubleshooting User Policies › Triggers Are Not Firing As Expected

Triggers Are Not Firing As Expected

Symptom:

A user policy seems to be malfunctioning and triggers are not firing as expected. For example, emails that should be blocked are allowed to continue, or emails that are benign are inexplicably causing triggers to fire.

Solution 1: Identify which policy is being applied

Identify whose user policy is being applied. Is CA DLP applying the correct policy?

You can identify which policy is being applied in the Information pane of the iConsole Search results screen. If policy is not firing at all and there are no events that you can check in the iConsole, you must artificially generate an event. Send a test email with test triggers configured accordingly in the top level 'Users' policy and in the ExternalSender and UnknownInternalSender policies.

If the wrong user policy is being applied, this is almost always because the email addresses for the user's CA DLP account are not up to date or an internal address is being misinterpreted as an external address. Ask the following questions:

• Do you expect events to be captured on a client machine by a CA DLP endpoint agent?

  If yes, CA DLP always applies the policy for the user currently logged onto Windows. Is the user using the correct logon account?

  If yes, does this logon account have a corresponding account in the CA DLP user hierarchy? If no, are your CA DLP user accounts fully synchronized with the external source used by your organization?

  Important! It is essential that user email addresses on the CMS remain synchronized with, for example, Active Directory!.

  If the endpoint agent is applying the correct user policy but there are still problems, check the policy version (solution 2).

• Do you expect events to be captured by an email server agent?

  If yes, is the email sender a recognized internal user? If CA DLP interprets their address as external, it applies the ExternalSender policy.

  If CA DLP recognizes the sender's address as internal but is unable to find a corresponding account in the CA DLP user hierarchy, it applies the UnknownInternalSender policy.

  In either case, if you know that the sender is internal, you may need to;

  • Check the sender's CA DLP user account. Are the email addresses for this user correct and up to date? You can check a CA DLP user's address aliases in the Administration console. Right-click a user and choose Properties, Addresses.
  • Check how internal addresses are specified for your CA DLP deployment. For example, an internal email address may be inadvertently interpreted as an external address. For details, see Internal and External Email Addresses.
  • Check that the sender has a corresponding account in the CA DLP user hierarchy.

  If the server agent is applying the correct user policy but there are still problems, check the policy version (solution 2).

  Note: For details about how CA DLP identifies event owners, see Whose Policy Gets Applied?

Solution 2: Confirm that the latest policy version being used

If the correct user policy is being applied but there is still a problem, it is possible that the wrong version of that policy is being applied. This can happen if the latest policy changes have not yet been sent down to the endpoint agent on a user's workstation.

You can check this in the Administration console by comparing the policy version number assigned by the CMS with the version reported by the client machine. For details, see Policy Version Numbers.

If the wrong policy version is being applied, choose Tools, Replicate Changes from the menu bar of the Administration console. This causes the latest policies to be replicated down to child machines.

If the policy version is correct but there are still problems, you need to check the policy settings (solution 3).

Solution 3: Check for common errors in the user policy

If the correct version of the correct user policy is being applied but there is still a problem, you now need to check the policy settings. The following settings are often set up incorrectly:

Address Lists: Included, Excluded, Ignored

Are these address lists correct? Do they contain all the required addresses?

Do the specified addresses correspond to the addresses assigned to your CA DLP users and the internal address patterns defined for your organization?

Also, remember that:

• Included items are 'forbidden'. If a trigger uses an Included list, any single item in the list can cause the trigger to fire.
• Excluded items are 'allowed'. If a trigger uses an Excluded list, any item in the list will prevent the trigger from firing. For example, outgoing emails will always cause a trigger to fire unless at least one recipient is on the Excluded list.
• Ignored items are simply ignored by the trigger. They are exempted from normal trigger operations. If detected, they cannot cause the trigger to fire.

  Important! If a trigger detects an Ignored address, it does not immediately ignore the email! Instead, it simply disregards that address while it compares the email against the other trigger criteria (for example, it continues to evaluate any data lookup commands).

File Lists: Included, Excluded

Are these file lists correct? Are you using wildcards correctly? Note also the correct usage for Included and Excluded lists (see above).

Search Text Lists: Included, Excluded

Are your Search Text settings configured correctly? The syntax for search text expression can be complex. You can test whether your triggers are looking for the correct text by sending a test email. Note also the correct usage for Included and Excluded lists (see above).

Data Lookup Commands

Are your Data Lookup commands using the correct syntax?

Check that any specified email addresses correspond to addresses assigned to your CA DLP users and the internal address patterns defined for your organization.

In particular, if your lookup commands test the attributes of email recipients, make sure that the email addresses and account attributes for the recipients are correctly configured on the CMS.

Important! Be aware that data lookup commands are only evaluated after any Included or Excluded list filters have been applied. For example, if a trigger detects that the sender of an email is on the Excluded list, it allows the email to continue and does not perform any further processing. Specifically, it does not evaluate any data lookup commands. This optimization is designed to minimize processing delays.

Control Action

Are the policy triggers invoking the correct control action?

Is the control action using the correct intervention option?

Solution 4: Contact CA Technologies Technical Support

If you have confirmed that the correct is being applied but are unable to identify any obvious errors in the policy itself, contact CA Technical Support. You will normally be asked to supply various diagnostic files, such as:

• XML exports of the relevant policy files. In the User Policy Editor, choose File, Export Policy XML
• WgnCheck dump files
• Log files such as the CA DLP infrastructure log file, wgninfra.out
• EVF exports of problematic events