KB Article | Forcepoint Support

Problem Description

Why can there be discrepancies between the trigger counts reported by DLP Endpoints and secondary DLP components (Protector/Email Security Gateway/Web Content Gateway) when using rules with Database Fingerprinting classifiers?


Every Forcepoint DLP component has its own Fingerprinting Database composed of structured and unstructured fingerprints. DLP servers and appliances, such as the Protector, ESG, and WCG, have an exact copy of the structured Fingerprinting DB that is synced with the Management Server's repository. These copies may grow in size to several gigabytes of data and beyond to match the amount of data being fingerprinted.

This consideration is different with the machines that the DLP Endpoint is installed on in order to consider the impact on the client machines. Instead, a special version of the structured Fingerprinting DB, called a FPNE (Fast Proof of Non Existence), is used. This prioritizes the prevention of data loss over the precise reporting of trigger counts, while also reducing false negatives. In some cases, this leads to discrepancies between the trigger counts reported by secondary components and the Endpoints for the same data. The Endpoint is still very effective at preventing data loss, but may identify fewer matches than the appliances due to the optimization of its Fingerprinting DB structure. False positives are a heightened possibility as well.

 Points to consider when database fingerprinting classifiers are used:
  1. Endpoints may show fewer matches in incident reports than appliances due to the fingerprinting technology optimization, but are still extremely efficient in preventing data loss.
  2. When the precise match count is imperative, a second layer of protection can be used over the Network channel in addition to the Endpoints.
  3. For best results with minimal discrepancies, see Database Fingerprinting - Best Practices.

Keywords: DLP Endpoint; Database Fingerprinting; FPNE; DLP Data Security Endpoint; DLP False Positive Incident; DLP Policy Issue; Incorrect Detection

Article Feedback

Thank you for the feedback and comments.