Addendum to 15.1 System Requirements...2020/12/21 · Edge monitoring is supported starting with...

Addendum to 15.1 System Requirements

Most recent update: 21 December 2020 for the following support update:

• Support for OpenJRE 1.8.0_262. See "About upgrading the JRE to the latest version" available in the Symantec DataLoss Prevention Help for information on migrating to the latest JRE version.

All updates since 10 December 2018

The following support was added to Data Loss Prevention 15.1 since the System Requirements Guide was last updatedon 10 December 2018. The date in parentheses indicates when support was added.

IMPORTANTYou must install the latest hotfix for Symantec Data Loss Prevention to ensure that you have the platformsupport as indicated in the following tables. In some cases, platform support as indicated is enabled only whenyou apply the latest hotfix.

Third-party support

• Support for OpenJRE 1.8.0_262. See "About upgrading the JRE to the latest version" available in the Symantec DataLoss Prevention Help for information on migrating to the latest JRE version (21 December 2020)

• Added support for the following Napatech Driver packages (13 May 2020):– Windows: 11.8.1 (driver version 3.15.x)– Linux: 12.1 (driver version 3.19.x)

• Removed support for SICAP for the McAfee Web Gateway proxy. (20 March 2020)• In Table 2-6, the Disk Requirements for the Enforce Server indicated that SSD was required. SSD is only

recommended. The requirements are amended as: 1 TB storage (SSD or SAN, SSD recommended). (26 September2019)

• F5 BIG-IP proxy supported protocols do not include SICAP; ICAP is supported. (18 September 2019)

Endpoint Data Loss Prevention supported macOS operating systems

• macOS 10.15.6 with DLP Agent version 15.1 MP2 (23 July 2020)• macOS 10.15.5 with DLP Agent version 15.1 MP2 (2 June 2020)• macOS 10.15.4 on DLP Agent version 15.1 MP2 (9 April 2020)• macOS 10.15.3 on DLP Agent version 15.1 MP2 (14 February 2020)• macOS 10.15.2 on DLP Agent version 15.1 MP2 (30 December 2019)• macOS 10.15.1 on DLP Agent version 15.1 MP2 with Hotfix 15.1.0208.01002 (11 November 2019)

See the Symantec Support Center article "Configuring MDM profiles for Full Disk Access for macOS 10.15 and DLPAgent support" for additional details:https://support.symantec.com/us/en/article.tech256856.html

• macOS 10.14.6 on DLP Agent version 15.1 MP2 with Hotfix 15.1.0200.1028 (22 August 2019)• macOS 10.14.5 on DLP Agent version 15.1 MP2 (11 June 2019)• macOS 10.14.2 on DLP Agent version 15.1 MP1 (7 January 2019

Endpoint Data Loss Prevention supported Windows operating systems

• Windows 10 Version 2004 (OS build 19041.264) (29 May 2020)

2

https://support.symantec.com/us/en/article.tech256856.htmlhttps://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7.htmlhttps://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7.htmlhttps://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7.htmlhttps://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7.html

Edge monitoring is supported starting with DLP Agent version 15.1 MP2.• Windows 10 Version 1909 (November 2019 Update) on DLP Agent version 15.1 MP2 (13 January 2020)• Windows 10 Version 1903 (10 May 2019 Update) on DLP Agent version 15.1 MP2 (20 June 2019)• Windows 10 RS5:

– Ensure that you add edpa.exe, wdp.exe, and kvoop.exe to the Windows Defender exclude list.– Paste actions are not monitored in Metro apps.

Applications supported by Endpoint Prevent

• Chrome– Chrome 85 on both Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (3 September 2020)– Chrome 84 on both Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (16 July 2020)– Chrome 83 on both Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (29 May 2020)– Chrome 81 on both Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (9 April 2020)– Chrome 80 monitoring on Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (14 February 2020)– Chrome 79 monitoring on Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (30 December

2019)– Chrome 78 monitoring on Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (6 November 2019)– Chrome 77 on both macOS and Windows with Symantec Data Loss Prevention 15.1 MP2 (18 September 2019)– Chrome 76 on DLP Agent version 15.1 MP2 on both Windows and macOS (8 August 2019)– Chrome 72 for both macOS and Windows (2 February 2019). For Windows, a hot fix must be applied.

• Edge– Edge (Chromium-based) through version 85 with Symantec Data Loss Prevention 15.1 MP2 (2 September 2020)

• Firefox– Firefox 80 on both Windows and macOS (31 August 2020)– Firefox 79 on both Windows and macOS (3 August 2020)– Firefox 77 and 78 on both Windows and macOS (1 July 2020)– Firefox 75 on both Windows and macOS (9 April 2020)– Firefox 74 monitoring on macOS (17 March 2020)– Firefox 71 on both Windows and macOS with Symantec Data Loss Prevention 15.1 MP2 (9 December 2019)– Firefox 69 on both Windows and macOS (6 August 2019)– Firefox 68 on both Windows and macOS (17 July 2019)– Firefox 67 on both Windows and macOS (11 June 2019)– Firefox 66 on both macOS and Windows (3 April 2019)– Firefox 64 on both macOS and Windows (7 January 2019)

• Safari 12 monitoring with Symantec Data Loss Prevention 15.1 MP1 (8 November 2019)• Microsoft Office Outlook 2019. For macOS, support for Outlook 2019 monitoring requires DLP agent Hotfix

15.1.0106.01005, available from Symantec Support. (20 May 2019)

Operating system requirements for servers

• Support for Red Hat Enterprise Linux 7.9 (3 November 2020)• Support for Red Hat Linux 7.7 starting with Symantec Data Loss Prevention version 15.1 MP2. (17 March 2020)• Support for Red Hat Linux 7.6. Symantec Data Loss Prevention can be installed on Red Hat Linux 7.6 systems. (28

May 2019)

Oracle database support

• Oracle 19c Enterprise

3

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/information-security/data-loss-prevention/15-7/Related-Documents.htmlhttps://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/information-security/data-loss-prevention/15-7/Related-Documents.html

Symantec™ Data Loss Prevention System Requirements and Compatibility Guide

Version 15.1

Last updated: 10 December 2018

Symantec Data Loss Prevention SystemRequirements and Compatibility Guide

Documentation version: 15.1

Legal NoticeCopyright © 2018 Symantec Corporation. All rights reserved.

Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and theShield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attributionto the third party (“Third Party Programs”). Some of the Third Party Programs are available under opensource or free software licenses. The License Agreement accompanying the Software does not alter anyrights or obligations you may have under those open source or free software licenses. Please see theThird Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantecproduct for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,and decompilation/reverse engineering. No part of this document may be reproduced in any form by anymeans without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AREDISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLYINVALID. SYMANTECCORPORATIONSHALLNOTBELIABLEFOR INCIDENTALORCONSEQUENTIALDAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THISDOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TOCHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as definedin FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial ComputerSoftware - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software andCommercial Computer Software Documentation," as applicable, and any successor regulations, whetherdelivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software and Documentation by the U.S. Governmentshall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

http://www.symantec.com

Chapter 1 About this guide .................................................................... 6About updates to Symantec Data Loss Prevention system

requirements ........................................................................... 6About deprecated platforms ............................................................. 8

Chapter 2 System requirements and recommendations ................ 9Deployment planning considerations .................................................. 9

The effect of scale on system requirements ................................. 10Minimum system requirements for Symantec Data Loss Prevention

servers ................................................................................. 12Single-tier installation minimum hardware requirements ................. 12Very small installation minimum hardware requirements ................. 13Small installation minimum hardware requirements ....................... 14Medium installation minimum hardware requirements .................... 16Large enterprise minimum hardware requirements ........................ 17Operating system requirements for servers ................................. 19

Operating system requirements for OCR Servers ................................ 23Endpoint computer requirements for the Symantec DLP Agent .............. 23

Operating system requirements for endpoint systems .................... 24Memory and disk space requirements for the Symantec DLP

Agent ............................................................................ 29Supported languages for detection ................................................... 29Available language packs ............................................................... 31Oracle database requirements ........................................................ 32Browser requirements for accessing the Enforce Server administration

console ................................................................................ 34Deploying Data Loss Prevention on public cloud infrastructures ............. 34

Deploying Symantec Data Loss Prevention on Amazon WebServices infrastructure ...................................................... 35

Deploying Symantec Data Loss Prevention on MicrosoftAzure ............................................................................ 35

Deploying Symantec Data Loss Prevention on Oracle Cloud ........... 36Virtual server support .................................................................... 36Virtual desktop and virtual application support with Endpoint

Prevent ................................................................................ 37

Contents

Supported operating systems for the Remote EDM and IDMIndexers ............................................................................... 39

Third-party software requirements and recommendations ..................... 40

Chapter 3 Product compatibility ......................................................... 44Environment compatibility and requirements for Network Prevent for

Email ................................................................................... 44Proxy server compatibility with Network Prevent for Web ...................... 45SSL monitoring with Network Monitor ............................................... 46Secure ICAP support for Network Prevent for Web using the stunnel

service ................................................................................. 46High-speed packet capture cards .................................................... 47Veritas Data Insight compatibility with Symantec Data Loss

Prevention ............................................................................ 48Integrations with other Symantec products ......................................... 48Network Discover/Cloud Storage Discover compatibility ....................... 51

Supported Box cloud storage targets .......................................... 51Supported file system targets ................................................... 51Supported IBM (Lotus) Notes targets ......................................... 52Supported SQL database targets .............................................. 52Supported SharePoint server targets .......................................... 52Supported Exchange Server targets ........................................... 53Supported file system scanner targets ........................................ 53Supported Documentum (scanner) targets .................................. 54Supported OpenText (Livelink) scanner targets ............................ 54Supported web server (scanner) targets ..................................... 54

Endpoint Prevent supported applications ........................................... 54

5Contents

About this guide

This chapter includes the following topics:

■ About updates to Symantec Data Loss Prevention system requirements

■ About deprecated platforms

About updates to Symantec Data Loss Preventionsystem requirements

System requirements as described in this guide are occasionally updated as new informationbecomes available. You can find the latest version of the Symantec Data Loss PreventionSystem Requirements and Compatibility Guide at the following link to the Symantec SupportCenter article.

http://www.symantec.com/docs/DOC10602

Subscribe to the article at the Support Center to be notified when there are updates.

The following table provides the history of updates to this version of the Symantec Data LossPrevention System Requirements and Compatibility Guide.

Table 1-1 Change history for the Symantec Data Loss Prevention System Requirementsand Compatibility Guide

DescriptionDate

Added Windows and macOS Endpoint monitoring support for Chrome 71.Added DLP Agent support for Windows 10 version 1809. Added DLP Agentsupport for VMware Horizon 7.6.

10 December 2018

Added DLP Agent support on macOS 10.14.1. AddedWindows and macOSEndpoint monitoring support for Chrome 70.

30 November 2018

Added DLP Agent support on Microsoft Windows 10 Version 1607 LTSB.20 November 2018

1Chapter


Table 1-1 Change history for the Symantec Data Loss Prevention System Requirementsand Compatibility Guide (continued)

DescriptionDate

Added Red Hat Enterprise Linux 6.10 support for Symantec Data LossPrevention servers.

Corrected Red Had Enterprise Linux support statement for Symantec DataLoss Prevention on AWS.

14 November 2018

Removed the Oracle 11g end of support date; Oracle changed the ExtendedSupport for 11g to December 2020.

Stated that Oracle 11g is supported through Symantec Data Loss Preventionversion 15.1.

8 November 2018

Added Windows and macOS Endpoint monitoring support for Firefox 63.

Added support for Veritas Data Insight 6.1.3.

2 November 2018

Corrected endpoint support for Windows Server 2008 R2 with SymantecData Loss Prevention 15.1.

Added support for macOS 10.14.

Updated support for Fortinet with ICAP, HTTP, HTTPS.

Added information about deprecation of stunnel for secure ICAP in version15.1.

Updated Azure section to delete note that incorrectly indicates that 3-tierdeployments are not supported.

8 October 2018

Added support for Firefox 61 and 62 as an application supported by EndpointPrevent on both macOS and Windows.

Added version 5.7.1 driver support for Endace DAG 7.5G2/G4 and DAG10X2 high-speed packet capture cards.

11 September 2018

Clarified support for Citrix XenDesktop 7.18 to only includeWindows 10 RS4(version 1803) (64-bit).

10 September 2018

Added support for Google Chrome 69 as an application supported byEndpoint Prevent on both macOS and Windows.

Added support for Oracle version 18c (12.2.x) as a target supported byNetwork Discover/Cloud Storage Discover.

Added support for Citrix XenApp 7.18 and Citrix XenDesktop 7.18.

7 September 2018

Corrected Java requirements for scanning AIX 7.1 targets.4 September 2018

7About this guideAbout updates to Symantec Data Loss Prevention system requirements

Table 1-1 Change history for the Symantec Data Loss Prevention System Requirementsand Compatibility Guide (continued)

DescriptionDate

Added support for macOS 10.13.6 with Symantec Data Loss Prevention 15.0MP1 with Hotfix_15.0.0107.01001.

30 August 2018

Added support for Red Hat Enterprise Linux 7.5 for on-premises SymantecData Loss Prevention servers and the Oracle database.

Added support for Citrix XenDesktop 7.15 Long Term Service Release(LTSR), Update 2 on Windows 10 RS4 (version 1803) (64-bit).

27 August 2018

Added supported operating systems for the Remote EDM and IDM Indexers.21 August 2018

Added compatibility with Veritas Data Insight 6.1.2 for Symantec Data LossPrevention 15.1.

7 August 2018

Resolved issues of incompletely published content in the PDF file.6 August 2018

Added Endpoint Prevent support for Google Chrome version 68.31 July 2018

Added support for macOS 10.13.5 with Symantec Data Loss Prevention 15.0MP1 hot fix 15.0.0107.01001.

Added support for macOS 10.13.5 and 10.13.6 with Symantec Data LossPrevention 15.1.

Added known issues for Firefox version 57 and later running on macOSendpoints.

Clarified support for Oracle 12c Enterprise to include Release 1 (12.1.0.2).

23 July 2018

About deprecated platformsCertain platforms are indicated as “deprecated.” That indicates that while the deprecatedplatform is supported in the current release, Symantec plans to remove support in an upcomingrelease. If your Symantec Data Loss Prevention environment includes a deprecated platform,you should plan on updating the platform to a later supported version or a different supportedplatform as soon as possible.

8About this guideAbout deprecated platforms

System requirements andrecommendations


■ Deployment planning considerations

■ Minimum system requirements for Symantec Data Loss Prevention servers

■ Operating system requirements for OCR Servers

■ Endpoint computer requirements for the Symantec DLP Agent

■ Supported languages for detection

■ Available language packs

■ Oracle database requirements

■ Browser requirements for accessing the Enforce Server administration console

■ Deploying Data Loss Prevention on public cloud infrastructures

■ Virtual server support

■ Virtual desktop and virtual application support with Endpoint Prevent

■ Supported operating systems for the Remote EDM and IDM Indexers

■ Third-party software requirements and recommendations

Deployment planning considerationsInstallation planning and system requirements for Symantec Data Loss Prevention dependon:

2Chapter

■ The type and amount of information you want to protect

■ The amount of network traffic you want to monitor

■ The size of your organization

■ The type of Symantec Data Loss Prevention detection servers you choose to install

These factors affect both:

■ The type of installation tier you choose to deploy (three-tier, two-tier, or single-tier)

■ The system requirements for your Symantec Data Loss Prevention installation

See “The effect of scale on system requirements” on page 10.

The effect of scale on system requirementsSome system requirements vary depending on the size of the Symantec Data Loss Preventionsoftware deployment. Determine the size of your organization and the corresponding SymantecData Loss Prevention deployment using the information in this section.

The key considerations in determining the deployment size are as follows:

■ Number of Enforce Server users

■ Number of detection servers

■ Daily incident volume

■ Amount of network traffic to monitor

■ Size of Exact Data Match profile (EDM) or Indexed Data Match profile (IDM)

■ Size of your Form Recognition profile

The following table outlines five sample deployments based on enterprise size. Review thesesample deployments to understand which best matches your organization’s environment.

Table 2-1 Types of enterprise deployments

LargeMediumSmallVery small(minimumsupportedsystem)

Single tierVariable

3020105N/ANumber ofEnforceServer users

100+50105N/ANumber ofdetectionservers

10System requirements and recommendationsDeployment planning considerations

Table 2-1 Types of enterprise deployments (continued)

LargeMediumSmallVery small(minimumsupportedsystem)

Single tierVariable

100,00050,00010,0005000N/ADaily incidentvolume

>40 Mbps30-40 Mbps30-40 Mbps30-40 Mbps30-40 MbpsVolume ofnetwork trafficto monitor

See theSymantecData LossPreventionAdministrationGuide forinformation aboutEDM and IDMsizing forenterprisedeployments.

See the SymantecData LossPreventionAdministrationGuide forinformation aboutEDM and IDMsizing forenterprisedeployments.

See theSymantecData LossPreventionAdministrationGuide forinformation aboutEDM and IDMsizing forenterprisedeployments.

See the SymantecData LossPreventionAdministrationGuide forinformation aboutEDM and IDMsizing for enterprisedeployments.

EDM 4 million cellsor IDM 250 MB(1400 files). See theSymantec DataLoss PreventionAdministrationGuide forinformation aboutEDM and IDMsizing for enterprisedeployments.

EDM/IDMsize

See articleTECH235074 atthe SymantecSupport Center forinformation aboutForm Recognitionsizing.



See articleTECH235074 at theSymantec SupportCenter forinformation aboutForm Recognitionsizing.

See articleTECH235074 at theSymantec SupportCenter forinformation aboutForm Recognitionsizing.

FormRecognitionprofile size

See “Largeenterpriseminimumhardwarerequirements”on page 17.

See “Mediuminstallationminimumhardwarerequirements”on page 16.

See “Smallinstallationminimumhardwarerequirements”on page 14.

See “Very smallinstallationminimum hardwarerequirements”on page 13.

See “Single-tierinstallationminimumhardwarerequirements”on page 12.

Hardwarerequirements

For additional related information see also Symantec Data Loss Prevention Network Monitorand Prevent Performance Sizing Guidelines, available at the Symantec Support Center athttp://www.symantec.com/docs/DOC8253.

11System requirements and recommendationsDeployment planning considerations

http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/DOC8253

Minimum system requirements for Symantec DataLoss Prevention servers

All Symantec Data Loss Prevention servers must meet or exceed the minimum hardwarespecifications and run on one of the supported operating systems.

■ See “Single-tier installation minimum hardware requirements” on page 12.

■ See “Very small installation minimum hardware requirements” on page 13.

■ See “Small installation minimum hardware requirements” on page 14.

■ See “Medium installation minimum hardware requirements” on page 16.

■ See “Large enterprise minimum hardware requirements” on page 17.

■ See “Operating system requirements for servers” on page 19.

Note: Requirements for Symantec Data Loss Prevention Virtual Appliances are the same asfor the software server counterparts, except for virtual environment support. See “Virtual serversupport” on page 36.

If the Oracle database for Symantec Data Loss Prevention is installed on a dedicated computer(a three-tier deployment), that system must meet its own set of system requirements.

See “Oracle database requirements” on page 32.

Single-tier installation minimum hardware requirementsThe following table provides the system requirements for branch office or small organizationsingle-tier deployments.

Because single-tier deployments include the Enforce Server, the Oracle database, and thedetection server all on the same computer, the processing and memory requirements arehigher than they might be on dedicated servers in a two- or three-tier deployment.

Table 2-2 Single-tier installation minimum hardware requirements

Single Server InstallationRequired for

Eight-core CPUProcessor

64 GB RAMMemory

3 TB, RAID 5 configuration (with a minimum of fivespindles)

Disk

12System requirements and recommendationsMinimum system requirements for Symantec Data Loss Prevention servers

Table 2-2 Single-tier installation minimum hardware requirements (continued)

Single Server InstallationRequired for

1 copper or fiber 1 Gb Ethernet NIC (if you are usingNetwork Monitor you will need a minimum of twoNICs)

NICs

Very small installation minimum hardware requirementsThe following table provides the system requirements for the smallest supported installationof Symantec Data Loss Prevention. This is a two-tier installation, in which the Enforce Serverand Oracle database are both hosted on the same computer.

Table 2-3 Very small installation minimum hardware requirements

Network Discover/CloudStorage Discover,Network Prevent, CloudPrevent for Email, orEndpoint Prevent

Network MonitorEnforce ServerRequired for

Four-core CPUFour-core CPUTwo-core CPUProcessor

6–8GBRAM (EDM/IDMandForm Recognition profilesize can increase memoryrequirements. See theSymantec Data LossPrevention AdministrationGuide for information aboutEDM and IDM sizing. Seearticle TECH235074 at theSymantec Support Centerfor information about FormRecognition sizing.)

6–8GBRAM (EDM/IDMandForm Recognition profilesize can increase memoryrequirements. See theSymantec Data LossPrevention AdministrationGuide for information aboutEDM and IDM sizing. Seearticle TECH235074 at theSymantec Support Centerfor information about FormRecognition sizing.)

8 GB RAMMemory


http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/TECH235074

Table 2-3 Very small installation minimum hardware requirements (continued)

Network Discover/CloudStorage Discover,Network Prevent, CloudPrevent for Email, orEndpoint Prevent

Network MonitorEnforce ServerRequired for

140 GB

For Network Discover/CloudStorage Discoverdeployments, approximately150 MB of disk space isrequired to maintainincremental scan indexes.This is based on anoverhead of 5 MB perincremental scan target and50 bytes per item in thetarget.

140 GB500 GB hard drive storage.


Disk

1 copper or fiber 1 Gb/100Mb Ethernet NIC tocommunicate with theEnforce Server.

1 copper or fiber 1 Gb/100Mb Ethernet NIC tocommunicate with theEnforce Server.

One copper or fiber 1Gb/100 Mb Ethernet NIC tocommunicate with detectionservers.

NICs

Small installation minimum hardware requirementsThe following table provides the system requirements for a small installation of Symantec DataLoss Prevention. This is a three-tier installation, in which the Enforce Server and Oracledatabase are hosted on separate computers.

Table 2-4 Small installation minimum hardware requirements

NetworkDiscover/CloudStorage Discover,Network Prevent,Cloud Prevent forEmail, or EndpointPrevent

Network MonitorOracle databaseEnforce ServerRequired for

Four-core CPUFour-core CPUTwo-core CPUTwo-core CPUProcessor


Table 2-4 Small installation minimum hardware requirements (continued)



6–8 GB RAM(EDM/IDM and FormRecognition profilesize can increasememoryrequirements. Seethe Symantec DataLoss PreventionAdministration Guidefor information aboutEDMand IDM sizing.See articleTECH235074 at theSymantec SupportCenter forinformation aboutForm Recognitionsizing.)

6–8 GB RAM(EDM/IDMand FormRecognition profilesize can increasememoryrequirements. Seethe Symantec DataLoss PreventionAdministrationGuidefor information aboutEDMand IDM sizing.See articleTECH235074 at theSymantec SupportCenter forinformation aboutForm Recognitionsizing.)

8 GB RAM8 GB RAMMemory

140 GB

For NetworkDiscover/CloudStorage Discoverdeployments,approximately 150MB of disk space isrequired to maintainincremental scanindexes. This isbased on anoverhead of 5 MBper incremental scantarget and 50 bytesper item in thetarget.

140 GB500 GB - 1 TB

See “Oracle databaserequirements” on page 32.

500 GB hard drivestorage.

For NetworkDiscover/CloudStorage Discoverdeployments,approximately 150MB of disk space isrequired to maintainincremental scanindexes. This isbased on anoverhead of 5 MBper incremental scantarget and 50 bytesper item in thetarget.

Disk



Table 2-4 Small installation minimum hardware requirements (continued)



1 copper or fiber 1Gb/100 Mb EthernetNIC to communicatewith the EnforceServer.

1 copper or fiber 1Gb/100 Mb EthernetNIC to communicatewith the EnforceServer.

N/AOne copper or fiber1 Gb/100 MbEthernet NIC tocommunicate withdetection servers.

NICs

Medium installation minimum hardware requirementsThe following table provides the system requirements for medium installations of SymantecData Loss Prevention. This is a three-tier installation, with the Enforce Server and Oracledatabase hosted on separate computers.

Table 2-5 Medium installation minimum hardware requirements

Network Discover/CloudStorage Discover, NetworkPrevent, Cloud Prevent forEmail, or Endpoint Prevent

Network MonitorOracledatabase

Enforce ServerRequiredfor

Four-core CPUFour-core CPUFour-coreCPU

Two-core CPUProcessor

6–8 GB RAM (EDM/IDM andForm Recognition profile size canincrease memory requirements.See the Symantec Data LossPrevention Administration Guidefor information about EDM andIDM sizing. See articleTECH235074 at the SymantecSupport Center for informationabout Form Recognition sizing.)

6–8GBRAM (EDM/IDMand Form Recognitionprofile size can increasememory requirements.See the Symantec DataLoss PreventionAdministration Guide forinformation about EDMand IDM sizing. Seearticle TECH235074 atthe Symantec SupportCenter for informationabout Form Recognitionsizing.)

16 GB RAM12 GB RAM

(EDM/IDM and FormRecognition profile size canincrease memoryrequirements. See articleTECH235074 at theSymantec Support Centerfor information about FormRecognition sizing.)

Memory


http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/TECH235074http://www.symantec.com/docs/TECH235074

Table 2-5 Medium installation minimum hardware requirements (continued)

Network Discover/CloudStorage Discover, NetworkPrevent, Cloud Prevent forEmail, or Endpoint Prevent


Enforce ServerRequiredfor

140 GB

For Network Discover/CloudStorage Discover deployments,approximately 150 MB of diskspace is required to maintainincremental scan indexes. This isbased on an overhead of 5 MBper incremental scan target and50 bytes per item in the target.

140 GB500 GB - 1 TB

See “Oracledatabaserequirements”on page 32.

500 GB hybrid storage.


Disk

1 copper or fiber 1 Gb/100 MbEthernet NIC to communicate withthe Enforce Server.

1 copper or fiber 1Gb/100 Mb EthernetNIC to communicatewith the Enforce Server.

N/A1 copper or fiber 1 Gb/100Mb Ethernet NIC tocommunicate with detectionservers.

NICs



Large enterprise minimum hardware requirementsThe following table provides the system requirements for large installations of Symantec DataLoss Prevention. This is a three-tier installation, with the Enforce Server and Oracle databasehosted on separate computers.

Table 2-6 Large enterprise minimum system requirements

Network Discover/CloudStorageDiscover, NetworkPrevent, Cloud Prevent forEmail, or Endpoint Prevent


Enforce ServerRequiredFor

Eight-core CPUEight-core CPUSix-core CPUFour-core CPUProcessor


Table 2-6 Large enterprise minimum system requirements (continued)




8–16 GBRAM (EDM/IDM andForm Recognition profile sizecan increase memoryrequirements. See theSymantec Data LossPrevention AdministrationGuide for information aboutEDM and IDM sizing.

See article TECH235074 atthe Symantec Support Centerfor information about FormRecognition sizing.

8–16 GB RAM(EDM/IDM and FormRecognition profile sizecan increase memoryrequirements. See theSymantec Data LossPreventionAdministration Guide forinformation about EDMand IDM sizing.

See article TECH235074at the Symantec SupportCenter for informationabout Form Recognitionsizing.

32 GB RAM16 GB RAM

(EDM/IDM and FormRecognition profile size canincrease memoryrequirements. See theSymantec Data LossPrevention AdministrationGuide for information aboutEDM and IDM sizing.

See article TECH235074 atthe Symantec SupportCenter for informationabout Form Recognitionsizing.

Memory

140 GB

For Network Discover/CloudStorage Discoverdeployments, approximately 1GB of disk space is requiredto maintain incremental scanindexes. This is based on anoverhead of 5 MB perincremental scan target and50 bytes per item in the target.

140 GB500 GB - 1 TB

See “Oracledatabaserequirements”on page 32.

1 TB SSD storage.

For NetworkDiscover/Cloud StorageDiscover deployments,approximately 1 GB of diskspace is required tomaintain incremental scanindexes. This is based onan overhead of 5 MB perincremental scan target and50 bytes per item in thetarget.

DiskRequirements

To communicate with theEnforce Server:

1 copper or fiber 1 Gb/100 MbEthernet NIC

To communicate with theEnforce Server:

1 copper or fiber 1Gb/100 Mb Ethernet

For network trafficmonitoring (pick one):

1 copper or fiber 1Gb/100 Mb EthernetNIC.

N/ATo communicate withdetection servers:

1 copper or fiber 1 Gb/100Mb Ethernet NIC

NICs



Table 2-6 Large enterprise minimum system requirements (continued)




N/ASee “High-speed packetcapture cards”on page 47.

N/AN/AHigh-speedpacketcapture cards



Operating system requirements for serversSymantec Data Loss Prevention servers can be installed on a supported Linux or Windowsoperating system. Different operating systems can be used for different servers in aheterogeneous environment.

Note: If you are using Windows Server 2012 R2, you must install two patches. See “Installingpatches for Windows Server 2012 R2” on page 21.

Symantec Data Loss Prevention supports the following 64-bit operating systems for EnforceServer and detection server computers:

■ Microsoft Windows Server 2008 R2 SP1, Enterprise Edition

■ Microsoft Windows Server 2008 R2 SP1, Standard Edition

■ Microsoft Windows Server 2012 R2, Datacenter Edition with patch. See “Installing patchesfor Windows Server 2012 R2” on page 21.

■ Microsoft Windows Server 2012 R2, Standard Edition with patch. See “Installing patchesfor Windows Server 2012 R2” on page 21.

■ Microsoft Windows Server 2016, Standard Edition

■ Microsoft Windows Server 2016, Datacenter Edition

■ Red Hat Enterprise Linux 6.8, 6.9, and 6.10

■ Red Hat Enterprise Linux 7.1 through 7.5

■ Oracle Linux 7.3 and 7.4

Symantec Data Loss Prevention supports the 64-bit operating system for detection servercomputers on Microsoft Windows Server 2016, Core.


Operating system requirements for Single Server deploymentsSymantec Data Loss Prevention supports the following 64-bit operating systems for SingleServer deployments:

■ Microsoft Windows Server 2008 R2 SP1, Enterprise Edition

■ Microsoft Windows Server 2008 R2 SP1, Standard Edition



■ Microsoft Windows Server 2016, Standard Edition

■ Microsoft Windows Server 2016, Datacenter Edition

■ Red Hat Enterprise Linux 6.8, 6.9, and 6.10

■ Red Hat Enterprise Linux 7.1 through 7.5

■ Oracle Linux 7.3 and 7.4

English language and localized versions of both Linux and Windows operating systems aresupported.

See “Supported languages for detection” on page 29.

See also the Symantec Data Loss Prevention Administration Guide for detailed informationabout supported languages and character sets. You can find the Symantec Data LossPrevention Administration Guide at the Symantec Support Center here:http://www.symantec.com/docs/DOC9261.

Operating system requirements for the domain controller agentThe domain controller agent enables you to resolve user names from IPv4 addresses in HTTP/Sand FTP incidents. See the Symantec Data Loss Prevention Installation Guide for domaincontroller agent installation details.

Symantec Data Loss Prevention supports the following operating systems for the domaincontroller agent:

■ Microsoft Windows Server 2008 R2, Enterprise Edition (64-bit)

■ Microsoft Windows Server 2008 R2, Standard Edition (64-bit)

■ Microsoft Windows Server 2008 R2 SP1, Enterprise Edition (64-bit)

■ Microsoft Windows Server 2008 R2 SP1, Standard Edition (64-bit)

■ Microsoft Windows Server 2012, Datacenter Edition (64-bit)

■ Microsoft Windows Server 2012, Standard Edition (64-bit)





Installing patches for Windows Server 2012 R2If you use Windows Server 2012 R2, you must install two Microsoft patches, KB2919355 andKB2919442.

To find out if patch KB2919355 is installed:1. Go toWindows System and Security.

2. Click View install updates in theWindows upgrade section.

3. Confirm that patch 2919355 is installed.

If patch2919355 is not installed go to step1 and complete the followingsteps. If it is installed, go to step 2:1. Go to

https://support.microsoft.com/en-us/kb/2919355

and install KB2919355.

2. Go to

https://support.microsoft.com/en-us/kb/2919442

and install KB2919442.

Linux partition guidelinesMinimum free space requirements for Linux partitions vary according to the specific details ofyour Symantec Data Loss Prevention installation. The table below provides general guidelinesthat should be adapted to your installation as circumstances warrant. Symantec recommendsusing separate partitions for the different file systems, as indicated in the table. If you combinemultiple file systems onto fewer partitions, or onto a single root partition, make sure the partitionhas enough free space to hold the combined sizes of the file systems listed in the table.

Note: Partition size guidelines for detection servers are similar to those for Enforce Serverwithout an Oracle database.

See Table 2-8 on page 22.


https://support.microsoft.com/en-us/kb/2919355https://support.microsoft.com/en-us/kb/2919442

Table 2-7 Linux partition minimum size guidelines—Enforce Server with Oracle database

Description and commentsMinimum free spacePartition

Store the Oracle installation tools, Oracleinstallation ZIP files, and Oracle critical patchupdate (CPU) files in /home.

6 GB/home

The Oracle installer and installation tools requirespace in this directory.

1.2 GB/tmp

Contains installed programs such as SymantecData Loss Prevention, the Oracle server, andthe Oracle database. The Oracle databaserequires significant space in this directory. Forimproved performance, you may want to mountthis partition on different disks/SAN/RAID fromwhere the root partition is mounted.

500 GB for Small/Medium installations

1 TB for Large installations

/opt

Contains logs, EDM/IDM indexes, FormRecognition indexes, incremental scan indexes,and network packet capture directories.

Note: The /var/spool/pcap and/var/SymantecDLP/drop_pcap directoriesmust reside on the same partition or mountpoint.


46 GB for Large installations

/var

This must be in its own ext2 or ext3 partition,not part of soft RAID (hardware RAID issupported).

100 MB/boot

If you need to have the memory dump in caseof system crash (for debugging), you may wantto increase these amounts.

Equal to RAMswap

Table 2-8 Linux partition minimum size guidelines—Enforce Server without a database,or detection server

Description and commentsMinimum size guidelinesPartition

Contains installed programs such as SymantecData Loss Prevention and the Oracle client.

10 GB/opt


Table 2-8 Linux partition minimum size guidelines—Enforce Server without a database,or detection server (continued)

Description and commentsMinimum size guidelinesPartition

Contains logs, EDM/IDM indexes, FormRecognition indexes, incremental scan indexes,and network packet capture directories.

Note: The /var/spool/pcap and/var/Symantec/DataLossPrevention/drop_pcapdirectories must reside on the same partition ormount point.


46 GB for Large installations

/var

This must be in its own ext2 or ext3 partition,not part of soft RAID (hardware RAID issupported).

100 MB/boot

If you need to have the memory dump in caseof system crash (for debugging), you may wantto increase these amounts.

Equal to RAMswap

Operating system requirements for OCR ServersSymantec supports deployment of OCR Servers on theWindows operating system. The sameWindows servers supported for installation of the Enforce Server are supported for installationof OCR Servers.

See “Operating system requirements for servers” on page 19.

For more information onOCRServer system requirements and sizing guidelines, see "SymantecData Loss Prevention OCR Server System Requirements and OCR Server Sizing Estimator"at http://www.symantec.com/docs/doc10612.

Endpoint computer requirements for the SymantecDLP Agent

If you install Endpoint Prevent, the endpoint computers on which you install the Symantec DLPAgent must meet the requirements that are described in the following sections.

■ See “Operating system requirements for endpoint systems” on page 24.

■ See “Memory and disk space requirements for the Symantec DLP Agent” on page 29.

23System requirements and recommendationsOperating system requirements for OCR Servers

http://www.symantec.com/docs/doc10612

Operating system requirements for endpoint systemsEndpoint Data Loss Prevention can operate on Endpoint systems that use the followingoperating systems:

Table 2-9 Endpoint Data Loss Prevention supported Windows operating systems

DLP version15.1

DLP version15.0

DLP version14.6

DLP version14.5

DLP version14.0

VersionOperatingsystem

NoNoYesNoYes2003 SP2R2

WindowsServer

YesYesYesYesYes2008 R2WindowsServerEnterpriseor Standard(64-bit)

YesYesYesYesYes2012 R2

YesYesYes (on DLPAgentversions 14.6MP1 andMP2)

NoNoNo servicepack

MicrosoftWindowsServer 2016Standard orDatacenterEdition(64-bit)

NoNoYesYesYesNo servicepack

Windows 7Enterprise,Professional,Ultimate(32-bit)

YesYesYesYesYesSP1

NoNoYesYesYesNo servicepack

Windows 7Enterprise,Professional,Ultimate(64-bit)

YesYesYesYesYesSP1

NoNoNoNoNoUnpatchedWindows 8EnterprisePCoperatingsystem(32-bit)

24System requirements and recommendationsEndpoint computer requirements for the Symantec DLP Agent

Table 2-9 Endpoint Data Loss Prevention supported Windows operating systems(continued)

DLP version15.1

DLP version15.0

DLP version14.6

DLP version14.5

DLP version14.0


NoNoYesYesYesUnpatchedWindows 8EnterprisePCoperatingsystem(64-bit)

YesYesYesYesYesUnpatchedWindows8.1Enterprise,Pro PCoperatingsystem(64-bit)

YesYesYesYesYesUpdate 1




Table 2-9 Endpoint Data Loss Prevention supported Windows operating systems(continued)

DLP version15.1

DLP version15.0

DLP version14.6

DLP version14.5

DLP version14.0


YesYesYesYes (14.0.1)UnpatchedWindows10Enterprise,Pro PCoperatingsystem(64-bit)

DeprecatedYesYesYesVersion1511(NovemberUpdate)

DeprecatedYesYesYesNoVersion1607(AnniversaryUpdate)

YesYesYes (on DLPAgent version14.6 MP1 andMP2)

NoNoCreatorsUpdate(version1703)

YesYesYes (on DLPAgent version14.6 MP1 andMP2)

NoNoVersion1709 (FallCreatorsUpdate)

YesYes (on DLPAgent version15.0 MP1)

NoNoNoVersion1803 (April2018Update)[build#17134.48]

Yes(onDLPAgentversion15.1MP1)

NoNoNoNoVersion 1607LTSB

Yes (on DLPAgent version15.1 MP1)

NoNoNoNoVersion1809

For additional details about Windows 10 Creators Update support, refer to the articleTECH240808 at the Symantec Support Center.


http://www.symantec.com/docs/TECH240808

Table 2-10 Endpoint Data Loss Prevention supported macOS operating systems

DLP version 15.1DLP version 15.0DLPversion14.6DLP version14.5

DLP version14.0

Operatingsystem

NoNoNoNoYesApple macOS10.8 (64-bit)

NoNoYesYesYesApple macOS10.9 (64-bit)

NoDeprecatedYesYesYesApple macOS10.10 (64-bit)

Yes■ Through 10.11.5■ 10.11.6 on on

15.0 MP1 withHotfix_15.0.0101

■ Through10.11.5

■ 10.11.6 on14.6 MP2 withHotfix_14.6.0205

YesNoApple macOS10.11 (64-bit)

Yes■ Through 10.12.5■ 10.12.6 on 15.0

MP1 withHotfix_15.0.0101

■ Through10.12.5 onDLP Agentversion 14.6MP1

■ 10.12.6 on14.6 MP2 withHotfix_14.6.0205

Yes (on DLPAgent version14.5 MP1)

NoApple macOS10.12 (64-bit)


Table 2-10 Endpoint Data Loss Prevention supported macOS operating systems (continued)

DLP version 15.1DLP version 15.0DLPversion14.6DLP version14.5

DLP version14.0

Operatingsystem

Yes (through10.13.6)

■ 10.13.1 on DLPAgent version15.0

■ 10.13.2 on version15.0 MP1 withHotfix_15.0.0101



■ 10.13.5 on version15.0 MP1 withHotfix_15.0.0107.01001

■ 10.13.6 on version15.0 MP1 withHotfix_15.0.0107.01001

See additional detailsfollowing this table.

■ 10.13.1 onDLP Agentversion 14.6MP2

■ 10.13.2 on14.6 MP2 withHotfix_14.6.0205

■ 10.13.3 on14.6 MP2 withHotfix_14.6.020510.13.4 on14.6 MP2 withHotfix_14.6.0205

See additionaldetails followingthis table.

NoNoApple macOS10.13 (64-bit)

10.14.1 on version15.1 MP1

See additionaldetails following thistable.

NoNoNoNoApple macOS10.14 (64-bit)

Additional details about macOS support are available in the following Symantec Support Centerarticles:

■ Known issues using macOS 10.13 with DLP Agent versions 14.6 MP2 and 15.0

■ DLP Agents deployed with MDM profiles on macOS 10.13.2 not loading

■ Monitoring macOS applications where SIP is enabled

■ Use Application File Access to monitor Safari on macOS 10.12.4 and later

■ Known issues upgrading from macOS 10.13.6 to macOS 10.14 with DLP Agent versions15.1

Symantec DLP Agents can also be installed on supported localized versions of theseWindowsand macOS operating systems.


http://www.symantec.com/docs/TECH247906http://www.symantec.com/docs/TECH250016http://www.symantec.com/docs/TECH235226http://www.symantec.com/docs/TECH240510http://www.symantec.com/docs/TECH251779http://www.symantec.com/docs/TECH251779

See “Supported languages for detection” on page 29.

See also the Symantec Data Loss Prevention Administration Guide for detailed informationabout supported languages and character sets.

Memory and disk space requirements for the Symantec DLP AgentThe Symantec DLP Agent software reserves a minimum of 25 MB to 30 MB of memory on theEndpoint computer, depending on the actual version of the software. The DLP Agent softwaretemporarily consumes additional memory while it detects content or communicates with theEndpoint Prevent server. After these tasks are complete, the memory usage returns to theprevious minimum.

The initial Symantec DLP Agent installation consumes approximately 70 MB to 80 MB of harddisk space. The actual minimum amount depends on the size and number of policies that youdeploy to the endpoint computer. Additional disk space is then required to temporarily storeincident data on the endpoint computer until the Symantec DLP Agent sends that data to theEndpoint Prevent server. If the endpoint computer cannot connect to the Endpoint Preventserver for an extended period of time, the Symantec DLP Agent will continue to consumeadditional disk space as new incidents are created. The disk space is freed only after the agentsoftware reconnects to the Endpoint Prevent server and transfers the stored incidents.

Supported languages for detectionSymantec Data Loss Prevention supports a large number of languages for detection. Policiescan be defined that accurately detect and report on the violations that are found in content inthese languages.

Table 2-11 Languages supported by Symantec Data Loss Prevention

Version 15.1Version 15.0Version 14.6Version 14.xLanguage

YesYesYesYesArabic

YesYesYesYesBrazilian Portuguese

YesYesYesYesChinese (traditional)

YesYesYesYesChinese (simplified)

YesYesYesYesCzech

YesYesYesYesDanish

YesYesYesYesDutch

YesYesYesYesEnglish

29System requirements and recommendationsSupported languages for detection

Table 2-11 Languages supported by Symantec Data Loss Prevention (continued)

Version 15.1Version 15.0Version 14.6Version 14.xLanguage

YesYesYesYesFinnish

YesYesYesYesFrench

YesYesYesYesGerman

YesYesYesYesGreek

YesYesYesYesHebrew

YesYesYesYesHungarian

YesYesYesYesItalian

YesYesYesYesJapanese

YesYesYesYesKorean

YesYesYesYesNorwegian

YesYesYesYesPolish

YesYesYesYesPortuguese

YesYesYesYesRomanian

YesYesYesYesRussian

YesYesYesYesSpanish

YesYesYesYesSwedish

Yes*Yes*Yes*Yes*Turkish

*Symantec Data Loss Prevention cannot be installed on a Windows operating system that islocalized for the Turkish language, and you cannot choose Turkish as an alternate locale.

For additional information about specific languages, see the Symantec Data Loss PreventionRelease Notes.

A number of capabilities are not implied by this support:

■ Technical support provided in a non-English language. Because Symantec Data LossPrevention supports a particular language does not imply that technical support is deliveredin that language.

■ Localized administrative user interface (UI) and documentation. Support for a languagedoes not imply that the UI or product documentation has been localized into that language.

30System requirements and recommendationsSupported languages for detection

However, even without a localized UI, user-defined portions of the UI such as pop-upnotification messages on the endpoint can still be localized into any language by enteringthe appropriate text in the UI.

■ Localized content. Keywords are used in a number of areas of the product, including policytemplates and data identifiers. Support for a language does not imply that these keywordshave been translated into that language. Users may, however, add keywords in the newlanguage through the Enforce Server administration console.

■ New file types, protocols, applications, or encodings. Support for a language does not implysupport for any new file types, protocols, applications, or encodings that may be prevalentin that language or region other than what is already supported in the product.

■ Language-specific normalization. An example of normalization is to treat accented andunaccented versions of a character as the same. The product already performs a numberof normalizations, including standard Unicode normalization that should cover the vastmajority of cases. However, it does not mean that all potential normalizations are included.

■ Region-specific normalization and validation. An example of this is the awareness that theproduct has of the format of North American phone numbers, which allows it to treat differentversions of a number as the same, and to identify invalid numbers in EDM source files.Support for a language does not imply this kind of functionality for that language or region.

Items in these excluded categories are tracked as individual product enhancements on alanguage- or region-specific basis. Contact Symantec Technical Support for additionalinformation on language-related enhancements or plans for the languages not listed.

Available language packsYou can install any of the available language packs for your Symantec Data Loss Preventiondeployment. Language packs provide a limited set of non-English languages for the EnforceServer administration console user interface and online Help. Note that these language packsare only needed to provide a translated user interface and online Help; they are not neededfor data detection. Language packs also contain translated versions of selected SymantecData Loss Prevention documentation.

As they become available, language packs for Symantec Data Loss Prevention are distributedalong with the software products they support. You can also download and add a languagepack to an installation. Language packs do not require any additional purchase or license.Consult the Symantec Data Loss Prevention Administration Guide for details on how to addand enable a language pack. Language packs are distributed in theSymantec_DLP_15.1_Lang_Pack-ML.zip file on the Symantec FileConnect website. Whenyou extract the contents of the ZIP file, the individual language pack files have names in theform:

Symantec_DLP_15.1_Lang_Pack_.zip

31System requirements and recommendationsAvailable language packs

Table 2-12 lists available language packs.

Table 2-12 Language packs and corresponding locale codes

Locale codeLanguage

PT_BRBrazilian Portuguese

ZH_CNChinese (Simplified)

ZH_TWChinese (Traditional)

FR_FRFrench

DE_DEGerman

IT_ITItalian

JA_JPJapanese

KO_KRKorean

ES_MXMexican Spanish

RU_RURussian

Note: Not all language packs are available when a product is first released.

Oracle database requirementsSymantec Data Loss Prevention supports the following Oracle databases:

■ Oracle 11g (11.2.0.4)

Note:Symantec Data Loss Prevention version 15.1 is the last version that supports Oracle11g. Symantec recommends that you plan to upgrade to Oracle Database 12c StandardEdition 2 to ensure that the database is compatible with the next Symantec Data LossPrevention version. Before you upgrade your system and install Oracle 12c SE2, you mustensure that your environment is ready for update. For environment requirements, see theSymantec Support Center article "Support for Oracle 12c SE2 with Symantec Data LossPrevention 15, and steps for upgrading" at http://www.symantec.com/docs/TECH247450.

■ Oracle 12c Enterprise Release 1 (12.1.0.2) and Release 2 (12.2.0.1)Oracle 12.1.0.2 and 12.2.0.1 are tested with the Symantec Data Loss Prevention schema.You must obtain software and support from Oracle. For implementation details, see the

32System requirements and recommendationsOracle database requirements


Symantec Data Loss Prevention Oracle 12c Enterprise Implementation Guide, availablehere:http://www.symantec.com/docs/DOC9260

■ Oracle 12c Standard Edition 2 Release 2 (12c SE2 R2) (12.2.0.1)Symantec provides Oracle 12.2.0.1 with Symantec Data Loss Prevention.See the Symantec Data Loss Prevention Oracle 12c Standard Edition 2 Release 2Installation and Upgrade Guide to install Oracle, available here:http://www.symantec.com/docs/DOC10713

Symantec supports the Standard Edition 2 of the Oracle Database, but the Symantec DataLoss Prevention database schema is supported on all editions of Oracle.

Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 characterset. If your database is configured for a different character set, the installer notifies you andcancels the installation.

You can install Oracle on a dedicated server (a three-tier deployment) or on the same computeras the Enforce Server (a two-tier or single-tier deployment):

■ Three-tier deployment.System requirements for a dedicated Oracle server are listed below. Note that dedicatedOracle server deployments also require that you install the Oracle 12c Client on the EnforceServer computer to communicate with the remote Oracle 12c SE2 instance.

■ Single- and two-tier deployments.When installed on the Enforce Server computer, the Oracle system requirements are thesame as those of the Enforce Server.See “Single-tier installation minimum hardware requirements” on page 12.See “Very small installation minimum hardware requirements” on page 13.

If you install Oracle on a dedicated server, that computer must meet the following minimumsystem requirements for Symantec Data Loss Prevention:

■ One of the following operating systems:

■ Microsoft Windows Server 2008 R2 Standard or Enterprise (64-bit)

■ Microsoft Windows Server 2008 R2 SP1 Standard or Enterprise (64-bit)

■ Microsoft Windows Server 2012 R2 Standard, Enterprise, or Datacenter (64-bit)

■ Microsoft Windows Server 2016 Standard or Datacenter (64-bit)

■ Red Hat Enterprise Linux 6.9 (64-bit)

■ Red Hat Enterprise Linux 7.1 through 7.5 (64-bit)

■ Oracle Linux 7.3

■ 8-32 GB of RAM

33System requirements and recommendationsOracle database requirements

http://www.symantec.com/docs/DOC9260http://www.symantec.com/docs/DOC10713

■ 8-16 GB of swap space (equal to RAM up to 16 GB)

■ 500 GB – 1 TB of disk space for the Enforce database

On a Linux system, if the Oracle database is on the same computer as the Enforce Server,then the /opt file system must have at least 500 GB of free space for small or mediuminstallations. 1 TB of free space is required for large installations. If Oracle is installed on adifferent computer from the Enforce Server, then the /opt file system must have at least 10GB of free space, and the /boot file system must have at least 100 MB of free space.

The exact amount of disk space that is required for the Enforce Server database depends onvariables such as:

■ The number of policies you plan to initially deploy

■ The number of policies you plan to add over time

■ The number and size of attachments you want to store (if you decide to store attachmentswith related incidents)

■ The length of time you intend to store incidents

See the Symantec Data Loss Prevention Administration Guide for more information aboutdeveloping policies.

See the Symantec Data Loss Prevention Oracle Installation and Upgrade Guide for moreOracle installation information.

Browser requirements for accessing the EnforceServer administration console

You can access the Enforce Server administration console using any of the following browsers:

■ Microsoft Internet Explorer 10 or 11

■ Mozilla Firefox 54 through 59, and Firefox Enterprise (ESR) 50 through 52.

You must be using Adobe Flash Player, minimally version 27, to view the Folder Risk Reportfor Network Discover/Cloud Storage Discover (Incidents > Discover > Folder Risk Report).

Deploying Data Loss Prevention on public cloudinfrastructures

Symantec supports deployment of Data Loss Prevention servers on Amazon Web Services(AWS), Microsoft Azure, and Oracle Cloud public clouds.

34System requirements and recommendationsBrowser requirements for accessing the Enforce Server administration console

Deploying Symantec Data Loss Prevention on AmazonWeb Servicesinfrastructure

Table 2-13 lists the servers and operating systems that are supported for deployment of DataLoss Prevention on AWS.

Table 2-13 Deploying Symantec Data Loss Prevention 12.5 - 15.1 on AWS

Operating systemsData Loss Prevention servers

Microsoft Windows Server 2012 R2 with patch

Microsoft Windows Server 2016

Red Hat Enterprise Linux 6.8, 6.9, and 6.10

Red Hat Enterprise Linux 7.1 through 7.5

Note: The RHEL 6.x and 7.x AWSAMI distributionsrequire an additional package. See the referencebelow.

Enforce Server with Oracle database on the samecomputer (two-tier deployments)

Cloud Prevent for Email

Network Prevent for Web

Network Prevent for Email

Endpoint Prevent

Network Discover/Cloud Storage Discover

For more information, see Deploying the Symantec Data Loss Prevention on Amazon WebServices (AWS) Infrastructure at http://www.symantec.com/docs/DOC9520.

Note: Three-tier Data Loss Prevention deployments are not supported on AWS.

Deploying Symantec Data Loss Prevention on Microsoft AzureTable 2-14 lists the servers and operating systems that are supported for deployment of DataLoss Prevention on Microsoft Azure.

Table 2-14 Deploying Symantec Data Loss Prevention on Microsoft Azure

Operating systemsData Loss Prevention servers

Windows Server 2012 R2 with patch

Windows Server 2016

Red Hat Enterprise Linux 6.8 and 6.9

Red Hat Enterprise Linux 7.2 and, 7.4

Enforce Server with Oracle database

Cloud Prevent for Email

Network Prevent for Web


Endpoint Prevent

Network Discover/Cloud Storage Discover

Symantec supports the use of the Azure load balancer to balance the endpoint clientconnections to the Endpoint Server.

35System requirements and recommendationsDeploying Data Loss Prevention on public cloud infrastructures


Deploying Symantec Data Loss Prevention on Oracle CloudSymantec Data Loss Prevention is supported in the following environments:

■ Oracle Cloud IaaS

■ Oracle Bare Metal Cloud with managed Virtual Machine (VM) instances

Table 2-15 lists the servers and operating systems that are supported for deployment of DataLoss Prevention on Oracle Cloud Infrastructure as a Service.

Table 2-15 Deploying Symantec Data Loss Prevention on Oracle Cloud Infrastructure as aService

Operating systems and configurationData Loss Prevention servers

Oracle Linux 7.3 with RHCK kernelEnforce Server with Oracle database on the samecomputer (two-tier deployments)


Endpoint Prevent

Network Discover

Note: Three-tier Data Loss Prevention deployments are not supported on Oracle.

Virtual server supportSymantec supports running Symantec Data Loss Prevention servers on VMware ESXi 6.xand Windows Hyper-V virtualization products, provided that the virtualization environment isrunning a supported operating system.

Note: Symantec Data Loss Prevention Virtual Appliances are supported in a virtualizationenvironment on VMware ESXi 5.5.0 Update 2 and VMware ESXi 6.5.

See “Operating system requirements for servers” on page 19.

At a minimum, ensure that each virtual server environment matches the system requirementsfor servers described in this document.

See “Minimum system requirements for Symantec Data Loss Prevention servers” on page 12.

Consider the following support information when configuring a virtual server environment:

■ Endpoint Prevent servers are supported only for configurations that do not exceed therecommended number of connected agents.

36System requirements and recommendationsVirtual server support

■ Symantec does not support running the Oracle database server on VMware ESXi 5.x,VMware ESXi 5.x, and VMware ESX 6.x virtual hardware. If you deploy the Enforce Serverto a virtual machine, you must install the Oracle database using physical server hardware.

■ Symantec supports running the Enforce Server and Oracle database server in a WindowsHyper-V environment.

■ Symantec does not support Single Server installations on virtual machines.

A variety of factors influence virtual machine performance, including the number of CPUs, theamount of dedicated RAM, and the resource reservations for CPU cycles and RAM. Thevirtualization overhead and guest operating system overhead can lead to a performancedegradation in throughput for large datasets compared to a system running on physicalhardware. Use your own test results as a basis for sizing deployments to virtual machines.

See the Symantec Data Loss Prevention Network Monitor and Prevent Performance SizingGuidelines, available at the Symantec Support Center athttp://www.symantec.com/docs/DOC8253, for additional information about running NetworkPrevent servers on virtual machines.

Virtual desktop and virtual application support withEndpoint Prevent

You can deploy the DLP Agent on Citrix and VMware virtual machines to monitor virtualdesktops and prevent remote users from copying sensitive data that is accessible through avirtual desktop.

Citrix virtualization supportThe DLP agent is supported to run on the following Citrix XenDesktop virtual workstations andCitrix XenApp server configurations:

■ Citrix XenApp

■ Citrix XenApp 6.5 on Windows Server 2008 Enterprise Edition R2 (64-bit)

■ Citrix XenApp 7.6 onWindows Server 2008 Enterprise Edition R2 (64-bit) andWindowsServer 2012 R2 Standard Edition




37System requirements and recommendationsVirtual desktop and virtual application support with Endpoint Prevent




■ Citrix XenApp 7.15 on Windows Server 2016 Standard Edition

■ Citrix XenApp 7.15 Long Term Service Release (LTSR), Update 2 on Windows Server2016 Standard Edition




Note: Files saved from Microsoft Office (using Save As) to client drives hosted on CitrixXenApp 7.13 through 7.18 are not monitored. However, if you are running Citrix XenApp7.13 or later with version 7.12 Virtual Delivery Agent (VDA), files saved to client drives(using Save As) are monitored. You can find steps on enabling monitoring for thesesave operations at the following Symantec Support Center article:


■ Citrix XenDesktop

■ Citrix XenDesktop 7.6 on Windows 7 SP1 (32-bit or 64-bit)

■ Citrix XenDesktop 7.9 on Windows 7 SP1 (32-bit or 64-bit), Windows 8.0, 8.1, andWindows 10 (64-bit)

■ Citrix XenDesktop 7.12 on Windows 7 SP1 (32-bit or 64-bit) and Windows 10 (64-bit)



■ Citrix XenDesktop 7.15 on Windows 7 SP1 (64-bit) and Windows 10 RS2 (64-bit)

■ Citrix XenDesktop 7.15 Long Term Service Release (LTSR), Update 2 on Windows 7SP1 (64-bit) and Windows 10 RS4 (version 1803) (64-bit)

■ Citrix XenDesktop 7.16 on Windows 10 RS2 (64-bit)

■ Citrix XenDesktop 7.17 on Windows 10 RS3 (version 1703) (64-bit)

■ Citrix XenDesktop 7.18 on Windows 10 RS4 (version 1803) (64-bit)

38System requirements and recommendationsVirtual desktop and virtual application support with Endpoint Prevent


Note: Files saved from Microsoft Office (using Save As) to client drives hosted on CitrixXenDesktop 7.13 through 7.18 are not monitored. However, if you are running CitrixXenDesktop 7.13 or later with version 7.12 Virtual Delivery Agent (VDA), files saved toclient drives (using Save As) are monitored. You can find steps on enabling monitoringfor these save operations at the following Symantec Support Center article:


VMware virtualization supportSymantec supports running the Symantec DLP Agent software on virtual workstations usingone of the following:

■ VMware Workstation 6.5.x

Note: VMware Workstation 6.5.x is deprecated in Symantec Data Loss Prevention 15.0.

■ VMware View 4.6

■ VMware Horizon View 6.0.1 and 6.2.1

■ VMware Horizon View 7.1, 7.3.1, 7.4, and 7.6.

■ VMware Fusion 7 (macOS)

■ Hyper-V and Hyper-V (WS 2012 R2)

Supported operating systems for the Remote EDMand IDM Indexers

You can install the Remote EDM Indexer and the Remote IDM Indexer on the followingWindowsoperating systems:

■ Windows 7 (32-bit) Enterprise, Professional, Ultimate editions

■ Windows 7 (32-bit) (SP1) Enterprise, Professional, Ultimate editions

■ Windows 7 (64-bit) Enterprise, Professional, Ultimate editions

■ Windows 7 (64-bit) (SP1) Enterprise, Professional, Ultimate editions

■ Windows 8.1 (64-bit) Enterprise, Professional

■ Windows 8.1 Update 1 (64-bit) Enterprise, Professional



39System requirements and recommendationsSupported operating systems for the Remote EDM and IDM Indexers


■ Windows 10 Update [1511] (64-bit] Enterprise, Professional

■ Windows 10 Red Stone Update [1607 - RS1] (64-bit] Enterprise, Professional

■ Microsoft Windows 10 Creators Update (RS2 v1703)



Third-party software requirements andrecommendations

Symantec Data Loss Prevention requires certain third-party software. Other third-party softwareis recommended. See:

■ Table 2-16 for required software

■ Table 2-17 for required Linux RPMs

■ Table 2-18 for recommended software

Table 2-16 Required third-party software

DescriptionRequired forSoftware

Adobe Reader is required for readingthe Symantec Data Loss Preventiondocumentation.

Download from Adobe.

All systemsAdobe Reader

Required to support the reportingsystem.

The correct version of Tomcat isautomatically installed on the EnforceServer by the Symantec DLP InstallationWizard and does not need to beobtained or installed separately.

Enforce ServerApache Tomcat version 8

The Symantec DLP Installation Wizardautomatically installs the correct JREversion.

All serversJava Runtime Environment (JRE)1.8.0_181

Required SDK for Folder Risk Reporting.Network Discover/Cloud StorageDiscover Server

Flex SDK 4.6

40System requirements and recommendationsThird-party software requirements and recommendations

http://www.adobe.com

Table 2-16 Required third-party software (continued)

DescriptionRequired forSoftware

Provides high-speed monitoring.

Symantec supports

■ Multiple capture ports per NapatechNetwork capture card

■ NT40A01 Napatech NetworkAccelerator

■ NT40E3 and NT20E2 10 gigabitinterfaces

■ Multi-threaded packet capture■ Napatech hardware filtering■ Napatech third-generation card

drivers for Windows and RHELplatforms

■ Virtualized Data Loss PreventionNetwork Monitor with capture cardsas PCI pass-through devices in theVMware ESXi platform

Napatech cards are not supported onSingle Server installations.

Napatech NT20E2, NT4E, NT40A01,and NT40E3 high-speed packet capturecard

Napatech driver package 8.0.3(driver version 3.5.1) (WindowsServer 2012 R2 and WindowsServer 2016) and driver package8.1.0 (driver version 3.5.0) (RHEL6x/7x)

Windows packet capture library.

Download from winpcap.org.

Required for Windows-based NetworkMonitor Server. WinPcap 4.1.3 isrequired for Microsoft Windows Server2012.

Recommended for all Windows-baseddetection servers.

WinPcap 4.1.3

Endace cards are not supported onSingle Server installations.

Download from Endace.

See “Medium installation minimumhardware requirements” on page 16.

Detection servers equipped with anEndace network measurement card.

Endace card driver 5.3.1

Virtualization software.

Download from VMware.

Required to run supported componentsin a virtualized environment.

See “Virtual server support” on page 36.

VMware

Provides directory services for Windowsdomain networks.

Required versions for connecting toActive Directory.

Microsoft Active Directory 2003,2008 R2, 2012, 2012 R2, or 2016


http://www.winpcap.org/install/default.htmhttp://www.endace.comhttps://www.vmware.com/download/vi

In addition to the Linux Minimal Installation, Linux-based Symantec Data Loss Preventionservers require the Red Hat Package Managers (RPM) listed in Table 2-17.

Table 2-17 Required Linux RPMs

Required RPMsLinux-based servers

aprapr-utilbinutilscompat-libstdc++-33expatlibicuXorg-x11*

*Required only for graphical installation.Console-mode installation does not require an Xserver.

Enforce Server

Oracle server

aprapr-utilcompat-libstdc++-33expatlibicuXorg-X11*

*Required only for graphical installation.Console-mode installation does not require an Xserver.

Network Monitor Server

Red Hat Enterprise Linux version 6 has these additional dependencies:

■ compat-openldap

■ compat-expat1

■ compat-db43

■ openssl098e

Red Hat Enterprise Linux version 7 has these additional 64-bit only package dependencies:

■ compat-openldap-1:2.3.43-5.el7

■ compat-db47-4.7.25-28.e17

■ libpng12

■ compat-libtiff3

Note: SeLinux must be disabled on all Linux-based servers.


Symantec recommends the third-party software listed in Table 2-18 for help with configuringand troubleshooting your Symantec Data Loss Prevention deployment.

Table 2-18 Recommended third-party software

DescriptionLocationSoftware

Use Wireshark (formerly Ethereal) to verify thatthe detection server NIC receives the correct trafficfrom the SPAN port or tap. You can also useWireshark to diagnose network problems betweenother servers.

Download the latest version from Wireshark.

Any server computerWireshark

Use in combination with Wireshark to verify thatthe detection server Endace NIC receives thecorrect traffic from the SPAN port or tap. Dagsnapis included with Endace cards, and is not requiredwith non-Endace cards.

Network Monitor Server computers thatuse Endace cards

dagsnap

Troubleshooting utilities. Recommended fordiagnosing problems on Windows servercomputers.

Download the latest version from Microsoft.

Any Windows server computerSysinternals Suite

An LDAP browser is recommended for configuringor troubleshooting Active Directory or LDAP.

Enforce ServerLDAP browser


http://www.wireshark.orghttp://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Product compatibility


■ Environment compatibility and requirements for Network Prevent for Email

■ Proxy server compatibility with Network Prevent for Web

■ SSL monitoring with Network Monitor

■ Secure ICAP support for Network Prevent for Web using the stunnel service

■ High-speed packet capture cards

■ Veritas Data Insight compatibility with Symantec Data Loss Prevention

■ Integrations with other Symantec products

■ Network Discover/Cloud Storage Discover compatibility

■ Endpoint Prevent supported applications

Environment compatibility and requirements forNetwork Prevent for Email

The Network Prevent for Email Server is compatible with a wide range of enterprise-gradethird-party SMTP-compliant MTAs and hosted email services. Consult your MTA vendor orhosted email service for specific support questions.

Network Prevent for Email Server can integrate with an MTA or hosted email service thatmeets the following requirements:

■ The MTA or hosted email service must be capable of strict SMTP compliance. It must beable to send and receive mail using only the following command verbs: HELO (or EHLO),RCPT TO, MAIL FROM, QUIT, NOOP, and DATA.

3Chapter

■ When running the Network Prevent for Email Server in reflecting mode, the upstream MTAmust be able to route messages to the Network Prevent for Email Server only once foreach message.

You can use an SMTP-compliant MTA that routes outbound messages from your internal mailinfrastructure to the Network Prevent for Email Server. For reflecting mode compatibility, theMTA must also be able to route messages that are returned from the Network Prevent forEmail Server out to their intended recipients.

Network Prevent for Email Server attempts to initiate a TLS connection with a downstreamMTA only when the upstream MTA issues the STARTTLS command. The TLS connectionsucceeds only if the downstream MTA or hosted email service supports TLS. It must alsoauthenticate itself to the Network Prevent for Email Server. Successful authentication requiresthat the appropriate keys and X509 certificates are available for each mail server in the proxiedmessage chain.

See the Symantec Data Loss Prevention MTA Integration Guide for Network Prevent for Emailfor information about configuring TLS support for Network Prevent for Email servers operatingin forwarding mode or reflecting mode.

Proxy server compatibility with Network Prevent forWeb

Network Prevent for Web Servers use a standard Internet Content Adaptation Protocol (ICAP)interface and support many proxy servers. Table 3-1 indicates the servers and the protocols.

Symantec Data Loss Prevention also supports secure ICAP (SICAP).You can set up secureICAP with Blue Coat ProxySG through the Enforce Server administration console. You canset up other proxies with secure ICAP using stunnel. Use of stunnel for secure ICAP isdeprecated in Symantec Data Loss Prevention version 15.1 and will be removed in a subsequentrelease. See “Secure ICAP support for Network Prevent for Web using the stunnel service”on page 46.

Table 3-1 Network Prevent for Web supported proxy servers

Configuration informationSupported protocolsProxy

Blue Coat product documentationICAP, SICAP, HTTP, HTTPS,or FTP proxy

Blue Coat ProxySG versions 6.6.x and6.7 for Network Prevent for Web

Cisco IronPort product documentation

9.1.x and 10.5.x support Secure ICAP

10.1.x does not support SICAP

ICAP, HTTP, HTTPSCisco IronPort S-Series versions 9.1.x,10.1.x, and 10.5.x

45Product compatibilityProxy server compatibility with Network Prevent for Web

Table 3-1 Network Prevent for Web supported proxy servers (continued)

Configuration informationSupported protocolsProxy

See the "Using the F5 Proxy with SymantecData Loss Prevention Network Prevent forWeb" at the Symantec Support Center at


for information on integrating the F5 BIG-IPSystem with Network Prevent for Web as anICAP client-server solution.

SICAP, HTTP, HTTPSF5 BIG-IP System version 12.0.x,version 13.1.0.8.

FortiGate-VM product documentationICAP, HTTP, HTTPSFortinet FortiGate-VM 5.6.x4206150

Secure Web documentation (particularly thechapter that describes setting up Secure Webwith a DLP Solution)

ICAP, SICAP, HTTP, HTTPS,or FTP proxy

McAfee Web Gateway (formerlySecure Computing Secure WebWebwasher) version 7.7.x

See the Symantec Data Loss PreventionIntegration Guide for Squid Web Proxy

ICAP, HTTP, HTTPSSquid Web Proxy versions 3.5.x

See the Symantec Web GatewayImplementation Guide

ICAP, HTTP, HTTPSSymantecWebGateway version 5.2.x

Does not support redaction.

Only supports "Block HTTP/HTTPS".

RESPMOD is not supported.

Websense blocks the traffic only when the sizeof the Symantec Data Loss Prevention rejectionmessage (in the response rule) is larger than512 bytes. If the rejection message is less than512 bytes, an incident is generated but thenetwork traffic is not blocked.

ICAP, HTTP, HTTPS, FTPWebsense Appliance V5000 andV10000, withWebsenseWeb Securityversion 8.4

SSL monitoring with Network MonitorSymantec has certified Network Monitor to monitor Blue Coat SSL Visibility Appliance.

For details, see the article TECH231642 at the Symantec Support Center.

Secure ICAP support for Network Prevent for Webusing the stunnel service

Support for stunnel is deprecated in version 15.1 and will be removed in a subsequent release.

46Product compatibilitySSL monitoring with Network Monitor


Beginning with Symantec Data Loss Prevention 15.1, you can reconfigure your system to useintegrated Secure ICAP for Network Prevent for Web instead of stunnel. See the SymantecData Loss Prevention Administration Guide or online Help for configuration details.

High-speed packet capture cardsThis topic describes the high-speed packed capture cards that are supported for NetworkMonitor.

Table 3-2 Supported high-speed packet capture cards

Driver versionVersionCard

5.7.1DAG 7.5 G2/G4 (PC

Addendum to 15.1 System Requirements...2020/12/21 · Edge monitoring is supported starting with...

Documents

Transcript of Addendum to 15.1 System Requirements...2020/12/21 · Edge monitoring is supported starting with...