Viewing deployment status
After making policy configuration or settings changes, click Deploy to deploy the changes in the network.
Click the magnifying glass icon next to the Deploy button to display the Deployment Process page, which shows the status of the deployment. On this page, the Status column shows the deployment progress status, which can be:
- In progress
- Succeeded
- Failed
See Troubleshooting for tips on how to solve failed deployments.
Error Handling
If you receive the following warning message on the Data Protection Service module:
This service is not connected to Forcepoint CASB. Incident reporting and policy enforcement will be affected for cloud channels. See “Explain this page” for more information.
This means that there is a connection issue, and DLP Cloud API and Cloud Data Discovery channels will not enforce DLP policies, and the DLP Cloud Proxy channel might not report incidents to the Forcepoint Security Manager.
To resolve this issue:
Check the log file, and determine which of the two possible error scenarios is relevant, and then proceed accordingly. Note that the exact content of the log messages might change.
Option 1: Two different CASB tenant IDs cannot be associated with the same Data Protection Service (global_tenant_id)
Log mesage:
neo_tenants_status_code":526,"neo_tenants_status_message":"aborting since tenant_id (xxxxxxxxxxxx) already exists with different CASB Account ID:xxxxxxxxxxxx
This indicates that the Forcepoint Security Manager is already connected to Forcepoint CASB using one CASB tenant ID, while Data Protection Service is trying to connect to Forcepoint CASB using a second CASB tenant ID.
In this case, the Security Manager successfully deploys the configuration to Data Protection Service, however the Forcepoint CASB cloud agents are not able to enforce DLP policies.
To see the CASB tenant ID associated with the Security Manager, go to Services > Cloud Applications tab, where it is listed at the top of the Module Connection Status section, or check the log file.
To fix the problem:
- Reconnect Forcepoint Security Manager to Forcepoint CASB in the Cloud Applications tab, and check to make sure that the displayed CASB tenant ID is different than the one used before.
- Click Deploy, and then check the Deployment page to make sure that the warning message about Data Protection Service is no longer displayed, and that the deployment is marked as successful.
If after reconnecting to Forcepoint CASB the same CASB tenant ID that prompted the warning is still displayed in the Cloud Applications tab, contact Forcepoint Support to request that your Security Manager connection to Forcepoint CASB and the Data Protection Service connection to Forcepoint CASB be associated with the same CASB tenant ID.
Option 2: Two different Data Protection Service (global_tenant_id) instances cannot be associated with the same CASB tenant ID
Log mesage:
neo_tenants_status_code":526,"neo_tenants_status_message":"aborting since casbTenantId (xxxxxxxxxxxx) already exists with different tenantId:xxxxxxxxxxxx
This indicates that the CASB tenant ID is already associated with an instance of Data Protection Service (global_tenant_id), and Forcepoint Security Manager is now trying to connect it to an using a different Data Protection Service ID.
Contact Forcepoint Support to request that your Security Manager connection to Forcepoint CASB and the Data Protection Service connection to Forcepoint CASB be associated with the same CASB tenant ID.
Option 3: Other issues from Forcepoint CASB side
Errors originating on Forcepoint CASB cannot be resolved within Forcepoint DLP, and require you to contact Forcepoint Support for assistance.
As an example, the log message might includes the following message regarding absence of a required ID parameter:
casb_tenants_status_code":526,"casb_tenants_status_message":"Tenant id: xxxxxxxxxxxx has DPS but with no sfAccountId (null/undefined)"