Data Loss Prevention

  • 1.  Blocking Http/https policy

    Posted Sep 11, 2017 12:52 PM

    Hi All,

    I am trying to block data with DLP using WSA as ICAP. The communication between WSA and the Enforce server works according to the tests inside the WSA, but when we try a test with data that is not allowed to go outside, the system does not block it. The scenario is the following: there is one Enforce server and Monitoring server as single tier. This server has Windows 2012 and allocates the Oracle database too. The licenses that exist are for prevent email and web. The policies under email work with SMG and work fine. The WSA is model WSA-S190-K9. I attached some screenshots of the policy for blocking http and the ICAP.

    The test is sending an email using a Gmail mailbox, attaching a file in Excel format.

    Hope you help me,

     

    Carlos Espinoza



  • 2.  RE: Blocking Http/https policy

    Trusted Advisor
    Posted Sep 11, 2017 07:36 PM

    Carlos,

    What is the setting for the Web Prevent server on the minimum number of bytes it will inspect?

    You should change this to under 512 bytes, then make sure to send a larger amount of data.

    Also, an easy test site is this one:

    http://www.mattshell.net/rsa-dlp.htm

     

    Keep in mind that Gmail is sometimes difficult to test, because of the way it sends the data in bursts.

     

    Good Luck,

    Ronak

    Please mark as solved when possible



  • 3.  RE: Blocking Http/https policy

    Posted Sep 12, 2017 04:38 PM

    Thank you Ronak,

     

    But my tests continue without being blocked by the servers. I tested the page that you indicated and the page was never blocked.

    Well, I think that WSA doesn't pass data to the Enforce server.

    Regards,

    Carlos



  • 4.  RE: Blocking Http/https policy

    Trusted Advisor
    Posted Sep 12, 2017 08:49 PM

    Carlos,

    Have you unchecked the box for Trial Mode on the Web Prevent server?

    Make sure it is NOT checked.

    Good Luck,

    Ronak

    Please mark as solved when possible



  • 5.  RE: Blocking Http/https policy

    Posted Sep 13, 2017 03:31 PM

    Ronak,

    I unselected this box before I created the case.

    Give me time to attach the screenshot in this case.

    Regards,

    Carlos



  • 6.  RE: Blocking Http/https policy

    Posted Sep 14, 2017 10:48 AM

    Ronak,

    Thank you for your answers. Attached you will find the ICAP screenshot in the Monitor Server and a new policy that I modified for the http protocol. If you find anything that is not in order, please let me know.

    Regards,

     

    Carlos 



  • 7.  RE: Blocking Http/https policy
    Best Answer

    Trusted Advisor
    Posted Sep 14, 2017 11:11 PM

    Carlos,

    Overall, everything looks right.

    Make sure to recycle the Web Prevent server if you uncheck the box.

    Is it detecting ANYTHING? Creating an incident but not blocking?

    I question if the Proxy server is really talking to the DLP server.

    What do you see in the DLP logs? Make sure there is a communication string of opening the ICAP connection to the Proxy server.

    If that looks good, make sure the policy works on CCN along with the Keyword.

    If you have CCNs set to narrow, you will need to have a CCN and a keyword.

    Amex, Visa, etc. Make sure it's a real CCN. Fakes will be omitted since they will not pass a Luhn check.

     

    Good Luck,

    Ronak

    Please mark as solved when possible
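
Added example, not part of the thread and not Symantec DLP's own matching logic: a pre-flight check for a test payload covering the three conditions raised in replies 2 and 7 (payload size, a Luhn-valid card number, and a keyword). The 512-byte threshold is the value mentioned in the thread; the keyword list and the candidate regex are assumptions.

```python
import re

# Assumptions for this sketch, not taken from the DLP product:
MIN_INSPECT_BYTES = 512  # threshold value mentioned in reply 2
KEYWORDS = ("visa", "amex", "credit card", "card number")  # hypothetical list
# 13 to 19 digits, optionally separated by single spaces or dashes
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def preflight(payload: str) -> dict:
    """Report which preconditions for a CCN + keyword match the payload meets."""
    candidates = [m.group() for m in CANDIDATE.finditer(payload)]
    valid = [c for c in candidates if luhn_ok(c)]
    size = len(payload.encode("utf-8"))
    return {
        "bytes": size,
        "large_enough": size > MIN_INSPECT_BYTES,
        "luhn_valid": valid,
        "luhn_rejected": [c for c in candidates if c not in valid],
        "keyword_present": any(k in payload.lower() for k in KEYWORDS),
    }


# Constructed sample: 4111 1111 1111 1111 is a public test number that passes
# Luhn; 1234-5678-9012-3456 fails it. Filler pushes the body past the threshold.
SAMPLE = ("Visa card number 4111 1111 1111 1111 and 1234-5678-9012-3456. "
          + "filler text " * 50)

if __name__ == "__main__":
    for key, value in preflight(SAMPLE).items():
        print(f"{key}: {value}")
```

If `luhn_valid` is empty, `keyword_present` is false, or `large_enough` is false, the test data itself is a likely reason no incident appears, independent of the ICAP link.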



  • 8.  RE: Blocking Http/https policy

    Posted Oct 05, 2017 01:16 PM

    OK Ronak,

     

    I will close this case with solution. I haven't gotten results, but it is clear that my configuration is right. Thank you for your support.

    Best Regards,

    Carlos Espinoza