Data Loss Prevention

  • 1.  DLP ICAP response?

    Posted Sep 07, 2016 08:04 AM

    Hello, we're using BlueCoat proxy servers w/ Symv14.0 Web Prevent. What is the ICAP response DLP returns to the proxy when an ICAP request is to be denied (blocked) based on the policy response rule? Is it a code such as 204? (I don't believe that is the exact code based on the RFC documentation I've been reading.)



  • 2.  RE: DLP ICAP response?

    Trusted Advisor
    Posted Sep 07, 2016 09:48 AM

    hello,

    DLP will return an ICAP code 200 because ICAP processing was OK (or another code if there were any ICAP errors, of course).

    But the HTTP request content will be modified with the response rule message (the default one is "Content blocked due to policy violation") instead of returning the exact same content as the one sent in the initial ICAP request from proxy to DLP, and the web site destination is removed.

     

    ----

    Typical ICAP response for blocking (first ICAP parts / then HTTP request part // initial HTTP request included in proxy ICAP request sent to DLP contains a document attached to it):

    ICAP/1.0 200 OK
    Cache-Control: no-cache
    ISTag: "Vontu14.0"
    Encapsulated: res-hdr=0, res-body=141

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Date: Wed, 07 Sep 2016 13:41:16 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 39

    Content blocked due to policy violation

    Regards.



  • 3.  RE: DLP ICAP response?
    Best Answer

    Posted Sep 19, 2016 02:01 PM

    Thanks Stephane, I'm troubleshooting issues with Network Prevent for Web and inconsistent blocking based on websites. In packet capture logs, HTTP and ICAP codes weren't reflective of the success of the block response; it was the text which indicated the upload should be blocked. In your example: Content blocked due to policy violation
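A worked example, added here and not part of the thread or of the Symantec/Blue Coat products, that parses the reply quoted in answer 2 and applies the point made in both answers: the ICAP status line alone does not tell you whether the upload was stopped, the encapsulated HTTP part does. It assumes RFC 3507 REQMOD semantics (204 means the request was returned unmodified; 200 with a res-hdr section means the DLP server answered with an HTTP response in place of the request, which is how a block is delivered). The sample bytes are constructed from the capture above with CRLF line endings; the 204 sample and the chunked variant are constructed as well.

```python
"""Parse a REQMOD reply from a DLP ICAP server and decide what the proxy will
do with the upload. Constructed example, not vendor code."""
import re

CRLF = b"\r\n"
# Default response-rule message quoted in the thread (39 bytes, matching Content-Length: 39).
BLOCK_TEXT = b"Content blocked due to policy violation"

# Constructed from the capture quoted above, with CRLF line endings and the
# body left unchunked exactly as shown there.
BLOCK_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Cache-Control: no-cache\r\n"
    b"ISTag: \"Vontu14.0\"\r\n"
    b"Encapsulated: res-hdr=0, res-body=141\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Date: Wed, 07 Sep 2016 13:41:16 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"Content blocked due to policy violation"
)

# Constructed: a pass-through. ICAP 204 means "not modified, send it on".
ALLOW_REPLY = (
    b"ICAP/1.0 204 No Content\r\n"
    b"ISTag: \"Vontu14.0\"\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def _split_head(raw, start=0):
    """Return (start line, lower-cased header dict, offset just past the blank line)."""
    end = raw.index(CRLF + CRLF, start)
    lines = raw[start:end].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, end + 4


def _dechunk(data):
    """Encapsulated bodies are chunked per RFC 3507; the thread's capture shows
    the body unchunked, so if the first line is not a hex chunk size treat the
    bytes as a raw body (heuristic, a raw body starting with hex would be misread)."""
    out, pos = b"", 0
    while True:
        m = re.match(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n", data[pos:])
        if not m:
            return data if pos == 0 else out
        size = int(m.group(1), 16)
        pos += m.end()
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def parse_icap_response(raw):
    """Split the ICAP envelope and whatever HTTP message it encapsulates."""
    status_line, icap_headers, body_start = _split_head(raw)
    resp = {"icap_status": int(status_line.split()[1]), "icap_headers": icap_headers,
            "encapsulated": {}, "http_status": None, "http_headers": {}, "body": b""}
    for part in filter(None, (p.strip() for p in icap_headers.get("encapsulated", "").split(","))):
        name, _, offset = part.partition("=")
        resp["encapsulated"][name] = int(offset)
    enc, payload = resp["encapsulated"], raw[body_start:]
    hdr_key = next((k for k in ("res-hdr", "req-hdr") if k in enc), None)
    if hdr_key:
        line, headers, _ = _split_head(payload, enc[hdr_key])
        resp["http_start_line"], resp["http_headers"] = line, headers
        if hdr_key == "res-hdr":
            resp["http_status"] = int(line.split()[1])
    body_key = next((k for k in ("res-body", "req-body") if k in enc), None)
    if body_key:
        resp["body"] = _dechunk(payload[enc[body_key]:])
    return resp


def classify(resp):
    """Map the DLP reply to what the proxy will do with the upload."""
    if resp["icap_status"] == 204:
        return "allowed"      # unmodified: the original request goes out
    if resp["icap_status"] != 200:
        return "icap-error"   # the ICAP server itself failed; proxy fail-open/closed setting decides
    if "res-hdr" in resp["encapsulated"]:
        return "blocked"      # DLP answered with an HTTP response instead of the request
    return "modified"         # DLP returned an edited request to send on


def content_length_consistent(resp):
    """True when the encapsulated Content-Length matches the body actually carried."""
    declared = resp["http_headers"].get("content-length")
    return declared is None or int(declared) == len(resp["body"])


if __name__ == "__main__":
    for label, raw in (("block", BLOCK_REPLY), ("allow", ALLOW_REPLY)):
        r = parse_icap_response(raw)
        print(label, r["icap_status"], classify(r), r["body"])
```

When comparing captures from a site that blocks and one that does not, the field to watch is therefore the Encapsulated header (res-hdr versus a 204 or a req-hdr), not the 200 on either status line; the body text is the human-readable confirmation of the same thing.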