Data Loss Prevention

  • 1.  DLP 15 Prevent for Web v. Google Drive

    Posted Dec 22, 2017 10:23 AM

    Hi,

    I have DLP 15.0 (not yet the MP1) and I have realized the browser-based Google Drive upload is not blocked at the proxy / Prevent for Web level. I have the HTTPS decryption policy in place on Cisco IronPort. I see the ICAP requests that go into the Prevent (small file, large file):

    10.254.62.10 "CENSOREDtTUC9iZWhhbHA=" 22/Dec/2017:10:11:11:069+0100 "POST https:CENSORED//clients6.google.com:443/upload/drive/v2internal/files HTTP/1.1" 204 59487 "https:CENSORED//drive.google.com/drive/folders/1yxAnaSEkRlRD1Y1rkgXuyCENSORED" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" 203 10544 10.254.87.245 18038 5 1 1 50CB1729-5917-4A0C-BD72-4F080DB14FEB

    10.254.62.10 "CENSOREDMLUtTUC9iZWhhbHA=" 22/Dec/2017:14:05:07:228+0100 "PUT https:CENSORED//clients6.google.com:443/upload/drive/v2internal/files HTTP/1.1" 204 48388169 "https:CENSORED//drive.google.com/drive/folders/1dcQWH3gsy-0aRn1Fn_CENSORED" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" 4313 20614 10.254.87.245 25058 5 1 1 89751D1D-DE53-4500-A801-A09E430F7A32

    But I always see action code 5 = ALLOW_WITHOUT_INSPECTION.

    I think I have the filter sizes correct, and I do not filter the Google domain, but no inspection happens.

    Is it an error or a misconfiguration? Does it improve after 15.0 MP1? Any temporary solution idea?

    Thank you,

    Pavel
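
    As an added example (not from this post and not Symantec DLP code), a small Python check that scans Prevent for Web log lines in the shape quoted above and flags upload requests to a Google Drive host that were allowed without inspection. The sample lines are constructed and sanitized, and the position of the action code among the trailing numeric fields (the fifth, which reads 5 in both quoted lines) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the shape of the Prevent for Web log quoted above (values
# sanitized); the meaning of the trailing numeric fields is an assumption, not documented here.
SAMPLE_LOG = """\
10.254.62.10 "dXNlcjE=" 22/Dec/2017:10:11:11:069+0100 "POST https://clients6.google.com:443/upload/drive/v2internal/files HTTP/1.1" 204 59487 "https://drive.google.com/drive/folders/abc" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" 203 10544 10.254.87.245 18038 5 1 1 50CB1729-5917-4A0C-BD72-4F080DB14FEB
10.254.62.10 "dXNlcjE=" 22/Dec/2017:14:05:07:228+0100 "PUT https://clients6.google.com:443/upload/drive/v2internal/files HTTP/1.1" 204 48388169 "https://drive.google.com/drive/folders/def" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" 4313 20614 10.254.87.245 25058 5 1 1 89751D1D-DE53-4500-A801-A09E430F7A32
10.254.62.11 "dXNlcjI=" 22/Dec/2017:14:07:00:000+0100 "POST https://intranet.example:443/upload HTTP/1.1" 200 1200 "https://intranet.example/" "Mozilla/5.0" 10 20 10.254.87.245 25059 1 1 1 00000000-0000-0000-0000-000000000000
"""

ALLOW_WITHOUT_INSPECTION = 5  # the only action code the post names

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<user>[^"]*)" (?P<ts>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d+) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rest>.*)$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("rest").split()
    # Assumption: the action code is the fifth trailing field (it reads 5 in both quoted lines).
    rec["action"] = int(tail[4]) if len(tail) > 4 else None
    rec["size"] = int(rec["size"])
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec

def find_uninspected_uploads(log_text, hosts=("clients6.google.com",)):
    """Return POST/PUT requests to the given hosts that were allowed without inspection."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] in ("POST", "PUT") and rec["host"] in hosts
                and rec["action"] == ALLOW_WITHOUT_INSPECTION):
            findings.append(rec)
    return findings

def bytes_uninspected(findings):
    """Total request bytes per client IP that left without content inspection."""
    totals = {}
    for rec in findings:
        totals[rec["client"]] = totals.get(rec["client"], 0) + rec["size"]
    return totals
```

    Running `bytes_uninspected(find_uninspected_uploads(SAMPLE_LOG))` on the sample gives the uninspected upload volume per client, which is the number worth alerting on while the root cause is open.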




  • 2.  RE: DLP 15 Prevent for Web v. Google Drive

    Posted Jan 04, 2018 11:40 PM

    Pavel,

    You may want to look at the filters on the proxy; it may be listed as part of the acceptable group of sites that is never inspected (shopping sites, banking, etc.).

    Please mark as solved when possible.




  • 3.  RE: DLP 15 Prevent for Web v. Google Drive

    Posted Feb 13, 2018 12:08 AM

    Hi,

    Thanks for pointing it out, but the proxy decrypts and forwards the traffic correctly. Unfortunately, I do not understand the internal requirements and conditions of Prevent for Web; it seems to ignore some kind of traffic by design, because the proxy, Cisco IronPort, flags it in some specific way.

    Regards,

    Pavel