Toronto Data Loss Prevention User Group

  • 1.  Icap error in WebPrevent_Operational.log in Symantec DLP

    Posted Jan 18, 2018 12:07 PM

    Hello,

    I checked the WebPrevent_Operational.log and found the below:

    16/Jan/18:16:21:01:498-0500 [INFO] (ICAP_CONNECTION.1201) Connection (cid=17021) opened from host(172.24.25.2:27428).

    16/Jan/18:16:21:01:498-0500 [INFO] (ICAP_CONNECTION.1203) Connection stat: REQMOD=0, RESPMOD=0, OPTIONS=0, OTHERS=5.

    16/Jan/18:16:32:12:901-0500 [INFO] (ICAP_CONNECTION.1202) Connection (cid=17021) closed(EOF).

    This error was generated when the user was trying to send 14GB of data over the network. The connection goes like this: User -> proxy servers -> load balancers (172.24.25.2:27428) -> DLP. The above log states clearly that the connection is open from the load balancer side; after a certain period we receive EOF. Is it because of the file size we are using? Also, we are able to send smaller files. This is the first time we are facing this issue.

    Please help.



  • 2.  RE: Icap error in WebPrevent_Operational.log in Symantec DLP

    Posted Jan 18, 2018 01:40 PM

    One question on the size comes to mind: is this one single large file or Zip archive, or a lot of smaller files sent in a burst?
    If the first, is there a limit YOU have found? Also, what are the stats on the Web Prevent (RAM/CPU) we are dealing with here?

     



  • 3.  RE: Icap error in WebPrevent_Operational.log in Symantec DLP
    Best Answer

    Trusted Advisor
    Posted Jan 18, 2018 07:12 PM

    Hello,

    Are you sure there is an error (this message is an INFO one, so it is not raising any error on the DLP side)? Receiving EOF is quite normal at the end of an ICAP request from the proxy. Do you have any issue transferring the file to the destination web site?

    If you get some errors, you could:

    - increase the log level to get more information

    - check on the proxy side/load balancer whether there is any timeout on the request

    - do a test on your own (especially if it was raised by a third party) with a huge site, as the timeout could also come from the browser side if the transfer is too long/slow

     

     Regards

     



  • 4.  RE: Icap error in WebPrevent_Operational.log in Symantec DLP

    Trusted Advisor
    Posted Jan 19, 2018 02:49 PM

    Vishnu,

    You may be able to configure the proxy to ONLY send a certain amount of data; this is also configurable on the DLP side to ONLY look at the first 30MB.

    As mentioned above, if the file is a ZIP file or encapsulated, the system will need to expand the file and then inspect the data. This is very intensive and can also be causing the issue.

     

    Also keep in mind that an INFO alert is not necessarily a bad thing.

     

    Good Luck

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE
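
Added example (not part of the thread and not Symantec code): a small parser for the `ICAP_CONNECTION` lines quoted in the first post that pairs open/close events by `cid` and computes how long each connection lived, so the lifetime can be compared with the proxy and load balancer timeouts mentioned in the replies. The function names, the threshold values and the timestamp format (inferred from the three quoted lines) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the three log lines quoted in the first post.
SAMPLE_LOG = """\
16/Jan/18:16:21:01:498-0500 [INFO] (ICAP_CONNECTION.1201) Connection (cid=17021) opened from host(172.24.25.2:27428).
16/Jan/18:16:21:01:498-0500 [INFO] (ICAP_CONNECTION.1203) Connection stat: REQMOD=0, RESPMOD=0, OPTIONS=0, OTHERS=5.
16/Jan/18:16:32:12:901-0500 [INFO] (ICAP_CONNECTION.1202) Connection (cid=17021) closed(EOF).
"""

LINE = re.compile(r"^(\S+) \[(\w+)\] \((ICAP_CONNECTION\.\d+)\) (.*)$")
OPENED = re.compile(r"Connection \(cid=(\d+)\) opened from host\(([^)]+)\)")
CLOSED = re.compile(r"Connection \(cid=(\d+)\) closed\(([^)]*)\)")
STAT = re.compile(r"(\w+)=(\d+)")

def parse_ts(text):
    # Assumed format, inferred from the quoted lines: dd/Mon/yy:HH:MM:SS:mmm+zzzz
    return datetime.strptime(text, "%d/%b/%y:%H:%M:%S:%f%z")

def summarize(log_text):
    """Pair open/close events by cid; return (connections, stat_counters)."""
    conns, stats = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a non-ICAP_CONNECTION entry
        ts, msg = parse_ts(m.group(1)), m.group(4)
        if o := OPENED.search(msg):
            conns[o.group(1)] = {"peer": o.group(2), "opened": ts,
                                 "closed": None, "reason": None, "seconds": None}
        elif (c := CLOSED.search(msg)) and c.group(1) in conns:
            entry = conns[c.group(1)]
            entry.update(closed=ts, reason=c.group(2),
                         seconds=(ts - entry["opened"]).total_seconds())
        elif msg.startswith("Connection stat:"):
            # Stat lines carry no cid, so they are kept separately, not linked.
            stats.append({k: int(v) for k, v in STAT.findall(msg)})
    return conns, stats

def long_lived(conns, threshold_s):
    """cids that lived at least threshold_s seconds, or never logged a close."""
    return sorted(cid for cid, e in conns.items()
                  if e["seconds"] is None or e["seconds"] >= threshold_s)

if __name__ == "__main__":
    conns, stats = summarize(SAMPLE_LOG)
    for cid, e in conns.items():
        print(cid, e["peer"], e["reason"], e["seconds"])
    print(stats)
```

A lifetime that repeatedly lands on the same value across failed uploads is a hint to look for an idle or request timeout of that length on the proxy or load balancer.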