Data Loss Prevention is not intercepting traffic from a proxy
Last Updated February 05, 2019
SymantecDLP should be generating incidents but the content is being served to the web browser without data being detected.
DLP Network Prevent for Web
DLP Cloud Detection Service for WSS with ICAP
The minimum filter limit may be set too high, in comparison to the size of the HTTP/s request being sent.
For Web Prevent, this is described in the Advanced Settings for Prevent Servers, as per the Admin Guide:
Ignore Requests Smaller Than
Specify the minimum body size of HTTP requests to inspect on this server. The default value is 4096 bytes. HTTP requests with bodies smaller than this number are not inspected.
Edit the Configuration for the Web Prevent Server.
In the event you want to process all the requests of any size, then setting “Ignore request smaller than” field to 1 will ensure that the message will be detected.
Please note that setting this too low in a production environment will have an impact on performance of end-user browsers (too much data will be sent up for detection).
Any changes to this setting require a recycle of the Prevent server for the configuration to take effect.
Note that this issue also impacts DLP Cloud Detection Service when integrated with WSS (BlueCoat Web Proxy, via either REST or ICAP methods).
However, unlike Network Prevent for Web, it is not possible to modify this setting for DLP Cloud Detection Service via the Enforce console. For DLP Cloud Detection customers requiring a lowering of this threshold, please open a ticket with support.
Imported Document ID: TECH221191
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe