Data Loss Prevention is not intercepting traffic from a proxy
Article ID: 160431
Updated On:
Products
Issue/Introduction
SymantecDLP should be generating incidents but the content is being served to the web browser without data being detected.
Environment
DLP Network Prevent for Web
DLP Cloud Detection Service for ICAP (with WSS)
Cause
The minimum filter limit may be set too high, in comparison to the size of the HTTP/s request being sent.
For Web Prevent, this is described in the Advanced Settings for Prevent Servers, as per the Admin Guide:
| Ignore Requests Smaller Than | Specify the minimum body size of HTTP requests to inspect on this server. The default value is 4096 bytes. HTTP requests with bodies smaller than this number are not inspected. |
Resolution
Edit the Configuration for the Web Prevent Server.
In the event you want to process all the requests of any size, then setting “Ignore request smaller than” field to 1 will ensure that the message will be detected.
Please note that setting this too low in a production environment will have an impact on performance of end-user browsers (too much data will be sent up for detection).
Any changes to this setting require a recycle of the Prevent server for the configuration to take effect.
Note that this issue also impacts DLP Cloud Detection Service when integrated with WSS (BlueCoat Web Proxy, via ICAP).
However, unlike Network Prevent for Web, it is not possible to modify this setting for DLP Cloud Detection Service via the Enforce console. For DLP Cloud Detection customers requiring a lowering of this threshold, please open a ticket with support.
Feedback
