Data Loss Prevention is not intercepting traffic from a proxy

Article ID: 160431

Products

Data Loss Prevention Network Prevent for Web

Data Loss Prevention Cloud Detection Service

Issue/Introduction

Symantec DLP should be generating incidents, but the content is served to the web browser without the data being detected.

Cause

The minimum filter limit may be set too high relative to the size of the HTTP/S request being sent.

For Web Prevent, this is described in the Advanced Settings for Prevent Servers, as per the Admin Guide:

Ignore Requests Smaller Than: Specify the minimum body size of HTTP requests to inspect on this server. The default value is 4096 bytes. HTTP requests with bodies smaller than this number are not inspected.

Environment

DLP Network Prevent for Web

DLP Cloud Detection Service for WSS with ICAP

Resolution

Edit the Configuration for the Web Prevent Server.

To process requests of any size, set the “Ignore Requests Smaller Than” field to 1; this will ensure that the message is detected.

Please note that setting this too low in a production environment will have an impact on the performance of end-user browsers (too much data will be sent up for detection).

Any changes to this setting require a recycle of the Prevent server for the configuration to take effect.
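
When a policy test produces no incident, it helps to confirm whether the test request was simply below the threshold. The following is an added example, not Symantec code: it measures the body of a captured HTTP/1.1 request and applies the documented "smaller than" rule. It assumes the size is counted after chunked decoding; the function names, sample requests, host and path are constructed for illustration.

```python
# Added troubleshooting sketch, not Symantec code. It models only the documented
# rule: request bodies smaller than the threshold are not inspected.
DEFAULT_MIN_BODY = 4096  # default value quoted from the Admin Guide above


def body_size(raw: bytes) -> int:
    """Body length in bytes of one raw HTTP/1.1 request (chunked is decoded)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        total, rest = 0, body
        while True:
            size_line, sep, rest = rest.partition(b"\r\n")
            if not sep:
                raise ValueError("truncated chunk header")
            size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
            if size == 0:
                return total
            if len(rest) < size:
                raise ValueError("truncated chunk data")
            total += size
            rest = rest[size + 2:]                # skip data and its CRLF
    if b"content-length" in headers:              # trust the declared size,
        return int(headers[b"content-length"])    # the capture may be cut short
    return len(body)


def is_inspected(raw: bytes, min_body: int = DEFAULT_MIN_BODY) -> bool:
    """True when the body is at least min_body bytes (strictly smaller is skipped)."""
    return body_size(raw) >= min_body


def make_post(body: bytes) -> bytes:
    """Build a constructed test request; host and path are placeholders."""
    return (b"POST /submit HTTP/1.1\r\nHost: upload.example\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


# Constructed samples: a short form post and a chunked upload of exactly 4096 bytes.
SMALL_FORM = make_post(b"note=test+policy+match+text")
CHUNKED = (b"POST /submit HTTP/1.1\r\nHost: upload.example\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n"
           b"800\r\n" + b"A" * 2048 + b"\r\n800\r\n" + b"B" * 2048 + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("small form", SMALL_FORM), ("chunked 4096", CHUNKED)):
        print(name, body_size(req), is_inspected(req), is_inspected(req, 1))
```

A request with an empty body is still skipped when the field is set to 1, since zero bytes is smaller than one.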

Note that this issue also impacts DLP Cloud Detection Service when integrated with WSS (BlueCoat Web Proxy, via either REST or ICAP methods).

However, unlike Network Prevent for Web, it is not possible to modify this setting for DLP Cloud Detection Service via the Enforce console. For DLP Cloud Detection customers requiring a lowering of this threshold, please open a ticket with support.