Client or Server IP address is displaying as "Unknown" in the CAS Alerts

Article ID: 172046

Products

Content Analysis Software - CA ProxySG Software - SGOS

Issue/Introduction

Threat alerts for Sandboxing, Predictive Analysis, File Reputation, and similar services are configured on CAS to report events promptly over email or syslog. However, the client IP address or server IP address is missing from the alert. A sample alert for Predictive Analysis is given below:

File determined to be unsafe through Predictive Analysis

File has been dropped.

2018-07-10 02:54:40 (UTC)
Hardware serial number: XXXXXXXXXX
CAS (Version 2.3.1.2(217803)) - http://www.symantec.com
Predictive Analysis Vendor: Cylance
Version: 281492156710912

Machine name: CAS
Machine IP address: 10.1.1.1
Server: Unknown
Client: Unknown

URL: hxxp://testurl/sample.pdf
Threat Score: 9
Threat Details:

 

Resolution

This occurs because ProxySG is not configured to send the client IP address and server (OCS) address to the ICAP server along with the scan request. Modify the following configuration on ProxySG to address this issue.

  1. Navigate to Configuration -> Content Analysis -> ICAP, locate the ICAP service, and click Edit.
  2. Enable the Client address and Server address as shown in the snapshot.
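
To confirm the change took effect, the ICAP request that ProxySG sends to CAS can be inspected in a packet capture (plain ICAP only). The following check is an added example, not part of the original article or the product: it assumes the addresses travel in the `X-Client-IP` and `X-Server-IP` headers defined in the ICAP extensions draft, and the sample requests and the `/avscan` service path are constructed.

```python
import ipaddress

# Header names from the ICAP extensions draft (draft-stecher-icap-subid);
# assumed here to be what the proxy emits once both options are enabled.
ATTRIBUTION_HEADERS = ("X-Client-IP", "X-Server-IP")

def parse_icap_head(raw: bytes):
    """Split an ICAP request head into (method, uri, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("ICAP/"):
        raise ValueError("not an ICAP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def missing_attribution(raw: bytes):
    """Return the attribution headers that are absent or not a valid IP."""
    _, _, headers = parse_icap_head(raw)
    missing = []
    for name in ATTRIBUTION_HEADERS:
        value = headers.get(name.lower(), "")
        try:
            ipaddress.ip_address(value)
        except ValueError:
            missing.append(name)
    return missing

# Constructed sample requests (not captured traffic); /avscan is a placeholder.
BEFORE = (b"RESPMOD icap://10.1.1.1/avscan ICAP/1.0\r\n"
          b"Host: 10.1.1.1\r\n"
          b"Encapsulated: req-hdr=0, res-hdr=60, res-body=120\r\n\r\n")
AFTER = (b"RESPMOD icap://10.1.1.1/avscan ICAP/1.0\r\n"
         b"Host: 10.1.1.1\r\n"
         b"X-Client-IP: 192.0.2.25\r\n"
         b"X-Server-IP: 198.51.100.7\r\n"
         b"Encapsulated: req-hdr=0, res-hdr=60, res-body=120\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_attribution(req) or "none")
```

A request that still lacks either header after the change means the alert will continue to show "Unknown" for that field.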
