
Is there any ICAP traffic being sent to the Network Prevent for Web detection server?


Article ID: 175111


Updated On:

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

You need to know whether your Network Prevent for Web detection server is receiving any ICAP traffic at all, or whether specific URLs are reaching the detection server, before any detection takes place.

Environment

15.x

Resolution

Activating ICAP tracing records all traffic arriving at the detection server, regardless of policies or incident detection. To activate it:

  • Go to the Advanced Settings of the Web Prevent (detection) server, set "Icap.EnableTrace" to true, and provide the folder location in the "Icap.TraceFolder" field.
  • Ensure that the user ID under which the services run (typically "protect" or "SymantecDLP") has read and write permission on the folder specified in "Icap.TraceFolder".
  • After saving the changes, restart the SymantecDLPDetectionServer service.

The traces are generated in the "Icap.TraceFolder", one file per connection, named "timestamp-conn_id". The first line of each trace file records the connecting host's IP address and port along with a timestamp. Data read from the wire is marked with a line of the form "<< timestamp no_of_bytes_read", and data written to the wire with a line of the form ">> timestamp no_of_bytes_written". The last line reports the connection being closed.
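To answer the question in the introduction (is any ICAP traffic arriving, and did a particular URL reach the server?), the trace files can be scanned rather than read by hand. The script below is an added example, not part of the Broadcom article or the product. It assumes the trace layout sketched above: a header line naming the connecting host, then "<< timestamp bytes" / ">> timestamp bytes" marker lines each followed by the raw bytes that were read or written, and a final "connection closed" line. The timestamp format, the exact wording of the header and closing lines, and the embedded sample trace are all assumptions; the sample is constructed for this example and its byte counts are illustrative. Adjust the regular expressions if your trace files differ.

```python
"""Scan Network Prevent for Web ICAP trace files for the ICAP requests they
carry and the URLs inside them.  Added example; not product code."""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# Assumed marker layout: "<< <timestamp> <bytes>" for data read from the proxy,
# ">> <timestamp> <bytes>" for data written back.  Timestamp format is unknown,
# so anything between the arrows and the trailing byte count is accepted.
MARKER_RE = re.compile(r"^(<<|>>) (.+?) (\d+)$")
ICAP_REQ_RE = re.compile(r"^(REQMOD|RESPMOD|OPTIONS) (icap://\S+) ICAP/1\.0$", re.M)
HTTP_REQ_RE = re.compile(
    r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]$", re.M)


@dataclass
class Chunk:
    direction: str              # "<<" read from proxy, ">>" written to proxy
    timestamp: str
    declared_bytes: int         # the count printed on the marker line
    lines: List[str] = field(default_factory=list)

    @property
    def payload(self) -> str:
        return "\n".join(self.lines)


@dataclass
class Trace:
    header: str                 # first line: connecting host IP/port + timestamp
    chunks: List[Chunk] = field(default_factory=list)
    closed: bool = False        # last line reported the connection closed


def parse_trace(text: str) -> Trace:
    """Split one trace file into its header, read/write chunks and close flag."""
    lines = text.splitlines()
    trace = Trace(header=lines[0] if lines else "")
    current: Optional[Chunk] = None
    for line in lines[1:]:
        m = MARKER_RE.match(line)
        if m:
            current = Chunk(m.group(1), m.group(2), int(m.group(3)))
            trace.chunks.append(current)
        elif "connection closed" in line.lower():   # assumed closing line wording
            trace.closed = True
            current = None
        elif current is not None:
            current.lines.append(line)
    return trace


def icap_requests(trace: Trace) -> List[dict]:
    """One record per ICAP request the proxy sent, with the encapsulated HTTP
    request line (method and URL) when one is present."""
    out = []
    for c in trace.chunks:
        if c.direction != "<<":
            continue
        matches = list(ICAP_REQ_RE.finditer(c.payload))
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(c.payload)
            h = HTTP_REQ_RE.search(c.payload, m.end(), end)
            out.append({"timestamp": c.timestamp,
                        "icap_method": m.group(1), "icap_uri": m.group(2),
                        "http_method": h.group(1) if h else None,
                        "url": h.group(2) if h else None})
    return out


def url_seen(traces: List[Trace], needle: str) -> List[dict]:
    """All ICAP requests whose encapsulated URL contains `needle`."""
    return [r for t in traces for r in icap_requests(t) if r["url"] and needle in r["url"]]


def summarize(trace: Trace) -> dict:
    """Per-connection totals: useful to confirm traffic is arriving at all."""
    return {"header": trace.header,
            "bytes_read": sum(c.declared_bytes for c in trace.chunks if c.direction == "<<"),
            "bytes_written": sum(c.declared_bytes for c in trace.chunks if c.direction == ">>"),
            "closed": trace.closed}


def load_trace_folder(folder: str) -> List[Trace]:
    """Parse every file in the Icap.TraceFolder."""
    return [parse_trace(p.read_text(errors="replace"))
            for p in sorted(Path(folder).iterdir()) if p.is_file()]


# Constructed sample trace in the assumed layout (byte counts illustrative).
SAMPLE_TRACE = """\
2024-03-05 10:15:42.120 connection from 10.20.30.40:51234
<< 2024-03-05 10:15:42.121 218
REQMOD icap://dlp-web-prevent.example.internal:1344/reqmod ICAP/1.0
Host: dlp-web-prevent.example.internal
Encapsulated: req-hdr=0, req-body=97

POST http://intranet.example.com/upload HTTP/1.1
Host: intranet.example.com
Transfer-Encoding: chunked

5
hello
0

>> 2024-03-05 10:15:42.140 46
ICAP/1.0 204 No Content
ISTag: "W3E4R7U9-L2E4-2"

2024-03-05 10:15:42.150 connection closed
"""

if __name__ == "__main__":
    traces = load_trace_folder(sys.argv[1]) if len(sys.argv) > 1 else [parse_trace(SAMPLE_TRACE)]
    needle = sys.argv[2] if len(sys.argv) > 2 else "intranet.example.com"
    for t in traces:
        print(summarize(t))
    for r in url_seen(traces, needle):
        print("seen:", r["timestamp"], r["icap_method"], r["http_method"], r["url"])
```

Run it as `python icap_trace_scan.py /path/to/Icap.TraceFolder intranet.example.com` on the detection server (a hypothetical file name): an empty summary list means no connections were traced, a connection with bytes read but no matching URL means the proxy is talking to the server but not forwarding that request, and a match proves the URL arrived before any detection happened.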

NOTE: The amount of data generated while tracing is enabled is very large. Make sure a good amount of free disk space is available. Also, the content written to the trace files is in clear text: it is the full request and response traffic forwarded by the proxy, which is exactly the sensitive data the product is meant to protect. Restrict access to the trace folder to the service account, set "Icap.EnableTrace" back to false (and restart the service) as soon as the diagnostic is finished, and delete the trace files when they are no longer needed.

For more Web Prevent diagnostics and troubleshooting, refer to this note:

https://knowledge.broadcom.com/external/article/159426/web-prevent-diagnostics-and-troubleshoot.html