WebSocket connections are created by clients, and the sessions are passed to the Data Loss Prevention (DLP) device, where they fill up the available ICAP sessions. To proactively identify unknown WebSocket sessions, the device administrator wants to receive an email whenever a session to an unknown WebSocket domain is established.
Use the following code in a Content Policy Language (CPL) layer in Visual Policy Manager (VPM) or in the Local Policy File to send an email notification when such a session is created:
; Identifies Websockets sites that you do not want notification for
define condition known_websockets
url=[Domain/subdomain] ;Add a line per domain
end
; Identifies Websockets sessions
define condition websocket_session
http.websocket=yes
end
; Create the Email Action to send notification
define action notify_websocket
notify_email("Websocket session", "$(client.address) websocket site: $(url)") ; Sends to all addresses on the Maintenance > Event Logging > Mail tab
end
; Layer that identifies a session as a WebSocket and initiates the email through the Event Log mail settings.
<Proxy>
condition=known_websockets ; Known sites match this rule first, so no notification is sent for them
condition=websocket_session action.notify_websocket(yes)