Get Notifications of WebSocket Connections through Email

Article ID: 175444

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

WebSocket connections are created by clients, and the sessions are passed to the Data Loss Prevention (DLP) device, where they fill up the available ICAP sessions. To proactively identify unknown WebSocket sessions, the device admin wants to receive an email when sessions to unknown WebSocket domains are established.

Environment

  • ProxySG sending ICAP to DLP for analysis.
  • Event Logging Mail Server is configured to deliver emails on the ProxySG/Advanced Secure Gateway (ASG).
  • Version
    • SGOS 6.5+
    • ASG 6.5+

Resolution

Use the following code in a Content Policy Language (CPL) layer in Visual Policy Manager (VPM) or in the Local Policy File to send an email notification when such a session is created:

; Identifies Websockets sites that you do not want notification for
define condition known_websockets
     url=[Domain/subdomain]              ;Add a line per domain
end

; Identifies Websockets sessions
define condition websocket_session 
    http.websocket=yes
end

; Create the Email Action to send notification
define action notify_websocket 
    notify_email("Websocket session", "$(client.address) websocket site: $(url)")    ; Sent to all addresses on the Maintenance > Event Logging > Mail tab
end

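; Layer that identifies a session as a WebSocket and initiates the email through the Event Log Mail.
; Rules are evaluated top-down and the first match ends the layer, so known
; sites match the first rule (no action) and never reach the notify rule.
 <proxy>
     condition=known_websockets
     condition=websocket_session action.notify_websocket(yes)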
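
Each notification body produced by the policy above has the shape `<client address> websocket site: <url>`. The following Python script is an added example, not part of the original article or of the product: it tallies such bodies per destination host so an administrator can decide which domains to add to `known_websockets`. It assumes the bodies have been exported one per line; the sample bodies are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Body format taken from the policy's notify_email() call:
#   "$(client.address) websocket site: $(url)"
BODY_RE = re.compile(r"^(?P<client>\S+) websocket site: (?P<url>\S+)\s*$")

# Constructed sample bodies (not real traffic); documentation address ranges.
SAMPLE_BODIES = [
    "192.0.2.10 websocket site: https://stream.example.com/socket?id=1",
    "192.0.2.10 websocket site: https://stream.example.com/socket?id=2",
    "192.0.2.44 websocket site: https://STREAM.example.com:443/live",
    "198.51.100.7 websocket site: http://chat.example.net/ws",
    "malformed line without the expected separator",
    "192.0.2.44 websocket site: not-a-url",
]


def summarize(bodies):
    """Return (hosts, rejected): per-host session count and client list,
    plus the lines that did not parse (surfaced, not silently dropped)."""
    stats = defaultdict(lambda: {"sessions": 0, "clients": set()})
    rejected = []
    for line in bodies:
        m = BODY_RE.match(line.strip())
        try:
            host = urlsplit(m.group("url")).hostname if m else None
        except ValueError:  # e.g. malformed IPv6 literal in the URL
            host = None
        if not host:
            rejected.append(line)
            continue
        stats[host]["sessions"] += 1
        stats[host]["clients"].add(m.group("client"))
    hosts = {h: {"sessions": s["sessions"], "clients": sorted(s["clients"])}
             for h, s in stats.items()}
    return hosts, rejected


def review_order(hosts):
    """Hosts sorted by session count (busiest first), then by name."""
    return sorted(hosts, key=lambda h: (-hosts[h]["sessions"], h))


if __name__ == "__main__":
    hosts, rejected = summarize(SAMPLE_BODIES)
    print(review_order(hosts), hosts, rejected)
```

Hosts at the top of the review order account for the most notifications; the rejected list holds any mail that did not match the expected body format.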