WebSocket connections are created by clients, and the sessions are being passed to the Data Loss Prevention (DLP) device; these sessions are filling up available ICAP sessions. To proactively identify unknown WebSocket sessions, Device Admin' wants to receive an email when unknown WebSocket domains are established.

• ProxySG sending ICAP to DLP for analysis.
• Event Logging Mail Server is configured to deliver emails on the ProxySG/Advance Secure Gateway (ASG).
• Version
  • SGOS 6.5+
  • ASG 6.5+

Use the following code in a Content Policy Language (CPL) Layer in Visual Policy Manager (VPM) or Local Policy File to identify sessions when created in an email notification:

; Identifies Websockets sites that you do not want notification for
define condition known_websockets
     url=[Domain/subdomain]              ;Add a line per domain
end

; Identifies Websockets sessions
define condition websocket_session 
    http.websocket=yes
end

; Create the Email Action to send notification
define action notify_websocket 
    notify_email("Websocket session\", "$(client.address) websocket site: $(url)")                                    ;Will send to all emails in the Maintenance>Event Logging>Mail Tab
end

;Layer to identfies session as a Websockets and initiates email through the Event Log Mail.
 <proxy>
     condition=known_websockets
     condition=websocket_session action.notify_websocket(yes)