With Symantec DLP, the ProxySG appliance acts as a gateway only. Once the Proxy-side configurations are done correctly, web requests (destination objects) configured, by policy, for ICAP_REQMOD scan will mandatorily get sent to DLP, and ProxySG will allow the web access only after the Symantec Network Prevent server returns the requisite verdict. So, if a specific destination object gets accessed through the ProxySG, it's either that that object had been sent to DLP and DLP returned an allow verdict or that the specific destination object was exempted from ICAP_REQMOD scan. There is never a middle ground. Consequently, the case of less traffic reaching DLP shouldn't exist.

For the web traffic flow when ProxySG is integrated with ICAP devices, please refer to the Tech. Article with URL below.

Traffic flow when ProxySG is integrated with ICAP devices

For the correct ProxySG - DLP integration, please refer to the config. doc. attached.

Configuring request and response mode services

For the full details on configuring the proxy server, refer to the integration documentation already provided in earlier exchanges. Please note that the configurations below are correct and should be followed.

To configure a proxy server:

REQMOD. On your proxy server, create an ICAP REQMOD service that forwards requests to the Network Prevent for Web Server. If your proxy server supports different protocols, configure it to handle the wanted protocols.

For REQMOD mode, an ICAP service on the proxy server should look like:

icap://ip_address|FQDN[:port]/reqmod

RESPMOD. On your proxy server, create an ICAP RESPMOD service that forwards responses to the Network Prevent for Web Server. If your proxy server supports different protocols, configure it to handle the wanted protocols.

For RESPMOD mode, an ICAP service on the proxy server should look like:

icap://ip_address|FQND[:port]/respmod

Where:

ip_address|FQDN identifies the Network Prevent for Web Server using either an IP address or fully qualified domain name.

Port is the port number to which Network Prevent for Web Server listens. Specifying the port number is optional when the default ICAP port (1344) is used.

/reqmod is required for correct functionality in REQMOD mode.

/respmod is required for correct functionality in RESPMOD mode.

Examples:

icap://X.X.X.45/reqmod
icap://X.X.X.45:1344/reqmod
icap://netmonitor1.example.com/reqmod
icap://X.X.X.45/respmod
icap://X.X.X.45:1344/respmod
icap://netmonitor1.example.com/respmod

Note that the port that is specified in the ICAP service definition on the proxy must match the port on which Network Prevent for Web Server listens.

To create a DLP REQMOD ICAP Policy, please refer to How to create an DLP REQMOD ICAP Policy

With all of the above guidance, you can fully tell whether, or not, a destination object gets to DLP. You'll also able to see whether the specific destination object was configured to be sent to DLP or not. Finally, you are able to see the ProxySG requests that got to DLP, by inspecting the Access logs on the DLP side.

To see the Network Prevent for web logs, please go to the below location, in the DLP environment.

/var/log/Symantec/DataLossPrevention/Detection Server/15.1//WebPrevent_Access0.log

For identifying the log fields, please refer to the guidance in the Tech. doc. with URL below.

Network Prevent for Web Access Log Files and Fields