If you have configured the ICAP REQMOD service for DLP on the appliance, review these policy best practices to ensure
that high volumes of requests to the DLP server do not affect performance.
Exclude Long-Running Streams
Long-running or infinite streams can tie up the limited number of connections that the DLP server can maintain, leading
to the queuing of subsequent requests. Use the following CPL to exclude these known long-running streams.
To exclude Microsoft Azure URLs:
url.host.is_numeric=yes url.path.substring="servicebus/webstream" request.icap_service(no)
For more information, see the knowledge base article: Article ID: 173392
To exclude streams to stream.launchdarkly.com:
url.domain=stream.launchdarkly.com request.icap_service(no) response.icap_service(no)
url.domain=clientstream.launchdarkly.com request.icap_service(no) response.icap_service(no)
Monitor Long-Running Streams
Additional long-running streams might need to be excluded. Use event log messages to monitor these streams. No
additional configuration is required to display the long-running streams information.
Messages for long-running streams have the following format:
ICAP long scanning reqmod transaction for url using service_name for N seconds and M bytes
ICAP long scanning reqmod transaction finished for url using service_name for N seconds and M bytes
• url is the URL of the long-running stream.
• N is the number of seconds since the start of the ICAP transaction.
• M is the number of bytes sent to the ICAP service before the transaction is assumed to be a long-running transaction.
See the following example:
2020-03-06 21:29:23-00:00UTC "ICAP long scanning reqmod transaction for http://10.169.3.235/policy using cas1
after 60 seconds and 1684703331 bytes" 0 3D0003:96 opp_action.cpp:822
2020-03-06 21:29:44-00:00UTC "ICAP long scanning reqmod transaction finished for http://10.169.3.235/policy
using cas1 after 81 seconds and 2274059168 bytes" 0 3D0003:96 opp_action.cpp:822
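
The following Python script is an added example, not part of the original documentation. It parses these event log messages and summarizes, per host and ICAP service, the longest duration, the largest byte count, and any streams that never logged a "finished" message, so that candidates for exclusion can be reviewed. The function names and the last two sample lines are constructed for illustration, and the pattern accepts both the "for N seconds" wording of the format line and the "after N seconds" wording of the sample output.

```python
import re
from urllib.parse import urlsplit

# Matches both the start/progress message and the "finished" message.
# The format line says "for N seconds"; the sample output says "after".
LONG_SCAN = re.compile(
    r"ICAP long scanning reqmod transaction (?P<finished>finished )?for (?P<url>\S+) "
    r"using (?P<service>\S+) (?:for|after) (?P<seconds>\d+) seconds and (?P<bytes>\d+) bytes"
)

def parse_line(line):
    """Return a dict for a long-scanning REQMOD event, or None for any other line."""
    m = LONG_SCAN.search(line)
    if not m:
        return None
    return {"url": m["url"], "host": urlsplit(m["url"]).hostname,
            "service": m["service"], "finished": m["finished"] is not None,
            "seconds": int(m["seconds"]), "bytes": int(m["bytes"])}

def summarize(lines):
    """Per (host, service): longest duration, most bytes, URLs still streaming."""
    summary = {}
    for event in filter(None, map(parse_line, lines)):
        key = (event["host"], event["service"])
        s = summary.setdefault(key, {"max_seconds": 0, "max_bytes": 0, "open": set()})
        s["max_seconds"] = max(s["max_seconds"], event["seconds"])
        s["max_bytes"] = max(s["max_bytes"], event["bytes"])
        # A "finished" message closes the URL; without one it is still open.
        if event["finished"]:
            s["open"].discard(event["url"])
        else:
            s["open"].add(event["url"])
    return summary

# The first two entries are the example above (re-joined); the last two are constructed.
SAMPLE = [
    '2020-03-06 21:29:23-00:00UTC "ICAP long scanning reqmod transaction for http://10.169.3.235/policy '
    'using cas1 after 60 seconds and 1684703331 bytes" 0 3D0003:96 opp_action.cpp:822',
    '2020-03-06 21:29:44-00:00UTC "ICAP long scanning reqmod transaction finished for http://10.169.3.235/policy '
    'using cas1 after 81 seconds and 2274059168 bytes" 0 3D0003:96 opp_action.cpp:822',
    '2020-03-06 21:30:10-00:00UTC "ICAP long scanning reqmod transaction for http://stream.example.com/events '
    'using cas1 after 120 seconds and 4096 bytes" 0 3D0003:96 opp_action.cpp:822',
    '2020-03-06 21:30:11-00:00UTC "Unrelated event (constructed)" 0 000000:0 example.cpp:1',
]

if __name__ == "__main__":
    for (host, service), s in sorted(summarize(SAMPLE).items()):
        print(host, service, s["max_seconds"], s["max_bytes"], sorted(s["open"]))
```

Hosts that recur with long durations or that remain open are the ones to evaluate for a request.icap_service(no) exclusion rule.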