How to customize HTTP status code or add a custom header in Network Prevent for Web Block action response


Article ID: 250251


Products

Data Loss Prevention Network Monitor and Prevent for Web

Issue/Introduction

Whenever HTTP/S communication is blocked by a Response Rule for Network Prevent, the detection server returns an HTTP (HTML) response body containing the message configured in the Network Prevent: Block rule. By default, the HTTP/S response is returned with status code HTTP 200 OK.

As a result, the configured message may not be displayed on the webpage where the communication is blocked. This is highly dependent on the webpage itself: different webpages handle the received message differently and react differently to different status codes.


This article covers blocking uploads to dlptest.com. By default, when the Network Prevent: Block action is triggered, no message is displayed on the page and the upload appears stuck with no error. The status circle continues spinning because the upload was blocked but the status code returned by Network Prevent for Web was HTTP 200 OK.

 

Environment

15.7 or higher.

Resolution

The HTTP response code returned by the Network Prevent for Web server along with the configured message can be customized. Custom headers can also be added if needed. The configuration is performed per webpage (one XML file per webpage) as described in the steps below, which can be used as a template for other webpages. As mentioned above, the reaction may differ between upload portals, so finding the right status code, or a necessary header, may require a trial-and-error approach.

1. Connect to the Network Prevent for Web server.

2. Navigate to the following directory:

On Windows:

C:\Program Files\Symantec\DataLossPrevention\DetectionServer\XX.Y.ZZZZZ\Protect\config\icapcustomresponse

On Linux:

/opt/Symantec/DataLossPrevention/DetectionServer/XX.Y/Protect/config/icapcustomresponse/

Replace XX.Y.ZZZZZ with the version of DLP installed, for example 15.8.00000 on Windows or 15.8 on Linux.

By default, the folder contains a pre-configured custom response for Google Drive, googleDriveBatch.xml, which can be used as the baseline for configuring the responses for other webpages.

3. Create a new XML file in the folder. In this example it will contain the configuration for dlptest.com. The name of the file is not relevant.

4. Open the file with a text editor of your choice, insert the following lines and save the file:

<CUSTOM_RESPONSE>
    <REQUEST>
        <HOST>EXAMPLE.com</HOST>
    </REQUEST>
    <BLOCK_RESPONSE>
        <STATUS_CODE>403</STATUS_CODE>
        <HEADERS>
            <HEADER>CUSTOM-HEADER: CUSTOM HEADER</HEADER>
        </HEADERS>
    </BLOCK_RESPONSE>
</CUSTOM_RESPONSE>

The above configuration forces the HTTP status code in the response to be 403 Forbidden for the example.com webpage. Additionally, a custom header CUSTOM-HEADER with the value "CUSTOM HEADER" is sent. The header in this example is optional and is not necessary for the dlptest.com webpage.

5. Recycle the Detection Server to apply the changes.

How to start or stop a Detection Server using the Enforce UI (broadcom.com)

6. Attempt the same upload to dlptest.com. The expected result is shown in the screenshot below.
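A pre-check that can be run on a new custom response file before recycling the Detection Server in step 5. This is an added example, not Broadcom code: it assumes only the elements shown in the step 4 template, and the function name lint_custom_response and its rules are illustrative sanity checks rather than the product's own validation.

```python
import re
import xml.etree.ElementTree as ET

# Header field names must be HTTP "token" characters (RFC 7230).
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample input: the template shown in step 4.
SAMPLE = """<CUSTOM_RESPONSE>
    <REQUEST>
        <HOST>EXAMPLE.com</HOST>
    </REQUEST>
    <BLOCK_RESPONSE>
        <STATUS_CODE>403</STATUS_CODE>
        <HEADERS>
            <HEADER>CUSTOM-HEADER: CUSTOM HEADER</HEADER>
        </HEADERS>
    </BLOCK_RESPONSE>
</CUSTOM_RESPONSE>"""

def lint_custom_response(xml_text):
    """Return a list of problems; an empty list means the file passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    # Assumption: the root and child element names match the step 4 template.
    if root.tag != "CUSTOM_RESPONSE":
        problems.append(f"root element is {root.tag}, not CUSTOM_RESPONSE")
    if not (root.findtext("REQUEST/HOST") or "").strip():
        problems.append("REQUEST/HOST is missing or empty")
    code = (root.findtext("BLOCK_RESPONSE/STATUS_CODE") or "").strip()
    if not re.fullmatch(r"[1-5][0-9]{2}", code):
        problems.append(f"STATUS_CODE {code!r} is not a three-digit HTTP status")
    elif code.startswith("2"):
        # A 2xx code reproduces the default behaviour the article works around.
        problems.append(f"STATUS_CODE {code} signals success, as the default 200 does")
    for header in root.findall("BLOCK_RESPONSE/HEADERS/HEADER"):
        text = (header.text or "").strip()
        name, colon, value = text.partition(":")
        if not colon or not TOKEN.fullmatch(name):
            problems.append(f"HEADER {text!r} is not in 'Name: value' form")
        elif "\r" in value or "\n" in value:
            problems.append(f"HEADER {name} has a line break in its value")
    return problems

if __name__ == "__main__":
    for problem in lint_custom_response(SAMPLE) or ["no problems found"]:
        print(problem)
```

To check a real file, pass its contents to lint_custom_response() in place of SAMPLE.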