HTTP detection does not work on the DLP Endpoint Agent, while HTTPS detection works
Article ID: 260303

Products

Data Loss Prevention Network Monitor and Prevent for Web

Issue/Introduction

You may see a situation where for the same set of policies, on an endpoint monitored with the DLP Endpoint Agent, HTTP detection does not work for a specific set of policies. For the same policies, HTTPS detection works without any issues. 

Cause

Review the design of your policies, and in particular check whether any of them contains a Recipient Matches Pattern exception that uses an IP address, either a specific address or an address range.

IP address-based Recipient Matches Pattern exceptions will only work for HTTP, not for HTTPS. The reason is that for HTTP detection the Agent sees a destination IP address along with the destination hostname, as in the following example from the DLP Agent log:

HTTP(S) Details :
URL : http://dlptest.com/wp-admin/admin-ajax.php

Network Info Details :
(...)
Destination IP : 172.16.2.2
Destination Port : 8080
Destination Host Name : dlptest.com

While for HTTPS, the Destination IP field is empty:

HTTP(S) Details :
URL : https://dlptest.com/https-post/

Network Info Details :
(...)
Destination IP :
Destination Port : 0
Destination Host Name : dlptest.com

This difference between HTTP and HTTPS detection in the DLP Agent is expected and part of the Agent's design. It is the reason why Recipient Matches Pattern exceptions based on an IP address work only for HTTP and not for HTTPS, which results in inconsistent detection across the two protocols.

Resolution

Because of the above, it is not recommended to use IP address-based Recipient Matches Pattern exceptions in policies for whitelisting endpoint web traffic, especially if the endpoints are behind a web proxy for network access. In such a situation the Agent sees the IP address of the web proxy instead of the actual IP address of the destination website, and may then falsely match the Recipient exception on the HTTP channel. That results in a lack of detection on the HTTP channel, while HTTPS traffic to the same website creates an incident.

Instead, use Network Filters in the Agent Configuration: they provide more flexibility for whitelisting specific IP ranges or HTTP/HTTPS domains while still monitoring individual destination addresses from the same range.
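The inconsistency described above, as an added example that is not Broadcom's code: it parses the two Agent log excerpts, applies an IP-range exception and a hostname-based filter to each event, and shows that the IP exception can only match the HTTP event (populated Destination IP) while the hostname filter matches both. The log text, the 172.16.0.0/16 range and the simplified matching functions are assumptions that model the article's logic, not the Agent's real matching engine.

```python
import ipaddress
import re

# Constructed sample in the shape of the two DLP Agent log excerpts above:
# the HTTPS event carries an empty Destination IP, as the article describes.
SAMPLE_LOG = """\
HTTP(S) Details :
URL : http://dlptest.com/wp-admin/admin-ajax.php
Network Info Details :
Destination IP : 172.16.2.2
Destination Port : 8080
Destination Host Name : dlptest.com
HTTP(S) Details :
URL : https://dlptest.com/https-post/
Network Info Details :
Destination IP :
Destination Port : 0
Destination Host Name : dlptest.com
"""
FIELD_RE = re.compile(r"^(URL|Destination IP|Destination Port|Destination Host Name) :\s*(.*)$")


def parse_records(text):
    """One dict per event; a new event starts at each 'HTTP(S) Details' line."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("HTTP(S) Details"):
            if current:
                records.append(current)
            current = {}
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return records + [current] if current else records


def ip_exception_matches(record, network):
    """Models an IP-based Recipient exception: needs a populated Destination IP (HTTP only)."""
    dest_ip = record.get("Destination IP", "")
    return bool(dest_ip) and ipaddress.ip_address(dest_ip) in ipaddress.ip_network(network)


def host_filter_matches(record, domain):
    """Models a hostname-based filter: Destination Host Name is present for both protocols."""
    host = record.get("Destination Host Name", "").lower()
    return host == domain or host.endswith("." + domain)


def audit(text, network, domain):
    """(URL, IP exception matched, host filter matched) per event, to spot inconsistent pairs."""
    return [(r["URL"], ip_exception_matches(r, network), host_filter_matches(r, domain))
            for r in parse_records(text)]
```

Running audit(SAMPLE_LOG, "172.16.0.0/16", "dlptest.com") shows the HTTP event matched by both rules and the HTTPS event matched only by the hostname filter, which is exactly the mismatch an IP-based exception produces on endpoints.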