Block Filetypes on Edge SWG (ProxySG) using X-Apparent-Data-Types header in ICAP Respmod response
search cancel

Block Filetypes on Edge SWG (ProxySG) using X-Apparent-Data-Types header in ICAP Respmod response

book

Article ID: 262382

calendar_today

Updated On:

Products

ISG Proxy ProxySG Software - SGOS Advanced Secure Gateway Software - ASG ISG Content Analysis Content Analysis Software

Issue/Introduction

You wish to block filetypes based on 'Apparent Data Type' on the Edge SWG or ProxySG. However, the filetype is not supported & available in the list.

You have ICAP scanning configured with Symantec Content Analysis (CAS) in respmod.

Resolution

We can leverage ICAP respmod response  from ICAP scan to determine the filetype of the content as determined by CAS. Certain apparent filetypes such as MSI are detected by CAS & this information is present in the 'X-Apparent-Data-Types' header of the ICAP response sent by the CAS. We can use the value of this header on the ProxySG to determine the filetype & block the file.

On the ProxySG, create a rule on the Web Access Layer, Under Destination select 'ICAP respmod response header', add the header name as 'X-Apparent-Data-Types' & the Header Regex as 'MSI' (as an example).

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=x7WJ5BX2DPUyTW9gk42VtQ==

Additional Information

An easy way to find out the filetype determined by CAS is by running a test scan on the CAS GUI, under Utilities > Test : Select and Scan Test File

The Response of the test will show the 'X-Apparent-Data-Types' as determined by CAS.