Attach additional ICAP services to EdgeSWG/ProxySG (Fireeye, Symantec DLP) and use them in parallel to scan traffic

Article ID: 263508

Updated On:

Products

  • ISG Proxy
  • ProxySG Software - SGOS
  • Advanced Secure Gateway Software - ASG
  • Content Analysis Software
  • Data Loss Prevention

Issue/Introduction

A customer wants to add an additional ICAP service to an existing Edge SWG/ProxySG configuration and use the two services together to scan the configured traffic in parallel.

  • Existing ICAP service: Symantec DLP 
  • Additional ICAP service that needs to be added: Fireeye NR

 

Environment

Edge SWG configured with ICAP services.

Cause

N/A

Resolution

Both Symantec DLP and Fireeye NR AV scanning follow the ICAP RFC, so each service can be configured on the proxy with the standard ICAP server configuration.

 

How to add a new ICAP server (CAS, Fireeye, DLP)

  • Add the ICAP server via Proxy > Content Analysis > ICAP > New.
  • Fill in the fields with the information provided by the ICAP service provider, such as the service URL, maximum number of connections, etc.
  • The Edge SWG (ProxySG) can detect the settings by connecting to the provided service URL when you click the "Sense settings" button.
  • Click OK and save the settings.
  • For the URLs to be scanned, you need to create a rule in your policy.
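
Under RFC 3507 an ICAP server advertises its supported methods, connection limit and preview size in its reply to an OPTIONS request, which are the values the service form above asks for. The following is an added example, not Broadcom's or any ICAP vendor's code and not a description of how "Sense settings" works internally: it builds that request and checks a constructed reply before a service is attached. The host scanner.example.test, the sample reply and all function names are assumptions.

```python
# Added example (not vendor code): ICAP OPTIONS request and reply per RFC 3507.
from urllib.parse import urlsplit

# Constructed sample reply; every value in it is made up for illustration.
SAMPLE_REPLY = (
    b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\n"
    b'ISTag: "constructed-tag-01"\r\nMax-Connections: 25\r\n'
    b"Preview: 0\r\nEncapsulated: null-body=0\r\n\r\n"
)

def build_options_request(service_url):
    """Raw OPTIONS request for an icap:// service URL."""
    parts = urlsplit(service_url)
    if parts.scheme != "icap" or not parts.hostname:
        raise ValueError(f"not an ICAP service URL: {service_url!r}")
    return (f"OPTIONS {service_url} ICAP/1.0\r\n"
            f"Host: {parts.netloc}\r\n\r\n").encode("ascii")

def parse_options_reply(raw):
    """Extract the settings an ICAP client needs from an OPTIONS reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status_line, *lines = head.split("\r\n")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("ICAP/") or not fields[1].isdigit():
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    # Header names are case-insensitive, so index them in lower case.
    hdr = {n.strip().lower(): v.strip()
           for n, sep, v in (line.partition(":") for line in lines) if sep}
    def number(key):  # header value as int, or None if absent or non-numeric
        return int(hdr[key]) if hdr.get(key, "").isdigit() else None
    return {
        "status": int(fields[1]),
        "methods": [m.strip().upper() for m in hdr.get("methods", "").split(",") if m.strip()],
        "max_connections": number("max-connections"),
        "preview": number("preview"),
        "istag": hdr.get("istag", "").strip('"'),
    }

def problems(settings, wanted_method):
    """Reasons this service should not yet be attached for wanted_method."""
    found = []
    if settings["status"] != 200:
        found.append(f"OPTIONS returned status {settings['status']}")
    if wanted_method not in settings["methods"]:
        found.append(f"{wanted_method} not offered (Methods: {settings['methods']})")
    if settings["max_connections"] is None:
        found.append("no Max-Connections advertised; set the limit by hand")
    return found
```

A service used under "Perform Response Analysis" has to offer RESPMOD, so `problems(parse_options_reply(reply), "RESPMOD")` should come back empty for it.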

 

For more information, see "Configure ICAP service" in the Edge SWG Administration Guide 7.3.x.

 


If you have multiple ICAP servers from the same vendor defined on the proxy (e.g. 10 x Content Analysis, 5 x Fireeye, 3 x Symantec DLP), you can group each type of ICAP server into its own vendor-specific Service Group.

  • Go to Proxy > Content Analysis > Service Groups > New.
  • Add ICAP server instances from the same vendor into Service Members.


WARNING: Do not put different service vendors into one service group because they won't scan the URLs in parallel. For example, you wouldn't put both CAS and DLP in the same service group.

When a Service Group is used in the ICAP policy rule, the Edge SWG (ProxySG) uses only one of the ICAP servers from the defined group list (based on best availability of resources or on the weight assigned to the connection).

For more information, see "Configure ICAP service groups" in the Edge SWG Administration Guide 7.3.x.

If you want to use multiple ICAP services for scanning in your policy:

  • Each scanning type must be on its own layer.
  • Create a rule for each type of ICAP server or ICAP service, one per layer.

Then, in the Web VPM, set:

Destination: <user-defined list of URLs or categories that need scanning>

Action: Perform Response Analysis > Choose the defined Service Group or a single ICAP server (the ICAP servers must be from the same vendor)


FOR EXAMPLE: To scan traffic with Symantec DLP and Fireeye simultaneously, they need two separate layers, each with a scanning rule, in order to scan the traffic in parallel.

 

Additional Information

For more information regarding ICAP configuration on the Edge SWG (ProxySG), see the Administration Guide.