Customer wants to add additional ICAP service to existing EdgeSWG/ProxySG configuration and combine two services to scan the configured traffic in parallel
Edge SWG configured with ICAP services.
N/A
Both Symantec DLP and Fireeye NR AV scanning follow the ICAP RFC, so the service can be configured on Proxy with standard ICAP server configuration.
How to add new ICAP server (CAS, Fireeye, DLP)?
For more information, see the documentation Edge SWG Administration Guide 7.3.x – Configure ICAP service
If you have multiple ICAP servers defined on Proxy from the same vendor (e.g. 10 x Content Analysis, 5 x Fireeye, 3 x Symantec DLPs) you can group each of the different types of ICAP servers into their vendor specific Service Groups.
WARNING: Do not put different service vendors into one service group because they won't scan the URLs in parallel. For example, you wouldn't put both CAS and DLP in the same service group.
When using a Service Group in the ICAP Policy rule, The Edge SWG (ProxySG) will use only one of the ICAP servers from the defined group list (based on best availability of resources or on assigned weight to the connection).
For more information, see the documentation Edge SWG Administration Guide 7.3.x – Configure ICAP service groups
If you want to use multiple ICAP services for scanning in your Policy:
then set in the Web VPM:
Destination: <defined by user list of URLs or categories that needs scanning>
Action: Perform Response Analysis > Choose the defined Service Groups or one ICAP server (ICAP should be from same vendor)
FOR EXAMPLE: To scan traffic with Symantec DLP and Fireeye simultaneously, they need two separate layers, each with a scanning rule, in order to scan the traffic in parallel.
For more information regarding ICAP configuration on the Edge SWG (Proxy SG) see the Administration Guide