ICAP request and ICAP response in same policy using different ICAP vendor servers

Article ID: 266379


Products

ISG Proxy ProxySG Software - SGOS CAS-VA CAS-S500 CAS-S400 CAS-S200 ISG Content Analysis Blue Coat DLP Subscription Data Insight for DLP

Issue/Introduction

The customer wants to use both an ICAP request server and an ICAP response server from different vendors in the same policy.

Environment

TEST ENVIRONMENT:

  • PROXY: EXPLICIT MODE
  • SGOS: 7.4.1.1 (SGAC)
  • URL test: dlptest.com
  • Test file: EICAR File (txt, zip) and normal jpeg image
  • ICAP request server: Content Analysis (CAS)
  • ICAP response server: Checkpoint DLP

Cause

N/A

Resolution

Define default Proxy VPM secure layers:

Access Policy - https://knowledge.broadcom.com/external/article/174668 

Content Policy - https://knowledge.broadcom.com/external/article/174669 

 

###########  PROXY DEFAULT POLICY: ALLOWED  ########### 

 

POLICY 

Web SSL Interception (OPTIONAL)

 

WEB ACCESS LAYER

  • The policy default rule is already Allow (Proxy > Configuration > Policy services > Default action: Allow)
  • When the proxy sees an HTTP POST or FTP STOR, it sends the request to the defined ICAP REQUEST server

 

RULE TO ADD FOR REQUEST ICAP SERVER

  • Source: Defined
  • Destination: Defined
  • Service: Combined Object containing:
      • Protocol Methods > HTTP/HTTPS > POST, PUT
      • Protocol Methods > FTP > STOR

 

 

Action:

  • Perform Request Analysis and choose the ICAP Request server, or
  • Combined object: Perform Request Analysis + Allow

 

 

WEB CONTENT LAYER:

Send all the downloads to selected ICAP response server

 

 

 

POLICY TRACE

Uploading the EICAR file on dlptest.com triggers the rule on the POST method, and the traffic is sent to the ICAP request and response servers.

https://<proxy-ip>:8082/Policy/debug   (Track: debug was added to the rules in order to check the results)

 

 

 

###########  PROXY DEFAULT POLICY: DENIED  ########### 

 

POLICY

Web SSL Interception (OPTIONAL)

 

WEB ACCESS LAYER

  • The first rule needs to allow uploads to the specified Destination; its Action needs to be a combined object of ICAP REQUEST + ALLOW
  • All other rules are then processed according to your own requirements

 

RULE TO ADD FOR REQUEST:

Source: Any

Destination: Any
Service:  Combined Object containing:

  • Protocol Methods > HTTP/HTTPS > POST, PUT
  • Protocol Methods > FTP > STOR

 

 

Action: Combined Object containing

Perform Request Analysis + ALLOW

 

 

WEB CONTENT LAYER:

Send all the downloads to ICAP response server

 

 

 

 

POLICY TEST:

Uploading the EICAR file on dlptest.com triggers the rule on the POST method, and the traffic is sent to the ICAP request and response servers.

https://<proxy-ip>:8082/Policy/debug   (Track: debug was added to the rules in order to check the results)

 

PLEASE NOTE: Once the service has been tested successfully, you can remove the debug Policy Trace tracking from the rules.

 

Additionally, please follow the guides to ensure ICAP is not overutilized if you scan all destinations:

Additional Information

The proxy uses only one ICAP REQMOD service and one ICAP RESPMOD service per transaction: the first ones matched in policy. If a later rule is defined to additionally use another ICAP REQMOD/RESPMOD service, it is omitted because the verdict was already given by the first ICAP server.
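
What the two rules put on the wire, as an added example that is not part of the KB article: the Web Access Layer rule results in an ICAP REQMOD message to the request server, and the Web Content Layer rule results in a RESPMOD message to the response server, framed per RFC 3507. The ICAP host names, service paths, the /upload and /sample.jpg paths, and the sample bodies are constructed assumptions.

```python
# Added example (not from the KB article): the ICAP (RFC 3507) messages behind
# the two rules. Host names, paths and bodies below are constructed assumptions.
def chunked(body: bytes) -> bytes:
    """Encapsulated bodies are always sent with HTTP chunked encoding."""
    return b"%x\r\n%b\r\n0\r\n\r\n" % (len(body), body) if body else b""

def build_icap(method: str, service_url: str, sections, body: bytes) -> bytes:
    """sections: ordered (name, raw HTTP header block) pairs, e.g. req-hdr, res-hdr."""
    offsets, pos = [], 0
    for name, block in sections:
        offsets.append(f"{name}={pos}")      # byte offset of each part in the payload
        pos += len(block)
    body_tag = ("req-body" if method == "REQMOD" else "res-body") if body else "null-body"
    offsets.append(f"{body_tag}={pos}")
    host = service_url.split("/")[2]
    head = (f"{method} {service_url} ICAP/1.0\r\nHost: {host}\r\n"
            f"Encapsulated: {', '.join(offsets)}\r\n\r\n").encode()
    return head + b"".join(block for _, block in sections) + chunked(body)

def encapsulated_offsets(msg: bytes) -> dict:
    """Parse the Encapsulated header back into {part: offset}."""
    for line in msg.split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
        if line.lower().startswith(b"encapsulated:"):
            pairs = line.split(b":", 1)[1].decode().split(",")
            return {k.strip(): int(v) for k, v in (p.split("=") for p in pairs)}
    raise ValueError("no Encapsulated header")

def payload(msg: bytes) -> bytes:
    """Everything after the ICAP header block (the encapsulated HTTP parts)."""
    return msg.split(b"\r\n\r\n", 1)[1]

# Constructed sample traffic: an upload (POST) and a download (GET + 200 response).
UPLOAD = b"constructed upload body"
POST_HDR = (b"POST /upload HTTP/1.1\r\nHost: dlptest.com\r\n"
            b"Content-Length: %d\r\n\r\n" % len(UPLOAD))
GET_HDR = b"GET /sample.jpg HTTP/1.1\r\nHost: dlptest.com\r\n\r\n"
DOWNLOAD = b"constructed download body"
RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
           b"Content-Length: %d\r\n\r\n" % len(DOWNLOAD))

# Web Access Layer rule -> REQMOD to the request server (CAS in the test setup).
REQMOD = build_icap("REQMOD", "icap://cas.example.test/reqmod",
                    [("req-hdr", POST_HDR)], UPLOAD)
# Web Content Layer rule -> RESPMOD to the response server (Checkpoint DLP).
RESPMOD = build_icap("RESPMOD", "icap://dlp.example.test/respmod",
                     [("req-hdr", GET_HDR), ("res-hdr", RES_HDR)], DOWNLOAD)

if __name__ == "__main__":
    print(REQMOD.decode(), RESPMOD.decode(), sep="\n---\n")
```

Comparing these two message shapes against a packet capture taken between the proxy and each ICAP server shows which server received the upload and which received the download.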

 

KB articles: