How to check whether file scanned by CAS has been blocked
Article ID: 277559
Updated On:
Products
ISG Content Analysis
CAS-VA
Content Analysis Software
ISG Proxy
ProxySG Software - SGOS
Issue/Introduction
When checking file scanning and ICAP response issues within the Edge SWG (formerly ProxySG) environment, it's crucial to understand how to monitor and verify the process effectively. This article outlines the steps to check file scanning activity/verdicts on both the CAS and Edge SWG sides.
Environment
Content Analysis - 3.1
Resolution
- On the CAS side, you can either check the files are being scanned from CAS management GUI > Statistics > Historical Connection:
Or on the CAS side as well you can check the Recent threat :
- To confirm whether the downloaded file has been blocked or served from proxy access logs you can use the ICAP fields access log on the ProxySG side.
for Reporter will depend on what they send in the access logging and if Icap fields are also sent.
The ICAP Connection logs contain such information, customers can send it to the syslog server …etc.
For example, you can add both these fields s-icap-status and x-icap-respmod-header(X-Apparent-Data-Types) to the access logs to observe the downloaded file type and the ICAP response:
Please refer to ProxySG access log "s-icap-status" ELFF field (broadcom.com)
For more details, you can also refer to Edge SWG (ProxySG) Access Log Fields (broadcom.com)
- There is a possibility to check all processed files on the CAS by checking the CAS-connection log file from Utilities > system logs > cas-connection :
Feedback
Yes
No
Powered by
