Incidents not coming when Network DLP integrated with Cyberoam over ICAP
No incidents are showing on the DLP Prevent appliance. I have integrated the Cyberoam proxy server with Network DLP through ICAP over port 1344.
Integration was successful, but when I applied policies on Prevent I didn't see any traffic coming from the Cyberoam proxy, so I am unable to find any incidents (alerts) for policies like credit card / sensitive keywords. Even the port is open from the proxy server to the NDLP appliance and vice versa.
Verify that no one has modified iptables by running this command:
iptables -S | grep 1344
You should see an output like this:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1344 -j ACCEPT
If either of the above is incorrect, someone has modified the appliance in an unsupported way and I would recommend the appliance be reimaged.
To start testing traffic, you will need to collect a network capture. This can be done by following the guidance in KB74074. I would recommend using this command:
tcpdump -npi eth0 -Xs 65535 port 1344 -w /tmp/icap.pcap
Send traffic through the proxy that contains a specific keyword so you can then search and verify using Wireshark that traffic is being sent to the appliance. Ideally you will run a capture on the proxy at the same time to compare the results.
The capture that was already taken is empty, so either no traffic was sent across the proxy, the capture was taken incorrectly (in the screenshot I see the -p switch was not used, so the adapter was not in promiscuous mode), a network issue exists preventing traffic from making it to the NDLP Prevent, or the proxy is misconfigured. NDLP doesn't have any configuration steps that are required to be taken for ICAP and it will accept all traffic, so there isn't anything to configure there.
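Before chasing proxy configuration, a quick way to confirm the appliance is actually answering ICAP on 1344 is to send it an RFC 3507 OPTIONS request from the proxy host and read the reply. The script below is an added example, not part of the thread or of the NDLP product; the appliance address and the ICAP service path (here "/") are assumptions you must replace with your own.

```python
import socket

ICAP_PORT = 1344  # the ICAP port used in this integration

def build_options_request(host, service="/", port=ICAP_PORT):
    """Build a minimal RFC 3507 OPTIONS request for the given ICAP service."""
    # ICAP uses CRLF line endings like HTTP; a blank line ends the headers.
    lines = [
        f"OPTIONS icap://{host}:{port}{service} ICAP/1.0",
        f"Host: {host}",
        "User-Agent: icap-probe (constructed example)",
        "Encapsulated: null-body=0",  # OPTIONS carries no encapsulated body
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_options_response(raw):
    """Return (status_code, headers) from a raw ICAP reply; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    version, code, *_ = status_line.split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def probe(host, service="/", port=ICAP_PORT, timeout=5.0):
    """Connect to the appliance, send OPTIONS and return the parsed reply.
    A refused connection or timeout here means a path/firewall problem,
    not a policy problem, so check iptables and routing first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, service, port))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_options_response(data)

if __name__ == "__main__":
    import sys  # usage: icap_probe.py <appliance-ip> [service-path]
    code, hdrs = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    print(code, hdrs.get("methods"), hdrs.get("istag"), hdrs.get("preview"))
```

Run it from the Cyberoam host while the tcpdump above is active; a 200 reply listing REQMOD/RESPMOD in Methods proves the appliance is reachable and listening, so any remaining silence points at the proxy side.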