Incidents not coming when Network DLP integrated with Cyberoam over ICAP

Hello Friends,

No incidents are showing on the DLP Prevent appliance. I have integrated the Cyberoam proxy server with Network DLP through ICAP over port 1344.

Integration was successful, but when I applied policies on Prevent, I didn't see any traffic coming from Cyberoam and was unable to find any incidents (alerts) for policies like credit card / sensitive keywords. The port is even open from the proxy server to the NDLP appliance and vice versa.

2 Replies
Reliable Contributor catdaddy

Re: Incidents not coming when Network DLP integrated with Cyberoam over ICAP

Successfully moved from Community Support to Data Loss Prevention (DLP) > Discussions

For better assistance and better exposure.

McAfee Volunteer
McAfee Employee jhall2

Re: Incidents not coming when Network DLP integrated with Cyberoam over ICAP

Verify that NDLP is listening on port 1344 by running this command:

     netstat -nap | grep 1344 | grep LISTEN

You should see an entry as such:

     tcp   0   0*   LISTEN  7745/icap_server

Verify that no one has modified iptables by running this command:

     iptables -S | grep 1344

You should see an output like this:

     -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1344 -j ACCEPT

If either of the above is incorrect, someone has modified the appliance in an unsupported way and I would recommend the appliance be reimaged.

To start testing this traffic you will need to collect a network capture. This can be done by following the guidance in KB74074. I would recommend using this command:

     tcpdump -npi eth0 -Xs 65535 port 1344 -w /tmp/icap.pcap

Send traffic through the proxy that contains a specific keyword so you can then search and verify using Wireshark that traffic is being sent to the appliance. Ideally you will run a capture on the proxy at the same time to compare the results.

The capture that was already taken is empty, so either no traffic was sent across the proxy, the capture was taken incorrectly (in the screenshot I see the -p switch was not used, so the adapter was not in promiscuous mode), a network issue exists preventing traffic from making it to the NDLP Prevent, or the proxy is misconfigured. NDLP doesn't have any configuration steps that are required to be taken for ICAP and it will accept all traffic, so there isn't anything to configure there.
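The check described in the reply above (did any ICAP request carrying the test keyword reach port 1344?) can also be run directly over the saved capture. This is an added example, not part of the original thread or of any McAfee tooling; the function names, the keyword and the 192.0.2.x addresses in the constructed sample packet are assumptions, and it handles only classic pcap files captured on an untagged Ethernet interface.

```python
import struct

ICAP_PORT = 1344                                  # port used in this thread
METHODS = (b"OPTIONS", b"REQMOD", b"RESPMOD")     # ICAP request methods (RFC 3507)

def icap_summary(pcap: bytes, keyword: bytes) -> dict:
    """Count data segments sent to port 1344, ICAP requests and keyword hits."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (e.g. -i eth0) are handled")
    out = {"segments": 0, "keyword_hits": 0, "OPTIONS": 0, "REQMOD": 0, "RESPMOD": 0}
    pos = 24                                      # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # not untagged IPv4 + TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0] or len(frame) - 14
        tcp = frame[14 + ihl:14 + total]          # drops Ethernet padding
        if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != ICAP_PORT:
            continue                              # not addressed to the ICAP port
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload:
            continue                              # bare SYN/ACK, no ICAP data
        out["segments"] += 1
        for m in METHODS:
            if payload.startswith(m + b" icap://"):
                out[m.decode()] += 1
        # Per-segment search: a keyword split across two segments is missed.
        out["keyword_hits"] += keyword in payload
    return out

def sample_pcap(payload: bytes) -> bytes:
    """Constructed one-packet capture, proxy -> NDLP:1344 (made-up addresses)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, ICAP_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    req = b"REQMOD icap://192.0.2.20:1344/reqmod ICAP/1.0\r\n\r\nDLPTESTKEYWORD"
    print(icap_summary(sample_pcap(req), b"DLPTESTKEYWORD"))  # constructed, abbreviated request
```

To use it on the capture from the command above, pass `open("/tmp/icap.pcap", "rb").read()` and the keyword you sent through the proxy; a result of all zeros corresponds to the empty-capture case discussed in the reply.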
