sharad01
Level 7

Incidents not coming when Network DLP integrated with Cyberoam over ICAP

Hello Friends,

No incidents are showing on the DLP Prevent appliance. I have integrated the Cyberoam proxy server with Network DLP through ICAP over port 1344.

Integration was successful, but when I applied policies on Prevent, I didn't see any traffic coming from the Cyberoam proxy, so I am unable to find any incidents (alerts) for policies like credit card / sensitive keywords. The port is open from both the proxy server to the NDLP appliance and vice versa.

0 Kudos
2 Replies
catdaddy
Level 20

Re: Incidents not coming when Network DLP integrated with Cyberoam over ICAP

Successfully moved from Community Support to Data Loss Prevention (DLP) > Discussions

For better assistance and better exposure.

Cliff
McAfee Volunteer
0 Kudos
McAfee Employee

Re: Incidents not coming when Network DLP integrated with Cyberoam over ICAP

Verify that NDLP is listening on port 1344 by running this command:

     netstat -nap | grep 1344 | grep LISTEN

You should see an entry as such:

     tcp   0   0 0.0.0.0:1344  0.0.0.0:*   LISTEN  7745/icap_server

Verify that no one has modified iptables by running this command:

     iptables -S | grep 1344

You should see an output like this:

     -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1344 -j ACCEPT

If either of the above is incorrect, someone has modified the appliance in an unsupported way and I would recommend the appliance be reimaged.

To start testing this traffic you will need to collect a network capture. This can be done by following the guidance in KB74074. I would recommend using this command:

     tcpdump -npi eth0 -Xs 65535 port 1344 -w /tmp/icap.pcap

Send traffic through the proxy that contains a specific keyword so you can then search and verify using Wireshark that traffic is being sent to the appliance. Ideally you will run a capture on the proxy at the same time to compare the results.

The capture that was already taken is empty, so either no traffic was sent across the proxy, the capture was taken incorrectly (in the screenshot I see the -p switch was not used, so the adapter was not in promiscuous mode), a network issue exists preventing traffic from making it to the NDLP Prevent, or the proxy is misconfigured. NDLP doesn't have any configuration steps that are required to be taken for ICAP and it will accept all traffic, so there isn't anything to configure there.
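The keyword check described in the reply above can also be scripted once the capture holds data. This is an added example, not part of the original reply or any McAfee tooling: it parses one ICAP request as defined in RFC 3507 and reports whether a REQMOD/RESPMOD body carries the test keyword. It assumes you have exported the raw bytes of a single request from the port 1344 capture; the host names, the `/reqmod` service path and the sample request are constructed.

```python
# Added example, not from the thread; hosts, service path and sample are constructed.

def dechunk(data: bytes) -> bytes:
    """Decode an HTTP chunked body as carried inside an ICAP message."""
    out, pos = b"", 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:                      # truncated capture: keep what was decoded
            return out
        size = int(data[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        if size == 0:
            return out
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2         # skip chunk data and its trailing CRLF

def parse_icap_request(raw: bytes) -> dict:
    """Split one ICAP request into method, ICAP headers and encapsulated body."""
    head, sep, encapsulated = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header")
    lines = head.decode("latin-1").split("\r\n")
    method, _uri, version = lines[0].split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP request: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # "Encapsulated: req-hdr=0, req-body=147" gives offsets into the payload
    offsets = {}
    for item in headers.get("encapsulated", "").split(","):
        key, _, off = item.strip().partition("=")
        if off.isdigit():
            offsets[key] = int(off)
    body_key = next((k for k in ("req-body", "res-body") if k in offsets), None)
    body = dechunk(encapsulated[offsets[body_key]:]) if body_key else b""
    return {"method": method, "headers": headers, "body": body}

def keyword_reached_icap(raw: bytes, keyword: bytes) -> bool:
    """True if a REQMOD/RESPMOD request carries the test keyword in its body."""
    req = parse_icap_request(raw)
    return req["method"] in ("REQMOD", "RESPMOD") and keyword.lower() in req["body"].lower()

def build_sample(body: bytes) -> bytes:
    """Constructed REQMOD request wrapping an HTTP POST with the given body."""
    http_hdr = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    icap_hdr = (b"REQMOD icap://ndlp.example:1344/reqmod ICAP/1.0\r\n"
                b"Host: ndlp.example\r\nEncapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr))
    return icap_hdr + http_hdr + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
```

A stream that contains only `OPTIONS` requests returns `False` here: the proxy has reached the ICAP service but has not forwarded any HTTP content for inspection.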