2 Replies Latest reply on May 3, 2017 11:30 AM by jhall2

    Incidents not coming when Network DLP integrated with Cyberoam over ICAP

    sharad01

      Hello Friends,


      No incidents are showing on the DLP Prevent appliance. I have integrated the Cyberoam proxy server with Network DLP through ICAP over port 1344.

      Integration was successful, but when I applied policies on Prevent I didn't see any traffic coming from the Cyberoam proxy, so I am unable to find any incidents (alerts) for policies like credit card / sensitive keywords. Even the port is open from the proxy server to the NDLP appliance and vice versa.

    2. Re: Incidents not coming when Network DLP integrated with Cyberoam over ICAP

    jhall2

          Verify that NDLP is listening on port 1344 by running this command:

               netstat -nap | grep 1344 | grep LISTEN

          You should see an entry such as:

               tcp   0   0 0.0.0.0:1344  0.0.0.0:*   LISTEN  7745/icap_server

          Verify that no one has modified iptables by running this command:

               iptables -S | grep 1344

          You should see output like this:

               -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1344 -j ACCEPT

          If either of the above is incorrect, someone has modified the appliance in an unsupported way and I would recommend the appliance be reimaged.

          To start testing traffic you will need to collect a network capture. This can be done by following the guidance in KB74074. I would recommend using this command:

               tcpdump -npi eth0 -Xs 65535 port 1344 -w /tmp/icap.pcap

          Send traffic through the proxy that contains a specific keyword so you can then search and verify using Wireshark that traffic is being sent to the appliance. Ideally you will run a capture on the proxy at the same time to compare the results.

          The capture that was already taken is empty, so either no traffic was sent across the proxy, the capture was taken incorrectly (in the screenshot I see the -p switch was not used, so the adapter was not in promiscuous mode), a network issue exists preventing traffic from making it to the NDLP Prevent, or the proxy is misconfigured. NDLP doesn't have any configuration steps that are required to be taken for ICAP and it will accept all traffic, so there isn't anything to configure there.
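An added helper, not from this thread or from McAfee, that automates the two appliance-side checks jhall2 describes: it parses `netstat -nap` and `iptables -S` output for a TCP LISTEN socket and an ACCEPT rule on port 1344. The parsing functions are pure and run against the constructed sample output embedded below; the `__main__` block assumes it is run as root on the Linux-based appliance where both commands exist.

```python
import re
import subprocess

ICAP_PORT = 1344  # port the Cyberoam proxy sends ICAP to, per the thread

# Constructed sample output, shaped like the lines quoted in the reply above.
SAMPLE_NETSTAT = (
    "tcp   0   0 0.0.0.0:22    0.0.0.0:*   LISTEN  1021/sshd\n"
    "tcp   0   0 0.0.0.0:1344  0.0.0.0:*   LISTEN  7745/icap_server\n"
)
SAMPLE_IPTABLES = "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1344 -j ACCEPT\n"

# netstat -nap row: proto recv-q send-q local:port foreign state pid/program
_LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)")

def icap_listener(netstat_output, port=ICAP_PORT):
    """Return 'pid/program' of the TCP socket LISTENing on `port`, else None."""
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if m and int(m.group(1)) == port:
            return m.group(2)
    return None

def _opt(tokens, flag):
    """Value following `flag` in an `iptables -S` rule, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None

def iptables_accepts(rules_output, port=ICAP_PORT):
    """True if some rule ACCEPTs TCP traffic whose --dport is `port`."""
    for line in rules_output.splitlines():
        toks = line.split()
        if (_opt(toks, "-p") == "tcp" and _opt(toks, "--dport") == str(port)
                and _opt(toks, "-j") == "ACCEPT"):
            return True
    return False

def check_icap(netstat_output, rules_output):
    """Both checks at once; 'ok' is True only when listener and rule both exist."""
    prog = icap_listener(netstat_output)
    rule = iptables_accepts(rules_output)
    return {"listener": prog, "iptables_accept": rule, "ok": prog is not None and rule}

if __name__ == "__main__":  # live run; assumes root on the Linux-based appliance
    ns = subprocess.run(["netstat", "-nap"], capture_output=True, text=True).stdout
    ipt = subprocess.run(["iptables", "-S"], capture_output=True, text=True).stdout
    print(check_icap(ns, ipt))
```

If either check fails the script confirms the reply's diagnosis of an altered appliance; if both pass, the remaining suspects are the proxy side and the network path, which the tcpdump capture above is meant to settle.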