0 Replies Latest reply on Sep 20, 2017 2:14 PM by johnaldridge

    Coaching on Content Filtering via ICAP?

    johnaldridge

      I've marked this as a question, but I've been informed that what's needed comes down to a feature request.  But, of which product?


      I got to tinkering after trying to make sense of this discussion:

      McAfee Web Gateway action on ICAP server response

      And:

      Re: Don´t wait for ICAP Server response


      First, I needed to prove a few things to myself.  I grabbed a packet trace of a block from an nDLP ICAP server from the proxy (one for which I was triggering the block [very useful: HTTP Post | DLP Test]).  I could see the "HTTP/1.1 403 Forbidden\r\n", along with the block page coming from the ICAP server—which is the content that was displayed in my browser (by way of MWG).


      I then altered the rule to block on the ICAP.ReqMod.Satisfaction, and that did result in a proxy block page—instead of the ReqMod response.


      With a bit more tinkering, I cobbled together a combination of the coaching rule sets and the DLP via ICAP rulesets.  And, I was able to get a coaching page to display.  However when I tried to click through, I got the block page from the ICAP server.


      With a bit more tinkering, I was able to get coaching to work—but I do not like what it took to make it work.  Guess why?  Because the DLP ICAP server doesn't get to log the results of the content server—because the DLP ICAP server never gets to look at that content.


      Oh, I suppose I could rig logging for this, but that would result in a split solution for those who review the DLP incidents, and I know that's never going to fly.


      What would be better is if either the ICAP product had coaching or there was a variation of ICAP.ReqMod.Satisfaction that ignored the ICAP server's modified response.  I don't think the latter is a great option, but it's better than what I've created so far.  The best would be an ICAP server with a coaching option, which would allow it to log when it prompts for coaching and when it doesn't (if anyone thinks that makes any difference, and some might).  I suppose one might wonder what it would look like if the ICAP protocol had features to facilitate coaching (AFAIK).


      Am I missing anything here?  Any other thoughts on the subject?


      Rule Sets

      Data Loss Prevention, Coaching
        [Encourages users to follow web usage guidelines by limiting session times]
        [✘] Disabled  [✘] Disabled in Cloud
        Applies to: [✔] Requests  [✘] Responses  [✔] Embedded Objects
        Criteria:
          1: SSL.ClientContext.IsApplied equals true
          2: OR Command.Name does not equal "CONNECT"

        Rules (Enabled / Rule / Action / Events / Comments):

        [✔] Enabled  Skip Empty Host Names
          Criteria: 1: URL.Host equals ""
          Action:   Stop Rule Set

        [✔] Enabled  Skip GET and HEAD requests
          Criteria: 1: Command.Name equals "GET"
                    2: OR Command.Name equals "HEAD"
          Action:   Stop Rule Set

        [✔] Enabled  Skip Requests That Do Not Carry Information
          Criteria: 1: Body.Size equals 0
                    2: AND List.OfString.IsEmpty(URL.Parameters) equals true
          Action:   Stop Rule Set
          Comment:  Only requests that contain some data will be sent to the ICAP server

        [✔] Enabled  Skip Body That Is Greater Than 50 MB
          Criteria: 1: Body.Size greater than 52428800
          Action:   Stop Rule Set
          Comment:  Only requests that contain some data will be sent to the ICAP server

        [✔] Enabled  Skip Requests to Internal IP Addresses
          Criteria: 1: URL.Destination.IP is in range list RFC 1918 Internal IPs
          Action:   Stop Rule Set

      Coaching With URL Configuration
        [✔] Enabled  [✘] Disabled in Cloud
        Applies to: [✔] Requests  [✔] Responses  [✔] Embedded Objects
        Criteria:
          1: Quota.Coaching.IsActivationRequest.Strict<Data Loss Prevention> equals true
          2: OR Quota.Coaching.SessionExceeded<Data Loss Prevention> equals false
          3: OR ICAP.ReqMod.Satisfaction<Lab DLP Servers> equals true

        Rules (Enabled / Rule / Action / Events / Comments):

        [✔] Enabled  Redirecting After Starting New Coaching Session
          Criteria: 1: Quota.Coaching.IsActivationRequest.Strict<Data Loss Prevention> equals true
          Action:   Redirect<Redirection After Coaching Session Activation, nDLP>
          Comment:  This rule redirects the user back to the requested URL after the user started a new session by pushing the button in the HTML Session template.

        [✔] Enabled  Check If Coaching Session Has Been Exceeded
          Criteria: 1: Quota.Coaching.SessionExceeded<Data Loss Prevention> equals true
          Action:   Block<Action Coaching Blocked, nDLP>
          Comment:  This rule shows a block html site for Coaching after the session for Coaching has been exceeded and one of the URLs is in the URL blocklist.


      Message was edited by: John Aldridge (added description of coaching rules)
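As an added example (not from the original post, and not McAfee or nDLP code), the following Python classifies an ICAP REQMOD reply the way the post describes it: a 200 whose Encapsulated header carries the server's own HTTP response (res-hdr, here a 403 block page) is a "satisfaction", which is what a property like ICAP.ReqMod.Satisfaction reflects; a 200 carrying req-hdr is a modified request; 204 means the request passes unmodified. The ICAP messages, ISTag value and the DLP block page are constructed for the example, not captured from a real server.

```python
import re
from dataclasses import dataclass
from typing import Optional

CRLF = "\r\n"

@dataclass
class ReqModResult:
    icap_status: int
    satisfaction: bool          # ICAP server replaced the request with its own HTTP response
    http_status: Optional[int]  # status of that encapsulated response (e.g. 403), if any

def parse_headers(block: str) -> dict:
    """Turn 'Name: value' lines (start line already removed) into a lower-cased dict."""
    headers = {}
    for line in block.split(CRLF):
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_reqmod_response(raw: str) -> ReqModResult:
    """Classify a REQMOD reply by its ICAP status and Encapsulated header (RFC 3507).
    Encapsulated offsets are byte offsets; the constructed samples are ASCII, so str offsets match."""
    icap_head, _, encapsulated = raw.partition(CRLF + CRLF)
    start_line, _, header_block = icap_head.partition(CRLF)
    icap_status = int(start_line.split()[1])
    if icap_status == 204:                      # 204 No Content: request passes unmodified
        return ReqModResult(204, False, None)
    enc = parse_headers(header_block).get("encapsulated", "")
    sections = dict(re.findall(r"([a-z-]+)=(\d+)", enc))
    if "res-hdr" not in sections:               # req-hdr present: a modified request, not a block
        return ReqModResult(icap_status, False, None)
    http_head = encapsulated[int(sections["res-hdr"]):].partition(CRLF + CRLF)[0]
    http_status = int(http_head.split(CRLF)[0].split()[1])
    return ReqModResult(icap_status, True, http_status)

def build_dlp_block_response(block_page: str) -> str:
    """Constructed (not captured) REQMOD satisfaction: ICAP 200 wrapping an HTTP 403 block page."""
    http_head = (f"HTTP/1.1 403 Forbidden{CRLF}Content-Type: text/html{CRLF}"
                 f"Content-Length: {len(block_page)}{CRLF}{CRLF}")
    body = f"{len(block_page):x}{CRLF}{block_page}{CRLF}0{CRLF}{CRLF}"   # ICAP bodies are chunked
    return (f"ICAP/1.0 200 OK{CRLF}ISTag: \"lab-dlp-constructed\"{CRLF}"
            f"Encapsulated: res-hdr=0, res-body={len(http_head)}{CRLF}{CRLF}{http_head}{body}")

# Constructed counterexamples: a header-only modified request, and an unmodified pass-through.
_REQ_HEAD = f"POST /upload HTTP/1.1{CRLF}Host: example.com{CRLF}X-DLP-Scanned: yes{CRLF}{CRLF}"
MODIFIED_REQUEST = (f"ICAP/1.0 200 OK{CRLF}Encapsulated: req-hdr=0, null-body={len(_REQ_HEAD)}"
                    f"{CRLF}{CRLF}{_REQ_HEAD}")
UNMODIFIED = f"ICAP/1.0 204 No Content{CRLF}Encapsulated: null-body=0{CRLF}{CRLF}"
```

Logging the `ReqModResult` on the proxy side is the split-logging workaround the post mentions; it records that the DLP server blocked, but not what the DLP server itself would have logged.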