Data Loss Prevention

  • 1.  DLP Webprevent | How to debug or verify data from web gateway has been processed correctly?

    Posted Jan 25, 2016 10:15 AM

    I know there is webprevent0.log, but are there any other logs or references that we should check?

    We are integrating a web gateway with the server, but somehow the test violation failed to be triggered...

    Does it mean the DLP did not accept the data, or that the data being forwarded is not enough?



  • 2.  RE: DLP Webprevent | How to debug or verify data from web gateway has been processed correctly?

    Posted Jan 26, 2016 04:53 PM

    There are several factors I would cross-check in this case:

    1.) Connection Validation:

    Perform a netstat -ano | find "1344" to identify whether: (a) there is a port listening on the Web Prevent on 1344 and (b) there is an active Proxy-WebPrevent session in the "ESTABLISHED" state.

    2.) Traffic Validation

    Once the connection and active data transfer are verified, install and run a packet capture (I would run Wireshark) with an IP/port filter to confirm that we are receiving traffic from the proxy.

    3.) Type of Traffic Validation

    We know there is traffic; however, we need to ensure that it is not encrypted or under some kind of unsupported encapsulation. This can be verified by simply examining the Wireshark packets. You could even go to the extent of searching in Wireshark for the "confidential keywords" you are attempting to upload for testing. Ideally just the "find" option in Wireshark works; otherwise you could also try tcp contains testkeyword in the filter section of Wireshark.

    4.) Policy application and other checks, once we know the right traffic is reaching the Web Prevent servers.
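    The three checks in the reply above, worked through offline as an added example (this is not code from the original thread or from the DLP product). It assumes the Web Prevent ICAP listener is on TCP 1344 (the port the reply greps for), that 10.0.0.10 is the DLP server and 10.0.0.5 is the proxy (both constructed addresses), and that every netstat line and packet payload in it is constructed sample data rather than a real capture. Step 1 parses netstat output for a listener and ESTABLISHED peers on the port; steps 2 and 3 build a well-formed cleartext ICAP REQMOD request so you can see what the proxy's traffic should look like, tell it apart from a TLS record that Web Prevent cannot inspect, and apply the same test as Wireshark's tcp contains filter for the test keyword.

```python
"""Offline version of the three checks in the reply above (added example, not
code from the original thread or from the DLP product).

Assumptions, none of which come from the post: the Web Prevent ICAP listener is
on TCP 1344 (the port the reply greps for), 10.0.0.10 is the DLP server and
10.0.0.5 is the proxy (both constructed), and every netstat line and packet
payload below is constructed sample data rather than a real capture.
"""
import re

ICAP_PORT = 1344

# Constructed `netstat -ano` output as it would appear on a Windows DLP host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1344           0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.10:1344         10.0.0.5:51234         ESTABLISHED     4120
  TCP    10.0.0.10:3389         10.0.0.7:50001         ESTABLISHED     812
  UDP    0.0.0.0:161            *:*                                    1020
"""


def check_connections(netstat_text, port=ICAP_PORT):
    """Step 1: is anything listening on `port`, and which peers are ESTABLISHED to it?"""
    listening = False
    peers = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":      # UDP rows carry no state column
            continue
        local, foreign, state = parts[1], parts[2], parts[3]
        if not local.endswith(":%d" % port):
            continue
        if state == "LISTENING":
            listening = True
        elif state == "ESTABLISHED":
            peers.append(foreign.rsplit(":", 1)[0])  # strip the ephemeral port
    return listening, peers


def build_icap_reqmod(server_host, http_headers, http_body):
    """Constructed REQMOD request of the kind a proxy sends for an upload.

    The Encapsulated offsets are computed from the real lengths so the sample is
    well formed; the HTTP body is sent as a single chunk plus terminator.
    """
    body_chunk = b"%x\r\n%s\r\n0\r\n\r\n" % (len(http_body), http_body)
    icap_headers = (
        b"REQMOD icap://%s:%d/reqmod ICAP/1.0\r\n" % (server_host.encode(), ICAP_PORT)
        + b"Host: %s\r\n" % server_host.encode()
        + b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_headers)
    )
    return icap_headers + http_headers + body_chunk


HTTP_BODY = b"project-x confidential"            # constructed test-keyword content
HTTP_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: %d\r\n\r\n" % len(HTTP_BODY))

# Constructed TCP payloads as a Wireshark filter on the proxy IP and port 1344 would
# show them: one cleartext ICAP request and one TLS record (type 0x16 = handshake).
TLS_SAMPLE = b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32
SAMPLE_PAYLOADS = [build_icap_reqmod("10.0.0.10", HTTP_HEADERS, HTTP_BODY), TLS_SAMPLE]


def classify_payload(payload):
    """Step 3: distinguish inspectable ICAP from TLS or an unrecognised encapsulation."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"
    if re.match(rb"(REQMOD|RESPMOD|OPTIONS) icap://", payload):
        return "icap"
    return "unknown"


def payload_contains(payload, keyword):
    """Same test as Wireshark's `tcp contains <keyword>` applied to one segment."""
    return keyword.encode() in payload


def validate_traffic(payloads, keyword):
    """Steps 2-3 combined: what kinds of traffic arrived, and was the keyword visible?"""
    report = {"icap": 0, "tls": 0, "unknown": 0, "keyword_hits": 0}
    for payload in payloads:
        kind = classify_payload(payload)
        report[kind] += 1
        if kind == "icap" and payload_contains(payload, keyword):
            report["keyword_hits"] += 1
    return report


if __name__ == "__main__":
    listening, peers = check_connections(SAMPLE_NETSTAT)
    print("listening on %d: %s, established from: %s" % (ICAP_PORT, listening, peers))
    print(validate_traffic(SAMPLE_PAYLOADS, "confidential"))
```

    To use it against a live host, replace SAMPLE_NETSTAT with the real netstat -ano output and SAMPLE_PAYLOADS with the TCP payloads exported from the capture; a report showing TLS or unknown traffic with zero keyword hits points at the proxy side (encryption or encapsulation) rather than at the DLP policy.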



  • 3.  RE: DLP Webprevent | How to debug or verify data from web gateway has been processed correctly?

    Posted Jan 26, 2016 07:49 PM

    Hi leadvue,

    Thanks for the tips, we have done the Wireshark capture from the web gateway and managed to solve the issue.

    So basically at the DLP server end we can only check the below:


    1) webprevent_0.log

    2) Web prevent ICAP set to 'any'

    3) netstat information

    Let me know if there is other info we can see from the DLP server side.

    Thanks again!