PA and icap?

Reply
L1 Bithead

Re: PA and icap?

Dyang, my recommendation is that Palo Alto work with top DLP vendors to figure out some sort of DLP solution; it doesn't have to be ICAP. The Palo Alto strategy is not realistic for most customers, and I've seen PA lose a number of engagements to customers who want a real DLP strategy. The fact that Palo Alto doesn't integrate with anyone out of the box is an issue. I haven't run into a customer yet that wants to create custom connectors with the API. If you put anything in Gartner, which I don't, at least Check Point has a more robust DLP strategy.

That's just my 2 cents. We work with a ton of customers, and a lot of PA customers, and this (and GlobalProtect) are my only two complaints against the platform.

L5 Sessionator

Re: PA and icap?

Agreed. We have reached out to vendors such as Symantec to see if there's something that we can do to at least provide a viable solution for our customers. We have not made any progress to date, but you'll certainly hear about it once there is something to report!

L6 Presenter

Re: PA and icap?

Regarding those scores, thanks ;-)

Regarding those proxies, another example is WildFire.

Even if the PA hardware design most likely cannot be used with ICAP in a hold-and-forward mode (that is: the client clicks on a link, the PA downloads the file, sends it to ICAP, gets the response and, if negative (that is, nothing bad was found), forwards the file to the client), at least not at 10+ Gbit/s speeds (because the management plane would need to be part of this), it should perhaps be possible to make it one-way, the same way as with WildFire. This way, as with WildFire, the files can be buffered by the management plane, and to some extent it doesn't matter whether the file was scanned now or a few seconds later (due to high load).

That is: the client downloads the file, but instead of sending it to WildFire the PA device sends it via ICAP to an ICAP server. The response will then later be attached to the log. This won't bring you DLP (as in prevention) but at least DLD (as in detection); the question here might be whether this is enough (at least it would be enough for those who accept DLD).

Perhaps something for PA to consider for upcoming hardware releases?

The same goes (if we speak about DLP) for that 7-byte limit (your signature must look for 7 bytes or more)...
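The one-way flow sketched in the post above (send the already-delivered object to an ICAP server, attach the verdict to the log later) is an ICAP RESPMOD exchange. The following is an added example, not code from the original thread or from Palo Alto Networks or any DLP vendor: a minimal RFC 3507 RESPMOD client that builds the request, parses the reply and turns the ICAP status into a detection-only log record. The server name, service path, HTTP exchange and the ICAP replies are constructed for illustration. Note the failure handling: a malformed reply or a transport error is logged as a scan error, never as "clean".

```python
"""Added example: one-way (detect-and-log) ICAP RESPMOD client, RFC 3507."""
import re
import socket

ICAP_PORT = 1344  # IANA-registered ICAP port

def chunked(body: bytes) -> bytes:
    """HTTP/1.1 chunked encoding: a single chunk plus the zero-length terminator."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)

def build_respmod(server: str, service: str, req_hdr: bytes,
                  res_hdr: bytes, body: bytes) -> bytes:
    """Assemble an ICAP RESPMOD request (RFC 3507 section 4.8.3).

    Encapsulated lists the byte offset of each embedded section; the body is
    chunked. "Allow: 204" lets the server answer "204 No Content" instead of
    echoing the whole response back when it has nothing to change.
    "Connection: close" makes the reply EOF-delimited, which keeps the reader trivial.
    """
    for blk in (req_hdr, res_hdr):
        if not blk.endswith(b"\r\n\r\n"):
            raise ValueError("encapsulated header block must end with CRLF CRLF")
    res_hdr_off = len(req_hdr)
    res_body_off = res_hdr_off + len(res_hdr)
    icap_hdr = (
        f"RESPMOD icap://{server}/{service} ICAP/1.0\r\n"
        f"Host: {server}\r\n"
        "Allow: 204\r\n"
        "Connection: close\r\n"
        f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, res-body={res_body_off}\r\n\r\n"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + chunked(body)

_STATUS_RE = re.compile(rb"^ICAP/1\.0 (\d{3})(?: |$)")

def parse_icap_response(raw: bytes):
    """Return (status, headers, encapsulated_bytes) from a raw ICAP reply."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated ICAP response (no end of headers)")
    lines = head.split(b"\r\n")
    m = _STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an ICAP/1.0 status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    if "istag" not in headers:  # mandatory in every ICAP response (RFC 3507 4.7)
        raise ValueError("ICAP response is missing the ISTag header")
    return int(m.group(1)), headers, rest

def verdict(status: int) -> str:
    """Map the ICAP status to the outcome of a detection-only scan."""
    if status == 204:
        return "clean"        # server chose not to modify: no policy match
    if status == 200:
        return "policy-hit"   # server returned a replacement (e.g. a block page)
    if status >= 400:
        return "scan-error"   # 4xx/5xx: unscanned, never treated as clean
    return "unknown"

def send_icap(server: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Blocking transport: one request, read the reply until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(request)
        parts = []
        while True:
            data = s.recv(65536)
            if not data:
                return b"".join(parts)
            parts.append(data)

def scan_and_log(server, service, req_hdr, res_hdr, body, url, transport=None):
    """Ship an already-delivered object to the DLP server and record the outcome.
    `transport` (bytes -> bytes) lets tests inject a canned reply instead of a socket."""
    request = build_respmod(server, service, req_hdr, res_hdr, body)
    send = transport or (lambda req: send_icap(server, ICAP_PORT, req))
    try:
        status, headers, _ = parse_icap_response(send(request))
        outcome = verdict(status)
    except (OSError, ValueError):
        status, headers, outcome = None, {}, "scan-error"
    return {"url": url, "bytes": len(body), "icap_status": status,
            "istag": headers.get("istag"), "verdict": outcome}

# Constructed sample data (not captured from any real system).
SAMPLE_REQ_HDR = b"GET /reports/q3.csv HTTP/1.1\r\nHost: fileserver.example.internal\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/csv\r\n\r\n"
SAMPLE_BODY = b"name,ssn\nA. Person,123-45-6789\n"
SAMPLE_204 = b'ICAP/1.0 204 No Content\r\nISTag: "dlp-policy-42"\r\n\r\n'
_BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
SAMPLE_200 = (b'ICAP/1.0 200 OK\r\nISTag: "dlp-policy-42"\r\n'
              b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(_BLOCK_HDR)
              + _BLOCK_HDR + chunked(b"blocked"))

if __name__ == "__main__":
    for reply in (SAMPLE_204, SAMPLE_200, b"garbage"):
        print(scan_and_log("dlp.example.internal", "respmod", SAMPLE_REQ_HDR,
                           SAMPLE_RES_HDR, SAMPLE_BODY,
                           "http://fileserver.example.internal/reports/q3.csv",
                           transport=lambda _req, r=reply: r))
```

Because the object has already reached the client by the time the reply arrives, the only enforcement this buys is what you do with the log afterwards; that is exactly the DLD-not-DLP trade-off the post describes.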

L4 Transporter

Re: PA and icap?

Hey all, I have Symantec DLP 11.6 deployed with PAN in a few places. For the integration, Symantec uses PCAP (SPAN or mirror ports) to do network detection, and the response is to mark up the messages (ICAP and X-Forward for web and email). What we recommend is creating a FlexResponse (Symantec-specific) which makes an XML call and can take a quick action on the user (so far this isn't fast enough to stop it, because we don't have a way to instantly send the user a block page, or at least haven't found one). @jmahoney I think we should put a thread together like the SIEM one, with a point person assigned for each DLP platform. Just like ArcSight and RSA and others put their SIEM integration and docs on the forum, there should be an integration for each documented here.

For Symantec Email Prevent there is no integration required; for Web Prevent this ICAP integration will likely need to be supplemented with a better FlexResponse.

As for the others, without ICAP we'd need a way to call the XML API quickly to do something (block URL is the most common), but without doing a commit.

Anyway, happy to work on this with you guys; we are a CPSP and ASC and go-to partner with Symantec DLP at least.
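The "quick action, but without a commit" the post above is after maps onto one specific PAN-OS XML API call: the `type=user-id` request that registers a tag on an IP address. Tags registered this way populate a dynamic address group as soon as the call returns, with no commit, so a security policy that already references that group (for example a deny rule for a quarantine group) applies to the tagged host on its next session. The block below is an added example, not the thread's own code, Symantec's FlexResponse plugin, or Palo Alto Networks' SDK: it builds the `uid-message` document, the POST for `/api/`, and parses the `<response status="...">` envelope. The firewall name, API key, IP and tag name are placeholders, and `transport` is injected so the example runs offline against constructed replies.

```python
"""Added example: commit-free IP tagging via the PAN-OS XML API (type=user-id)."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

def build_uid_message(ip: str, tags, action: str = "register") -> str:
    """Build the <uid-message> body that registers (or unregisters) tags on an IP.

    The host IP must be a literal address: anything else (a hostname, a CIDR,
    a stray XML fragment from an upstream event) is rejected before it reaches
    the firewall.
    """
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    ipaddress.ip_address(ip)  # raises ValueError on anything but a host address
    tags = list(tags)
    if not tags or any(not t or "<" in t for t in tags):
        raise ValueError("at least one plain tag name is required")
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    block = ET.SubElement(ET.SubElement(msg, "payload"), action)
    entry = ET.SubElement(block, "entry", ip=ip)
    tag = ET.SubElement(entry, "tag")
    for t in tags:
        ET.SubElement(tag, "member").text = t
    return ET.tostring(msg, encoding="unicode")

def build_api_call(firewall: str, api_key: str, uid_xml: str):
    """Return (url, form-encoded body) for POST https://<fw>/api/ with type=user-id.

    Sending key and XML in the POST body rather than the query string keeps
    them out of proxy and web-server access logs.
    """
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return f"https://{firewall}/api/", body

def parse_api_response(body: str):
    """Parse the XML API envelope: (ok, message) where ok means status="success"."""
    root = ET.fromstring(body)
    if root.tag != "response":
        raise ValueError("unexpected root element %r" % root.tag)
    ok = root.get("status") == "success"
    message = " ".join(t.strip() for t in root.itertext() if t.strip())
    return ok, message

def tag_host(firewall: str, api_key: str, ip: str, tag: str, transport, action="register"):
    """Tag (or untag) one host and return the parsed result. `transport` is a
    callable (url, body) -> response text; a real deployment would use an HTTPS
    client with the firewall's certificate pinned or verified."""
    uid_xml = build_uid_message(ip, [tag], action)
    url, body = build_api_call(firewall, api_key, uid_xml)
    return parse_api_response(transport(url, body))

# Constructed sample replies in the documented envelope shape.
SAMPLE_OK = '<response status="success"></response>'
SAMPLE_ERR = ('<response status="error" code="403"><result><msg>'
              'Invalid credential</msg></result></response>')

if __name__ == "__main__":
    fake = lambda url, body: SAMPLE_OK  # placeholder transport; no network used
    print(tag_host("fw1.example.internal", "PLACEHOLDER-KEY", "10.1.2.3",
                   "dlp-quarantine", fake))
```

Pair the `register` with a later `unregister` (or a timed release in whatever automation calls this) so a quarantine does not outlive the incident, and keep the API key on a dedicated admin role that is limited to the user-id API.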
