DLP product that will integrate with PA decryption broker?


L2 Linker

All the DLP products I have researched require ICAP capability which the PA doesn't support.  Does anyone know of a DLP product (network appliance or VM not client based) that will actually work with the decryption broker solution?


Please don't suggest the Palo Alto DLP as it was not adequate in our testing.


L4 Transporter

I have a few customers using F5 as the hardware to encrypt/decrypt broker traffic. The F5 supports ICAP, which is utilized by Symantec for DLP. 

Help the community! Add tags & mark solutions please.

L2 Linker

I would prefer to keep all the encrypt/decrypt on the PA FW.  We also don't have F5's.  We currently have McAfee DLP Prevent but are looking for a new solution that will integrate with the PA FW.


L4 Transporter

Perhaps I misunderstood your query. My understanding is decryption broker exists specifically to offload encrypt/decrypt traffic to another device, like F5. 

So your ask of a decryption broker while trying to keep all encrypt/decrypt on the PA FW is at odds, to me.

L2 Linker

Per this article, it is the opposite. The PA FW decrypts the traffic, sends the unsecured traffic to a 3rd-party device for inspection, and the traffic comes back to the FW, gets re-encrypted, and is sent out.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-broker/decryption-br...

L4 Transporter

You are correct, thanks for jogging the memory. After revisiting that document I recall that we did passthrough of SSL to F5. However, something to look into would be network packet broker with Palo 10.1 here. Not currently seeing the no ICAP limitation here.


L2 Linker

Just had a conversation with my SE about this today. Network broker is an upgraded decryption broker, but it still won't support ICAP connectivity with devices that require ICAP. ICAP has been a feature request for years, but it's very limited and slow, so PA probably will never add it.

I'm looking for DLP products/suggestions that will work with the decryption broker (non-ICAP based). We want to get rid of our current proxy, as the PA FW will do everything it does plus more. We just need a DLP solution. We may just have to scrap the network DLP and go with a client agent-based DLP solution.

For agent-based, go with Symantec, as Forcepoint has bugs upon bugs and the support is even worse. Also check with Palo Alto, as they have a DLP solution as of PAN-OS 10 that integrates with the firewall, and if you primarily use Microsoft cloud services, Microsoft has DLP for Office 365.

https://docs.paloaltonetworks.com/enterprise-dlp.html

Also, Symantec DLP can be used with a REST API and not only ICAP, so you can send the data from Palo Alto to a server that listens and then use the REST API to send it to Symantec:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-s...

For such tasks, maybe even the decryption port mirror will be enough without the decryption broker, if the server that will get the data and send it by REST API to the DLP is right next to the Palo Alto firewall:


https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-decryption-port-mirr...

Thanks for the feedback on Forcepoint, as we were planning to check that out. We had a demo of DigitalGuardian earlier in the week, which looked really good for an agent-based solution. We have a call with GTB tomorrow. Others on the team are not impressed with Symantec; I have not personally looked at it.

The Palo Alto DLP solution did not pass our testing. It did not support many file types. We wanted to go with this solution, but I think it was released prematurely.


Jesse

We use Forcepoint and regret it! Their agent does not work on the new Apple Mac computers, and it may get fixed in 6 months or a year (we have had this issue for 6 months as of now), so if DigitalGuardian is good and you can upload files without ICAP, maybe they will be better, but I have not worked with them, so I can't tell.
