All the DLP products I have researched require ICAP capability which the PA doesn't support. Does anyone know of a DLP product (network appliance or VM not client based) that will actually work with the decryption broker solution?
Please don't suggest the Palo Alto DLP as it was not adequate in our testing.
Perhaps I misunderstood your query. My understanding is decryption broker exists specifically to offload encrypt/decrypt traffic to another device, like F5.
So your ask of a decryption broker, while trying to keep all encrypt/decrypt on the PA FW, is at odds, to me.
Per this article, it is the opposite. The PA FW decrypts the traffic, sends the unsecured traffic to a 3rd-party device for inspection, then the traffic comes back to the FW, gets re-encrypted, and is sent out.
You are correct, thanks for jogging the memory. After revisiting that document I recall that we did passthrough of SSL to F5. However, something to look into would be network packet broker with Palo 10.1 here. Not currently seeing the no ICAP limitation here.
Just had a conversation with my SE about this today. Network broker is an upgraded decryption broker, but it still won't support ICAP connectivity with devices that require ICAP. ICAP has been a feature request for years, but it's very limited and slow, so PA probably will never add it.
I'm looking for DLP products/suggestions that will work with the decryption broker (non-ICAP based). We want to get rid of our current proxy, as the PA FW will do everything it does, plus more. We just need a DLP solution. We may just have to scrap the network DLP and go with a client agent-based DLP solution.
For agent-based, go with Symantec, as Forcepoint has bugs upon bugs and the support is even worse. Also check with Palo Alto, as they have a DLP solution as of PAN-OS 10 that integrates with the firewall, and if you primarily use Microsoft cloud services, Microsoft has DLP for Office 365.
Also, Symantec DLP can be used with a REST API and not only ICAP, so you can send the data from Palo Alto to a server that listens and then use the REST API to send it to Symantec:
For such tasks, maybe even the decryption port mirror will be enough, without the decryption broker, if the server that will get the data and send it by REST API to the DLP is right next to the Palo Alto firewall:
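As an added illustration of the "listening server that forwards to the DLP over REST" design described in the two replies above (not code from the poster, Palo Alto or Symantec), the script below takes one decrypted HTTP request, as it would arrive from the firewall's decryption port mirror or decryption broker, pulls the uploaded files out of the multipart body, and packages them for a DLP REST endpoint. The sample request is constructed; the DLP endpoint URL, bearer-token header and JSON payload shape are assumptions for the sake of the example, since the real Symantec DLP REST schema is not shown on this page and would need to be taken from the vendor's documentation.

```python
import base64
import json
import os
import urllib.request
from email.parser import BytesParser
from email.policy import default

# Constructed sample: one decrypted HTTP upload, the kind of request a
# port-mirror / decryption-broker listener would hand to the DLP. Not real traffic.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=XYZ\r\n"
    b"\r\n"
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Quarterly numbers - internal only\r\n"
    b"--XYZ--\r\n"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_uploads(raw: bytes):
    """Return the file parts of a multipart/form-data upload (empty if none)."""
    method, _path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if method not in ("POST", "PUT") or not ctype.startswith("multipart/form-data"):
        return []
    # Re-use the stdlib MIME parser by prefixing the body with its Content-Type.
    msg = BytesParser(policy=default).parsebytes(
        b"Content-Type: " + ctype.encode("latin-1") + b"\r\n\r\n" + body
    )
    uploads = []
    for part in msg.iter_parts():
        if part.get_filename():  # only parts that carry a file, not plain form fields
            uploads.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "data": part.get_payload(decode=True),
            })
    return uploads


def build_dlp_submission(src_ip: str, raw: bytes) -> dict:
    """Build the JSON document sent to the DLP. The field names are an assumed
    shape for this example, not Symantec's documented schema."""
    method, path, headers, _body = parse_http_request(raw)
    return {
        "source_ip": src_ip,
        "destination": headers.get("host", ""),
        "request": f"{method} {path}",
        "files": [
            {
                "name": u["filename"],
                "content_type": u["content_type"],
                "content_base64": base64.b64encode(u["data"]).decode("ascii"),
            }
            for u in extract_uploads(raw)
        ],
    }


def forward_to_dlp(submission: dict, endpoint: str, api_token: str, timeout: float = 10.0) -> int:
    """POST the submission to the (assumed) DLP REST endpoint; returns HTTP status."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps(submission).encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {api_token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    submission = build_dlp_submission("10.0.0.5", SAMPLE_REQUEST)
    print(json.dumps(submission, indent=2))
    # Only talks to a DLP when DLP_ENDPOINT is set (hypothetical environment variable).
    endpoint = os.environ.get("DLP_ENDPOINT")
    if endpoint:
        print("DLP responded with status", forward_to_dlp(submission, endpoint, os.environ.get("DLP_TOKEN", "")))
```

In a real deployment the bytes fed to `extract_uploads` would come from whatever captures the mirrored or brokered stream (a packet capture on the listening interface or a transparent proxy in the broker path), and the DLP's own verdict would have to be mapped back to an allow/block decision; with the port-mirror design mentioned above the copy is inspect-only, so blocking is not possible, which is the trade-off between the two options.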
Thanks for the feedback on Forcepoint, as we were planning to check that out. We had a demo of DigitalGuardian earlier in the week, which looked really good for an agent-based solution. We have a call with GTB tomorrow. Others on the team are not impressed with Symantec; I have not personally looked at it.
The Palo Alto DLP solution did not pass our testing. It did not support many file types. We wanted to go with this solution but I think it was released prematurely.
We use Forcepoint and regret it! Their agent does not work on the new Apple Mac computers and it may get fixed in 6 months or a year (we have had this issue for 6 months as of now), so if DigitalGuardian is good and you can upload files without ICAP, maybe they will be better, but I have not worked with them, so I can't tell.