All the DLP products I have researched require ICAP capability which the PA doesn't support. Does anyone know of a DLP product (network appliance or VM not client based) that will actually work with the decryption broker solution?
Please don't suggest the Palo Alto DLP as it was not adequate in our testing.
I read somewhere else about ForecPoint's poor service, so I will certainly share this info with my friends. DigitalGuardian we haven't tested, so I can only say it looked good from a demo perspective. It is client agent based which we are considering moving too.
We currently use McAfee WebGate with their prevent DLP. McAfee's DLP only supports ICAP so it forces you to pretty much use it with their WebGate. We want to get rid of WebGate and go with PA URL Filtering. To do this, we need a DLP solution, so we were looking for an appliance to do this at the edge but seems they all only support ICAP. Not sure why they can't be route based but I don't design them so.
Also you mentioned that you don't have F5 BIG-IP as it can use internal servers to forward to DLP with ICAP or the F5 have a nice product SSL orchestrator that is like the palo alto decryption broker but also with ICAP support. If you use any other ADC/load balancer you may check if they support icap as the Citrix ADC/Netscaler also supports.
You may ask a test of the support just to have the basic overview if they are good.
Like symantec dlp network monitor many dlp vendors support tcp sniffing of traffic, so if it decrypted they will catch it and maybe use this together with agent?
ICAP doesn't look like it will be supported by PAN-OS from all I've seen, and our architecture isn't set up super well to offload a large number of sessions for DLP and waiting on a reply. It doesn't appear NPB handles explicit TCP proxies (5 tuple change) and TCP syn-cookies in the chain aren't supported. So, some thoughts to help you now:
ICAP is an old and outdated method that vendors keep using for some reason instead of service insertion. Symantec won't change, Forcepoint is dubious at best. However, Symantec can use TAP for DLP monitoring only (no prevent), Forcepoint has an inline server that can decrypt; Digital Guardian, GTB Technologies and Forcepoint also push DLP to endpoint too. What if there were a way to use Palo decryption broker for an ICAP based DLP solution?
You CAN use a squid proxy server running our 5 tuple preserver script to forward on to ICAP-functionality DLP engine. Just saying.
We have gotten evaluations from GTB, DigitalGuardian and tomorrow McAfee's client version. We all really like GTB's product. They are the only ones that have a machine that will do what I am asking, but based on the demo, we are looking more at the client app vs network appliance. We will still use the network appliance for email DLP.
We will probably be doing a proof of concept evaluation in the next few weeks. I will share what we go with.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!