DLP product that will integrate with PA decryption broker?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

DLP product that will integrate with PA decryption broker?

L2 Linker

All the DLP products I have researched require ICAP capability which the PA doesn't support.  Does anyone know of a DLP product (network appliance or VM not client based) that will actually work with the decryption broker solution?


Please don't suggest the Palo Alto DLP as it was not adequate in our testing.


L5 Sessionator

I have a few customers using F5 as the hardware to encrypt/decrypt broker traffic. The F5 supports ICAP, which is utilized by Symantec for DLP. 

Help the community! Add tags and mark solutions please.

L2 Linker

I would prefer to keep all the encrypt/decrypt on the PA FW.  We also don't have F5's.  We currently have McAfee DLP Prevent but are looking for a new solution that will integrate with the PA FW.


L5 Sessionator

Perhaps I misunderstood your query. My understanding is decryption broker exists specifically to offload encrypt/decrypt traffic to another device, like F5. 


So your ask of a decryption broker, while trying to keep all encrypt/decrypt on the PA FW are at odds, to me. 

Help the community! Add tags and mark solutions please.

L2 Linker

Per this article, it is the opposite.  The PA FW decrypts the traffic, sends the unsecure traffic to a 3rd party device for inspection, the traffic comes back to the FW gets re-encrypted and sent out.    


L5 Sessionator

You are correct, thanks for jogging the memory. After revisiting that document I recall that we did passthrough of SSL to F5. However, something to look into would be network packet broker with Palo 10.1 here. Not currently seeing the no ICAP limitation here.

Help the community! Add tags and mark solutions please.

L2 Linker

Just had a conversation with my SE about this today.  Network broker is an upgraded decryption broker but it still won't support ICAP connectivity with devices that require ICAP.  ICAP has been a feature request for years but its very limited and slow, so PA probably will never add it.  


I looking for DLP products/suggestions that will work with the decryption broker (non ICAP based).  We want to get rid of our current proxy as the PA FW will do all plus more than it will do.  We just need a DLP solution.  We may just have to scrap the network DLP and go with an client agent based DLP solution.



For Agent based go with Symantec as Forcepoint has bugs over bugs than the support is just even worse. Also check with Palo Alto as they have DLP solution as of PANOS 10 as of now that integrates with the firewall and if you use primary microsoft cloud stuff the microsoft has DLP for office 365.






Also symantec dlp can be used also with REST-API and not only ICAP, so you can send the data from palo alto to a server that listens and then use the rest api to send it to Symantec:









For such tasks maybe even the decryption port mirror will be enough without decryption broker if the server that will get the data and send it by rest-api to the dlp is right next to the palo alto firewall:



Thanks for the feedback on Forcepoint as we were planning to check that out.  We had a demo of DigitalGuardian earlier in the week which looked really good for an agent based.  We have a call with GTB tomorrow.  Others on the team are not impressed with Symantec, I have not personally looked at it.  


The Palo Alto DLP solution did not pass our testing.  It did not support many file types.  We wanted to go with this solution but I think it was released prematurely.  



We use forcepoint and regret it! Their agent does not work on the new Apple MAC computer devices and it may get fixed in 6 months or year (we have this issue 6 months as of now), so if DigitalGuardian is good and you can upload files without ICAP maybe they will be better but I have not worked with them, so I can't tell.

I read somewhere else about ForecPoint's poor service, so I will certainly share this info with my friends.  DigitalGuardian we haven't tested, so I can only say it looked good from a demo perspective.  It is client agent based which we are considering moving too.


We currently use McAfee WebGate with their prevent DLP.  McAfee's DLP only supports ICAP so it forces you to pretty much use it with their WebGate.  We want to get rid of WebGate and go with PA URL Filtering.  To do this, we need a DLP solution, so we were looking for an appliance to do this at the edge but seems they all only support ICAP.  Not sure why they can't be route based but I don't design them so.  

Also you mentioned that you don't have F5 BIG-IP as it can use internal servers to forward to DLP with ICAP or the F5 have a nice product SSL orchestrator that is like the palo alto decryption broker but also with ICAP support. If you use any other ADC/load balancer you may check if they support icap as the Citrix ADC/Netscaler also supports.



You may ask a test of the support just to have the basic overview if they are good.


Like symantec dlp network monitor many dlp vendors support tcp sniffing of traffic, so if it decrypted they will catch it and maybe use this together with agent?

L5 Sessionator

ICAP doesn't look like it will be supported by PAN-OS from all I've seen, and our architecture isn't set up super well to offload a large number of sessions for DLP and waiting on a reply. It doesn't appear NPB handles explicit TCP proxies (5 tuple change) and TCP syn-cookies in the chain aren't supported. So, some thoughts to help you now:


ICAP is an old and outdated method that vendors keep using for some reason instead of service insertion. Symantec won't change, Forcepoint is dubious at best. However, Symantec can use TAP for DLP monitoring only (no prevent), Forcepoint has an inline server that can decrypt; Digital Guardian, GTB Technologies and Forcepoint also push DLP to endpoint too. What if there were a way to use Palo decryption broker for an ICAP based DLP solution?


You CAN use a squid proxy server running our 5 tuple preserver script to forward on to ICAP-functionality DLP engine. Just saying.

Help the community! Add tags and mark solutions please.

Retired Member
Not applicable

What DLP can you recommend now that you have tested several?

We have gotten evaluations from GTB, DigitalGuardian and tomorrow McAfee's client version.  We all really like GTB's product.  They are the only ones that have a machine that will do what I am asking, but based on the demo, we are looking more at the client app vs network appliance.  We will still use the network appliance for email DLP.

We will probably be doing a proof of concept evaluation in the next few weeks.  I will share what we go with.

  • 16 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!