Enterprise DLP
Configure ICAP Forwarding
Configure Internet Content Adaptation Protocol (ICAP) forwarding to integrate your
existing on-premises third-party DLP solutions with Enterprise Data Loss Prevention (E-DLP).
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP
addresses to improve performance and expand availability for these services
globally.
You must allow these new service IP addresses on your network
to avoid disruptions for these services. Review the Enterprise DLP
Release Notes for more
information.
Where Can I Use This? | What Do I Need? |
---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
Enterprise DLP generates an audit log when you initially configure ICAP forwarding and when you modify an existing ICAP forwarding configuration. Enterprise DLP does not generate an audit log when you test the connectivity between Enterprise DLP and your ICAP server.
Enterprise DLP supports ICAP forwarding for inline inspection of traffic
forwarded from NGFW and Prisma Access tenants (Managed by Panorama or Strata Cloud Manager).
Enterprise DLP doesn't support ICAP forwarding for Email DLP, Endpoint DLP,
or SaaS Security traffic.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > ICAP and toggle the Disabled radio button to enable ICAP for your Enterprise DLP tenant.
3. Select the Type of ICAP connection you're using (ICAP or ICAPS).
   The primary difference between the ICAP and ICAPS protocols is that ICAPS uses SSL/TLS encryption to secure communication between Enterprise DLP and your ICAP server, while ICAP does not.
4. For the Server REQMOD URL, enter the URL of your ICAP server that accepts ICAP requests for your on-premises third-party DLP solution.
   Your ICAP server URL can also include the port number your ICAP server uses for communication. If you don't enter a port number in the server URL, Enterprise DLP uses port 1344 for unsecured ICAP connections and port 11344 for secured ICAPS connections.
5. For the Server Certificate, drag and drop or click Browse File to upload a signed certificate authority (CA) certificate to enable authentication and communication between Enterprise DLP and your ICAP server.
   Enterprise DLP supports CA certificates in PEM format.
   Enterprise DLP requires that you upload a CA certificate for ICAP connections.
6. Test the connection between Enterprise DLP and your ICAP server.
   Enterprise DLP requires that you test the connection between Enterprise DLP and your ICAP server before you can save your ICAP forwarding configuration. The connectivity test must return Success before you can Save your ICAP forwarding configuration.
   - Success—Enterprise DLP successfully connected to your ICAP server.
   - Failed—Enterprise DLP couldn't successfully connect to your ICAP server due to one of the following reasons:
     - You configured the ICAP server network information incorrectly. Review your ICAP server URL, port, and server certificate to confirm you entered the correct information. Test the connectivity again after your review.
     - You entered your ICAP server configuration correctly but Enterprise DLP couldn't connect to your ICAP server due to an internal issue. Test the connectivity again.
7. Save your ICAP forwarding configuration.
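Before running the in-product connectivity test, you can check the same three inputs (URL, port, CA certificate) yourself. The following is an added example, not Palo Alto Networks code: it applies the default ports described above, sends an ICAP OPTIONS request, and for ICAPS verifies the server against your CA PEM file. The `icap://` and `icaps://` URL forms and the host name in the comments are assumptions.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Ports this page says Enterprise DLP assumes when the URL omits one.
DEFAULT_PORTS = {"icap": 1344, "icaps": 11344}

def parse_icap_url(url):
    """Split a REQMOD URL into (scheme, host, port, service path)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"expected icap:// or icaps:// URL, got {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme], parts.path or "/"

def build_options_request(url):
    """Build an RFC 3507 OPTIONS request for the service in the URL."""
    _, host, port, path = parse_icap_url(url)
    # RFC 3507 defines only the icap:// scheme, so the request line uses it
    # even when the transport is TLS (assumption: the server accepts this).
    return (f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_options_response(raw):
    """Return (status code, methods advertised in the Methods header)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    proto, _, rest = lines[0].partition(" ")
    if not proto.startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()]
    return int(rest.split(" ")[0]), methods

def probe(url, ca_pem=None, timeout=5.0):
    """Send OPTIONS; for icaps, verify the server against ca_pem first."""
    scheme, host, port, _ = parse_icap_url(url)
    sock = socket.create_connection((host, port), timeout=timeout)
    if scheme == "icaps":
        # With cafile set, only that CA is trusted; the host name is checked too.
        ctx = ssl.create_default_context(cafile=ca_pem)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_options_request(url))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_options_response(raw)
# Example call (hypothetical host): probe("icaps://icap.example.internal/reqmod", "ca.pem")
```

A healthy server returns status 200 with `REQMOD` among the advertised methods. This probe runs from your own host, so it confirms the server, port, and certificate chain but not the network path from Enterprise DLP to the server.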