Understanding logging and alerting for ICAP

Describes logs and alerts related to ICAP activities.

Errors and Response Logs

Files sent via ICAP have an Action tag of ICAP under the Audit tab on the API Logs page (Analyze > Logs > API).



The Details section of the log entry includes the applicable response code and description from the list below, including the entry for other responses with content modified:

  • 204 - ICAP DLP Policy Passed
  • 400 - Bad ICAP Request
  • 404 - ICAP Service not found
  • 405 - ICAP method (REQMOD/RESPMOD) not allowed
  • 408 - ICAP request timeout
  • 500 - ICAP server error
  • 501 - ICAP method not implemented
  • 502 - ICAP proxy error
  • 503 - ICAP server connection limit exceeded
  • 505 - ICAP v1.0 not supported by ICAP server
  • All other responses with content modified - ICAP DLP Policy Failed
  • If there is no response from the ICAP server for more than 60 seconds for a given transaction, the Details will display ICAP Server Unresponsive.
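
The mapping above, written as triage logic that separates DLP verdicts from ICAP transport errors in exported log rows. This is an added example, not Forcepoint code; the CSV column names (`action`, `icap_code`, `content_modified`, `elapsed_s`), the `pending` and `unclassified` categories, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

ICAP_ERRORS = {  # code-to-description pairs as listed on this page
    400: "Bad ICAP Request",
    404: "ICAP Service not found",
    405: "ICAP method (REQMOD/RESPMOD) not allowed",
    408: "ICAP request timeout",
    500: "ICAP server error",
    501: "ICAP method not implemented",
    502: "ICAP proxy error",
    503: "ICAP server connection limit exceeded",
    505: "ICAP v1.0 not supported by ICAP server",
}
UNRESPONSIVE_AFTER_S = 60  # per the page: no response for more than 60 seconds


def classify(code, content_modified, elapsed_s):
    """Return (category, details) for one ICAP transaction."""
    if code is None:  # no reply recorded for this transaction
        late = elapsed_s > UNRESPONSIVE_AFTER_S
        return ("unresponsive", "ICAP Server Unresponsive") if late else ("pending", "")
    if code == 204:
        return "passed", "ICAP DLP Policy Passed"
    if code in ICAP_ERRORS:
        return "error", ICAP_ERRORS[code]
    if content_modified:  # any other response that modified the content
        return "dlp_failed", "ICAP DLP Policy Failed"
    return "unclassified", f"ICAP response {code}"  # case the page does not cover


def summarize(export_text):
    """Count categories over the ICAP-tagged rows of a hypothetical CSV export."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["action"] != "ICAP":
            continue
        code = int(row["icap_code"]) if row["icap_code"] else None
        cat, _ = classify(code, row["content_modified"] == "true", float(row["elapsed_s"]))
        counts[cat] += 1
    return counts

# Constructed sample rows; the columns are assumptions, not the product's export format.
SAMPLE = """action,icap_code,content_modified,elapsed_s
ICAP,204,false,0.4
ICAP,200,true,0.9
ICAP,503,false,0.1
ICAP,,false,75
Upload,,false,0.2
"""
```

Calling `summarize(SAMPLE)` yields one transaction in each of `passed`, `dlp_failed`, `error` and `unresponsive`; the non-ICAP row is ignored.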

Client-side Errors

Errors generated by Forcepoint ONE SSE that are not response codes from the ICAP server are displayed on the Health Dashboard. This includes:
  • All 4xx/5xx responses from the ICAP server.
  • If the ICAP server certificate has expired or is invalid, the error is displayed as Invalid ICAP server certificate.
  • If the server is unresponsive, the error is displayed as ICAP Server unreachable.