How to configure DLP Network Prevent for Web to detect file uploads to a MOVEit SFTP server?

Article ID: 218360


Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

The Progress MOVEit SFTP software can integrate with external DLP servers to inspect the content of uploaded files and, where required, block the upload. According to the MOVEit vendor, Symantec DLP is one of the DLP products officially certified for integration with MOVEit, as described on their website:

https://www.moveitmanagedfiletransfer.com/2018/08/22/icap-moveit-transfer/

In that integration, MOVEit acts as an ICAP web proxy and can send the ICAP request that represents the file upload to the Network Prevent for Web detector for inspection.

However, during implementation you may find that the Network Prevent for Web detector is unable to see or process the ICAP file upload requests from the MOVEit server.

Cause

The MOVEit software was seen to use an HTTP GET message for file uploads. By default, DLP does not inspect GET messages (as we are looking at outbound web traffic).

Resolution

1) First, verify whether MOVEit also uses GET requests for file uploads in your integration. Check the WebPrevent_Access log, which records all the ICAP requests seen by a Network Prevent for Web (NPW) detector. The request will usually include the name of the file uploaded to MOVEit, and it will also show whether the request was a POST or a GET.

2) If the MOVEit file upload request in WebPrevent_Access is indeed a GET request, first enable processing of GET messages on the NPW detector. By default this is disabled. Example instructions are available in the DLP Online Help. Be careful when reconfiguring the maximum request/response sizes and minimum GET URL sizes, as enabling GET processing will increase the processing load on the NPW detector (GET requests occur much more often than POST requests, and most of the time they do not represent a sensitive data leak to the outside).

3) You also need to add the Content Type used by MOVEit for the file upload to the "Inspect Content Type" configuration field in the Network Prevent for Web detector ICAP configuration. The detector uses that field to decide, based on the Content Type, whether it should inspect a specific GET request. You can check the Content Type used by MOVEit for the file upload in your environment either with the help of the NPW ICAP traces (described here) or by running a packet capture on the NPW during a test file upload to MOVEit. For example, if in your case the file upload is seen to use the application/octet-stream Content Type, then that has to be added to Inspect Content Type on the NPW to allow the detector to look into the file uploads.

With the GET request inspection enabled and the proper Content Type added to monitoring on the NPW detection server, you should start to see successful detection on file uploads to MOVEit.
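For the packet-capture check in steps 1 and 3, the following added example (not part of the original article or of any Symantec or Progress tooling) parses one ICAP REQMOD message as laid out in RFC 3507 and reports the encapsulated HTTP method and Content Type. The sample message, host names, file name and the `npw_changes` helper are constructed for illustration.

```python
def _headers(lines):
    out = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def parse_icap_reqmod(raw):
    """Return the ICAP method plus the encapsulated HTTP method, URL and Content-Type."""
    icap_head, sep, encapsulated = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = icap_head.decode("iso-8859-1").split("\r\n")
    icap_headers = _headers(lines[1:])
    # Encapsulated: req-hdr=0, req-body=N gives byte offsets into the encapsulated part
    offsets = {}
    for part in icap_headers.get("encapsulated", "").split(","):
        name, _, value = part.strip().partition("=")
        if value.isdigit():
            offsets[name] = int(value)
    if "req-hdr" not in offsets:
        raise ValueError("no req-hdr section: not a REQMOD carrying HTTP request headers")
    body_key = next((k for k in ("req-body", "null-body") if k in offsets), None)
    end = offsets[body_key] if body_key else len(encapsulated)
    http_lines = encapsulated[offsets["req-hdr"]:end].decode("iso-8859-1").split("\r\n")
    method, url = http_lines[0].split(" ")[:2]
    ctype = _headers(http_lines[1:]).get("content-type", "").split(";")[0].strip().lower()
    return {"icap_method": lines[0].split(" ", 1)[0], "http_method": method, "url": url,
            "content_type": ctype, "has_body": body_key == "req-body"}

def npw_changes(info, inspected_types):
    """Hypothetical helper: map a parsed request to the two settings this article covers."""
    changes = []
    if info["http_method"] == "GET":
        changes.append("enable GET processing")
    if info["content_type"] and info["content_type"] not in inspected_types:
        changes.append("add %s to Inspect Content Type" % info["content_type"])
    return changes

# Constructed sample: host names, service path and file name are placeholders.
_HTTP_HDR = (b"GET /upload/test-file.docx HTTP/1.1\r\n"
             b"Host: moveit.example.test\r\n"
             b"Content-Type: application/octet-stream\r\n\r\n")
SAMPLE = (b"REQMOD icap://npw.example.test:1344/reqmod ICAP/1.0\r\n"
          b"Host: npw.example.test\r\n"
          b"Encapsulated: req-hdr=0, req-body=" + str(len(_HTTP_HDR)).encode() + b"\r\n\r\n"
          + _HTTP_HDR + b"5\r\nhello\r\n0\r\n\r\n")
print(npw_changes(parse_icap_reqmod(SAMPLE), {"multipart/form-data"}))
```

Feed it the raw bytes of one ICAP request taken from the capture (for example, a reassembled TCP stream) and pass the Content Types currently listed in your detector's Inspect Content Type field as the second argument.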