Our Network Prevent for Web (NPW) server has the minimum transaction size set to 4 KB in the ICAP configuration, as recommended by Broadcom.
However, we have seen a large number of web transactions above 4 KB that appear to be a collection process instigated by the application.
We would like to know if there is a workaround or recommendation to minimize these types of events.
Release: 16.x
Component: Default-Sym
We have recently increased queues on the web proxy, and an investigation into the logs has shown that there are lots of POST requests generated by websites which don't seem to be end-user generated traffic.
There is not much that can be done from the DLP side. If the Request Filtering limit is already at the default of 4 KB, then it might be that these POST requests are larger than that limit and will still be analyzed by the NPW.
There are two options to work around this problem:
Option 1. Increase the Request Filtering size limit. Ideally we would not suggest increasing the size limit above 4 KB, as you risk missing detections. If you do so, you must acknowledge that the potential exists for data leakage of content larger in size.
Option 2. Configure the web proxy to forward to the NPW only POST requests from websites which do constitute a possible data leak, and to bypass inspection for the others.
In conclusion, Option 2 is the recommended approach: keep adding exclusions in the web proxy for these sites, since the requests are not triggered by the users themselves.
For load and frequency reasons, it is far better if this unwanted traffic is not submitted over ICAP to the NPW at all, so that it does not impact overall delay and performance.
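
One way to build the exclusion list for Option 2 is to rank destinations in the proxy log by POST requests large enough to reach the NPW and flag those with machine-like timing. This is an added example, not Broadcom's code: the log layout, host names, thresholds and the `exclusion_candidates` helper are assumptions, and the sample lines are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

MIN_ICAP_BYTES = 4096  # the 4 KB Request Filtering limit from the article

# Constructed sample data. Assumed layout (not a real proxy log format):
# ISO timestamp, client IP, method, destination host, request body bytes
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 POST telemetry.example.net 6200
2024-05-01T09:00:30 10.0.0.5 POST telemetry.example.net 6100
2024-05-01T09:01:00 10.0.0.5 POST telemetry.example.net 6350
2024-05-01T09:01:30 10.0.0.5 POST telemetry.example.net 6240
2024-05-01T09:00:10 10.0.0.7 POST upload.example.org 58000
2024-05-01T09:07:42 10.0.0.7 POST upload.example.org 912000
2024-05-01T09:31:05 10.0.0.7 POST upload.example.org 20480
2024-05-01T09:00:20 10.0.0.5 POST beacon.example.com 900
2024-05-01T09:00:25 10.0.0.5 GET www.example.com 0
this line is malformed
"""

def parse(lines):
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the assumed layout
        ts, client, method, host, size = parts
        yield datetime.fromisoformat(ts), client, method.upper(), host.lower(), int(size)

def exclusion_candidates(lines, min_hits=4, max_jitter_s=2.0):
    """Rank hosts by POSTs large enough to reach NPW; flag machine-like timing."""
    per_flow = defaultdict(list)  # (host, client) -> timestamps of forwarded POSTs
    for ts, client, method, host, size in parse(lines):
        if method == "POST" and size >= MIN_ICAP_BYTES:
            per_flow[(host, client)].append(ts)
    report = defaultdict(lambda: {"forwarded": 0, "periodic": False})
    for (host, _client), stamps in per_flow.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[host]["forwarded"] += len(stamps)
        # Near-constant spacing from one client suggests a script, not a person.
        if len(stamps) >= max(min_hits, 2) and statistics.pstdev(gaps) <= max_jitter_s:
            report[host]["periodic"] = True
    return sorted(report.items(), key=lambda kv: -kv[1]["forwarded"])

if __name__ == "__main__":
    for host, stats in exclusion_candidates(SAMPLE_LOG.splitlines()):
        print(host, stats)
```

A host flagged as periodic is only a candidate: excluding it at the proxy removes DLP inspection for that destination, so confirm what the site receives before adding the exclusion.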