Increasing the default Ignore Requests or Ignore Responses Smaller Than 4096 Bytes



Article ID: 248976


Products

Data Loss Prevention Network Monitor and Prevent for Web

Issue/Introduction

Our Network Prevent for Web (NPW) server has the request filtering threshold (Ignore Requests Smaller Than) set to the Broadcom-recommended default of 4 KB in the ICAP configuration:

 

However, we have seen a large number of web transactions above 4 KB that appear to be collection (telemetry) processes initiated by the application rather than by the user.

As an example, we ran a policy for several hours and received 1000+ incidents for the following URL: https://browser.events.data.msn.com/OneCollector/1.0

The following article suggests this is a Microsoft tracking process not initiated by the user: Edge issue when access website - Microsoft Community

We would like to know whether there is a workaround or recommendation to minimise these types of events.

 

Environment

Release : 15.8

Component : Default-Sym

Cause

We recently increased the queues on the web proxy, and an investigation of its logs showed a large number of POST requests generated by websites that do not appear to be end-user traffic.

Some example sites producing these requests, as seen in customer environments, are:

http://go.microsoft.com/fwlink/

http://dmd.metaservices.microsoft.com/metadata.svc

https://clients2.google.com/domainreliability/upload

https://play.google.com/log

https://www.bing.com/threshold/xls.aspx

https://www.google.com/gen_204

https://europe-001.azure-apim.net/invoke

https://pki.fbnholdings.com/ocsp

https://ocsp.digicert.com

There is not much that can be done on the DLP side. If the Request Filtering limit is already at the default of 4 KB and incidents are still being generated, then these POST requests are larger than 4 KB and will be analysed by NPW.

 

Resolution

There are two options to work around this problem:

Option 1. Increase the Request Filtering size limit. Raising it above 4 KB is not recommended, because every request smaller than the new limit is never inspected; if you do raise it, you must accept that content smaller than the limit can leak undetected.

Option 2. Configure the web proxy to forward to NPW only POST requests to destinations that could constitute a data leak, and bypass ICAP inspection for the known telemetry endpoints.

In conclusion, Option 2 is the recommended approach: keep adding exclusions in the web proxy for these sites, since the requests are not triggered by the users themselves.

It is far better that this unwanted traffic is not submitted over ICAP to NPW at all, for load and frequency reasons, so that it does not add to overall latency or affect performance.
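The log investigation described under Cause and the Option 2 exclusion list above can be worked through with a small script. The following is an added example, not Broadcom's code or part of the original article: it parses a constructed proxy access log (the format and sample lines are invented for illustration), counts POST destinations whose request body is at or above the NPW "Ignore Requests Smaller Than" default of 4096 bytes, flags the repeat offenders as bypass candidates, and models the proxy-side forwarding decision for an exclusion list built from the endpoints named in the article. The helper names and the EXCLUSIONS list are assumptions for the example.

```python
"""Added example, not from the Broadcom article: triage a proxy access log for
high-volume POST destinations that NPW would actually scan (request body at or
above the 'Ignore Requests Smaller Than' threshold), then model the Option 2
proxy-side bypass list. The log format, sample lines and helper names are
constructed for this example."""
from collections import defaultdict
from urllib.parse import urlsplit

IGNORE_REQUESTS_SMALLER_THAN = 4096  # NPW default cited in the article (bytes)

# Constructed sample log: "<method> <url> <request_body_bytes>" (hypothetical format)
SAMPLE_LOG = """\
POST https://browser.events.data.msn.com/OneCollector/1.0 6144
POST https://browser.events.data.msn.com/OneCollector/1.0 5120
POST https://browser.events.data.msn.com/OneCollector/1.0 7000
POST https://clients2.google.com/domainreliability/upload 4500
POST https://www.google.com/gen_204 120
POST https://intranet.example.com/upload 250000
GET https://www.bing.com/threshold/xls.aspx 0
POST https://ocsp.digicert.com/ 1400
garbage line
"""


def parse_log(text):
    """Yield (method, url, request_bytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        method, url, size = parts
        try:
            yield method.upper(), url, int(size)
        except ValueError:
            continue


def endpoint(url):
    """Normalise to scheme://host/path so query strings do not split the count."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}{u.path}"


def inspected_posts(records, threshold=IGNORE_REQUESTS_SMALLER_THAN):
    """Count POSTs per endpoint that pass the NPW size filter.

    Returns {endpoint: (count, max_request_bytes)}.  Requests below the
    threshold never produce incidents, so they are not bypass candidates.
    """
    stats = defaultdict(lambda: [0, 0])
    for method, url, size in records:
        if method != "POST" or size < threshold:
            continue
        key = endpoint(url)
        stats[key][0] += 1
        stats[key][1] = max(stats[key][1], size)
    return {k: tuple(v) for k, v in stats.items()}


def bypass_candidates(stats, min_count=2):
    """Endpoints hit repeatedly are likely application telemetry; review them
    by hand before excluding (an exclusion is a permanent inspection gap)."""
    return sorted(k for k, (count, _) in stats.items() if count >= min_count)


# Option 2 exclusions (assumed list): exact host plus path prefix, never a bare
# domain wildcard, so that other paths on the same host stay inspected.
EXCLUSIONS = [
    ("browser.events.data.msn.com", "/OneCollector/"),
    ("clients2.google.com", "/domainreliability/"),
    ("www.google.com", "/gen_204"),
]


def forwarded_to_icap(url, exclusions=EXCLUSIONS):
    """Proxy-side decision: excluded endpoints are never sent to NPW over ICAP."""
    u = urlsplit(url)
    return not any(u.hostname == host and u.path.startswith(prefix)
                   for host, prefix in exclusions)


def analysed_by_npw(url, size, threshold=IGNORE_REQUESTS_SMALLER_THAN,
                    exclusions=EXCLUSIONS):
    """A request reaches NPW analysis only if the proxy forwards it AND it is
    not below the 'Ignore Requests Smaller Than' limit."""
    return forwarded_to_icap(url, exclusions) and size >= threshold


if __name__ == "__main__":
    stats = inspected_posts(parse_log(SAMPLE_LOG))
    for ep, (count, largest) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        print(f"{count:4d}  max {largest:7d} B  {ep}")
    print("bypass candidates:", bypass_candidates(stats))
    for _, url, size in parse_log(SAMPLE_LOG):
        print(f"{'NPW' if analysed_by_npw(url, size) else '---':3}  {url}")
```

Two points worth keeping in mind when turning the candidate list into real proxy exclusions. First, match on the exact hostname and path prefix rather than a whole domain: excluding all of www.google.com would also bypass inspection of anything else posted to that host. Second, every exclusion is a permanent blind spot for NPW, so confirm that a candidate is genuinely telemetry (small, repetitive, machine-generated bodies to a fixed path) and not a file-upload or webmail endpoint before adding it, and re-run the triage after browser or OS updates, since telemetry endpoints change.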