What is a one sentence summary of your feature request?
Integrated DPI with SSH / ADP application to reveal the file transfer destination.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
When users transfer files using SSH applications, the logs do not show destination details. This prevents us from determining whether transfers occur within the safe zone or if files are exposed to external areas. According to our discussion with your support team, this limitation exists because the DPI system has not been integrated with SSH applications.
We would like to request a feature enhancement where DPI is integrated with commonly used SSH applications. This integration would allow us to require users to utilize these monitored applications, providing better visibility and control over SSH operations.
How do you currently solve the challenges you have by not having this feature?
No work around, we need to check with end user to understand the transfer destination.
Thanks for sharing your idea. SSH can indeed be challenging to manage. Currently, we offer two approaches:
Application Scanning: You can control SSH by scanning files accessed by applications that use SSH (such as SSH clients, SCP, SFTP, Git, etc.). This method can be intrusive and may result in false positives. To implement it, configure your CAP policy with the app category “Social Media/Other” and check “WinSCP/SCP/SFTP/SSH”.
Application Blocking: Alternatively, you can completely block these applications from launching by using the “application deny-list.”
I can assure you that internally, we have this subject on our radar and are actively working on a solution to enhance visibility over this protocol. We’re testing different approaches, but due to various dependencies, we’re not yet able to provide a definitive solution, and I can’t confirm any ETA. Therefore, in the meantime, I recommend using one of the two workarounds above to limit the current risk until we can fully address it.
