MOVEit Transfer HTTPS with WAF Virtual Service Recommended Settings (optional)
- Last Updated: July 24, 2025
This table outlines the recommended settings, as configured by the Progress application template:
| Field Name | Field Value |
|---|---|
| Service Name | MOVEit-Transfer-HTTPS-with-WAF |
| Port | 443 |
| Protocol | tcp |
| Service Type | HTTP-HTTP/2-HTTPS |
| Transparency | Disabled |
| Scheduling Method | least connection |
| Idle Connection Timeout | 1800 |
| SSL Acceleration | Enabled |
| SSL Reencrypt | Enabled |
| Cipher Set | BestPractices |
| Content Switching | Enabled |
Two HTTP Selection Rules should be assigned to the parent MOVEit Transfer HTTPS with WAF Virtual Service. To create a content rule, go to Rules & Checking > Content Rules > Create New. Details of the rules to add to this Virtual Service are provided in the sections below.
POST set flag rule
| Field Name | Field Value |
|---|---|
| Rule Name | POST_set_flag |
| Rule Type | Content Matching |
| Match Type | Regular Expression |
| Header Field | Method |
| Match String | POST |
| Ignore Case | Enabled |
| Set Flag If Matched | Flag 1 |
PUT set flag rule
| Field Name | Field Value |
|---|---|
| Rule Name | PUT_set_flag |
| Rule Type | Content Matching |
| Match Type | Regular Expression |
| Header Field | Method |
| Match String | PUT |
| Ignore Case | Enabled |
| Set Flag If Matched | Flag 2 |
MOVEit Transfer HTTPS with WAF Standard SubVS
This table outlines the recommended MOVEit Transfer HTTPS with WAF Standard SubVS settings, as configured by the Progress application template:
| Field Name | Field Value |
|---|---|
| SubVS Name | MOVEit-Transfer-HTTPS-with-WAF-Standard |
| Scheduling Method | least connection |
| Add HTTP Headers | X-Forwarded-For (+ Via) |
| OWASP Core Rule Set WAF | Enabled |
| Anomaly Scoring Threshold | 100 |
| Custom Rules | moveit-transfer-00-pre-crs (Run First), moveit-transfer-90-post-crs |
| Inspect HTTP POST Request Bodies | Enabled |
| Enable JSON Parser | Enabled |
| Enable XML Parser | Enabled |
| Enable Other Content Types | Enabled |
| Blocking Paranoia Level | 2 |
| Executing Paranoia Level | 2 |
| Audit Parts - B - Request Headers | Enabled |
| Audit Parts - H - Audit Log Trailer | Enabled |
| PCRE Match Limit | 500000 |
| JSON Depth Limit | 10000 |
The default rule should also be assigned to the MOVEit Transfer HTTPS with WAF Standard SubVS. To add it, ensure that Content Switching is enabled in the parent (MOVEit-Transfer-HTTPS-with-WAF) Virtual Service. Then, expand the SubVSs section, click the None button in the Rules column, and add the default rule.
MOVEit Transfer HTTPS with WAF Direct SubVS
This table outlines the recommended MOVEit Transfer HTTPS with WAF Direct SubVS settings, as configured by the Progress application template:
| Field Name | Field Value |
|---|---|
| SubVS Name | MOVEit-Transfer-HTTPS-with-WAF-Direct |
| Scheduling Method | least connection |
| Add HTTP Headers | X-Forwarded-For (+ Via) |
Four rules should be assigned to the MOVEit Transfer HTTPS with WAF Direct SubVS. To create a content rule, go to Rules & Checking > Content Rules > Create New. Details of the rules to add to this Virtual Service are provided in the sections below.
MOVEitISAPI_POST rule
| Field Name | Field Value |
|---|---|
| Rule Name | MOVEitISAPI_POST |
| Rule Type | Content Matching |
| Match Type | Regular Expression |
| Match String | /^\/moveitisapi\/moveitisapi\.dll\?.*/ |
| Ignore Case | Enabled |
| Include Query in URL | Enabled |
| Perform If Flag Set | Flag 1 |
REST_packages_attachments_POST rule
| Field Name | Field Value |
|---|---|
| Rule Name | REST_packages_attachments_POST |
| Rule Type | Content Matching |
| Match Type | Regular Expression |
| Match String | /^\/api\/v1\/packages\/attachments\/?/ |
| Ignore Case | Enabled |
| Include Query in URL | Enabled |
| Perform If Flag Set | Flag 1 |
REST_resumable_upload_POST rule
| Field Name | Field Value |
|---|---|
| Rule Name | REST_resumable_upload_POST |
| Rule Type | Content Matching |
| Match Type | Regular Expression |
| Match String | /^\/api\/v1\/folders\/\d+\/files\/?(\?uploadType=resumable&fileId=\d+)?/ |
| Ignore Case | Enabled |
| Include Query in URL | Enabled |
| Perform If Flag Set | Flag 1 |
REST_resumable_upload_PUT rule
| Field Name | Field Value |
|---|---|
| Rule Name | REST_resumable_upload_POST |
| Rule Type | Content Matching |
| Match Type | Regular Expression |
| Match String | /^\/api\/v1\/folders\/\d+\/files\/?(\?uploadType=resumable&fileId=\d+)?/ |
| Ignore Case | Enabled |
| Include Query in URL | Enabled |
| Perform If Flag Set | Flag 2 |
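
The following Python sketch is an added illustration, not Progress code or part of the application template. It models how the flag rules and content rules above select a SubVS, so you can audit which requests reach the Direct SubVS (whose table lists no WAF settings) and which fall through to the default rule on the Standard SubVS. It assumes unanchored regular-expression search, that flags set on the parent Virtual Service are visible to the SubVS rules, and that unmatched requests take the default rule; the sample requests are constructed.

```python
import re

# Match strings copied from the tables above, with the /.../ delimiters removed.
FLAG_RULES = {1: "POST", 2: "PUT"}  # POST_set_flag, PUT_set_flag
UPLOAD = r"^\/api\/v1\/folders\/\d+\/files\/?(\?uploadType=resumable&fileId=\d+)?"
DIRECT_RULES = [  # (label taken from the section heading, match string, required flag)
    ("MOVEitISAPI_POST", r"^\/moveitisapi\/moveitisapi\.dll\?.*", 1),
    ("REST_packages_attachments_POST", r"^\/api\/v1\/packages\/attachments\/?", 1),
    ("REST_resumable_upload_POST", UPLOAD, 1),
    ("REST_resumable_upload_PUT", UPLOAD, 2),
]
STANDARD = "MOVEit-Transfer-HTTPS-with-WAF-Standard"
DIRECT = "MOVEit-Transfer-HTTPS-with-WAF-Direct"


def route(method, url):
    """Return (SubVS name, rule label) for a request.

    url is the path plus query string, because every Direct rule has
    "Include Query in URL" enabled. Ignore Case maps to re.IGNORECASE.
    """
    # Step 1: parent Virtual Service rules set flags from the request method.
    flags = {flag for flag, pattern in FLAG_RULES.items()
             if re.search(pattern, method, re.IGNORECASE)}
    # Step 2: a Direct rule applies only if its flag is set and the URL matches.
    for label, pattern, flag in DIRECT_RULES:
        if flag in flags and re.search(pattern, url, re.IGNORECASE):
            return DIRECT, label
    # Step 3 (assumption): everything else takes the default rule.
    return STANDARD, "default"


# Constructed sample requests; query values are placeholders.
SAMPLES = [
    ("GET", "/moveitisapi/moveitisapi.dll?placeholder=1"),
    ("POST", "/moveitisapi/moveitisapi.dll?placeholder=1"),
    ("POST", "/api/v1/packages/attachments"),
    ("PUT", "/api/v1/packages/attachments"),
    ("POST", "/api/v1/folders/12/files"),
    ("PUT", "/api/v1/folders/12/files?uploadType=resumable&fileId=34"),
    ("DELETE", "/api/v1/folders/12/files/34"),
    ("GET", "/api/v1/folders"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        subvs, rule = route(method, url)
        print(f"{method:6} {url:58} -> {subvs} ({rule})")
```
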
MOVEit Transfer HTTPS with WAF Redirect
Adding an HTTP redirector Virtual Service is optional. Whether you require one depends on your environment.