Hi Bipin, I have to correct myself. What I said worked in older releases, but in the latest releases we block secure file transfers using the SSH proxy. The options are as follows:
- Enable SSH Terminal File Transfer in Global Settings. This will allow you to transfer files using the built-in SSH access method (Mindterm). Since the SSH access method includes auto-login, no credentials are needed by the user for file transfers.
- Associate the sftpsftp service with a device and enable in a policy. This will open a port on a local IP address that you can connect your own file transfer client like WinSCP to. The popup showing local IP and Port will include a Credential link if an account is configured in policy for login. The user has to view the credential and use it for logon.
- Define a TCP service like you described with application protocol Disabled. This is similar to the previous option except that PAM will launch your local client for you.
- Associate the sftpsftpemb service with a device and enable in a policy. This is a mix of the previous two as it will use an embedded WinSCP client, see e.g. https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/provision-your-server/provisioning-devices/device-features
At this time none of the options will record file transfers for you. There is one open idea on this topic: https://communities.ca.com/ideas/235737556-logging-file-transfer-transaction-for-ftp-service-on-ca-pam
If you had users launching a WinSCP session from a Windows jump server, the RDP session recording would capture all file transfer activity of course.