Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral


Questions and Answers

Loading... Loading...

I am looking to implement ICAP file scanning for one of my applications that run through ASM. I am curious if anyone has any experience with this, and if you could tell me if there are any performance hits in the application or ASM for this.  Also I assume that the file is held on the ASM while it is waiting for a response from the AV server, does it keep anything after the response and are there any thoughts I should be putting into storage on the ASM?  As well as any other gotchas I may need to take into consideration. 

 

Thanks

Mike


7 Answer(s):

Hi,
we are using it for file uploads. Here it seems to work fine.
You are running 11.x? Do you want to use it for an application or a web service?
There is a (in my opinion) big bug, described in SOL12984. So, the maximum file size for ASM and ICAP can be 20mb. Bigger files are not send to the ICAP-server.
Another Bug is 346498.
You need 100% reachability of your ICAP server. If it isn't reachable, the files will be blocked and you get an alert about virus detection.
The only performance hit I know, is the increasing memory allocation of your ASM. The complete request will be hold back until you get a response. Bigger files need more memory.
Thats the reason for the 20mb limit, I think. So storage isn't a problem, its the RAM. If you don't have enough memory, your ASM is running out of memory. This results in swapping or can result in big troubles :-(
I don't believe files are keeping in system after response. The ASM don't save files. Its like any other request. The full request will be send to the ICAP server.

regards
Torti,
Thanks for the information this is what I was looking for. First to answer your question it is an application.
So I want to make sure I am reading this right, based upon what you are saying and the SOL you referenced if I send a file that is say 21mb it will not get scanned but the file will still get sent to the back end server? So basically this is a way to bypass the protection by essentially over running the buffer for lack of better words.
If you disable the Blocking Setting 'Request length exceeds defined buffer size', it is possible to bypass the virus scanning functionality (ICAP). If you don't disable it, 20mb is the maximum request size and bigger requests will be blocked. If you need to allow files bigger than 20mb, you have to do virus scanning by another way and not with the ASM.
I.e. you could do it on the backend system.
regards
Very good, that is what I wanted to hear. I want to make sure that bigger files get blocked. Thanks for the all the information it has been very helpful
Forgive my impudence, but I'm a complete F5 NOOB. Can anyone explain what they needed to do to get F5 to forward to an ICAP server? I've tried the methods in their documentation--I must be missing SOMETHING.

Thanks in advance...
Forgive my impudence, but I'm a complete F5 NOOB. Can anyone explain what they needed to do to get F5 to forward to an ICAP server? I've tried the methods in their documentation--I must be missing SOMETHING.

Thanks in advance...
Carl,
So there are basically 3 things you need to do.

1. Go into Application Security > Options > AV Protection and set the name and IP of the ICAP server you are using

2. Make sure you have your variables set correctly in Application Security > Advanced Config > System Variables

3. Go into the policy you want to us AV scanning on and go into Policy > AV Scanning and check the box to enable in that policy

If you have all these setup then once the ASM sees a file transfer it should send. If you have all these and it is still not working I would check check the /var/log/asm log for errors or any sort.

Your answer:

You must be logged in to reply. You can login here.