Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Content Adaptation for HTTP Requests with Symantec

Hi Team,

I need your help to configure content adaption request on f5 LTM. F5 is integrated with Symantec using ICAP protocol. When any infected malicious request comes; Symantec send 201 response which is not processed further and response halt on F5 before reaching back to user. Symantec can only send 201 and 403 request for infected request. 201 response states new response created against actual request. As per F5 all infected request ICAP response should be either go to 200 or 204 to forward response back to users.

Action points: 1. We have to send infected file scanning response back to users. As per current scenario which is possible only if ICAP response will be 200 and 204 on F5. 2. To implement this we have to perform traffic modification on F5 so that if any infected request will be forwarded to Symantec it’s return response should be 200 or 204. Or in other way we have to do some modification on Symantec ICAP 201 response to get it change to 204 on F5.

Recommendation:

F5

Symantec

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Is it possible to check ICAP response. Either replace icap response 201 with 204 or send request header 204 in icap request. Also if possible icap response comes with 201 icap status then session will be drop by F5 before forwarding to webserver and user notification will be sent.

I tried below iRule but not worked.

            when ICAP_RESPONSE { 
           if { [ICAP::status] contains "201" } {  
                   [ICAP::status] replace 204
                          pool pool_testing
                }
            }
OR
            when ICAP_RESPONSE { 
                 if { [ICAP::status] contains "201" } {  
              set [ICAP::status] 204
               pool pool_testing
                 }
            }
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Have you had an luck with this? A few of us are trying to accomplish the same thing.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Use:
uri icap://${SERVER_IP}:${SERVER_PORT}/AVSCANREQ\?action=scan
The SYMC* responses with 201 what can break the F5. This req is backward-compatible. Responses 200 instead of 201, and the ADAPT::response will be "respond" instead of the undefined state.

0