Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

ICAP with iRule Response Page

We are running version 11.6

We originally had ASM configured to send files to a Symantec server for scanning and if a Virus was detected the ASM would display the Blocking Response page. (all good so far). Except the limitation with ASM is a 30Meg limit, our customer wants to upload larger files.

After contacting several Reps at F5 we were told that LTM ICAP has no limit and it was best for us to use LTM for ICAP feature and use ASM for the response page and event logging.

So we configured ICAP in LTM using this link: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/12.html

It looks like virus files are being blocked however using LTM-ICAP, can't seem to trigger a response page.

Is this even possible ?

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

ASM triggers after request adapt profile(aka ICAP). I have preliminary have created an iRule that works on detecting some ICAP results and then works in conjunction with ASM to raise custom violation - but I do need to test some more variants of it before I post something here for sharing. Stay tuned though!

1
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Same deal here, we were told we could use LTM ICAP and tie it in with custom ASM violations. We were thinking about capturing the ICAP_Response error and passing this to ASM triggering a custom violation after the ASM_REQUEST_END event. I think the problem is that the ASM event will fire before the ICAP_Response as the ICAP irule is on the Internal VS, which processes the request after the HTTP VS, I'll have a chat to F5 about this in the week.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Yeah i contacted support and they didnt help so im going back to our F5 account team.

I'll keep you posted on anything i hear and if you could do the same I'd appreciate it.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Have you seen the ASM::raise command? https://devcentral.f5.com/wiki/iRules.ASM__raise.ashx

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The ICAP URL should be:
uri icap://${SERVER_IP}:${SERVER_PORT}/AVSCANREQ\?action=scan
The SYMC* requests uses a different responses (201 - abort) instead of (200 - respond)
ADAPT and parent VS OOPS on the 201 response. The response delivered from SYMC server to the client with this compatibility-mode request

0