Forum Discussion

seilemor_131269's avatar
seilemor_131269
Icon for Altostratus rankAltostratus
Mar 10, 2014

ICAP integration will not work

Hello community,

 

I want to check with the ASM module uploaded files against an ICAP server (Bluecoat Proxy AV). I´ve configured the ICAP settings and the settings in the asm policy. If I now upload a file in a upload form I see in the tcpdump that the F5 communicates with the ICAP server. If I upload a eicar test file I see in the ICAP log that the file has been recognized. The problem is that the F5 did not block the file. In the asm log I see that the "request" is okay and not a dangerous attack. What can I do? The ICAP server works fine. We are using it with more than one system.

 

14 Replies

  • what is your ASM policy set to? what does the message exactly say?

     

  • here are some screenshots from the settings of my asm policy regarding the AntiVirus settings.

    At the moment the policy is transparent but if there is a violation I should see it in the asm log.

    And here is the log of the ICAP scanner...

    TIME;TIME-INT;PROTOCOL;CLIENT;SERVER;VIRUS;URL;HWSERIALNUMBER;MACHINENAME;MACHINEIP;AVVENDOR;AVENGINEVERS;AVPATTERNVERS;AVPATTERNDATE;APPVERSION
    2014/03/10 14:15:49;1394460949;ICAP;10.2.160.101;;EICAR-AV-Test;;3609081087;pxghza-av5;10.160.72.18;Sophos, Plc.;3.50.1;4.98G.6465406.2540362744;2014/03/10 08:06:00;ProxyAV (Version 3.5.1.3(122676))
    2014/03/10 14:16:28;1394460988;ICAP;10.2.160.101;;EICAR-AV-Test;;3609081087;pxghza-av5;10.160.72.18;Sophos, Plc.;3.50.1;4.98G.6465406.2540362744;2014/03/10 08:06:00;ProxyAV (Version 3.5.1.3(122676))
    2014/03/10 14:17:10;1394461030;ICAP;10.2.160.101;;EICAR-AV-Test;;3609081087;pxghza-av5;10.160.72.18;Sophos, Plc.;3.50.1;4.98G.6465406.2540362744;2014/03/10 08:06:00;ProxyAV (Version 3.5.1.3(122676))
    

    Do you need more informations?

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      all seems fine, dont directly see a reason why this would fail, is your ICAP scanner supported by the F5? there is some config needed i believe for some other then the default.
  • do you know which ICAP scanners are supported or should I open a case for the F5 support?

     

  • All right... I have found the problem. The configuration of the virus_header_name in the system variables are wrong. The configuration are ok for the McAfee ICAP scanner (this is the default). For BluecoatProxy AV the configuration must be "X-Error-details,X-Virus-Details".

     

    Thank you for the help.

     

  • Hi,

     

    I've similar problems for the file scanning - I configured the settings as you described (virus_header_name and other av settings in ASM).

     

    When I do a tcpdump I can see:

     

    1. REQMOD icap://1.2.3.4:1344/reqmod ICAP/1.0\r\n
    2. no ICAP answer from server
    3. multiple "Continuation" from F5
    4. nothing else

    I've also tested the request adaption method, but I don't want to send every request to the ICAP server (only file uploads). With request adaption I got:

     

    1. REQMOD icap://1.2.3.4:1344/avscan ICAP/1.0\r\n

       

      (avscan is the service name on Bluecoat AV)

       

    2. ICAP/1.0 200 OK\r\n

       

    3. multiple "Continuation" from F5 with TCP-ACKs from Bluecoat

       

    4. nothing else

    This seems better to me, because Bluecoat answers with ICAP OK.

     

    So I have some questions:

     

    Is there any log or anything else for better troubleshooting this issue?

     

    Can I adjust the "servicename" in ASM config method?

     

    Does anyone have an idea, what may be the problem?

     

    Thanks for your response, Philipp

     

  • Hey Philipp,

     

    do you have a Firewall between the F5 and the ICAP servers and do you know the value which your ICAP server use for "tacking" a mail!? My problem in the past was that I´ve used the wrong value for identify if the ICAP has found a virus or not. One other problem at my structure was that I´ve configured the first time only the internal floating IP in the firewall for accessing the ICAP server. For successfully connection it is neccessary to permit also the internal self IPs from the appliances.

     

    The problem which you´ve describe sounds similiar like my second problem.

     

    Best regards

     

    • Philipp_Stadler's avatar
      Philipp_Stadler
      Icon for Nimbostratus rankNimbostratus
      Hi, I can eliminate a firewall issue on the way between F5 and ICAP server, because I already did a dump on both firewall interfaces, which exactly matches. What do you mean by "do you know the value which your ICAP server use for "tacking" a mail!?" Thanks
  • Each ICAP server will maybe use a different value to identify if a virus exists or not (x-headers) and if you do not configure the right value to search for the F5 will not see that the file which was inspected is bad.

     

    Additional see the post above which is tagged as answer.

     

    • Philipp_Stadler's avatar
      Philipp_Stadler
      Icon for Nimbostratus rankNimbostratus
      yes - I already referred to the tagged answer and already configured "X-Error-details,X-Virus-Details" at virus_header_name variable. But how can I be sure, that I configured the right values?
  • You must know it :)

     

    But it is already strange that if you do a TCPdump at the F5 you´ll see no answer package.

     

    • robert_83958's avatar
      robert_83958
      Icon for Nimbostratus rankNimbostratus
      i have a simmilar problem. I've set the icap uri to /avscan in the settings (and restarted asm module), but according to the tcpdump the F5 still tries with /reqmod Anyone solved this?