APM sends local favicon.ico to client instead of fetching it from the backend

Question

This behavior&nbsp;seems to be since 16.1.2 and 16.1.3 version upgrade. The APM is sending the local version of favicon.ico to the client and not the version of the backend after the session has established.The used access profile is in LTM+APM mode.It seems to be a bug like this here: Bug ID 617675: SWG sends local favicon.ico to client instead of fetching it from the backend server&nbsp;We already tried the provided irule as a workaround but it doesnt work (redirect to somefavicon.ico etc.)Has someone experienced the same problem?Many thanks,Peter

lucas_thompson · Answer

Hi Peter.
Your browser probably grabs the favicon upon visiting the APM virtual server, and doesn't try to get it again once authenticated. You can change the favicon content by adding an iRule that basically says "if I hear a request for this URL, then serve out this file content" by following this KB:
https://support.f5.com/csp/article/K25815544
There are other touch-icon favicons that Apple uses too and you can use the same technique.

riemen · Answer

We have also encountered this problem with the favicon when APM is active on a virtual server.We run a productive webshop where single URI Pathes are protected by APM.For this the APM is switched on in the VS as well as an iRule that ACCESS::enable only the specified uri paths.Everything else is default ACCESS::disableThis works for all requests, traceable in the LTM log, but especially /favicon.ico is still stopped by APM and the requests do not reach the LTM Policy.https://my.f5.com/manage/s/article/K25815544This does work, but is only a Workaround. I dont want to Host the favicon.ico on the F5.Looks like a Bug from my view.

peter_baumann · Answer

Hi&nbsp;Lucas_Thompson&nbsp;,This looks good but there's one problem:We have an APM application which will be served after login and we need the favicon from this backend app after login.This is exactly not working and we always get the default favicon of APM back to the client.The backend apps are always changing since this vs with APM policy is doing SAML SSO.So, any idea how to get the favicon.ico of the backend to the client?Thank you.

lucas_thompson · Answer

In this case you'd like the favicon to be transmitted to the client ONLY once they are succesfully authenticated? Something like this should work (for LTM+APM mode), it says basically "If there is no session and the user is requesting favicon, then send a 404 instead of the APM favicon."
I'm not exactly sure if the best bet is a 404 or something different, but because you don't know in advance what backend host should get the favicon request, you're forced to send some static content or error.
Please also note that this irule uses the "ACCESS::restrict_irule_events disable" command which causes the HTTP_REQUEST event to fire upon each access, rather than the default behavior of only firing on the non-built-in APM HTTP requests (such as for webtop, logon pages, SAML URIs, etc). Make sure you don't have any other irules with HTTP_REQUEST events that might interfere with user logons.
&nbsp;
when CLIENT_ACCEPTED {  ACCESS::restrict_irule_events disable}when HTTP_REQUEST {  if { [HTTP::cookie exists "MRHSession" ] &amp;&amp; [ACCESS::session exists -state_allow] } {  # user seems to have a valid session, let them get the backend resource  return} else {  if { [HTTP::uri] contains "favicon" } {    # remove the following log line after testing    log local0. "user has no session, sending 404 for favicon request"    HTTP::close    HTTP::respond 404    }  }}
&nbsp;

peter_baumann · Answer

Hi Lucas_Thompson ,Unfortunately it still doesn't work. But your iRule seems to do the right thing, thank you for that!When I don't have a session I get the 404 back as seen in devtools from the browser.When I have a session I get the favicon.ico but not from the backend.It still uses the default icon from APM:I have seen this now at other customer installations. For me this seems to be a bug in APM not sending the favicon.ico from the backend to the client.Thanks,Peter

Forum Discussion

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

Related Content

favicon.ico code 302

Return default favicon.ico

HTTP Pre-Fetch Insertion

favicon.ico

Need help on CLI command to fetch < VIP Name + current connections >