Forum Discussion
ASM Custom Violation for ICAP Scanning
Hello Folks,
I recently started building ICAP AV Scanning configurations on F5 LTM. Looks like most of it is pretty easy to configure following some docs on support site. But the blocker is, I'm trying to raise a violation using iRules and ASM custom violations. Please see the iRule below:
when ADAPT_REQUEST_RESULT {
    log local0. "ICAP response is [ADAPT::result]"
    # Any result that does not contain "modify" is treated as blocked
    if { ! ([ADAPT::result] contains "modify") } {
        set icap_blocked 1
        ADAPT::result bypass
    } else {
        set icap_blocked 0
    }
}
when ASM_REQUEST_DONE {
    if { [info exists icap_blocked] && $icap_blocked == 1 } {
        # Raise the user-defined violation named ICAP
        ASM::raise ICAP
        log local0. "Raising custom ASM Violation."
        set icap_blocked 0
    }
}

So far, scanning the files and allowing or blocking the request is working just fine. When it comes to raising a custom violation to the user when a malicious file is uploaded, I'm not seeing any response pages I set on ASM.
Please see the procedure below:
1. Configured AV Scanning following the document (link above)
2. Created a security Policy on ASM with Blocking enforcement mode (Security->Application Security->Security Policies)
3. Created a custom violation under Security->Options->Application security->Advanced Configuration->Violation list->User-Defined Violations->create. See below

Now, created a blocking response page under Security->Application Security->Blocking->Response Pages. See below
Response Headers:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Connection: close

Response Body:
Request Rejected
The requested URL was rejected. Please consult with your administrator.
Your support ID is: <%TS.request.ID()%>
After assigning the iRule to the ICAP Virtual server, I uploaded a virus file from a web portal that points to the ICAP Virtual IP, and it's being blocked. But I'm not seeing the response page I created.
Any help is much appreciated! Thanks
I know this is too much information. Just thought it would help someone in the future. I appreciate your patience 🙂
Are any of the log lines shown?
I do believe you could do this with ASM only. Is there a reason you are using both the LTM part and the ASM part?
- P_KAltostratus
I think there is a file size restriction on using just ASM? So using LTM ICAP for scanning and ASM for raising the violation.
True, 10mb, but it can be increased. How large do you want it to be?
I'm a little lazy, so how is your virtual server set up? Do you use two?
- P_KAltostratus
With the current setup we are able to upload 25Mb files which is fine.
To your question,
You took your iRule from this question?
https://devcentral.f5.com/s/feed/0D51T00006i7axmSAA
Have you walked through all the other things mentioned there? Which TMOS version?
What does the ASM event viewer show? Is the custom violation set to block?
- P_KAltostratus
Yes, I took the iRule from the above link and followed different others to configure.
And the event log? Doesn't it log a blocked event?
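
Added example (not part of the thread and not F5 code): a small Python triage script for the question asked in the replies, whether the iRule's two log statements actually appear and in which order. The log prefix layout, host name, rule name `/Common/icap_asm` and the result values in the sample are constructed, and the pairing logic assumes uploads were tested one at a time so that lines appear in request order.

```python
import re

# Message texts are the two log statements in the iRule posted above.
ICAP_RE = re.compile(r"ICAP response is (\S+)")
RAISE_MSG = "Raising custom ASM Violation."

# Constructed sample; host, rule name and ICAP results are made up for illustration.
SAMPLE_LOG = """\
Jan 10 10:00:01 bigip1 info tmm[1234]: Rule /Common/icap_asm <ADAPT_REQUEST_RESULT>: ICAP response is modify
Jan 10 10:00:09 bigip1 info tmm[1234]: Rule /Common/icap_asm <ADAPT_REQUEST_RESULT>: ICAP response is respond
Jan 10 10:00:21 bigip1 info tmm[1234]: Rule /Common/icap_asm <ADAPT_REQUEST_RESULT>: ICAP response is respond
Jan 10 10:00:21 bigip1 info tmm[1234]: Rule /Common/icap_asm <ASM_REQUEST_DONE>: Raising custom ASM Violation.
"""

def triage(log_text):
    """Pair each non-"modify" ICAP result with the raise message that should follow it."""
    results, raised, unraised, orphan = {}, 0, 0, 0
    pending = False  # a blocked result is still waiting for its raise line
    for line in log_text.splitlines():
        m = ICAP_RE.search(line)
        if m:
            results[m.group(1)] = results.get(m.group(1), 0) + 1
            if pending:
                unraised += 1  # previous blocked result never got a raise line
            # Same test as the iRule: a result not containing "modify" sets icap_blocked.
            pending = "modify" not in m.group(1)
        elif RAISE_MSG in line:
            if pending:
                raised += 1
            else:
                orphan += 1  # raise line with no blocked result before it
            pending = False
    if pending:
        unraised += 1
    if not results:
        verdict = "no ICAP result lines: the ADAPT_REQUEST_RESULT log statement did not fire"
    elif unraised:
        verdict = "blocked result with no raise message after it: the ASM::raise branch did not log"
    elif raised:
        verdict = "ASM::raise branch logged for every blocked result: continue in the ASM event log"
    else:
        verdict = "no blocked ICAP result in this log"
    return {"results": results, "raised": raised, "unraised": unraised,
            "orphan_raises": orphan, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
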