Forum Discussion

neeeewbie
Aug 05, 2025
Solved

Connect to an ICAP server, but is it possible to route only specific services to the virtual server?

Since it's created as an internal virtual server, I don't know what traffic is going through that VS.

Is it possible to configure it so that only certain services go through that VS?

Refer: https://www.f5.com/pdf/integration-guide/f5-ssl-orchestrator-and-symantec-dlp-ssl-visibility-and-content-adaptation.pdf

https://www.f5.com/pdf/solution-center/f5-ssl-orchestrator-and-mcafee-dlp-recommended-practices-guide.pdf

Hello,

Have you configured any service chains? This is where you would set up which services / routing would go towards that VS. Something like this:

Service Chain: chain_dlp_scan. Description: "Chain for DLP-sensitive traffic".

Services: Move icap_dlp (and any other services like inline L3 firewall) from Services Available to Selected Service Chain Order. Order matters (e.g., decrypt > ICAP > re-encrypt).

Then you would look at security policies, creating a rule:

• Conditions (match-all or match-any):
  • Source: IP/subnet (e.g., client from 10.0.0.0/8).
  • Destination: IP/subnet, geolocation, port (e.g., dest port 80/443), or host/SNI (e.g., category "Social Networking" via URLDB).
  • Protocol: HTTP, TCP, etc.
  • Other: IP Intelligence (reputation), flow info.
  • Examples from guides: Bypass for financial/healthcare URLs to comply with regulations (use URL Category Lookup).
• Actions:
  • SSL Check: Decrypt or bypass.
  • Service Chain: Assign to chain_dlp_scan (includes ICAP) for matching traffic.
  • Server Certificate Check: Reject invalid certs.
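The rule structure the reply describes, as an added illustration that is not F5 code and not the SSL Orchestrator policy engine: a small Python model of first-match security-policy evaluation, where each rule has match-all or match-any conditions (source subnet, destination port, URL category of the SNI) and an action that sets the SSL check and the service chain. The chain name `chain_dlp_scan`, the 10.0.0.0/8 source, ports 80/443 and the "Social Networking" category come from the reply; the `CATEGORY_DB` table, the hostnames, the rule names and the `evaluate` helper are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for a URL-category lookup. SSL Orchestrator would
# consult URLDB; here a few hostnames are mapped by hand for the example.
CATEGORY_DB = {
    "bank.example": "Financial Data and Services",
    "clinic.example": "Health",
    "social.example": "Social Networking",
}


@dataclass
class Flow:
    """The attributes of one connection that the policy can look at."""
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: str = ""          # TLS SNI (or HTTP Host); empty when unknown


@dataclass
class Rule:
    name: str
    conditions: Dict[str, object]        # condition kind -> value(s) to match
    match: str = "all"                   # "all" (match-all) or "any" (match-any)
    ssl_check: str = "decrypt"           # "decrypt" or "bypass"
    service_chain: Optional[str] = None  # None: no chain, straight to the server


def _condition_matches(kind: str, value, flow: Flow) -> bool:
    if kind == "src_subnet":
        return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(value)
    if kind == "dst_port":
        return flow.dst_port in value
    if kind == "category":
        # Hosts with no known category never match a category condition.
        return CATEGORY_DB.get(flow.sni) in value
    raise ValueError(f"unknown condition kind: {kind}")


def rule_matches(rule: Rule, flow: Flow) -> bool:
    results = [_condition_matches(k, v, flow) for k, v in rule.conditions.items()]
    if not results:
        return True                      # a rule with no conditions is a catch-all
    return all(results) if rule.match == "all" else any(results)


def evaluate(policy, flow: Flow) -> Tuple[str, str, Optional[str]]:
    """First matching rule wins; returns (rule name, SSL check, service chain)."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.name, rule.ssl_check, rule.service_chain
    raise LookupError("no rule matched; put a catch-all rule last")


# Policy modelled on the reply. Rule order matters: the regulatory bypass sits
# first so financial/health traffic is neither decrypted nor sent to ICAP, then
# web traffic from the 10.0.0.0/8 clients is steered through chain_dlp_scan,
# and everything else is decrypted without a chain.
POLICY = [
    Rule("bypass_regulated",
         {"category": {"Financial Data and Services", "Health"}},
         ssl_check="bypass", service_chain=None),
    Rule("dlp_web",
         {"src_subnet": "10.0.0.0/8", "dst_port": {80, 443}},
         match="all", ssl_check="decrypt", service_chain="chain_dlp_scan"),
    Rule("default_intercept", {}, ssl_check="decrypt", service_chain=None),
]


if __name__ == "__main__":
    for f in (Flow("10.1.2.3", "203.0.113.10", 443, "social.example"),
              Flow("10.1.2.3", "203.0.113.20", 443, "bank.example"),
              Flow("192.168.1.5", "203.0.113.10", 443, "social.example")):
        print(f.src_ip, f.sni or "(no SNI)", "->", evaluate(POLICY, f))
```

This is the answer to the original worry that an internal virtual server "sees everything": the ICAP service only receives the flows whose matching rule assigns a chain containing it, so which traffic reaches the VS is decided by the rule order and conditions, not by the VS itself. Keeping the bypass rule above the DLP rule is what stops regulated traffic from being sent to the ICAP server at all.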