Nik_67256
Aug 14, 2012

Connection Mirroring & Virus Detection

Hello ALL,

Would appreciate any inputs in understanding the following:

1) Is connection mirroring related to SSL session state on failover? If not, what's the difference? (Please also feel free to provide a link giving relevant details.)

2) Consider Policy --> Blocking on for the "virus detected" checkbox.

Now, if there are any virus infections coming in from the web application from the upload of a file through web services, will the user connection be broken, or will the end user not receive the infected file while other things are delivered to him? In other words, how will the end user be impacted because the file contained a virus and the virus detection policy was in blocking?

Nik
  • Hi Nik,

    For your point no. 1: yes, SSL session state is maintained on the failover unit when connection mirroring is enabled. For your point no. 2: which product are you talking about?

    Regards,
  • Hi Nik,

    1) Is connection mirroring related to SSL session state on failover? If not, what's the difference? (Please also feel free to provide a link giving relevant details.)

    When enabled on a virtual server, connection mirroring triggers mirroring of the connection table entry and updates to it. So the client would be able to resume their existing TCP connection. Connection mirroring does not mirror the SSL session cache. So if a failover occurs, the client will need to re-initiate an SSL handshake.

    We are tracking a request for enhancement to support SSL session cache mirroring. You can open a case with F5 Support to raise the visibility of this feature request.

    2) Consider Policy --> Blocking on for the "virus detected" checkbox.

    This is for ASM. If the policy check is in blocking mode and a violation occurs, the blocking response will be taken.

    Aaron
  • Hi Aaron,

    1) So I believe connection mirroring and SSL session state over failover are the same... correct? Except that connection mirroring does not mirror the SSL session cache, while SSL session state on failover does manage the SSL session cache. Is this correct?

    2) So to confirm, the blocking response to the end user will display "please contact the system administrator" even if only the file being sent across was infected (i.e. basically it does not distinguish between a header having a virus, a file having a virus etc. and block only that particular entity, e.g. the file being stripped off if infected)?

    Current version of ASM being used: 10.2.4

    Regards

    N

  • Connection mirroring copies the connection table entry and its state to the peer unit. With connection mirroring, the client would be able to resume an existing connection after a failover.

    SSL session cache mirroring would copy the shared SSL key, session ID, cipher spec, and version. With SSL cache mirroring, the client would be able to resume an existing SSL session after a failover.

    I don't think there is an option to strip bad attachments but allow the request. You could potentially disable blocking on the ICAP violation and insert a header using an iRule that indicates the attachment is bad.

    You could also submit a request for enhancement to allow for removing a bad attachment.

    Aaron
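The distinction Aaron draws in the two replies above (the connection table entry is mirrored, the SSL session cache is not, so the client keeps its TCP connection but must run a full handshake again) is easy to lose in prose. The following is an added illustration, not code from the thread or from F5: a small Python model of an active/standby pair. The `Unit`, `ConnEntry`, `SslSession` and `simulate_failover` names and the sample addresses are all constructed here; the fields of `SslSession` are the four items the reply lists as what SSL session cache mirroring would copy.

```python
"""Model of what does and does not survive an HA failover, as described in
the thread: a mirrored connection-table entry lets the client keep its TCP
connection, but without SSL session cache mirroring the client must run a
full SSL handshake again.  Added illustration only; every name below is
invented for this example and none of it is F5 code."""
import copy
import secrets
from dataclasses import dataclass


@dataclass
class ConnEntry:
    """One connection-table entry: the state connection mirroring copies."""
    state: str          # e.g. "ESTABLISHED"
    next_seq: int       # next expected client sequence number
    pool_member: str    # server the connection was load-balanced to


@dataclass
class SslSession:
    """One SSL session cache entry: the items the thread lists as what
    SSL session cache mirroring would have to copy."""
    session_id: bytes
    master_secret: bytes   # the "shared SSL key"
    cipher_spec: str
    version: str


class Unit:
    """An HA unit holding a connection table and an SSL session cache."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.conn_table = {}   # 4-tuple -> ConnEntry
        self.ssl_cache = {}    # session_id -> SslSession

    def accept(self, conn_key: tuple, pool_member: str) -> SslSession:
        """Complete a TCP handshake plus a full SSL handshake with a new client."""
        self.conn_table[conn_key] = ConnEntry("ESTABLISHED", 1001, pool_member)
        sess = SslSession(secrets.token_bytes(32), secrets.token_bytes(48),
                          "AES256-SHA", "TLSv1.0")
        self.ssl_cache[sess.session_id] = sess
        return sess

    def client_returns(self, conn_key: tuple, session_id: bytes) -> dict:
        """What a client experiences when its next packet lands on this unit."""
        result = {}
        if conn_key in self.conn_table:
            result["tcp"] = "resumed"     # flow is known: traffic keeps going
        else:
            result["tcp"] = "reset"       # unknown flow: client must reconnect
        if session_id in self.ssl_cache:
            result["ssl"] = "abbreviated handshake"   # session ID found: resume
        else:
            result["ssl"] = "full handshake"          # cache miss: new session
        return result


def mirror_connection_table(active: Unit, standby: Unit) -> None:
    """Connection mirroring: copy connection-table entries to the peer unit."""
    standby.conn_table = copy.deepcopy(active.conn_table)


def mirror_ssl_cache(active: Unit, standby: Unit) -> None:
    """The enhancement the thread mentions: copy the SSL session cache as well."""
    standby.ssl_cache = copy.deepcopy(active.ssl_cache)


def simulate_failover(mirror_connections: bool, mirror_ssl: bool) -> dict:
    """Build an active/standby pair, fail over, and report the client's view."""
    active, standby = Unit("unit-1"), Unit("unit-2")
    # Constructed sample flow: client -> virtual server on port 443.
    conn_key = ("198.51.100.7", 51234, "203.0.113.10", 443)
    sess = active.accept(conn_key, pool_member="10.0.0.21:443")
    if mirror_connections:
        mirror_connection_table(active, standby)
    if mirror_ssl:
        mirror_ssl_cache(active, standby)
    # The active unit fails; the floating address moves and the client's next
    # packet (same 4-tuple, offering its old session ID) reaches the standby.
    return standby.client_returns(conn_key, sess.session_id)


if __name__ == "__main__":
    for conns, ssl in [(False, False), (True, False), (True, True)]:
        print(f"mirror connections={conns!s:5} ssl cache={ssl!s:5} ->",
              simulate_failover(conns, ssl))
```

Running it shows the three cases side by side: with connection mirroring alone the TCP connection survives but the SSL side reports a full handshake, which is the behaviour described in the thread for the shipping product; only when the cache is also copied does the client get an abbreviated handshake.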
  • Thanks for the inputs, Aaron.

    So SSL session mirroring is something underway with F5. Is there a performance impact to using this? (Whenever it becomes available.)