Forum Discussion

GGoran_276252's avatar
GGoran_276252
Icon for Nimbostratus rankNimbostratus
Jul 20, 2016

F5 with Symantec external antivirus (ICAP protocol)

Hi, first time asking a question here. We're trying to setup an F5 ASM to forward files to external antivirus for scanning (Symantec Protection Engine for Cloud Services) with ICAP protocol. There ha...
ASM Advanced WAF
BIG-IP
security
Vijith_182946's avatar
Vijith_182946
Icon for Cirrostratus rankCirrostratus
Jul 23, 2016

This might help : https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/37.html

 

GGoran_276252's avatar
GGoran_276252
Icon for Nimbostratus rankNimbostratus
Jul 23, 2016

Hi, tnx for your answer. Maybe it isn't clear from my first post, but we managed to get antivirus checking on Symantec and blocking them on F5. So we have a basic functionality of the system.

 

What we would like to achieve is that when a virus is blocked, to have F5 generate a blocking response page for the end user. How to do this is unclear to us.

 

When a virus is blocked, this is considered a security violation on F5. How can we use this violation to trigger a response page for the use? Maybe it's unimportant, but we're missing Response Status Code which is set to N/A.

 

Policy in blocking mode (EICAR test virus uploaded):

 

Policy in transparent mode (response code 200 OK, same file uploaded):

 

I've looked over F5 Guide for blocking response page, and it just states that we can use default or customized reponse pages. I've checked this Guide

 

Also, do we need to use iRules for this? I'd be happier without them :)

 

Regards, Goran