Forum Discussion

imranHaider's avatar
imranHaider
Icon for Altostratus rankAltostratus
Apr 05, 2020

How to disable preview if using iCAP via ASM

Hello,

 

i have an iCAP server configured via ASM. The basic connectivity is OK however when the ASM send an attachment to the icap server (fortinet sandbox), the sandbox replies back instantly with a 204 no content found response. so in effect the F5 doesnt wait for the scan result and the attachment gets uploaded to the webserver.. I am thinking to somehow disable the preview feature so the F5 should be able to wait for the sandbox response..

is this achievable with ASM, or do i need to use Adaptation profile with an internal VS with a pool member as a icap server?

 

thanks in advance.

  • Lidev's avatar
    Lidev
    Apr 07, 2020

    Not all webtraffic, only the one with attachment.

    yes, the processing add a little latency but invisible for the end user.

    if you are satisfied with the answer, don't forget to mark the answer solved.

  • Thanks a lot for the valueable response.

    As i understand that now all your webtraffic will pass through the sandbox, so do you see any delay or latency issues?

    i assume there will be some latency though un-noticeable to the users.

    • Lidev's avatar
      Lidev
      Icon for MVP rankMVP

      Not all webtraffic, only the one with attachment.

      yes, the processing add a little latency but invisible for the end user.

      if you are satisfied with the answer, don't forget to mark the answer solved.

  • I have configured adapt profile and i can see that the communication is happening. I also see the file received by the AV server and scanned, while at the same instant the F5 sends a connection reset 104.

     

    below logs from AV server

    2020-04-07 23:51:36 172.19.0.9 socket error [Errno 104] Connection reset by peer

    2020-04-07 23:51:36 File from ICAP client (172.18.4.10)(self IP) was submitted. client_ip=137.210.92.58 sha256=4c11e6e120d335f8ca85af0aa3f4f12151a8e3de486b0ac8e9

    66d6e8e512992a fname=vpn8.PNG

    2020-04-07 23:51:36 172.18.4.10(self IP) socket error [Errno 104] Connection reset by peer

     

    in /var/log/ltm i see below

     

    Apr 8 00:15:08 lab-F5.com err tmm3[20599]: 01aa0003:3: ICAP (137.210.92.58:59860 -> 172.16.6.6:443): Parsing ICAP response headers failed

    172.16.6.6 is the webserver VIP on LTM

     

    i dont find much info about this error 104. Appreciate your help,thanks

     

  • Hello,

    How do you configure ICAP for ASM?

    Do you specify it in Security ›› Options : Application Security : Integrated Services : Anti-Virus Protection?

    Do you enable appropriate violation and settings on Security ›› Application Security : Integrated Services : Anti-Virus Protection?

    Do you send attachment as HTTP upload or as SOAP attachment?

     

    ASM shouldn't send any preview request in case of correct configuration.