The gist is as follows:
yes, you will need to create a custom ASM violation in ASM and the traffic will still need to pass to ASM. It will, however, be sent to the ICAP server before hitting ASM - and if we get an ICAP response that indicates that the payload is unsafe/infected/malicious, the goal is to to override that response and set a specific flag in the iRule to indicate to the ASM_REQUEST_DONE event that it should raise that violation about ICAP-based compliance. I am currently playing with different scenarios and will post more details, but assuming you have ICAP integration on the LTM working, try this iRule:
when ADAPT_REQUEST_RESULT {
log local0. "ICAP response is [ADAPT::result]"
if { ! ([ADAPT::result] contains "bypass") } {
set icap_blocked 1
ADAPT::result bypass
} else {
set icap_blocked 0
}
}
when ASM_REQUEST_DONE {
if { [info exists icap_blocked] && $icap_blocked == 1 } {
ASM::raise ICAP
log local0. "Raising custom ASM Violation."
set icap_blocked 0
}
}
In order for this to work, you need to:
- Have LTM-based ICAP integration working
- Have ASM policy assigned to the VS and also have iRules Triggering enabled on that policy(this is needed for ASM_REQUEST_DONE event to fire).
- Create a custom Violation(in my case, the name of the violation is ICAP - either use the same name or adjust the name in the iRule)
- Adjust the Blocking mask in the Security Policy to alarm/block on the new custom violation.