Forum Discussion
CirrusMultiple ICAP servers with ASM
Hello,
Is it possible to send files to be analyzed to multiple ICAP servers? Normally documentation/ASM GUI mentions only 1 server host: https://support.f5.com/csp/article/K70941653
Can we refer instead of a server host IP a VIP in that field? (maybe configured on the same LTM)
Also, if a virus has been analyzed as infected, would it be logged in ASM violation? where is all this stuff documented?
When to use ASM and when LTM to check files against antivirus via ICAP? Is there any added value in terms of violations detection using LTM?
Leonardo_SouzaCirrocumulus
I was looking this the other day, and had a similar query, if I could use more than one IP for the ICAP. However, I haven't research about that yet.
The solution you sent explains the violation part, as that will be logged together with other violations in the system as virus detected.
Never used this with LTM, so not sure about the difference, or if you can have with LTM.
Daniel_VarelaEmployee
You should be able to refer a VIP as far as everything is in route domain 0 (you may make this work in other route domains if strict isolation is disabled). In your VIP configuration then set a pool of ICAP servers and look after persistence. This should work fine.
Regarding ASM triggering the violation, yes it does and it provides some details about the malware/thread detected. You need to go to advanced settings in ASM en set the specific ICAP header that your ICAP server uses to provide this information. Then you should see nice alarm violations in your event log (this is always subject to your block setting configuration)
When to use ASM and LTM, well I'd say LTM is more flexible and it works better overall but it lacks integration with ASM. ICAP on ASM got some limitations, for example the longest request length supported by the system by default is 10MB and you can go to 30MB without big issues. If you expect to deal with big files this may be a problem. Going beyond that requires to involve F5 support.