Forum Discussion
What is the flow of https virtual server with ASM security policy and ICAP request Adapt profile?
Hi;
Let's say there is a https virtual server used for allowing users to upload files and let's say that this server has an ASM/AWAF advanced policy attached to it.
My intention is to use ICAP over TLS to scan uploads, so I want to have and ICAP Adapt request profile associated with this https virtual server, with an SSL server profile.
My question is what is the traffic flow here? Is it ASM, then internal ICAP Request mod virtual server, then the ICAP scanner, then if the file is clean, the https virtual server moves to load balancing and send the file to the upload server?
Kindy
Wasfi
Hi Wasfi_Bounni ,
Bigip AWAF checks first if the request valid or not then take the decision to forward it or not.
For Example ,
If your bigip received a request , and you have awaf policy in blocking mode ,
If this request violate any of AWAF policy settings , bigip will not proceed to send the request to the ICAP Server , whereas if this Request Valid , bigip ip will move forward to the ICAP server.
The Flow from my perspective:
For more details :
if a request triggered ( illegal url ) , bigip will not proceed sending this request to ICAP server , and will block it from the first time and give you event log says " Illegal url " , but if this request valid , it will be sent to ICAP , and After ICAP checking responses for the uploaded file , bigip will send this request " maybe will be modified due to ICAP " to the selected pool member.
Make sure to follow this Article to implement AWAF - ICAP integrations. :
https://my.f5.com/manage/s/article/K70941653
Also have a look in this Video , it shows it practically :
https://www.youtube.com/watch?v=4jX4e-oPHm4
you can Test this Flow in your Lab/or Test environment .
1) define the uri that used in file upload as a disallowed uri on ASM policy ( Blocking mode)
2) try to upload the file.
3) Take a Pcap between Bigip and Icap.
4) the Expected behavior : no Icap requests to the ICap server from BIGIP , because ASM policy blocked your request because it matches illegal uri " the disallowed uri entity you have defined"
5) Remove the disallowed entity to make the uri valid and test with another Pcap between Bigip and Icap server then you shoud see the ICAP Request going to ICAP servers for further inspections.
I hope I gave you some insights 🙂you're most welcome Wasfi_Bounni , my pleasure 🙂
Hi Wasfi_Bounni ,
Bigip AWAF checks first if the request valid or not then take the decision to forward it or not.
For Example ,
If your bigip received a request , and you have awaf policy in blocking mode ,
If this request violate any of AWAF policy settings , bigip will not proceed to send the request to the ICAP Server , whereas if this Request Valid , bigip ip will move forward to the ICAP server.
The Flow from my perspective:
For more details :
if a request triggered ( illegal url ) , bigip will not proceed sending this request to ICAP server , and will block it from the first time and give you event log says " Illegal url " , but if this request valid , it will be sent to ICAP , and After ICAP checking responses for the uploaded file , bigip will send this request " maybe will be modified due to ICAP " to the selected pool member.
Make sure to follow this Article to implement AWAF - ICAP integrations. :
https://my.f5.com/manage/s/article/K70941653
Also have a look in this Video , it shows it practically :
https://www.youtube.com/watch?v=4jX4e-oPHm4
you can Test this Flow in your Lab/or Test environment .
1) define the uri that used in file upload as a disallowed uri on ASM policy ( Blocking mode)
2) try to upload the file.
3) Take a Pcap between Bigip and Icap.
4) the Expected behavior : no Icap requests to the ICap server from BIGIP , because ASM policy blocked your request because it matches illegal uri " the disallowed uri entity you have defined"
5) Remove the disallowed entity to make the uri valid and test with another Pcap between Bigip and Icap server then you shoud see the ICAP Request going to ICAP servers for further inspections.
I hope I gave you some insights 🙂- Wasfi_BounniCirrocumulus
Thank you Mohamed.
you're most welcome Wasfi_Bounni , my pleasure 🙂
Wasfi_Bounni I do not know if you have also seen https://my.f5.com/manage/s/article/K17964220 (K17964220: Is it possible to activate antivirus checking using ICAP over SSL?) where it is mentioned that the F5 ASM antivirus option can't be used but if you create an ICAP virtual server that has server ssl profile and a pool that has the ICAP servers then you could configure the IP address of the virtual server in the ASM Antivirus configuration.
This is an alternative than using Adapt Request LTM profile for ICAP over TLS/SSL and the Virtual server IP address could be listening on a Vlan that is not attached to any interface making the communication between the F5 ASM/AWAF module and the ICAP Virtual Server Internal as the ASM will send ICAP that is not encrypted and the VS will encrypt it when sending it to the pool member ICAP servers.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com