What is the flow of https virtual server with ASM security policy and ICAP request Adapt profile?
Let's say there is a https virtual server used for allowing users to upload files and let's say that this server has an ASM/AWAF advanced policy attached to it.
My intention is to use ICAP over TLS to scan uploads, so I want to have an ICAP Adapt request profile associated with this https virtual server, with an SSL server profile.
My question is what is the traffic flow here? Is it ASM, then internal ICAP Request mod virtual server, then the ICAP scanner, then if the file is clean, the https virtual server moves to load balancing and send the file to the upload server?
Hi Wasfi_Bounni,
BIG-IP AWAF first checks whether the request is valid or not, then takes the decision to forward it or not.
For example,
if your BIG-IP receives a request, and you have an AWAF policy in blocking mode:
if this request violates any of the AWAF policy settings, BIG-IP will not proceed to send the request to the ICAP server, whereas if this request is valid, BIG-IP will move forward to the ICAP server.
The Flow from my perspective:
For more details:
If a request triggers a violation (illegal URL), BIG-IP will not proceed with sending this request to the ICAP server; it will block it from the first time and give you an event log that says "Illegal URL". But if this request is valid, it will be sent to ICAP, and after the ICAP check returns its response for the uploaded file, BIG-IP will send this request (maybe modified by ICAP) to the selected pool member.
Make sure to follow this article to implement the AWAF-ICAP integration:
Also have a look at this video, it shows it practically:
You can test this flow in your lab or test environment.
1) Define the URI that is used for file upload as a disallowed URI in the ASM policy (blocking mode).
2) Try to upload the file.
3) Take a pcap between BIG-IP and ICAP.
4) The expected behavior: no ICAP requests to the ICAP server from BIG-IP, because the ASM policy blocked your request, since it matches an illegal URI (the disallowed URI entity you have defined).
5) Remove the disallowed entity to make the URI valid and test with another pcap between BIG-IP and the ICAP server; then you should see the ICAP request going to the ICAP servers for further inspection.
I hope I gave you some insights 🙂
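Added example, not part of the original thread or of F5's tooling: a Python check for steps 4 and 5 that parses ICAP requests (RFC 3507) exported from the capture and reports whether a REQMOD for the upload URI reached the ICAP server. It assumes plaintext or already-decrypted ICAP, one reassembled message per item; the hosts, the `/avscan` service, and the `/upload` and `/profile` URIs are constructed placeholders.

```python
import re

def parse_icap_request(raw: bytes) -> dict:
    """Parse one ICAP request: method, service URL, encapsulated HTTP request line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.fullmatch(r"(\S+) (\S+) ICAP/1\.0", lines[0])
    if not m:
        raise ValueError(f"not an ICAP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # "Encapsulated: req-hdr=0, req-body=147" gives byte offsets into the encapsulated part.
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        key, _, val = part.strip().partition("=")
        if val.isdigit():
            offsets[key] = int(val)
    http_line = None
    if "req-hdr" in offsets:
        start = offsets["req-hdr"]
        end = min([v for v in offsets.values() if v > start], default=len(body))
        http_line = body[start:end].decode("iso-8859-1").split("\r\n", 1)[0]
    return {"method": m.group(1), "service": m.group(2), "http_request_line": http_line}

def reqmods_for_uri(messages, uri):
    """Return the parsed REQMOD messages whose encapsulated HTTP request targets `uri`."""
    hits = []
    for raw in messages:
        msg = parse_icap_request(raw)
        parts = (msg["http_request_line"] or "").split(" ")
        if msg["method"] == "REQMOD" and len(parts) == 3 and parts[1].split("?", 1)[0] == uri:
            hits.append(msg)
    return hits

def build_reqmod(path: bytes) -> bytes:
    """Build a constructed REQMOD sample (not from a real capture) for an HTTP POST to `path`."""
    http_hdr = b"POST " + path + b" HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    icap_hdr = b"REQMOD icap://icap.example/avscan ICAP/1.0\r\nHost: icap.example\r\n"
    return icap_hdr + b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr) + http_hdr + b"4\r\ntest\r\n0\r\n\r\n"

# Constructed OPTIONS message: ICAP traffic that carries no HTTP request and must not be counted.
OPTIONS = b"OPTIONS icap://icap.example/avscan ICAP/1.0\r\nHost: icap.example\r\nEncapsulated: null-body=0\r\n\r\n"
CAPTURE_URI_DISALLOWED = [OPTIONS, build_reqmod(b"/profile")]                       # step 4
CAPTURE_URI_ALLOWED = [OPTIONS, build_reqmod(b"/profile"), build_reqmod(b"/upload")]  # step 5

if __name__ == "__main__":
    for name, cap in (("disallowed", CAPTURE_URI_DISALLOWED), ("allowed", CAPTURE_URI_ALLOWED)):
        print(name, [m["http_request_line"] for m in reqmods_for_uri(cap, "/upload")])
```

An empty result for the first capture and one `POST /upload` hit for the second is the pattern the test steps describe; other ICAP traffic on the same link does not affect the result.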