Technical Articles
F5 SMEs share good practice.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner
F5 Employee
F5 Employee


The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?

An integrated F5 and OPSWAT MetaDefender solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more OPSWAT MetaDefender ICAP Servers, which can prevent previously hidden threats and block zero-day exploits. This solution eliminates the blind spots introduced by SSL/TLS.

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

A video demo of this integration is available HERE

OPSWAT MetaDefender Configuration

Install and configure:

OPSWAT MetaDefender Core

OPSWAT MetaDefender ICAP Server

Refer to OPSWAT Product Documentation for detailed instructions:

OPSWAT MetaDefender Core

OPSWAT MetaDefender ICAP Server

When done your Dashboard should look something like this:

Screen Shot 2023-01-05 at 10.31.37 AM.png

BIG-IP SSL Orchestrator Configuration

An OPSWAT MetaDefender ICAP Server is configured as an ICAP Server Service in BIG-IP SSL Orchestrator. BIG-IP SSL Orchestrator steers the decrypted web traffic through the OPSWAT ICAP Server(s), which are part of one or more Service Chains.

Create the OPSWAT MetaDefender Service

Under Services, click Add Service.

Screen Shot 2023-01-05 at 10.35.57 AM.png

In the service catalog, double click OPSWAT MetaDefender ICAP service. (If the version of BIG-IP SSL Orchestrator you’re using doesn’t have this option, then use the generic ICAP service.) This option is available from the ICAP tab in newer versions. 

Screen Shot 2023-01-05 at 10.39.34 AM.png

Give it a name, OPSWAT in this example.  Under ICAP Devices click Add.

Screen Shot 2023-01-05 at 10.45.32 AM.png

Enter the IP address of the MetaData ICAP Server, in this example. Click Done.

Screen Shot 2023-01-05 at 10.47.38 AM.png

Specify the URI Path for Request and Response Modification.  Click Save and Next at the bottom.

Screen Shot 2023-01-05 at 10.52.42 AM.png

From the Services Chain List select the Chain you want to add OPSWAT to, Services_Chain in this example.

Screen Shot 2023-01-05 at 11.11.34 AM.png

Move OPSWAT to the Selected field

Screen Shot 2023-01-05 at 11.12.36 AM.png

Click Save when done

Screen Shot 2023-01-05 at 11.14.12 AM.png

Deploy when done

Screen Shot 2023-01-05 at 11.16.07 AM.png

Testing the Configuration

To check that you configuration is working as expected try to download an eicar testfile over HTTPS here. If everything was setup properly you should see a blocking page similar to this:



This completes configuration of BIG-IP SSL Orchestrator with OPSWAT MetaDefender. At this point traffic that flows through SSL orchestrator will be decrypted and sent to the OPSWAT ICAP Service and inspected for malicious payloads.

Version history
Last update:
‎07-Feb-2023 10:37
Updated by: