
How to disable preview if using iCAP via ASM

imranHaider
Altostratus

Hello,

 

I have an ICAP server configured via ASM. The basic connectivity is OK; however, when the ASM sends an attachment to the ICAP server (Fortinet sandbox), the sandbox replies back instantly with a 204 no content found response. So in effect the F5 doesn't wait for the scan result and the attachment gets uploaded to the web server. I am thinking of somehow disabling the preview feature so the F5 should be able to wait for the sandbox response.

Is this achievable with ASM, or do I need to use an Adaptation profile with an internal VS with a pool member as an ICAP server?

Thanks in advance.


Lidev
MVP

Hello,

We have met the same issue with the OPSWAT product with an ICAP server configured in the ASM module. We solved the problem using an LTM configuration with an Adaptation profile and an internal Virtual Server like you mentioned 😉

Configuring HTTP Request and Response Adaptation

 

Regards

imranHaider
Altostratus

Thanks a lot for the valuable response.

As I understand it, all your web traffic will now pass through the sandbox, so do you see any delay or latency issues?

I assume there will be some latency, though unnoticeable to the users.

Not all web traffic, only the traffic with an attachment.

Yes, the processing adds a little latency, but it is invisible to the end user.

If you are satisfied with the answer, don't forget to mark the answer as solved.

imranHaider
Altostratus

I have configured the adapt profile and I can see that the communication is happening. I also see the file received by the AV server and scanned, while at the same instant the F5 sends a connection reset 104.

Below are the logs from the AV server:

2020-04-07 23:51:36 172.19.0.9 socket error [Errno 104] Connection reset by peer

2020-04-07 23:51:36 File from ICAP client (172.18.4.10)(self IP) was submitted. client_ip=137.210.92.58 sha256=4c11e6e120d335f8ca85af0aa3f4f12151a8e3de486b0ac8e966d6e8e512992a fname=vpn8.PNG

2020-04-07 23:51:36 172.18.4.10(self IP) socket error [Errno 104] Connection reset by peer

 

In /var/log/ltm I see the below:

 

Apr 8 00:15:08 lab-F5.com err tmm3[20599]: 01aa0003:3: ICAP (137.210.92.58:59860 -> 172.16.6.6:443): Parsing ICAP response headers failed

172.16.6.6 is the webserver VIP on LTM

 

I don't find much info about this error 104. Appreciate your help, thanks.

 

Hi,

Have you configured an HTTP Request Adapt profile AND a Response Adapt profile on your virtual server?

See also this link https://support.f5.com/csp/article/K90438506

Ivan_Chernenkii
F5 Employee

Hello,

How do you configure ICAP for ASM?

Do you specify it in Security ›› Options : Application Security : Integrated Services : Anti-Virus Protection?

Do you enable appropriate violation and settings on Security ›› Application Security : Integrated Services : Anti-Virus Protection?

Do you send attachment as HTTP upload or as SOAP attachment?

 

ASM shouldn't send any preview request in case of correct configuration.
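
What a 204 means in this thread depends on whether the ICAP request carried a preview, so the following sketch classifies a reply by how much of the upload the server had seen. It is an added example, not code from the posters, F5 or Fortinet; it follows RFC 3507 framing, and the host names, the function names `build_reqmod`, `parse_head` and `verdict_scope`, and all sample messages are constructed assumptions.

```python
import re
CRLF = b"\r\n"

def build_reqmod(body: bytes, preview=None) -> bytes:
    """Build an ICAP REQMOD message for an upload; preview=None sends the whole body."""
    http_head = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(body))
    icap = [b"REQMOD icap://icap.example/reqmod ICAP/1.0", b"Host: icap.example",
            b"Allow: 204"]
    if preview is not None:
        icap.append(b"Preview: %d" % preview)
    icap.append(b"Encapsulated: req-hdr=0, req-body=%d" % len(http_head))
    sent = body if preview is None else body[:preview]
    # "0; ieof" tells the server the preview already holds the complete body.
    end = b"0; ieof" if preview is not None and len(body) <= preview else b"0"
    chunk = b"%x\r\n%s\r\n" % (len(sent), sent) if sent else b""
    return CRLF.join(icap) + CRLF * 2 + http_head + chunk + end + CRLF * 2

def parse_head(raw: bytes):
    """Split the ICAP head (up to the first blank line) into start line and headers."""
    lines = raw.split(CRLF * 2, 1)[0].decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed ICAP header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def verdict_scope(request: bytes, response: bytes) -> str:
    """Report how much of the upload the server had seen when it answered."""
    _, req = parse_head(request)
    start, _ = parse_head(response)
    m = re.fullmatch(r"ICAP/1\.0 (\d{3})(?: .*)?", start)
    if not m:
        raise ValueError(f"not an ICAP status line: {start!r}")
    status = int(m.group(1))
    # A preview that did not end with "ieof" covered only the first bytes.
    partial = "preview" in req and not request.endswith(b"0; ieof\r\n\r\n")
    if status == 204:
        return "204-preview-only" if partial else "204-full-body"
    # 100 asks the client for the rest; 200 carries an adapted or blocking message.
    return {100: "continue", 200: "200-modified"}.get(status, f"unexpected-{status}")

# Constructed sample: 4 KiB upload, 1 KiB preview, immediate 204 from the server.
UPLOAD = b"A" * 4096
NO_CONTENT = b"ICAP/1.0 204 No Content\r\nISTag: \"sample\"\r\n\r\n"
print(verdict_scope(build_reqmod(UPLOAD, preview=1024), NO_CONTENT))
```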