asm custom violation
2 Topics

ASM Custom Violation for ICAP Scanning
Hello Folks,

I recently started building ICAP AV scanning configurations on F5 LTM. Looks like most of it is pretty easy to configure following some docs on the support site. But the blocker is, I'm trying to raise a violation using iRules and ASM custom violations. Please see the iRule below:

    when ADAPT_REQUEST_RESULT {
        log local0. "ICAP response is [ADAPT::result]"
        # Any ICAP result that does not contain "modify" sets the blocked flag
        if { ! ([ADAPT::result] contains "modify") } {
            set icap_blocked 1
            ADAPT::result bypass
        } else {
            set icap_blocked 0
        }
    }

    when ASM_REQUEST_DONE {
        # Raise the user-defined violation named ICAP when the flag is set
        if { [info exists icap_blocked] && $icap_blocked == 1 } {
            ASM::raise ICAP
            log local0. "Raising custom ASM Violation."
            set icap_blocked 0
        }
    }

So far, scanning the files and allowing or blocking the request is working just fine. When it comes to raising a custom violation to the user when a malicious file is uploaded, I'm not seeing any response pages I set on ASM. Please see the procedure below:

1. Configured AV scanning following the document (link above).
2. Created a security policy on ASM with Blocking enforcement mode (Security -> Application Security -> Security Policies).
3. Created a custom violation under Security -> Options -> Application Security -> Advanced Configuration -> Violation List -> User-Defined Violations -> Create. See below.

Now, created a blocking response page under Security -> Application Security -> Blocking -> Response Pages. See below.

Response Headers:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: close

Response Body:

    Request Rejected
    The requested URL was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>

After assigning the iRule to the ICAP virtual server, I uploaded a virus file from a web portal that points to the ICAP virtual IP, and it's being blocked. But I'm not seeing the response page I created.

Any help is much appreciated! Thanks

I know this is too much information. Just thought it would help someone in the future. I appreciate your patience 🙂

435 Views, 0 likes, 7 Comments