F5 ASM with fortisandbox
Hi i want to integrate f5 ASM with fortisandbox as a icap server for file upload inspection i found this articalehttps://support.f5.com/csp/article/K70941653 butValue of virus_header_name for fortisandbox is not mentioned any one has experince of integration with fortisandbox. please let me know if anyone knowvirus_header_name for fortisandboxASM and OPSWAT Metadefender Blank Page after file upload
Hi, I am trying to integrate F5 ASM WAF with OPSWAT metadefender but when I try and upload and EICAR file browser just shows a blank white page. I am using a default security policy in blocking mode and have configured the settings according to the F5 BIG IP ASM (WAF) OPSAWT guide. I have configured the ICAP server under Security>Options>Application Security>Integrated Services>Anti-Virus Protection. I have configured the antivirus block settings under Security>Application Security>Policy Building>Learning and Blocking Settings>Advanced Configuration. I have antivirus scanning for HTTP file uploads and SOAP attachments Security>Application Security>Integrated Services>Anti-Virus Protection. When I try to upload the test file I get a blank browser and if I check the source code in the browser I see the following: window["bobcmn"] = "101110101010102000000022ffffffff2ffffffff20000000220156c0ea200000000200000000200000000300000044multipart%2fform%2ddata%3b%20boundary%3d%2d%2d%2d%2dWebKitFormBounda300000000300000000300000000300000000300000007httpsc3000000b008a59e5661ab20000adb568196d38950bf7928e988d64266cafbda4956605335d523cb0c44e211db089aede8158b2800a5d271c7e2a6f9d94d8c4ad7cd49022d5f72b236f5ca5943b07c111a9484727f3b29e542d2d2302b300000002TS300000165%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz Content%2dDisposition%3a%20form%2ddata%3b%20name%3d%22filename%22%3b%20filename%3d%22eicar.com%22 Content%2dType%3a%20application%2foctet%2dstream X5O!P%25@AP[4%5cPZX54(P%5e)7CC)7}%24EICAR%2dSTANDARD%2dANTIVIRUS%2dTEST%2dFILE!%24H%2bH%2a %2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz%2d%2d 200000000"; "</script> </APM_DO_NOT_TOUCH> <script type="text/javascript" src="/TSbd/08a59e5661ab2000a21cb91986bc897b6b354965ec350caba4c8ca55a7b089798844a4727e8dc553?type=5"></script><noscript>Please enable JavaScript to view the page content.<br/>Your support ID is:8648386876400468880.</noscript> </head><body> </body></html>" Is there something in the ASM policy that needs to be changed?
F5 ASM with Mcafee Virusscan for storage ICAP server
Dear all, Working on a integration with F5 ASM with Mcafee Virusscan for storage (ICAP server) and the server keeps sending me HTTP response code 400 Bad Request. Below the configuration and Wireshark output and logs. Following is the response code 400 In ASM request log the following is being logged This is the ouput of that log F5 is configured with /REQMOD as stated in the documentation I believe we are using the right solution for ICAP scanning Mcafee Virusscan for storage with ICAP AV scanner enabled version 8.8 hotfix 4 and Enterprise for storage 1.1
Modify HTTP response from ICAP server on BigIP
Hi all, I'm facing the following problem with an ICAP setup: What we want is AV scanning of file uploads to a web page using ICAP on the BigIP. This is done by using a request adapt profile in conjunction with an internal virtual with ICAP profile. We want all POST requests to a specific upload path to be sent to an ICAP server that performs AV scanning. When finding an infected upload, the ICAP server will respond with an ICAP result "respond" (instead of "modify") and return an http 403 error page (we cannot change that behaviour). The upload (POST request) will not reach the webserver in that case. Up to that point, we could get all of this working properly. Unfortunately, the client application (third party product) will throw an unexpected and undefined error upon receiving an http 403 status code. In order to display a meaningful error message to the end user, the application expects an http status code 901 instead. As already mentioned, we can neither change the http 403 error returned by the ICAP server (third party product), nor the need/expectation for an http 901 status by the web application (also third party product). Hence, we plan to rewrite the http 403 reply (of the ICAP server) into an http 901 status on the bigip, resulting in the following setup: click here I tried to address this issue with the following iRule: when HTTP_REQUEST { if { [HTTP::uri] starts_with "/some/path/to/file/uploads" } { log local0. "Upload detected - activating ICAP" ADAPT::enable request true set icap_enabled 1 set icap_respond 0 } else { ADAPT::enable request false set icap_enabled 0 set icap_respond 0 } } when ADAPT_REQUEST_RESULT { set result [ADAPT::result] log local0. "ICAP RESULT received. Result: $result" if { $result == "respond" } { set icap_respond 1 log local0. "ICAP MATCH respond" } } when HTTP_RESPONSE { if { $icap_enabled == 1 } { if { $icap_respond == 1 } { HTTP::respond 901 log local0. "Upload ICAP response detected - sending http 901 to client." } } } Unfortunately, this does not work, since the HTTP_RESPONSE event will not be triggered by the ICAP response, because it is not coming from a server as the wiki page states: HTTP_RESPONSE is specific to a server response passing through the load balancer, and is not triggered for locally-generated responses HTTP_RESPONSE_RELEASE is also not a suitable event, because it does not allow HTTP::respond actions. Trying to do the HTTP::respond action within the ADAPT_REQUEST_RESULT event block will result in TCL errors during execution and break down the whole virtual. Does anybody have ideas on how to address this issue properly? I'm running out of ideas. Many thanks in advance! Martin
SharePoint 2016 large file upload and LTM ICAP configuration
Hi Guys, I have a special case here: Configuration: BigIP Version 13 HTTPS VS (SharePoint Web App with adapt request/response profiles) ICAP VS (Internal with an icap profile) ICAP sever Bluecoat ProxySG with a Symantec scan engine What's happening: When I upload a file with a size less than 100 MB SharePoint upload page sends the file to the SharePoint server in a single block with the header content-type mutilpart. LTM ICAP client sends the file to the ICAP Server (bluecoat) and the file gets scanned and we get back a response according to what we expect. Pass if clean and block is virus detected. Now if I upload a file bigger the 100 MB SharePoint switches to REST API mode and sends the file in multiple chunks of 8MB. The LTM ICAP client sends the files to the ICAP server (bluecoat) and the files get scanned and we get a response for the all the files scanned BUT the answer is always 'file is CLEAN' even if we test with a 110 MB zip file containing an eicar file or multiple eicar files or even a pack or 500MB of real deadly viruses :-) SharePoint sends the file chunks in a JSON payload with the header ACCPET: application/json Anyone managed to make file uploads bigger than 100MB scannable with this type of setup? Any configuration steps I'm missing to make the 110MB zip file scannable when it arrives in small chunks on the ICAP server. I understand that this might be an issue with the ICAP server but I want to rule out the LTM configuration. We are talking to talking to Broadcom/Symantec too. It will not be possible to do anything on the SharePoint side unfortunately since this is the preferred method of uploading large files.ICAP integration will not work
Hello community, I want to check with the ASM module uploaded files against an ICAP server (Bluecoat Proxy AV). I´ve configured the ICAP settings and the settings in the asm policy. If I now upload a file in a upload form I see in the tcpdump that the F5 communicates with the ICAP server. If I upload a eicar test file I see in the ICAP log that the file has been recognized. The problem is that the F5 did not block the file. In the asm log I see that the "request" is okay and not a dangerous attack. What can I do? The ICAP server works fine. We are using it with more than one system.
Send 1 uri to ICAP
Hi, It's been 2 year since i've done F5 ASM and i noticed some changes in 11.4 The ASM is differently set up. I used to make classes and attached policies, but that's now gone. What i wan't is send 1 specific uri to an icap server (proxyAV). I used to make an extra class for this setup to only match on the specific upload uri. This wouldn't intefere with the existing policy for the whole application, and prevents sending all traffic to the icap. How would i approach this now on 11.4?
ICAP server reachable, however ASM claims communication issues
Greetings, I have encountered a situation where I have implemented basic AV protection to a server. Tests with EICAR file work fine from internal and external networks (should not really matter). The thing is that on some occasions I noticed that the file upload had been blocked but the Virus violation states: "Virus detection was not performed due to communication problem. See details here: /ts/log/bd.log" There is no relevant info in that log file. Guaranteed enforcement was turned on, so I guess that's why the block took place. But the real question is - why is it complaining about not being able to communicate with the ICAP server? When I run a test from any network, it blocks it just right and the violation is described accurately. Whenever this has happened there have been multiple generic violations detected with the traffic as well, but ONLY AV protection is in Blocking mode - generic signatures are just alerting for analysis. Does anyone have more experience with such cases? Any ideas why this is happening? Thank you!
problem integrating icap into asm of F5 14.1
I followed this tutorial https://support.f5.com/csp/article/K70941653 but i have a problem in integrating icap into asm of F5 14.1, asm does not send files to icap Trend Micro antivirus. I have configured the IP address, the port and the iCAP_URI (/ reqmod, / REQ-Service, / AVSCAN) no result!!!
