Forum Discussion
I agree with Torti, there will be a slight slowdown, but only for the file uploads, not the entire application. I am currently using this feature in one of our applications and there was full performance testing done with no complaints from the developers or business owners. If you or the business owners are that concerned about performance impacts of this feature, there is an option when configuring the AV setting on ASM for "Guarantee Enforcement". If you uncheck the box (disable this option), the documentation says that the system will perform the scan only if it does not slow down the application. I am unsure how it calculates this and honestly would not recommend disabling this, but the option is there and you would still get some protection. However, it would make bypassing the scan pretty simple if someone wanted to.
A couple other things to note about AV scanning.
- There is a max request size for ASM, long_request_buffer_size, which defaults to 10 MB. So if the request exceeds 10 MB (which would include the file upload), then ASM will not send the request to the ICAP server. Here is the SOL on this:
https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12984.html?sr=26859617
- If the ICAP server you are sending the files to for scanning goes down for any reason and ASM is unable to get a response, it will block the request. The initial log entry shows a virus detected, but when you look at the details of that block you will see it says unable to contact ICAP server. So I would recommend making sure the ICAP servers you are sending to are highly available in some way. We just have our two servers behind an LTM and send traffic to the Virtual IP.
Overall this feature has worked well for us and we have not had any service interruptions or performance issues reported that have been related to it.
- Focus_140526 (Dec 30, 2013, Nimbostratus): Mike, thanks for your tips.
- Focus_140526 (Jan 02, 2014, Nimbostratus): Mike, http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-4-0/12.html This document says that when you create a request adapt profile, you can use Ignore for the Service Down Action, which causes the BIG-IP system to ignore the error and send the unmodified HTTP request to an HTTP server in the HTTP server pool.
- Mike_Maher (Jan 03, 2014, Nimbostratus): I think this implementation is only needed if you don't have ASM licensing. If you are licensed for ASM, you can still just use the integrated AV service and perform the same functionality with a bit less configuration. Also, this looks like it is going to send all requests to the ICAP pool, not just the file uploads, which may be desired but also may have a larger performance impact on the application. With ASM licensed you can scan just the file uploads, and since it is done at ASM you gain some flexibility of using L7 Policy and Rules to separate out the traffic that is being scanned. I am glad you posted this, as I didn't realize this was possible with request adaptation, and this feature probably gives you ways to implement broader security on traffic coming into a virtual without having ASM. However, it looks a bit more complex to manage and probably will apply to more traffic than you want it to. In a pinch though it is an option, and I do like having options to use :).
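The fail-closed behaviour Mike describes (ASM blocks when it cannot reach the ICAP server) and the "Ignore" Service Down Action of the request adapt profile are two policies for the same ICAP REQMOD exchange. As an added illustration that is not part of this thread and not F5 code, here is a constructed minimal ICAP client plus a stub scanner; the /reqmod service path, the X-Scan-Result header and the infected marker are assumptions, and ASM's real decision logic is not reproduced.

```python
import socket
import threading

# Constructed, minimal ICAP (RFC 3507) REQMOD exchange: a client that submits an HTTP
# upload for scanning and a stub scanner. MARKER and "X-Scan-Result" are constructed
# for this example, not any real AV product's wire format.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

def build_reqmod(host, port, http_hdr, body):
    """Wrap an HTTP request (headers + body) in an ICAP REQMOD message (chunked body)."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap = ("REQMOD icap://%s:%d/reqmod ICAP/1.0\r\nHost: %s\r\n"
            "Encapsulated: req-hdr=0, req-body=%d\r\n\r\n"
            % (host, port, host, len(http_hdr))).encode()
    return icap + http_hdr + chunked

def _recv_until(conn, end):
    buf = b""
    while not buf.endswith(end):
        data = conn.recv(4096)
        if not data:
            break
        buf += data
    return buf

def start_stub_scanner():
    """Stub ICAP scanner: 204 (no modification) when clean, 200 + verdict header if MARKER seen."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with conn:
            req = _recv_until(conn, b"0\r\n\r\n")  # read through the last chunk
            if MARKER in req:
                conn.sendall(b"ICAP/1.0 200 OK\r\nX-Scan-Result: infected\r\n"
                             b"Encapsulated: null-body=0\r\n\r\n")
            else:
                conn.sendall(b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n")
        srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Pick a local port nothing listens on, to simulate an unreachable ICAP server."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def scan_upload(host, port, http_hdr, body, fail_open=False):
    """Return (decision, reason). fail_open mirrors a 'Service Down Action: Ignore'."""
    try:
        with socket.create_connection((host, port), timeout=2) as s:
            s.sendall(build_reqmod(host, port, http_hdr, body))
            status = _recv_until(s, b"\r\n\r\n").split(b"\r\n")[0]
    except OSError as e:  # scanner unreachable: block (fail closed) unless told to ignore
        return ("allow" if fail_open else "block", "icap unreachable: " + type(e).__name__)
    code = int(status.split()[1])
    return ("allow", "204 clean") if code == 204 else ("block", "scanner verdict %d" % code)
```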