Forum Discussion
I agree with Torti, there will be a slight slowdown, but only for the file uploads, not the entire application. I am currently using this feature in one of our applications and there was full performance testing done with no complaints from the developers or business owners. If you or the business owners are that concerned about performance impacts of this feature, there is an option when configuring the AV setting on ASM for "Guarantee Enforcement". If you uncheck the box (disable this option), the documentation says that the system will perform only if it does not slow down the application. I am unsure how it calculates this and honestly would not recommend disabling this, but the option is there and you would still get some protection. However, it would make bypassing the scan pretty simple if someone wanted to.
A couple of other things to note about AV scanning.
- There is a max request size for ASM, or long_request_buffer_size, which is defaulted to 10mb. So if the request exceeds 10mb (which would include the file upload), then the ASM will not send the request to the ICAP server. Here is the SOL on this.
https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12984.html?sr=26859617
- If the ICAP server you are sending the files to for scanning goes down for any reason and the ASM is unable to get a response, it will block the request. The initial log entry shows a Virus detected, but when you look at the details of that block you will see it says unable to contact ICAP server. So I would recommend making sure the ICAP servers you are sending to are high availability in some way. We just have our two servers behind an LTM and send traffic to the Virtual IP.
Overall, this feature has worked well for us and we have not had any service interruptions or performance issues reported that have been related to it.