
Wasfi_Bounni
Jun 19, 2023
Solved

What is the flow of https virtual server with ASM security policy and ICAP request Adapt profile?

Hi;

Let's say there is a https virtual server used for allowing users to upload files and let's say that this server has an ASM/AWAF advanced policy attached to it.

My intention is to use ICAP over TLS to scan uploads, so I want to have an ICAP Adapt Request profile associated with this https virtual server, with an SSL server profile.

My question is: what is the traffic flow here? Is it ASM, then the internal ICAP Request mod virtual server, then the ICAP scanner, and then, if the file is clean, the https virtual server moves to load balancing and sends the file to the upload server?

Kindly,

Wasfi

  • Hi Wasfi_Bounni , 

    BIG-IP AWAF first checks whether the request is valid or not, then takes the decision to forward it or not. 

    For Example , 

    If your BIG-IP receives a request and you have an AWAF policy in blocking mode, and this request violates any of the AWAF policy settings, BIG-IP will not proceed to send the request to the ICAP server, whereas if this request is valid, BIG-IP will move forward to the ICAP server. 

    The Flow from my perspective: 


    For more details : 
    If a request triggers a violation (for example, illegal URL), BIG-IP will not proceed with sending this request to the ICAP server; it will block it right away and give you an event log saying "Illegal URL". But if this request is valid, it will be sent to ICAP, and after ICAP checks and responds for the uploaded file, BIG-IP will send this request (maybe modified due to ICAP) to the selected pool member. 

    Make sure to follow this article to implement the AWAF - ICAP integration: 
    https://my.f5.com/manage/s/article/K70941653

    Also have a look at this video; it shows it practically: 
    https://www.youtube.com/watch?v=4jX4e-oPHm4

    You can test this flow in your lab or test environment: 
    1) Define the URI used for the file upload as a disallowed URI in the ASM policy (blocking mode). 
    2) Try to upload the file.
    3) Take a pcap between BIG-IP and the ICAP server. 
    4) Expected behavior: no ICAP requests from BIG-IP to the ICAP server, because the ASM policy blocked your request as it matches an illegal URI (the disallowed URI entity you defined). 
    5) Remove the disallowed entity to make the URI valid and test again with another pcap between BIG-IP and the ICAP server; you should then see the ICAP request going to the ICAP servers for further inspection. 

    I hope I gave you some insights 🙂 
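
The chain described in the answer above (upload virtual server, Request Adapt profile, internal ICAP virtual server with a server SSL profile, ICAP pool), written out as tmsh commands. This is an added example, not code from the original post or from the linked F5 article. Every name and address is a placeholder: 10.0.0.10:443 is the assumed upload virtual, 10.0.0.50:11344 an assumed ICAP-over-TLS listener on the scanner, and the profile and pool names are made up. It also assumes the BIG-IP version in use accepts a serverssl profile on an internal virtual server, which is the setup the question asks about.

```tmsh
# Added example (not from the original post or F5's K70941653): minimal tmsh
# configuration for "ASM policy -> Request Adapt -> internal ICAP VS (TLS) -> pool".
# All names/addresses are assumed placeholders.

# 1. Pool of ICAP scanners. 10.0.0.50:11344 is an assumed TLS-wrapped ICAP listener.
create ltm pool /Common/pool_icap_tls members add { 10.0.0.50:11344 } monitor tcp

# 2. ICAP profile: the REQMOD URI as the scanner expects it. preview-length lets
#    the scanner see the first bytes (and ICAP 204 "no modification") before
#    BIG-IP streams the whole upload.
create ltm profile icap /Common/prof_icap_reqmod uri icap://10.0.0.50:11344/reqmod preview-length 1024

# 3. Internal virtual server: no listener address; this is the "internal ICAP
#    Request mod virtual server" from the question. serverssl on the server side
#    is what makes the BIG-IP -> scanner leg ICAP over TLS.
create ltm virtual /Common/vs_icap_internal internal ip-protocol tcp profiles add { /Common/prof_icap_reqmod { } /Common/serverssl { context serverside } } pool /Common/pool_icap_tls

# 4. Request Adapt profile that hands requests to the internal virtual.
#    service-down-action matters for security: "ignore" passes the request to
#    the upload pool unscanned when the scanner is unreachable, "reset" fails closed.
create ltm profile request-adapt /Common/prof_adapt_req internal-virtual /Common/vs_icap_internal preview-size 1024 service-down-action reset timeout 0

# 5. The upload virtual server: client-side TLS, HTTP, the adapt profile, and the
#    real upload servers as the pool. The ASM/AWAF policy is attached separately
#    (Security > Policies or an LTM policy); as the answer explains, ASM evaluates
#    the request first and only requests that pass reach the adapt profile.
create ltm virtual /Common/vs_upload_https destination 10.0.0.10:443 ip-protocol tcp profiles add { /Common/clientssl { context clientside } /Common/http { } /Common/prof_adapt_req { } } pool /Common/pool_upload_servers snat automap
```

For the lab test in the answer, the pcap on the BIG-IP side can be taken with `tcpdump -nni 0.0 host 10.0.0.50 and port 11344 -w /var/tmp/icap.pcap` (substitute the real scanner address and port). With the upload URI listed as a disallowed URL in a blocking policy, that capture should stay empty; after the entity is removed, the TLS handshake from BIG-IP to the scanner and the encrypted REQMOD exchange should appear. Note that `service-down-action reset` is the conservative choice for an upload path: with `ignore`, a scanner outage silently turns the virtual into an unscanned upload path.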

5 Replies

  • Wasfi_Bounni  I do not know if you have also seen https://my.f5.com/manage/s/article/K17964220 (K17964220: Is it possible to activate antivirus checking using ICAP over SSL?), where it is mentioned that the F5 ASM antivirus option can't be used, but if you create an ICAP virtual server that has a server SSL profile and a pool that has the ICAP servers, then you could configure the IP address of the virtual server in the ASM antivirus configuration.

     

    This is an alternative to using the Adapt Request LTM profile for ICAP over TLS/SSL, and the virtual server IP address could be listening on a VLAN that is not attached to any interface, making the communication between the F5 ASM/AWAF module and the ICAP virtual server internal, as ASM will send ICAP that is not encrypted and the VS will encrypt it when sending it to the pool member ICAP servers.
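
The alternative described in this reply, written out as tmsh commands. This is an added example, not code from the reply or from K17964220. Everything here is a placeholder: VLAN tag 4093, self IP 10.255.255.1/24, the front virtual at 10.255.255.10:1344, and the scanner at 10.0.0.50:11344 are all assumed, as are the object names. The GUI location for the ASM antivirus setting is given as a comment from memory, not from the linked article.

```tmsh
# Added example (not from the reply or K17964220): ASM's antivirus option speaks
# plaintext ICAP, so it is pointed at a BIG-IP virtual server that re-encrypts
# towards the scanners. All names/addresses are assumed placeholders.

# 1. A VLAN with no interface and a self IP on it. Nothing outside the box can
#    reach 10.255.255.0/24, so the plaintext ICAP leg (ASM -> this VS) stays on-box.
#    allow-service none: the self IP itself accepts no connections.
create net vlan /Common/vlan_icap_loop tag 4093
create net self /Common/self_icap_loop address 10.255.255.1/24 vlan /Common/vlan_icap_loop allow-service none

# 2. Pool of ICAP-over-TLS scanners (assumed listener 10.0.0.50:11344).
create ltm pool /Common/pool_icap_tls members add { 10.0.0.50:11344 } monitor tcp

# 3. Standard virtual on the interface-less subnet with serverssl on the pool side.
#    No ICAP profile here: ASM builds the ICAP messages itself; this virtual only
#    proxies the TCP stream and wraps it in TLS towards the scanners.
create ltm virtual /Common/vs_icap_tls_front destination 10.255.255.10:1344 ip-protocol tcp profiles add { /Common/tcp { } /Common/serverssl { context serverside } } pool /Common/pool_icap_tls snat automap

# 4. Point ASM's antivirus integration at 10.255.255.10, port 1344 (GUI path as
#    remembered: Security > Options > Application Security > Integrated Services >
#    Anti-Virus Protection). ASM then sends plaintext ICAP to the virtual above,
#    which is what K17964220 describes as the supported way to get ICAP over SSL.
```

The security property this design relies on is that 10.255.255.10 is only reachable from the BIG-IP itself because its VLAN has no interface. If you additionally restrict the virtual with `vlans add { /Common/vlan_icap_loop } vlans-enabled`, verify in the lab (the same pcap test as in the first answer, but on the scanner-facing side) that ASM's self-originated ICAP traffic still matches the virtual, since the reply above relies on the interface-less VLAN rather than a VLAN restriction for isolation.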