Connection Mirroring & Virus Detection

Hi Nik,

 

For your point no. 1 yes SSL session state are maintained on Failover uni when connection mirroring is enabled. For you point no. 2 which product are you talking about???

 

 

Regards,

Hi Nik,

 

 

1) Is connection mirroring is related to SSL session state on failover? If not then whats the difference? (please also feel free to provide link giving relevent details.)

 

 

When enabled on a virtual server, connection mirroring triggers mirroring of the connection table entry and updates to it. So the client would be able to resume their existing TCP connection. Connection mirroring does not mirror the SSL session cache. So if a failover occurs, the client will need to re-initiate an SSL handshake.

 

 

We are tracking a request for enhancement to support SSL session cache mirroring. You can open a case with F5 Support to raise the visibility of this feature request.

 

 

2) Consider policy-->Blocking on for virus detected checkbox.

 

 

This is for ASM. If the policy check is in blocking mode and a violation occurs, the blocking response will be taken.

 

 

Aaron

 

 

Hi Aaron,

 

 

 

1) SO i believe Connectrion mirroring and SSL session state over failover is the same...correct ? Except that Connection mirroring does not mirror the SSL session cache while SSL session state on failover does manage SSL session cache. Is this correct ?

 

 

2) So to confirm , the blocking response to the end user will display "please contact the system administrator"

 

even if only the file being sent accross was infected (i.e basically it does not distinguish between header having a

 

virus , file having a virus etc and block only that perticular entity only e.g. file being stripped off if infected) ?

 

 

Current version asm being used - 10.2.4

 

 

Regards

 

N

 

 

 

 

 

Connection mirroring copies the connection table entry and its state to the peer unit. With connection mirroring, the client would be able to resume an existing connection after a failover.

 

 

SSL session cache mirroring would copy the shared SSL key, session ID, cipher spec, and version. With SSL cache mirroring, the client would be able to resume an existing SSL session after a failover.

 

 

I don't think there is an option to strip bad attachments but allow the request. You could potentially disable blocking on the ICAP violation and insert a header using an iRule that indicates the attachment is bad.

 

 

You could also submit a request for enhancement to allow for removing a bad attachment.

 

 

Aaron

 

 

Thanks for the inputs Aaron.

 

 

So ssl and session to mirror is something underway with f5. Is there a performance impact to use this ? (whenever it will be available)