Forum Discussion

Focus_140526 (Nimbostratus)
Dec 30, 2013

antivirus protection using ASM

Hi,

Using the ASM antivirus scan could cause application slowdown issues. Has anyone experienced these issues?

If using the default AV, which is McAfee AV, do we need any licenses?

Any good documentation about implementing it would be appreciated.

 

21 Replies

  • If you mean the ICAP connection, yes, it always slows down the application (a part of it). There are several stages which create a delay.

     

    1. ASM collects the complete file
    2. ASM sends it to the AV
    3. The AV scans the file; bigger files need more time to scan
    4. The AV sends the file back, although it should send only a response code

    But every AV method creates a delay, depending on the file size. Because of this, you only scan requests with a file upload and not every request. So it is not the application that has a slowdown issue, only the file upload process (which isn't an issue).

     

    Anything wrong? I don't think so.

     

  • I agree with Torti, there will be a slight slowdown, but only for the file uploads, not the entire application. I am currently using this feature in one of our applications, and full performance testing was done with no complaints from the developers or business owners. If you or the business owners are that concerned about the performance impact of this feature, there is an option when configuring the AV setting on ASM for "Guarantee Enforcement". If you uncheck the box (disable this option), the documentation says that the system will perform the scan only if it does not slow down the application. I am unsure how it calculates this and honestly would not recommend disabling it, but the option is there and you would still get some protection. However, it would make bypassing the scan pretty simple if someone wanted to.

     

    A couple of other things to note about AV scanning.

     

    1. There is a max request size for ASM (long_request_buffer_size), which defaults to 10 MB. So if the request exceeds 10 MB (which would include the file upload), then ASM will not send the request to the ICAP server. Here is the SOL on this.

    https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12984.html?sr=26859617

     

    2. If the ICAP server you are sending the files to for scanning goes down for any reason and ASM is unable to get a response, it will block the request. The initial log entry shows "Virus detected", but when you look at the details of that block you will see it says unable to contact ICAP server. So I would recommend making sure the ICAP servers you are sending to are highly available in some way. We just have our two servers behind an LTM and send traffic to the Virtual IP.

    Overall this feature has worked well for us and we have not had any service interruptions or performance issues reported that have been related to it.

     

    • Focus_140526 (Nimbostratus)
      Mike, http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-4-0/12.html This document says that when you create a Request Adapt profile, you could use Ignore for the Service Down Action, where the BIG-IP system ignores the error and sends the unmodified HTTP request to an HTTP server in the HTTP server pool.
    • Mike__Maher_108 (Nimbostratus)
      I think this implementation is only needed if you don't have ASM licensing. If you are licensed for ASM you can still just use the integrated AV service and perform the same functionality with a bit less configuration. Also, this looks like it is going to send all requests to the ICAP pool, not just the file uploads, which may be desired but may also have a larger performance impact on the application. With ASM licensed you can scan just the file uploads, and since it is done at ASM you gain some flexibility of using L7 Policy and Rules to separate out the traffic that is being scanned. I am glad you posted this, as I didn't realize this was possible with request adaptation, and this feature probably gives you ways to implement broader security on traffic coming into a virtual without having ASM. However, it looks a bit more complex to manage and will probably apply to more traffic than you want it to. In a pinch though it is an option, and I do like having options to use :).
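As an added example (not F5 code and not posted by anyone in this thread), here is a stand-alone Python sketch of the ICAP REQMOD exchange Torti outlines and of the two failure modes discussed above it: the scanner answering 204 (clean) or 200 (request replaced, i.e. infected), the scanner being unreachable (blocked unless you opt into fail-open, which is what the Request Adapt profile's Service Down Action of Ignore does), and an oversize request that is never sent at all. The scanner here is an in-process stub, not McAfee; the 10 MB cap, the service name `avscan`, and the `EICAR-TEST-MARKER` string are constructed assumptions (the marker is deliberately not the real EICAR signature).

```python
import socket
import threading

# Assumption: 10 MB mirrors the thread's long_request_buffer_size default; not an F5 constant.
MAX_SCAN_BYTES = 10 * 1024 * 1024
# Constructed stand-in the stub scanner looks for; deliberately NOT the real EICAR signature.
INFECTED_MARKER = b"EICAR-TEST-MARKER"


def build_reqmod(icap_host, service, http_request):
    """Wrap a raw HTTP request (headers + body) in an ICAP REQMOD request (RFC 3507).
    The body goes chunked; 'Allow: 204' lets the scanner answer with a bare status code
    instead of echoing the whole request back (Torti's step 4)."""
    head, _, body = http_request.partition(b"\r\n\r\n")
    req_hdr = head + b"\r\n\r\n"
    if body:
        encapsulated = b"req-hdr=0, req-body=%d" % len(req_hdr)
        payload = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        encapsulated = b"req-hdr=0, null-body=%d" % len(req_hdr)
        payload = b""
    icap_hdr = (b"REQMOD icap://%s/%s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n"
                b"Encapsulated: %s\r\n\r\n" % (icap_host, service, icap_host, encapsulated))
    return icap_hdr + req_hdr + payload


def parse_icap_status(reply):
    """Return the numeric code from an ICAP status line such as 'ICAP/1.0 204 No Content'."""
    parts = reply.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/"):
        raise ValueError("not an ICAP response")
    return int(parts[1])


def scan_upload(http_request, scanner_addr, service=b"avscan", fail_open=False,
                max_bytes=MAX_SCAN_BYTES, timeout=2.0):
    """Decide 'allow', 'block' or 'skip' for one upload request.
    fail_open=False is the ASM behaviour Mike describes (scanner unreachable -> block);
    fail_open=True mirrors a Request Adapt profile with Service Down Action 'ignore'."""
    if len(http_request) > max_bytes:
        return "skip"                       # too big to buffer: never sent to the scanner
    icap_host = b"%s:%d" % (scanner_addr[0].encode(), scanner_addr[1])
    try:
        with socket.create_connection(scanner_addr, timeout=timeout) as sock:
            sock.sendall(build_reqmod(icap_host, service, http_request))
            sock.shutdown(socket.SHUT_WR)   # the stub reads until EOF
            reply = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        status = parse_icap_status(reply)
    except (OSError, ValueError):           # refused, timed out, or garbage came back
        return "allow" if fail_open else "block"
    return "allow" if status == 204 else "block"   # 200 = scanner replaced the request


def start_stub_scanner():
    """In-process stand-in for the AV's ICAP server: 204 if clean, 200 plus an
    X-Infection-Found header (draft-stecher-icap-subid) if the marker is present."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                req = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    req += chunk
                if INFECTED_MARKER in req:
                    conn.sendall(b"ICAP/1.0 200 OK\r\nX-Infection-Found: Type=0; Resolution=2; "
                                 b"Threat=Test-Marker;\r\nEncapsulated: null-body=0\r\n\r\n")
                else:
                    conn.sendall(b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()


def run_demo():
    """Clean upload, infected upload, scanner down (fail closed, then fail open), oversize."""
    srv, addr = start_stub_scanner()
    post = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: %d\r\n\r\n%s"
    clean = post % (11, b"hello world")                     # constructed sample upload
    infected = post % (len(INFECTED_MARKER), INFECTED_MARKER)
    results = (scan_upload(clean, addr), scan_upload(infected, addr))
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    dead_addr = probe.getsockname()                         # nothing listens here once closed
    probe.close()
    results += (scan_upload(clean, dead_addr), scan_upload(clean, dead_addr, fail_open=True))
    results += (scan_upload(clean, addr, max_bytes=16),)
    srv.close()
    return results
```

Running `run_demo()` yields `('allow', 'block', 'block', 'allow', 'skip')`. The fail-closed default is the one worth keeping in production: with `fail_open=True` an attacker only needs to make the scanner unreachable (or slow past the timeout) to get an unscanned upload through, which is the same weakness Mike notes for disabling Guarantee Enforcement.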
  • Add:

     

    1. Most of the performance impact will result from the AV scan. So look at the performance stats of your AV system.
    2. If you have trouble with the file size (files bigger than 20 MB are not supported with ICAP!), you need an AV proxy or use the strange new method of 11.4 instead of ICAP.
    • Focus_140526 (Nimbostratus)
      How does the AV proxy work? Any documentation about it? Thanks.
    • boneyard (MVP)
      Torti, you tease us with two possible options which we can't find anything about; could you explain?