Layer7 API Gateway 10.0

PDF
index 10.1 congw.10.1 10.0 congw.10.0 9.4 9.3 9.2 9.1 9.0
Japanese English

Scan Using ICAP-Enabled Antivirus Assertion

The Scan Using ICAP-Enabled Antivirus assertion allows the gateway to connect to an antivirus server that supports the ICAP protocol, such as McAfee® or Symantec™.
9-5
The
Scan Using ICAP-Enabled Antivirus
assertion allows the
Layer7 API Gateway
 to connect to an antivirus server that supports the ICAP protocol, such as McAfee® or Symantec™.
Prerequisites:
  • Ensure your antivirus server is enabled for the ICAP protocol.
  • For McAfee VirusScan, configure the McAfee server to add virus information to the ICAP response headers
(1) Knowledge of RFC3507 is required to use this assertion. Consult with your ICAP vendor to receive a sample HTTP request including required message header fields. Your vendor may also have client tools available to test the request before implementing in policy.
(2) This assertion supports RESPMOD (Response Modification Mode) and REQMOD (Request Modification Mode).
(3) The HTTP request that is embedded in the ICAP request is HTTP/1.1. The embedded HTTP request includes a Host header. This Host header value will be the cluster host name. In the absence of the cluster host name, the Host header value will be the host name of the Gateway.
Contents:
Context Variables
This assertion populates the following variables with information about a detected virus. The variables are multi-valued, to accommodate multiple viruses found. The context variables are not set if no viruses are found.
Variable
Description
icap.response.infected
Lists the infected part ID, content ID, filename or context variable name.
icap.response.header.names.X
Header names as returned by the ICAP server, where 'X' is an index that corresponds to the index of the infected part.
icap.response.header.values.X
Header values as returned by the ICAP server, where 'X' is an index that corresponds to the index of the infected part.
icap.response.header.value.X.headerName
The value of the specified header name for the infection part 'X'.
Cluster Properties
This assertion uses the following cluster properties.
Property
Description
icap.channelIdleTimeout
Maximum idle time for a connected channel in the connection pool to an ICAP server. Any channels exceeding this timeout value will be disconnected and removed from the pool. Value is a time unit; the allowable range is between 1 second and 1 hour.
Sample values look like 30s, 1m or 1h. If only an integer is provided with no suffix, the value is considered in minutes. This change comes into effect after Gateway restart.
Default:
1m
io.failoverServerRetryDelay
This property is used in the Failover Strategy. It controls the delay before the Gateway retries a failed server. For more information, see Input/Output Cluster Properties.
icap.maxResponseHeaderSize
Maximum size for an ICAP response header. Configure this value as per the maximum ICAP response header sent by ICAP server.
Default:
8192
icap.optionsRequestInterval
Interval in minutes after which Gateway makes ICAP OPTIONS method call to ICAP server to get the Preview length. Sample values look like 30s, 10m, or 1h. If only an integer is provided with no suffix, the value is considered in minutes.
Default:
30m
icap.response.maxIcapHeaderSize
Maximum number of bytes in all ICAP Response Headers concatenated.
Default:
8192
Note:
 The Scan Using ICAP-Enabled Antivirus assertion throws an exception when the number of the bytes of all ICAP Response Headers exceeds the default maximum value of 8192. Update this cluster-wide property value to
-1
 to set it to the maximum integer, 2147483647.
Assertion Properties
Setting
What you should know...
Add Server
Edit Server
URL of the ICAP Server. You may reference context variables.
ICAP Method
Specifies if the ICAP method is REQMOD or RESPMOD.
  • REQMOD–an ICAP client sends an HTTP request to an ICAP server
  • RESPMOD–an ICAP client sends an origin server's HTTP response to an ICAP server, and (if available) the original client request that caused that response.
Default:
RESPMOD
Origin Resource Path
The origin resource path to be added in the embedded HTTP Request line.
Default:
/
Connection Timeout
Connection timeout, in seconds (between 1 and 3600). You may reference context variables.
Read Timeout
The number of seconds that Gateway should wait for the server to send a response, which is the start of the response time to end of the request time.
Timeout value is in seconds (between 1 and 3600). You may reference context variables.
Response Read Timeout
The number of seconds that Gateway should wait for the server to send the last byte of the response, which is the time period to read the entire response from server (end of the response time to the start of the response time).
Timeout value is in seconds (between 1 and 3600). You may reference context variables.
Test Connection
Tests the connection to the ICAP Server. Only works if an explicit URL is entered. Does not work if context variables are referenced.
Service Parameters
Any optional service parameters required by the antivirus server. Specify the parameter name, value, and type (Header or Query). You may reference context variables for the name or value.
Gateway can send preview data to ICAP server. Add
Preview
 header and specify a value in bytes for Gateway to include preview data in the ICAP request that it sends to the ICAP server. Gateway makes OPTIONS method call to the ICAP server at regular interval (that is determined by
icap.optionsRequestInterval
cluster-wide property) and gets the supported preview length. The actual preview data sent by Gateway is the minimum value of preview length sent by the ICAP server and the Preview header specified in the Service Parameters.
For example, if the Preview header value is 100 bytes and the supported preview length by ICAP server is 50 bytes, Gateway sends 50 bytes of preview data. If the Preview header value is 20 bytes and the supported preview length by ICAP server is 50 bytes, Gateway sends 20 bytes of preview data.
Continue processing if virus found
If selected, the assertion does not fail if a virus is found; otherwise, the assertion fails.
Max MIME Depth
How deep the assertion should traverse in the event of nested multiparts.
Failover Strategy
How the Gateway responds when a server fails to respond:
  • Ordered Sticky with Failover:
    The Gateway sends service messages to the first server in the list until that server does not respond (fails). When this occurs, the Gateway tries the next server in the list.
  • Random Sticky with Failover:
     The Gateway chooses a server randomly at the beginning of each session and uses it for the duration of the session. If the chosen server fails, the Gateway chooses another server at random.
  • Round Robin:
     The Gateway rotates through the server list on a request-by-request basis (round-robin) from the first server, to the second server, and so on. When the end of the server list is reached, the cycle continues from the top of the list.
Variable Prefix
Enter a prefix that is added to the context variables created by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy.
Default:
icap.response
Frequently Asked Questions
Question
Answer
How can I monitor the number of connections to the antivirus server?
Use the
netstat
 command on the Gateway:
netstat -an -t 1 | grep ":1344"
How can I limit the number of requests?
Add an Apply Rate Limit Assertion to the service policy.
This assertion is not working properly with McAfee Antivirus
Check that your antivirus server is configured to add virus information to the ICAP response headers.