With the ICAP response modification enabled (anti-virus enabled), the ProxySG seems to slow down. That slowness seems to increase over time up to a point where the ProxySG no longer serves objects.
Seeing many ICAP queued sessions on the ProxySG.
Seeing many things being scanning in the CAS device under Statistics Tab > Concurrent Connection with the duration high in the milliseconds seeming like the files are stuck in scanning.
Anti-virus scanning can potentially increase request / response latency as said traffic is now being scanned for malicious content while also being evaluated by the current proxy policy. This is expected behavior. However, there are circumstances that can introduce a more serious issue if latency is found to have increased over time.
Saturation of the available ICAP connection channels between the ProxySG and the ICAP Client/Server appliance (Content Analysis, ProxyAV, DLP, etc...)
Network outage or connection conflict between the ProxySG and the ICAP Client/Server
Conflict at the ICAP scanning appliance end
ICAP scanning enabled
Install the ICAP Best Practices via either a proxy VPM CPL layer or the proxy Local file (preferred method)
NOTE: As of 6.5.9.x and later, the ICAP Best Practice + Malware Bypass CPL code to stop malware scanning to evaluate other policy is no longer required. Please verify on a case by case basis to make sure. Running the ICAP Best Practice.txt File below should be tested first.(Preferred CPL without the Malware Bypass CPL)
Bypass ICAP scanning for known destinations where previous scanning issues have been detected using VPM Cache layer rules.
In most instances scanning of the following categories should be bypassed:
NOTE: We now Officially are moving away from Malware Scanning solution, we now recommend enabling the response scanning function in a Web Cache Layer and use the New ICAP Best Improvements: Secure Web Gateway - Content Analysis Policy Best Practices Improvement