ProxySG ICAP policy fail_open overrules ICAP policy to block and serve the file

book

Article ID: 169182

calendar_today

Updated On:

Products

ProxyAV Software - AVOS Content Analysis Software - CA ProxySG Software - SGOS

Issue/Introduction

This is expected behavior.

Cause

The ProxySG policy of response.icap_service(virus_scan, fail_open) is designed to fail-open to any errors whether they are health-check related or an error is returned from the ICAP service. Thus, if the ICAP policy is set to block a file extension the ICAP service will return a 500 server error code, as per RFC3705, in which case the SG receives the error and fails-open as per policy.

Resolution

To implement policy for handling of particular icap error codes in fail-open environments, follow the guidance below:

These policy definitions can be found in the CPL guides for the ProxySG, heading icap_error_code.
SGOS 6.6: https://support.symantec.com/content/unifiedweb/en_US/article.DOC10350.html on page 147
SGOS 6.5: https://support.symantec.com/content/unifiedweb/en_US/article.DOC10097.html on page 145

The icap_error_code option triggers on the X-ICAP-Error header, instead of relying on the response code.

Workaround

None.