ProxySG ICAP policy fail_open overrules the ICAP policy to block and serves the file

Article ID: 169182

Products

ProxyAV Software - AVOS
Content Analysis Software - CA
ProxySG Software - SGOS

Issue/Introduction

This is expected behavior.

Cause

The ProxySG policy response.icap_service(virus_scan, fail_open) is designed to fail open on any error, whether the error is health-check related or is returned by the ICAP service. Thus, if the ICAP policy is set to block a file extension, the ICAP service returns a 500 server error code, as per RFC3705. The SG receives that error and fails open as per policy, so the file is served.

Resolution

To implement policy that handles particular ICAP error codes in fail-open environments, follow the guidance below:

These policy definitions can be found in the respective CPL and VPM guides for the ProxySG, under the heading icap_error_code.

SGOS 7.3:
CPL Guide on page 245
VPM Guide on page 131

SGOS 7.2:
CPL Guide on page 238
VPM Guide on page 131

SGOS 7.1:
CPL Guide on page 217
VPM Guide on page 133

SGOS 6.7:
CPL Guide on page 195
VPM Guide on page 129

SGOS 6.5:
CPL Guide on page 145
VPM Guide on page 118

The icap_error_code option triggers on the X-ICAP-Error header, instead of relying on the response code.
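The difference between deciding on the response code and deciding on the X-ICAP-Error header can be modeled as follows. This is an added example, not ProxySG code or CPL from the guides; the ICAP responses are constructed, and the X-ICAP-Error values and the DENY_ON set are hypothetical placeholders, not the strings a real ICAP service sends.

```python
# Constructed ICAP response heads. The X-ICAP-Error values are placeholders.
POLICY_BLOCK = (
    "ICAP/1.0 500 Server error\r\n"
    "X-ICAP-Error: EXAMPLE_FILE_EXTENSION_BLOCKED\r\n\r\n"
)
SERVICE_FAILURE = (
    "ICAP/1.0 500 Server error\r\n"
    "X-ICAP-Error: EXAMPLE_SCAN_TIMEOUT\r\n\r\n"
)
CLEAN = "ICAP/1.0 204 No Content\r\n\r\n"

# Hypothetical: error values that must still block in a fail-open deployment.
DENY_ON = {"EXAMPLE_FILE_EXTENSION_BLOCKED"}


def parse_icap_head(raw):
    """Return (status_code, headers) parsed from an ICAP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    proto, code, *_ = lines[0].split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(code), headers


def decide_status_only(raw):
    """Fail open on any error status: a policy block looks like an outage."""
    code, _ = parse_icap_head(raw)
    return "serve" if code < 400 else "serve-fail-open"


def decide_with_error_header(raw, deny_on=DENY_ON):
    """Check X-ICAP-Error first, then fall back to the fail-open behavior."""
    code, headers = parse_icap_head(raw)
    if headers.get("x-icap-error") in deny_on:
        return "deny"
    return "serve" if code < 400 else "serve-fail-open"


if __name__ == "__main__":
    for label, raw in (("policy block", POLICY_BLOCK),
                       ("service failure", SERVICE_FAILURE),
                       ("clean", CLEAN)):
        print(label, decide_status_only(raw), decide_with_error_header(raw))
```
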

Workaround

None.