ProxySG ICAP policy fail_open overrules ICAP policy to block and serve the file


Article ID: 169182


Updated On:


ProxyAV Software - AVOS Content Analysis Software - CA ProxySG Software - SGOS


This is expected behavior.


The ProxySG policy of response.icap_service(virus_scan, fail_open) is designed to fail-open to any errors whether they are health-check related or an error is returned from the ICAP service. Thus, if the ICAP policy is set to block a file extension the ICAP service will return a 500 server error code, as per RFC3705, in which case the SG receives the error and fails-open as per policy.


To implement policy for handling of particular icap error codes in fail-open environments, follow the guidance below:

These policy definitions can be found in the CPL guides for the ProxySG, heading icap_error_code.
SGOS 6.6: on page 147
SGOS 6.5: on page 145

The icap_error_code option triggers on the X-ICAP-Error header, instead of relying on the response code.