ProxySG ICAP policy fail_open overrules ICAP policy to block and serve the file
search cancel

ProxySG ICAP policy fail_open overrules ICAP policy to block and serve the file

book

Article ID: 169182

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

This is expected behavior.

Cause

The ProxySG policy of response.icap_service(virus_scan, fail_open) is designed to fail-open to any errors whether they are health-check related or an error is returned from the ICAP service. Thus, if the ICAP policy is set to block a file extension the ICAP service will return a 500 server error code, as per RFC3507, in which case the SG receives the error and fails-open as per policy.

Resolution

To implement policy for handling of particular icap error codes in fail-open environments, follow the guidance below:

These policy definitions can be found in the respective CPL and VPM guides for the ProxySG, heading icap_error_code.

SGOS 7.4:
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-4/creating-icap-policy.html

SGOS 7.3:
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/creating-icap-policy.html

SGOS 6.7:
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/6-7/creating-icap-policy.html


The icap_error_code option triggers on the X-ICAP-Error header, instead of relying on the response code.

Workaround

None.

Powered by Wolken Software