Deferred scanning not working for ICAP reqmod scanning on EdgeSWG
Article ID: 281319

Products

ProxySG Software - SGOS

Issue/Introduction

An ICAP request modification (reqmod) service has been configured on EdgeSWG to send outbound traffic to DLP/CAS for scanning.

Deferred scanning does not take effect when the ICAP queue reaches the defer scanning threshold for the ICAP reqmod service.

Environment

EdgeSWG with CAS/DLP integrated using ICAP reqmod

Cause

The deferred scanning feature is not supported for ICAP reqmod.

For long-running sessions (those running for more than 60 seconds), the ProxySG only logs the transaction in the eventlog for ICAP reqmod; the connections are not deferred. For example, the following entry appears in the eventlog:

2023-12-12 01:35:24-00:00UTC "ICAP long scanning reqmod transaction for https://example.com using icapreq after 60 seconds and 941713621 bytes" 0 3D000C:91 opp_action.cpp:778
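As an added example (not part of the original article), the following Python script parses eventlog lines of the form shown above, keeps the long-scanning reqmod transactions and ranks destination hosts by bytes scanned, which helps identify the streaming destinations worth bypassing under Option 1 of the resolution below. The sample log lines are constructed; only the first mirrors the article's entry.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Pattern for the SGOS eventlog message quoted in the article. The timestamp
# contains a space (date, then time+zone), so it is matched explicitly.
LONG_SCAN_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \S+)\s+"ICAP long scanning (?P<mode>\w+) '
    r'transaction for (?P<url>\S+) using (?P<service>\S+) after '
    r'(?P<secs>\d+) seconds and (?P<bytes>\d+) bytes"'
)

# Constructed sample eventlog excerpt (first line is the article's entry).
SAMPLE_EVENTLOG = """\
2023-12-12 01:35:24-00:00UTC "ICAP long scanning reqmod transaction for https://example.com using icapreq after 60 seconds and 941713621 bytes" 0 3D000C:91 opp_action.cpp:778
2023-12-12 01:36:02-00:00UTC "ICAP long scanning reqmod transaction for https://video.example.net/live/stream.m3u8 using icapreq after 60 seconds and 1200000000 bytes" 0 3D000C:91 opp_action.cpp:778
2023-12-12 01:37:10-00:00UTC "ICAP long scanning reqmod transaction for https://video.example.net/live/other.ts using icapreq after 60 seconds and 800000000 bytes" 0 3D000C:91 opp_action.cpp:778
2023-12-12 01:37:11-00:00UTC "Some unrelated eventlog message" 0 1A0000:1 main.cpp:10
"""


def parse_long_scan_events(log_text):
    """Return one dict per 'ICAP long scanning' entry; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LONG_SCAN_RE.match(line)
        if m:
            events.append({
                "mode": m["mode"], "service": m["service"],
                "host": urlsplit(m["url"]).hostname,
                "seconds": int(m["secs"]), "bytes": int(m["bytes"]),
            })
    return events


def reqmod_hosts_by_volume(events):
    """Aggregate reqmod long-scan events per destination host (count, bytes),
    largest first. Hosts at the top are candidates for an ICAP bypass rule."""
    totals = defaultdict(lambda: {"events": 0, "bytes": 0})
    for e in events:
        if e["mode"] != "reqmod":
            continue
        totals[e["host"]]["events"] += 1
        totals[e["host"]]["bytes"] += e["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for host, t in reqmod_hosts_by_volume(parse_long_scan_events(SAMPLE_EVENTLOG)):
        print(f"{host:25} events={t['events']:3} bytes={t['bytes']}")
```

Feed the script the appliance's exported eventlog instead of SAMPLE_EVENTLOG to produce the ranking for a real deployment.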

Resolution

One of the following approaches can be followed to mitigate ICAP queuing for reqmod:

Option 1 (proactive and recommended)
- Follow best practices for ICAP request mode and bypass streaming traffic from ICAP scanning.

Option 2 (reactive approach)

Use the following feature:

# (config icap service_name) resource-overload-time 0_to_300_seconds

- (Added in version 7.3.12.1) Specifies the maximum age in seconds that the oldest queued ICAP request can reach before the appliance triggers the ICAP service or service group to fail open.
- When this feature is configured and the resource-overload-time age threshold is met, requests destined for these services or groups bypass ICAP scanning.
- Configure this feature to avoid latency issues when the resources of ICAP services or service groups are overloaded.
- If you set resource-overload-time to 0, all requests bypass scanning when the transaction count for the service or service group is at the maximum connection count.
- Important note: this feature can only be enabled via the CLI.

To configure this feature:

Step 1: Set the resource-overload-time command for the ICAP services or service groups that you want to fail open when their requests reach the age threshold.

Step 2: In policy, set the request.icap_service() property or response.icap_service() property to fail_open for the ICAP services or service groups that you specified in step 1. If you configure this policy for an ICAP service group, the appliance checks that every service in the group is overloaded before triggering the group to fail open.

For more details, refer here