Testing Check Point SandBlast

Hi Niels van Sluis,

I just looked at the iApp template.

In the iApps template I also didn't see anything about max ICAP connections!

I find the article great but please be careful without max. ICAP connection settings.

Regards

Heiko

Hi Heiko,

Thanks for your feedback, I'll look in to this. I didn't know this to be an issue. 

Kind regards,

     --Niels

Hi Heiko,

So I assume setting the Connection Limit on the SandBlast_ICAP_Pool pool member didn't work? Do you have an easy way of reproducing this error? 

I've been testing, but all seems okay (although my firewall had a load of 64). See the below output. 

[nielsvs@localhost ~]$ ab -n 1000 -c 200 http://10.23.98.219/F5/upload/uploads/eicar_com.zip
This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 10.23.98.219 (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests

Server Software: C-ICAP
Server Hostname: 10.23.98.219
Server Port: 80

Document Path: /F5/upload/uploads/eicar_com.zip
Document Length: 459 bytes

Concurrency Level: 200
Time taken for tests: 155.535 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 625000 bytes
HTML transferred: 459000 bytes
Requests per second: 6.43 [#/sec] (mean)
Time per request: 31106.983 [ms] (mean)
Time per request: 155.535 [ms] (mean, across all concurrent requests)
Transfer rate: 3.92 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 2 2.6 1 10
Processing: 1219 29546 7854.4 29687 56783
Waiting: 1219 29545 7854.3 29687 56782
Total: 1229 29548 7853.1 29688 56787

Percentage of the requests served within a certain time (ms)
50% 29688
66% 32377
75% 34387
80% 35846
90% 38867
95% 41347
98% 43732
99% 45058
100% 56787 (longest request)
[nielsvs@localhost ~]$

Kind regards,

     --Niels

Hi Niels van Sluis,

This does not describe the maximum number of connections over the F5.

It is the maximum number of connections between ICAP Server and ICAP Client.

You can limit this on a Symantec (Bluecoat) SG as follows:

It doesn't work on F5.

For example, the TE Appliance provides 100 ICAP TCP sockets and the 101 connection between F5 and TEX Appliance is established, an ICAP error occurs.

Hi Heiko,

When setting the pool members (read: the pool member is the SandBlast ICAP server) connection limit to for example 50, it does limit the ICAP connections being sent to the SandBlast ICAP server. However, this seems to result in the virtual server that has the adapt profiles attached become unavailable (connections being rejected). What happens on the Bluecoat when the Maximum number of connections to the SandBlast ICAP server is being reached? Will it just serve the requests without content scanning (fail-open) or will it reject requests until resources become available again?

Kind regards,

     --Niels

The Bluecoat SG is running a queuing of objects until one of the ICAP TCP connections can process a request. This may make everything very slow. But there are no ICAP errors.

However, you can adjust the parameters on the TEX Appliance in the following file:

$FWDIR/c-icap/etc/c-icap.conf

I don't have a system to test right now. Please read the infos under the following link:

The c-icap project 

Regards

Heiko

As I said, I do not think it is reasonable to limit it to the F5.

So I wouldn't use it in critical environments.

I'm a big fan of F5 and Check Point. But here I don't see any solution for the problem at the moment.

But maybe ask Thomas Werner from Check Point. He's very good at TEX and ICAP  themes.

Hi Heiko,

On the F5 BIG-IP it's also posible to queue the connections to the ICAP server when there is a connection limit set on the connections to the ICAP server. I've tested it, and it works. Here is how to do it:

• Enable Request Queueing on the SandBlast_ICAP_Pool (see Advanced options).

• Set connection limit to the SandBlast ICAP Pool member.

As you can see, in this example the limit of connections towards the ICAP server is set to 5 and Request Queing is enabled. See below the benchmark test without these settings applied and another with the settings applied.

• 10 requests with 10 requests concurrent and as expected 5 are failing, because the limit is set to 5 and there is no queueing.

• 10 requests with 10 requests concurrent and as expected and no failing connections, because queueing is enabled.

I'll add this to the iApp template soon 🙂

The iApp template now sets the default connection limit of the SandBlast ICAP Server to 100 connections and also Requeust Queueing is enabled on the SandBlast ICAP Server pool.

Kind regards,

     --Niels

Very nice! I'll give you 100 points.

One more small question. Which F5 version do you use 12 or 13?

Hi Heiko,

Thanks for the point and feedback. In my lab I have version 14 running. But the functionality being used in the iApp template is also available in version 12 and 13. But I guess also in version 11.

Kind regards,

  --Niels

Hi Heiko, Niels,

In Israel I talked with Heiko about the cons/pros of ICAP as mentioned here, and we talked about an idea to implement the ThreatPrevention API via an iRule. 

What do you guys think. Will it work ? 

Cheers

Martijn

Hi Martijn,

Hi Niels,

Yes, I had an interesting conversation with Martijn in Israel. Sometimes the world is small:-) I think it is possible to send the file via iRule directly to the Sandblast API via https. I'm gonna take a look at this in a quiet minute. It won't be easy, but it should work.

Regard

Heiko