Antivirus Scanner Global Settings

Note: Juniper Networks supports external or internal antivirus (AV) on select devices. Your security device communicates with the external AV scan engine using Internet Content Adaptation Protocol (ICAP).

A virus is executable code that infects or attaches itself to other executable code in order to reproduce itself. Some viruses are malicious, erasing files or locking up systems. Others cause problems merely by infecting other files, because their propagation can overwhelm the infected host or network with excessive amounts of bogus data.

This page allows you to configure global AV and HTTP settings.

AV Scanner Global Settings

Fail Mode Traffic Permit

Fail Mode Traffic Permit: Select this option to permit unexamined traffic when an error condition occurs (fail open). Clear the check box to block it (fail closed).

Fail mode is the behavior of the security device when the scan engine cannot scan traffic: it either permits or blocks the unexamined traffic. By default, the security device blocks HTTP and SMTP traffic that a policy with antivirus checking enabled would otherwise permit. Permitting unexamined traffic keeps services available while the scan engine is in an error state, but every object that passes during that window is delivered to the client unscanned.

Maximum AV Resources Allowed per AV Client

Maximum AV Resources Allowed per AV Client: Limits the share of scanning resources (the number of scanning connections, expressed as a percentage of the total) that a single client can consume, so that one client cannot exhaust the scanner for all others. Default value: 70 (percent).

AV HTTP Settings

Webmail Enable

Webmail Enable: Allows you to restrict scanning to Webmail traffic only. The default behavior scans both ordinary HTTP and Webmail traffic.

Note: Make sure a policy permitting HTTP exists.

If you want Webmail scanning only, enable this parameter and click Apply.

Keep Alive

Keep Alive: Select the Keep Alive check box to use the "keep-alive" connection option, or clear the check box to use the "close" connection option, and then click Apply.

By default, the security device uses the HTTP "keep-alive" connection option, in which the server does not send a TCP FIN to indicate the end of data transmission. The HTTP server must indicate that it has sent all the data in another way, such as by sending the content length in the HTTP header or by some form of encoding. (The method that a server uses varies by server type.) This method keeps the TCP connection open while the antivirus examination occurs, which decreases latency and improves CPU performance. However, it is less secure than the "close" connection method, because the security device has to rely on the server's own framing (content length or encoding) to decide where one object ends and the scan can begin. You can change this behavior if you find that HTTP connections are timing out during the antivirus examination.

You can change the default behavior of the security device to use the HTTP "close" connection option for indicating the end of data transmission. (If necessary, the security device changes the token in the Connection header field from "keep-alive" to "close".) In this method, when the HTTP server completes its data transmission, it sends a TCP FIN to close the TCP connection and thereby indicate that it has finished sending data. When the security device receives the TCP FIN, it has all the HTTP data from the server and can instruct the scan manager to begin scanning.
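The following is an added example, not ScreenOS code, that models the decision described above: an in-path scanner must find the end of an HTTP response before it can hand the whole object to the scan engine. Under "keep-alive" the only usable boundaries are Content-Length and chunked encoding; under "close" the boundary is the TCP FIN (represented here by the fin_seen flag). The sample responses are constructed for the example, and force_close() shows the header rewrite from "keep-alive" to "close" that the text mentions.

```python
"""Delimit an HTTP response for scanning under keep-alive vs. close.

Added example; not Juniper's implementation. Sample responses below are
constructed. A real device works on a TCP stream; here the bytes received so
far are passed in as one buffer.
"""


def parse_headers(raw):
    """Split raw bytes into (status_line, {lowercased-name: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, body


def decode_chunked(body):
    """Decode a chunked body; return (data_so_far, terminating_chunk_seen)."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return bytes(out), False          # chunk-size line not complete yet
        size = int(body[pos:nl].split(b";")[0].strip(), 16)  # ignore extensions
        pos = nl + 2
        if size == 0:
            return bytes(out), True           # last-chunk; trailers ignored
        if len(body) < pos + size + 2:
            return bytes(out), False          # chunk data not fully received
        out += body[pos:pos + size]
        pos += size + 2                       # skip data and its CRLF


def delimit_response(raw, fin_seen=False):
    """Return (complete_body or None, reason).

    None means the scanner must keep waiting, or, in the keep-alive case with
    no framing at all, that it cannot know when the object has ended.
    """
    _, headers, body = parse_headers(raw)
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) >= n:
            return body[:n], "content-length"
        return None, "waiting: content-length not yet satisfied"
    if "chunked" in headers.get("transfer-encoding", "").lower():
        data, done = decode_chunked(body)
        if done:
            return data, "chunked"
        return None, "waiting: terminating chunk not seen"
    if fin_seen:
        return body, "tcp-fin"               # close mode: FIN delimits the object
    return None, "undelimited: keep-alive with no framing; use close mode"


def force_close(raw):
    """Rewrite (or add) the Connection header to 'close', as the device does
    when the keep-alive option is cleared."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    out, seen = [], False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"connection:"):
            out.append(b"Connection: close")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(b"Connection: close")
    return b"\r\n".join(out) + sep + body


# Constructed sample responses (not captured traffic).
RESP_CL = (b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\n"
           b"Content-Length: 11\r\n\r\nhello world")
RESP_CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
RESP_NOFRAME = b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\n\r\nhello world"

if __name__ == "__main__":
    for name, raw in [("content-length", RESP_CL), ("chunked", RESP_CHUNKED),
                      ("no framing", RESP_NOFRAME)]:
        print(name, delimit_response(raw))
    print("no framing + FIN", delimit_response(RESP_NOFRAME, fin_seen=True))
    print(force_close(RESP_NOFRAME).split(b"\r\n\r\n")[0])
```

The third sample is the case the text warns about: with keep-alive and no Content-Length or chunked encoding, the scanner has no way to know the object has ended and will sit waiting until something times out; forcing Connection: close turns the same response into one the FIN delimits cleanly.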

Trickling (internal AV only)

Trickling: HTTP trickling is the forwarding of specified amounts of unscanned HTTP traffic to the requesting HTTP client to prevent the browser window from timing out while the scan manager examines downloaded HTTP files. (The security device forwards small amounts of data in advance of transferring an entire scanned file.) Because the trickled bytes leave the device before a verdict exists, a client that requests a file later found to be infected has already received those fragments; keep the trickle size small relative to the block size.

Disable: Select this option to disable HTTP trickling. HTTP trickling is disabled by default.

Default: Select this option to enable HTTP trickling using the predefined parameters.

Custom: Select this option to enable HTTP trickling using user-defined parameters for the following:

Minimum Length to Start Trickling: Enter the minimum size (in megabytes) of an HTTP file for trickling to apply. Smaller files are held in full until scanning completes.

Trickle Size: Enter the amount (in bytes) of unscanned traffic that the security device forwards to the client each time trickling occurs.

Trickle for Every MB Sent for Scanning: Enter the size (in megabytes) of the block of traffic sent for scanning after which the security device forwards one trickle.
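The following added example, not ScreenOS code, simulates the three custom parameters as they interact over a download, so you can see when each trickle fires and how many unscanned bytes the client holds if the verdict turns out to be "infected". The interpretation is an assumption stated in the code: the object size is known from Content-Length, trickling applies only when that size is at least the minimum length, and one trickle of trickle_bytes is forwarded each time another block_mb of data has been handed to the scanner. The chunk sizes are constructed inputs.

```python
"""Simulate HTTP trickling and the unscanned bytes it leaks to the client.

Added example; not Juniper's implementation. Assumed semantics: trickling is
enabled only for objects of at least `min_len_mb` megabytes; once enabled, each
time a further `block_mb` megabytes have been passed to the scanner, the device
forwards `trickle_bytes` of not-yet-scanned data to the client.
"""

MB = 1024 * 1024


def simulate_download(chunk_sizes, content_length, min_len_mb, trickle_bytes,
                      block_mb, verdict):
    """Feed the server's data through the device chunk by chunk.

    chunk_sizes: byte counts of successive segments received from the server
                 (constructed input; only the sizes matter here).
    Returns (events, unscanned_to_client, delivered):
      events              list of (bytes_sent_to_scanner, bytes_trickled)
      unscanned_to_client total bytes the client received before the verdict
      delivered           bytes the client ends up with after the verdict
    """
    eligible = content_length >= min_len_mb * MB
    block = int(block_mb * MB)
    if block <= 0 or trickle_bytes < 0:
        raise ValueError("block size must be positive and trickle size >= 0")
    sent_to_scanner = 0
    trickled = 0
    next_trickle_at = block
    events = []
    for size in chunk_sizes:
        sent_to_scanner += size
        # One large segment may cross several block boundaries at once.
        while eligible and sent_to_scanner >= next_trickle_at:
            n = min(trickle_bytes, content_length - trickled)
            trickled += n
            events.append((next_trickle_at, n))
            next_trickle_at += block
    if sent_to_scanner != content_length:
        raise ValueError("received %d bytes, Content-Length says %d"
                         % (sent_to_scanner, content_length))
    # Clean: the whole (scanned) object is released. Infected: the object is
    # dropped, but whatever was trickled is already in the client's hands.
    delivered = content_length if verdict == "clean" else trickled
    return events, trickled, delivered


def leaked_bytes(content_length, min_len_mb, trickle_bytes, block_mb,
                 segment=64 * 1024):
    """Worst case for an infected file: bytes the client holds before the
    scanner can say 'infected'. Assumes fixed-size segments summing to the
    object size."""
    full, rest = divmod(content_length, segment)
    sizes = [segment] * full + ([rest] if rest else [])
    _, _, delivered = simulate_download(sizes, content_length, min_len_mb,
                                        trickle_bytes, block_mb, "infected")
    return delivered


if __name__ == "__main__":
    # 10 MB download arriving in 512 KB segments; trickle 500 bytes per 1 MB
    # scanned, but only for objects of 3 MB or more.
    sizes = [MB // 2] * 20
    ev, unscanned, got = simulate_download(sizes, 10 * MB, 3, 500, 1, "infected")
    print("trickle events:", ev)
    print("unscanned bytes at client:", unscanned, "delivered after verdict:", got)
    print("2 MB file, same settings:", leaked_bytes(2 * MB, 3, 500, 1))
```

With the defaults chosen for the run above, an infected 10 MB file leaves 5000 unscanned bytes on the client (ten trickles of 500 bytes), while a 2 MB file below the minimum length leaks nothing; raising Trickle Size or lowering the block size increases that exposure in direct proportion.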