
The ICAP Client Configuration File

The ICAP Client configuration file on Check Point Security Gateway ($FWDIR/conf/icap_client_blade_configuration.C) contains a number of sections. Each section contains the applicable parameters. Some parameters accept only string values (notice the double-quotes). Some parameters accept only integer values.

Parameter

Accepted Values

Description

:enabled ()

  • "false"
  • "true"

Controls the ICAP Client feature:

  • "false" - Disables the feature
  • "true" - Enables the feature

Default: "false"

:filter_http_method ()

  • :method ("GET")
  • :method ("PUT")
  • :method ("POST")
  • :method ("CONNECT")
  • :method ("HEAD")
  • :method ("OPTIONS")

Controls which HTTP methods to process.

If this section is empty, no HTTP method is listed, so no HTTP request matches the filter and ICAP functionality is not activated on any HTTP request.

Default: "GET", "PUT", and "POST"

:http_services ()

:port (NUMBER)

Integer from 1 to 65535

Controls on which port to process the HTTP packets.

This is in addition to the HTTP services that are defined by default in SmartConsole (such as: HTTP for TCP port 80 and HTTPS for TCP port 443).

You must explicitly add every port on which you transfer HTTP packets. Port ranges are not supported.

ICAP filtering (HTTP methods) works on every port you define in this section. If traffic matches a filter, full ICAP functionality is activated on that port.

Best Practice - Add only applicable ports.

Default: 8080

:inspect_html_response ()

  • "false"
  • "true"

Controls whether ICAP Client sends HTTP responses with content-type "text/html" to the ICAP Server:

  • "false" - ICAP Client does not send HTTP responses with content-type "text/html" to the ICAP Server.
  • "true" - ICAP Client also sends HTTP responses with content-type "text/html" to the ICAP Server.

Default: "false"

:user_check_interaction_name ()

Plain-text string (string length is up to 32 characters)

Controls the name of UserCheck block page.

If you change the default value, you must configure your value in the SmartConsole:

  1. Objects menu > Object Explorer > More object types > UserCheck > New Drop.
  2. Select the Access Control related policy and click OK.
  3. You must enter the same name as you configured in the ICAP Client configuration file.
  4. Add the new message for the UserCheck Block page.
  5. Click OK.
  6. Install the Access Control Policy on the Security Gateway.

Default: "Blocked Message - Access Control"

:trickling_mode ()

  • 0
  • 1
  • 2
  • 3

Controls the Data Trickling mode.

To avoid an HTTP connection timeout when you upload or download large files, you can use Data Trickling to pass part of the original HTTP payload to its destination while the ICAP Server scans this HTTP payload.

  • 0 - No data trickling. ICAP Client always holds the HTTP connection until it gets a verdict from the ICAP Server (the same behavior as for small files).
  • 1 - Reserved. Currently not in use.
  • 2 - Trickling from the Start mode. ICAP Client sends the entire HTTP payload to its original destination, but slower than the original HTTP connection speed, so that the ICAP Server verdict arrives before ICAP Client has finished sending the HTTP payload to its original destination.
  • 3 - Trickling at the End mode. ICAP Client sends the entire HTTP payload to its original destination, except for the last (constant size) part of the HTTP payload. Based on the verdict from the ICAP Server, ICAP Client either sends or withholds this last part.

Note - In modes 2 and 3, the part of the HTTP payload that ICAP Client has already passed on cannot be recalled by a later block verdict from the ICAP Server.

Default: 0

:log_level ()

  • 0
  • 1
  • 2
  • 3

Controls the ICAP Client log level:

  • 0 - No logs.
  • 1 - Error logs (arrive with Alert).
  • 2 - Information logs (include verdict for the original HTTP connection).
  • 3 - Verbose logs (include service action for each ICAP Server connection).

Default: 0
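The page lists the parameters one by one but never shows how a configuration reads as a whole, or how to check one before installing it. The following added example (not Check Point's code or the file shipped on a gateway) parses a constructed fragment written in the :key (value) notation that the parameter names above use, and checks the general parameters against the accepted values listed above. The nesting of sections in SAMPLE_CONFIG is an assumption drawn from the parameter names, and the parser and validate() function are illustrative, not the Security Gateway's own loader.

```python
import re

# Constructed sample in the :key (value) layout of a Check Point .C file.
# The nesting of sections is an assumption taken from the parameter names
# on this page; the real file on a gateway may be laid out differently.
SAMPLE_CONFIG = """
(
    :enabled ("true")
    :filter_http_method (
        :method ("GET")
        :method ("PUT")
        :method ("POST")
    )
    :http_services (
        :port (8080)
        :port (8443)
    )
    :inspect_html_response ("false")
    :user_check_interaction_name ("Blocked Message - Access Control")
    :trickling_mode (0)
    :log_level (2)
)
"""

# Tokens: parentheses, double-quoted strings, :keys (possibly the bare ":"
# used for unnamed list entries), and bare words such as 8080, any, close.
TOKEN = re.compile(r'\(|\)|"[^"]*"|:[A-Za-z0-9_]*|[^\s()":]+')


def parse(text):
    """Parse the :key (value) notation into nested lists of (key, value).

    A nested section becomes a list of pairs; a scalar stays a string
    (quotes stripped) so the caller decides how to interpret it. Keys may
    repeat (several :method or :port entries), hence pairs, not a dict.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def parse_group():
        nonlocal pos
        if tokens[pos] != "(":
            raise ValueError("expected '('")
        pos += 1
        pairs = []
        while tokens[pos] != ")":
            key = tokens[pos]
            if not key.startswith(":"):
                raise ValueError(f"expected :key, got {key!r}")
            pos += 1
            if tokens[pos] != "(":
                raise ValueError(f"expected '(' after {key}")
            nxt = tokens[pos + 1]
            if nxt == ")":                               # empty section: :x ()
                value, pos = [], pos + 2
            elif nxt.startswith(":") or nxt == "(":      # nested section
                value = parse_group()
            else:                                        # scalar value
                if tokens[pos + 2] != ")":
                    raise ValueError(f"unterminated value for {key}")
                value, pos = nxt.strip('"'), pos + 3
            pairs.append((key[1:], value))
        pos += 1
        return pairs

    result = parse_group()
    if pos != len(tokens):
        raise ValueError("trailing data after top-level section")
    return result


def values(pairs, key):
    """All values stored under a key, in file order."""
    return [v for k, v in pairs if k == key]


VALID_METHODS = {"GET", "PUT", "POST", "CONNECT", "HEAD", "OPTIONS"}


def validate(cfg):
    """Return a list of problems, checked against the accepted values above."""
    problems = []
    for key in ("enabled", "inspect_html_response"):
        for v in values(cfg, key):
            if v not in ("true", "false"):
                problems.append(f'{key}: expected "true" or "false", got {v!r}')
    for section in values(cfg, "filter_http_method"):
        for m in values(section, "method"):
            if m not in VALID_METHODS:
                problems.append(f"filter_http_method: unknown method {m!r}")
    for section in values(cfg, "http_services"):
        for p in values(section, "port"):
            if not (p.isdigit() and 1 <= int(p) <= 65535):
                problems.append(f"http_services: port {p!r} outside 1-65535")
    for v in values(cfg, "trickling_mode"):
        if v not in ("0", "2", "3"):
            problems.append(f"trickling_mode: {v!r} is not 0, 2 or 3 (1 is reserved)")
    for v in values(cfg, "log_level"):
        if v not in ("0", "1", "2", "3"):
            problems.append(f"log_level: {v!r} is not 0-3")
    for v in values(cfg, "user_check_interaction_name"):
        if len(v) > 32:
            problems.append("user_check_interaction_name: longer than 32 characters")
    return problems


if __name__ == "__main__":
    print(validate(parse(SAMPLE_CONFIG)) or "configuration looks consistent")
```

Feeding the parser a fragment such as :trickling_mode (1) or :port (70000) returns one problem per violation; a check of this kind is worth running before the file is installed on a gateway, because a bad value only shows up later as ICAP not engaging.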

:icap_servers ()

 

Defines the ICAP Servers with which the ICAP Client works.

:icap_servers () - :name ()

Plain-text string (string length is up to 32 characters)

Defines the name of the ICAP Server. Used for logging.

:icap_servers () - :ip ()

IPv4 Address in dotted-decimal format (string length is up to 32 characters)

Defines the IPv4 address of the ICAP Server.

This parameter is mandatory.

Note - If the ICAP Server runs on a Check Point cluster, you must enter the Cluster Virtual IPv4 address.

:icap_servers () - :ip6 ()

IPv6 Address (string length is up to 40 characters)

Defines the IPv6 address of the ICAP Server.

This parameter is optional.

Notes:

  • The ICAP Server must have an IPv6 address configured.
  • If the ICAP Server runs on a Check Point cluster, you must enter the Cluster Virtual IPv6 address.

:icap_servers () - :port ()

Integer from 1 to 65535

Defines the port on the ICAP Server.

Default: 1344

:icap_servers () - :service ()

Plain-text string up to 32 characters

Defines the name of the ICAP service.

Default: "echo"

:icap_servers () - :proto ()

"icap"

Defines the ICAP protocol.

Note - You must not change this value.

Default: "icap"

:icap_servers () - :modification_mode ()

  • "reqmod"
  • "respmod"
  • "both"

Defines the ICAP modification mode:

  • "reqmod" - HTTP request modification (REQMOD) only.
  • "respmod" - HTTP response modification (RESPMOD) only.
  • "both" - Both HTTP request and HTTP response modification modes.

Default: "both"

:icap_servers () - :transp ()

"3rd_cpas"

Defines the 3rd party connection type.

Note - You must not change this value.

Default: "3rd_cpas"

:icap_servers () - :failmode ()

  • close
  • open

Defines the ICAP Client fail mode:

  • close - In case of an ICAP error, ICAP Client closes the original HTTP connection (fail-closed).
  • open - In case of an ICAP error, ICAP Client lets the original HTTP connection stay open (fail-open).

ICAP errors are logged according to the :log_level () value.

For HTTP requests or responses with a body, the last service fail-mode action is always treated as close, regardless of the defined value.

Default: close

:icap_servers () - :timeout ()

Integer from 1 to (2^32)-1

Defines the ICAP Client timeout (in seconds).

After this time passes, the ICAP Client sends a reset to the ICAP Server.

Default: 61

:icap_servers () - :max_conns ()

Integer from 1 to (2^32)-1

Defines the maximum number of open ICAP connections to each configured ICAP Server.

Default: 250

:icap_servers () - :user_check_action ()

  • 0
  • 1
  • 2

Defines the UserCheck action:

  • 0 - No "Block" page.
  • 1 - ICAP "Block" page.
  • 2 - Redirect to the UserCheck Portal ("Block" page). On the Security Gateway, you must enable UserCheck and at least one of the Software Blades that supports it.

Default: 1

:icap_servers () - :x_headers ()

 

Controls the X-Headers: X-Client-IP, X-Server-IP, and X-Authenticated-User.

:icap_servers () - :x_headers () - :x_client_ip ()

  • "false"
  • "true"

Controls the X-Header X-Client-IP:

  • "false" - Does not process this X-Header.
  • "true" - Adds the value of the X-Forwarded-For (XFF) header of the original HTTP request if that header is present, or the source IP address of the HTTP connection if it is not. Note that the X-Forwarded-For value is supplied by the client or an upstream proxy and is not verified by ICAP Client, so the ICAP Server must not treat it as an authenticated client address.

Default: "false"

:icap_servers () - :x_headers () - :x_server_ip ()

  • "false"
  • "true"

Controls the X-Header X-Server-IP:

  • "false" - Does not process this X-Header.
  • "true" - Adds the destination IP address of the HTTP connection (the proxy's IP address, or the address to which the HTTP Host name resolves).

Default: "false"

:icap_servers () - :x_headers () - :x_authenticated_user ()

  • "false"
  • "true"

Controls the X-Header X-Authenticated-User:

  • "false" - Does not process this X-Header.
  • "true" - Adds the username from Identity Awareness Software Blade.

Default: "false"

:icap_servers () - :x_headers () - :authentication_source ()

  • "WinNT"
  • "LDAP"
  • "Radius"
  • "Local"

Defines the authentication scheme (Auth-Scheme) of the X-Authenticated-User URI, which has the form <Auth-Scheme>://<domain>/<username>.

Note - The URI is built as plain text; ICAP Client Base64-encodes it only when :base64_username_encode () is "true".

Default: "Local"

:icap_servers () - :x_headers () - :base64_username_encode ()

  • "false"
  • "true"

Controls whether ICAP Client encodes the value of the X-Header X-Authenticated-User with Base64 encoding:

  • "false" - Does not encode.
  • "true" - Encodes with the Base64 encoding.

Default: "true"
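An added example (not Check Point's code) of how the X-Headers above end up in an ICAP REQMOD request, covering :x_client_ip (), :x_server_ip (), :x_authenticated_user (), :authentication_source () and :base64_username_encode () together. The x_headers configuration, the HTTP request and the ICAP Server address are constructed; the <Auth-Scheme>://<domain>/<user> layout of X-Authenticated-User follows the ICAP extension header convention, and taking only the first address of a multi-hop X-Forwarded-For value is an assumption of this example, not something the page states.

```python
import base64
import ipaddress

# Constructed x_headers section, using the parameter names on this page.
X_HEADERS_CFG = {
    "x_client_ip": "true",
    "x_server_ip": "true",
    "x_authenticated_user": "true",
    "authentication_source": "LDAP",
    "base64_username_encode": "true",
}

# Constructed HTTP request as ICAP Client would see it (not a capture).
HTTP_REQUEST = {
    "method": "GET",
    "uri": "http://intranet.example.test/report.xlsx",
    "headers": {"Host": "intranet.example.test", "X-Forwarded-For": "10.9.8.7"},
    "src_ip": "192.0.2.10",        # source of the HTTP connection
    "dst_ip": "198.51.100.20",     # destination of the HTTP connection
    "identity": ("example.test", "alice"),  # (domain, user) from Identity Awareness
}


def auth_user_uri(scheme, domain, user):
    # Assumed <Auth-Scheme>://<domain>/<user> layout of X-Authenticated-User.
    return f"{scheme}://{domain}/{user}"


def build_x_headers(cfg, req):
    """Return the X-Headers ICAP Client adds for this request, per the config."""
    hdrs = {}
    if cfg.get("x_client_ip") == "true":
        # XFF takes precedence when present, otherwise the connection source.
        # XFF is supplied by the client or an upstream proxy and is not
        # verified here, so the ICAP Server must not treat it as authenticated.
        xff = req["headers"].get("X-Forwarded-For")
        client = xff.split(",")[0].strip() if xff else req["src_ip"]
        ipaddress.ip_address(client)  # raises ValueError on a malformed value
        hdrs["X-Client-IP"] = client
    if cfg.get("x_server_ip") == "true":
        hdrs["X-Server-IP"] = req["dst_ip"]
    if cfg.get("x_authenticated_user") == "true":
        domain, user = req["identity"]
        uri = auth_user_uri(cfg.get("authentication_source", "Local"), domain, user)
        if cfg.get("base64_username_encode", "true") == "true":
            uri = base64.b64encode(uri.encode()).decode()
        hdrs["X-Authenticated-User"] = uri
    return hdrs


def decode_authenticated_user(value, cfg):
    """What the ICAP Server side does to recover the plain URI."""
    if cfg.get("base64_username_encode", "true") == "true":
        return base64.b64decode(value).decode()
    return value


def build_reqmod(server_ip, port, service, cfg, req):
    """Render the ICAP REQMOD request that carries the X-Headers.

    The HTTP request head is encapsulated; a GET has no body, so the
    Encapsulated header uses null-body at the offset where the head ends.
    """
    http_head = f"{req['method']} {req['uri']} HTTP/1.1\r\n"
    for name, val in req["headers"].items():
        http_head += f"{name}: {val}\r\n"
    http_head += "\r\n"
    lines = [f"REQMOD icap://{server_ip}:{port}/{service} ICAP/1.0",
             f"Host: {server_ip}"]
    lines += [f"{name}: {val}" for name, val in build_x_headers(cfg, req).items()]
    lines.append(f"Encapsulated: req-hdr=0, null-body={len(http_head.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + http_head


if __name__ == "__main__":
    print(build_reqmod("203.0.113.5", 1344, "echo", X_HEADERS_CFG, HTTP_REQUEST))
```

The ICAP Server sees whatever the client put in X-Forwarded-For, so any policy on the server side that keys on X-Client-IP should be treated as advisory; X-Authenticated-User, which comes from Identity Awareness rather than from the request, is the value to trust for per-user decisions.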

:rules_type ()

  • "none"
  • "include"
  • "exclude"

Controls the network filter rules:

  • "none" - Disables the network filter rules. ICAP Client ignores all other network filter rule parameters. Equivalent to "any" for both Source and Destination.
  • "include" - ICAP Client sends to the ICAP Server only the HTTP traffic whose IP addresses match the IP ranges defined below.
  • "exclude" - ICAP Client does not send to the ICAP Server the HTTP traffic whose IP addresses match the IP ranges defined below.

Default: "none"

:network_filter_rules_ip4 ()

 

Controls the network filter rules for source and destination IPv4 addresses.

:network_filter_rules_ip4 () - :src_ip_ranges ()

 

Defines the source IPv4 addresses.

Each rule can contain only one :src_ip_ranges () parameter.

The :src_ip_ranges () parameter can contain more than one pair of :min_ip () and :max_ip () parameters.

:network_filter_rules_ip4 () - :src_ip_ranges () - :min_ip ()

  • any
  • IPv4 Address in dotted-decimal format

Defines the lower bound of the range of source IPv4 addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you define :min_ip (any), you must define :max_ip (any).

  • IPv4 Address - ICAP Client processes the HTTP traffic from HTTP clients whose IPv4 addresses are greater than or equal to this configured IPv4 address.

:network_filter_rules_ip4 () - :src_ip_ranges () - :max_ip ()

  • any
  • IPv4 Address in dotted-decimal format

Defines the upper bound of the range of source IPv4 addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you define :max_ip (any), you must define :min_ip (any).

  • IPv4 Address - ICAP Client processes the HTTP traffic from HTTP clients whose IPv4 addresses are less than or equal to this configured IPv4 address.

:network_filter_rules_ip4 () - :dst_ip_ranges ()

 

Defines the destination IPv4 addresses.

Each rule can contain only one :dst_ip_ranges () parameter.

The :dst_ip_ranges () parameter can contain more than one pair of :min_ip () and :max_ip () parameters.

:network_filter_rules_ip4 () - :dst_ip_ranges () - :min_ip ()

  • any
  • IPv4 Address in dotted-decimal format

Defines the lower bound of the range of destination IPv4 addresses.

  • any - ICAP Client processes the HTTP traffic sent to all HTTP servers.

    If you define :min_ip (any), you must define :max_ip (any).

  • IPv4 Address - ICAP Client processes the HTTP traffic sent to HTTP servers whose IPv4 addresses are greater than or equal to this configured IPv4 address.

:network_filter_rules_ip4 () - :dst_ip_ranges () - :max_ip ()

  • any
  • IPv4 Address in dotted-decimal format

Defines the upper bound of the range of destination IPv4 addresses.

  • any - ICAP Client processes the HTTP traffic sent to all HTTP servers.

    If you define :max_ip (any), you must define :min_ip (any).

  • IPv4 Address - ICAP Client processes the HTTP traffic sent to HTTP servers whose IPv4 addresses are less than or equal to this configured IPv4 address.

:network_filter_rules_ip6 ()

 

Controls the network filter rules for source and destination IPv6 addresses.

:network_filter_rules_ip6 () - :src_ip_ranges ()

 

Defines the source IPv6 addresses.

Each rule can contain only one :src_ip_ranges () parameter.

The :src_ip_ranges () parameter can contain more than one pair of :min_ip () and :max_ip () parameters.

:network_filter_rules_ip6 () - :src_ip_ranges () - :min_ip ()

  • any
  • IPv6 Address

Defines the lower bound of the range of source IPv6 addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you define :min_ip (any), you must define :max_ip (any).

  • IPv6 Address - ICAP Client processes the HTTP traffic from HTTP clients whose IPv6 addresses are greater than or equal to this configured IPv6 address.

:network_filter_rules_ip6 () - :src_ip_ranges () - :max_ip ()

  • any
  • IPv6 Address

Defines the upper bound of the range of source IPv6 addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you define :max_ip (any), you must define :min_ip (any).

  • IPv6 Address - ICAP Client processes the HTTP traffic from HTTP clients whose IPv6 addresses are less than or equal to this configured IPv6 address.

:network_filter_rules_ip6 () - :dst_ip_ranges ()

 

Defines the destination IPv6 addresses.

Each rule can contain only one :dst_ip_ranges () parameter.

The :dst_ip_ranges () parameter can contain more than one pair of :min_ip () and :max_ip () parameters.

:network_filter_rules_ip6 () - :dst_ip_ranges () - :min_ip ()

  • any
  • IPv6 Address

Defines the lower bound of the range of destination IPv6 addresses.

  • any - ICAP Client processes the HTTP traffic sent to all HTTP servers.

    If you define :min_ip (any), you must define :max_ip (any).

  • IPv6 Address - ICAP Client processes the HTTP traffic sent to HTTP servers whose IPv6 addresses are greater than or equal to this configured IPv6 address.

:network_filter_rules_ip6 () - :dst_ip_ranges () - :max_ip ()

  • any
  • IPv6 Address

Defines the upper bound of the range of destination IPv6 addresses.

  • any - ICAP Client processes the HTTP traffic sent to all HTTP servers.

    If you define :max_ip (any), you must define :min_ip (any).

  • IPv6 Address - ICAP Client processes the HTTP traffic sent to HTTP servers whose IPv6 addresses are less than or equal to this configured IPv6 address.
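An added example (not Check Point's code) that applies the :rules_type () setting and the :network_filter_rules_ip4 () / :network_filter_rules_ip6 () semantics above to a flow, including the rule that :min_ip (any) and :max_ip (any) must be paired. The rules are constructed from the parameter names on this page; the assumption that a rule matches only when both its source and its destination ranges match, and the helper names, are this example's own.

```python
import ipaddress

# Constructed rules in the shape of the network_filter_rules sections:
# each rule has one src_ip_ranges and one dst_ip_ranges list, and each
# list holds (min_ip, max_ip) pairs. "any" is allowed only as a pair.
RULES_IP4 = [
    {"src_ip_ranges": [("10.0.0.0", "10.0.255.255"),
                       ("192.168.1.10", "192.168.1.20")],
     "dst_ip_ranges": [("any", "any")]},
]
RULES_IP6 = [
    {"src_ip_ranges": [("2001:db8::1", "2001:db8::ffff")],
     "dst_ip_ranges": [("any", "any")]},
]


def validate_ranges(ranges):
    """Enforce the constraints stated on this page for min_ip/max_ip pairs:
    any must be paired with any, and a real pair must be an ordered range
    of the same address family."""
    for lo, hi in ranges:
        if (lo == "any") != (hi == "any"):
            raise ValueError(f"min_ip/max_ip must both be any or neither: {lo}/{hi}")
        if lo != "any":
            a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if a.version != b.version or a > b:
                raise ValueError(f"bad range {lo}-{hi}")


def in_ranges(addr, ranges):
    """True if addr falls inside any (min_ip, max_ip) pair, inclusive."""
    addr = ipaddress.ip_address(addr)
    for lo, hi in ranges:
        if lo == "any":
            return True
        a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if a.version == addr.version and a <= addr <= b:
            return True
    return False


def rule_matches(rule, src, dst):
    # Assumption of this example: both the source and the destination
    # range list of a rule have to match for the rule to match.
    return in_ranges(src, rule["src_ip_ranges"]) and in_ranges(dst, rule["dst_ip_ranges"])


def send_to_icap(rules_type, rules_ip4, rules_ip6, src, dst):
    """Decide whether ICAP Client forwards this flow to the ICAP Server."""
    if rules_type == "none":          # filter disabled: same as any/any
        return True
    rules = rules_ip4 if ipaddress.ip_address(src).version == 4 else rules_ip6
    for rule in rules:
        validate_ranges(rule["src_ip_ranges"])
        validate_ranges(rule["dst_ip_ranges"])
    matched = any(rule_matches(r, src, dst) for r in rules)
    if rules_type == "include":
        return matched
    if rules_type == "exclude":
        return not matched
    raise ValueError(f"unknown rules_type {rules_type!r}")


if __name__ == "__main__":
    for mode in ("none", "include", "exclude"):
        print(mode, send_to_icap(mode, RULES_IP4, RULES_IP6, "10.0.3.4", "198.51.100.1"))
```

With "exclude", a flow that matches no rule is still sent to the ICAP Server, so an exclude list that is meant to carve out a small set of hosts behaves as expected, while an empty rule set under "include" sends nothing at all; the decision function makes both cases explicit.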

Notes about the :network_filter_rules_ip4 () and :network_filter_rules_ip6 () parameters: