The ICAP Client configuration file on Check Point Security Gateway ($FWDIR/conf/icap_client_blade_configuration.C) contains a number of sections. Each section contains the applicable parameters. Some parameters accept only string values (notice the double-quotes). Some parameters accept only integer values.
| Parameter | Accepted Values | Description |
|---|---|---|
| | | Controls the ICAP Client feature: Default: |
| | | Controls which HTTP methods to process. If this section is empty, there is no filter for HTTP requests. As a result, ICAP functionality is not activated on all HTTP requests. Default: |
| | Integer from 1 to 65535 | Controls on which port to process the HTTP packets. This is in addition to the HTTP services that are defined by default in SmartConsole (such as: HTTP for TCP port 80 and HTTPS for TCP port 443). You must explicitly add every port, on which you transfer HTTP packets. Ranges of ports are not supported. ICAP filtering (HTTP methods) works on every port you define in this section. If traffic matches a filter, full ICAP functionality is activated on that port. Best Practice - Add only applicable ports. Default: |
| | | Controls whether ICAP Client sends HTTP responses with content-type " Default: |
| | Plain-text string (string length is up to 32 characters) | Controls the name of UserCheck block page. If you change the default value, you must configure your value in the SmartConsole: Default: |
| | | Controls the Data Trickling mode. To avoid HTTP connection timeout when you upload or download large files, you can use the Data Trickling to pass some of the original HTTP payload to its destination, while the ICAP Server scans this HTTP payload. Default: |
| | | Controls the ICAP Client log level: Default: |
| | | Defines the ICAP Servers with which the ICAP Client works. |
| | Plain-text string (string length is up to 32 characters) | Defines the name of the ICAP Server. Used for logging. |
| | IPv4 Address in quad-decimal format (string length is up to 32 characters) | Defines the IPv4 address of the ICAP Server. This parameter is mandatory. Note - For the ICAP server on a Check Point cluster, you must enter the Cluster Virtual IPv4 address. |
| | IPv6 Address (string length is up to 40 characters) | Defines the IPv6 address of the ICAP Server. This parameter is optional. Notes: |
| | Integer from 1 to 65535 | Defines the port on the ICAP Server. Default: |
| | Plain-text string up to 32 characters | Defines the name of the ICAP service. Default: |
| | | Defines the ICAP protocol. Note - You must not change this value. Default: |
| | | Defines the ICAP modification mode: Default: |
| | | Defines the 3rd party connection type. Note - You must not change this value. Default: |
| | | Defines the ICAP Client fail mode: For HTTP requests or responses with a body, the last service fail-mode action is always treated as Default: |
| | Integer from 1 to (2^32)-1 | Defines the ICAP Client timeout (in seconds). After this time passes, the ICAP Client sends a reset to the ICAP Server. Default: |
| | Integer from 1 to (2^32)-1 | Defines the maximal number of ICAP opened connections to each configured ICAP Server. Default: |
| | | Defines the UserCheck action: Default: |
| | | Controls the X-Headers: X-Client-IP, X-Server-IP, and X-Authenticated-User. |
| | | Controls the X-Header X-Client-IP: Default: |
| | | Controls the X-Header X-Server-IP: Default: |
| | | Controls the X-Header X-Authenticated-User: Default: |
| | | Defines the Auth-Scheme for user authentication URI. Note - URI is given as plain-text, and not in the Base64 encoding. Default: |
| | | Controls whether to encode the X-Header X-authenticated-user with Base64 encoding Default: |
| | | Controls the network filter rules: Default: |
| | | Controls the network filter rules for source and destination IPv4 addresses. |
| | | Defines the source IPv4 addresses. Each rule can contain only one The |
| | | Defines the minimal source IPv4 address in the range of IPv4 source addresses. |
| | | Defines the maximal source IPv4 address in the range of IPv4 source addresses. |
| | | Defines the destination IPv4 addresses. Each rule can contain only one The |
| | | Defines the minimal destination IPv4 address in the range of IPv4 destination addresses. |
| | | Defines the maximal destination IPv4 address in the range of IPv4 destination addresses. |
| | | Controls the network filter rules for source and destination IPv6 addresses. |
| | | Defines the source IPv6 addresses. Each rule can contain only one The |
| | | Defines the minimal source IPv6 address in the range of IPv6 source addresses. |
| | | Defines the maximal source IPv6 address in the range of IPv6 source addresses. |
| | | Defines the destination IPv6 addresses. Each rule can contain only one The |
| | | Defines the minimal destination IPv6 address in the range of IPv6 destination addresses. |
| | | Defines the maximal destination IPv6 address in the range of IPv6 destination addresses. |

Notes about the :network_filter_rules_ip4 () and :network_filter_rules_ip6 () parameters:

- Each :network_filter_rules_ipX () rule can contain only one :src_ip_ranges () parameter. The :src_ip_ranges () parameter in the rule can contain more than one :min_ip () and :max_ip () parameters.
- Each :network_filter_rules_ipX () rule can contain only one :dst_ip_ranges () parameter. The :dst_ip_ranges () parameter in the rule can contain more than one :min_ip () and :max_ip () parameters.
- [:network_filter_rules_ip4 ()] OR [:network_filter_rules_ip6 ()]
- [:src_ip_ranges ()] AND [:dst_ip_ranges ()]
- :src_ip_ranges () parameter, [:min_ip ()] OR [:max_ip ()]
- :dst_ip_ranges () parameter, [:min_ip ()] OR [:max_ip ()]

If the result of these logical operations is TRUE and :rules_type ("include"), then ICAP Client works.

If the result of these logical operations is TRUE and :rules_type ("exclude"), then ICAP Client does not work.
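
The rule logic in these notes can be modelled offline to check which connections a filter would send to the ICAP Server. The following is an added example, not Check Point code: the dictionary layout, the function names and the sample addresses are constructed, and it assumes that a range matches when the address lies between one :min_ip () / :max_ip () pair and that a FALSE result gives the opposite outcome to the TRUE case stated above.

```python
import ipaddress

# Constructed sample, keyed by the parameter names from the notes above.
SAMPLE = {
    "rules_type": "include",
    "network_filter_rules_ip4": [{
        "src_ip_ranges": [("10.1.0.0", "10.1.255.255"),
                          ("192.168.50.10", "192.168.50.20")],
        "dst_ip_ranges": [("0.0.0.0", "255.255.255.255")],
    }],
    "network_filter_rules_ip6": [{
        "src_ip_ranges": [("2001:db8::", "2001:db8::ffff")],
        "dst_ip_ranges": [("::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")],
    }],
}

def in_ranges(addr, ranges):
    # Assumed reading of "[:min_ip ()] OR [:max_ip ()]": any one pair contains addr.
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def rule_matches(rule, src, dst):
    # [:src_ip_ranges ()] AND [:dst_ip_ranges ()] inside a single rule.
    return (in_ranges(src, rule["src_ip_ranges"])
            and in_ranges(dst, rule["dst_ip_ranges"]))

def icap_applies(cfg, src, dst):
    """True if the ICAP Client works on a src -> dst connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src.version != dst.version:
        raise ValueError("source and destination must share an IP family")
    # Rules are OR-ed; only the rules of the connection's family can match.
    key = f"network_filter_rules_ip{src.version}"
    matched = any(rule_matches(r, src, dst) for r in cfg.get(key, []))
    if cfg["rules_type"] == "include":
        return matched
    if cfg["rules_type"] == "exclude":
        # Matched traffic skips the ICAP Server; unmatched traffic is
        # assumed to be processed (the page states only the TRUE case).
        return not matched
    raise ValueError("rules_type must be 'include' or 'exclude'")
```

Running candidate source and destination pairs through such a model before deploying an "exclude" list shows which connections would no longer be scanned by the ICAP Server.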