The Security Gateway as an ICAP Server

Check Point ICAP ServerClosed The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict. can work with multiple ICAP Clients.

Check Point ICAP Server is supported On R80.20 Security Gateways and higher for the Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. blades. From R81, ICAP Server also supports the Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. blade.

To activate the ICAP Server on a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., you must first enable Threat Emulation and/or Anti-Virus and/or Threat Extraction on that Security Gateway object.

If you enable ICAP Server on the Security Gateway and not enable the Threat Emulation Anti-Virus, or Threat Extraction blades, the ICAP Server runs but without inspection.

The ICAP Server operates according to the relevant settings defined for Threat Emulation, Threat Extraction and Anti-Virus in the selected Threat Prevention profile and engine settings.

ICAP Server functionality is not supported in VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode and ClusterXL Load Sharing mode.

ICAP Server supports only Anti-Virus deep-scan. Any additional functionality, such as MD5 hash, URL reputation, and signature-based protection, is not supported.

If you enable the ICAP Server on a Check Point ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object:

  • You must configure your ICAP Clients to communicate with the applicable Virtual IP Address of the Check Point Cluster.

  • ICAP connections do not survive cluster failover.

For more information, see sk111306.

ICAP Server Actions

Check Point ICAP Server has 3 possible actions:

ICAP Action

Description and Example


For example: A Check Point UserCheckClosed Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. page presented by the Threat Emulation, Anti-Virus, or Threat Extraction Software Blades.

Continue / Not modified

A default gateway or a proxy server can forward the HTTP Request / Response to its original destination.

File modification

Applicable when Threat Extraction is activated. The ICAP Server modifies the HTTP/HTTPS content and sends the modified content to the ICAP Client.