ICAP Server Configuration

To enable ICAP Server support on the system:

Step

Instructions

1

Enable ICAP Server support on the Check Point Security Gateway or Cluster:

  1. In SmartConsole, go to the Gateways & Servers view and double-click a Security Gateway or cluster.

  2. Navigate to the ICAP Server page.

  3. Select Enable ICAP Server.

    In Service, the default service is TCP ICAP, which runs on port 1344. To create a new service, see Creating a new ICAP service.

  4. Configure the ICAP client to connect to the Gateway. See Security Gateway as ICAP Client.

  5. Configure Fail Mode: select whether requests to the ICAP server are blocked or allowed in case of an error.

  6. You can configure an implied rule for ICAP in the Access Control policy.

  7. Configure Advanced ICAP Server options (see Advanced ICAP Server Settings on the Security Gateway).

  8. Click OK.

  9. Install the Access Control Policy.

2

Configure the ICAP rule:

When you enable ICAP Server on the gateway object, an auto-generated rule is created in the Threat Prevention Rule Base. One rule is created for each gateway that has ICAP Server enabled.

Configure the Action column in this rule. You can select a different profile for each ICAP rule. Unlike other Threat Prevention rules, you cannot create exceptions for an ICAP rule.

Note - In Threat Extraction > UserCheck settings, if you want to allow the user to access the original file, you must configure access from the internal network to the ICAP server so that the client can download the original files (the internal network is connected to the ICAP client and not directly to the gateway or ICAP Server).

3

For Threat Extraction support, in the profile editor, go to Threat Extraction > General > Protocol and make sure that Web (HTTP/HTTPS) is selected.

4

To scan files with Anti-Virus, in the Threat Prevention profile, go to the Anti-Virus tab, and select Enable deep inspection scanning (impacts performance).

5

Install the Threat Prevention policy.

For information on how to test ICAP Server functionality, see sk174487.

Advanced ICAP Server Settings on the Security Gateway

The ICAP Server uses processes to handle the requests it receives from the ICAP Client. Each process generates multiple threads, and each thread handles one request from the ICAP Client to the ICAP Server.

The ICAP Server supports dynamic scaling of the number of processes for optimal performance. The number of available threads increases or decreases as needed. The minimum number of processes is three.

To configure the advanced ICAP Server settings on the Security Gateway, open the gateway editor and go to ICAP Server > Advanced:

  • The maximum allowed number of server processes is configured on the gateway. In addition, you can configure The number of threads per a child process.

  • The maximum allowed number of server processes multiplied by The number of threads per a child process is the number of maximum concurrent connections that the ICAP Server can handle.

  • Start a new child process if the number of available threads is less than [x] - This option allows dynamic growth and lets you configure the number of new threads as needed. The ICAP Server counts the total number of available (idle) threads. If this number is lower than the number configured in this field, it creates a new child process.

  • End a child process if the number of available threads is more than [x] - This option allows dynamic reduction of the number of threads as needed. The ICAP Server counts the total number of available (idle) threads. If this number is higher than the number configured in this field, it ends a child process.
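The sizing rules above can be checked before deployment with a small model. The following is an added example, not Check Point code: it implements only the rules stated on this page (minimum of three processes, the configured maximum, and the two idle-thread thresholds), and it assumes one process is started or ended per check. The class name, function names and all numeric values are constructed for illustration and are not product defaults.

```python
from dataclasses import dataclass

MIN_PROCESSES = 3  # minimum number of processes stated on the page


@dataclass
class IcapPoolModel:
    max_processes: int        # "maximum allowed number of server processes"
    threads_per_process: int  # "number of threads per a child process"
    start_below: int          # start a child process if idle threads < this
    end_above: int            # end a child process if idle threads > this
    processes: int = MIN_PROCESSES

    @property
    def max_concurrent(self):
        # Ceiling on concurrent ICAP requests: processes x threads.
        return self.max_processes * self.threads_per_process

    def step(self, active_requests):
        """One scaling decision (assumed: one process added or ended per check).
        Returns (processes, requests beyond current thread capacity)."""
        total = self.processes * self.threads_per_process
        idle = total - min(active_requests, total)
        if idle < self.start_below and self.processes < self.max_processes:
            self.processes += 1
        elif idle > self.end_above and self.processes > MIN_PROCESSES:
            self.processes -= 1
        capacity = self.processes * self.threads_per_process
        return self.processes, max(0, active_requests - capacity)


def run(pool, loads):
    """Feed a sequence of concurrent-request counts through the model."""
    return [pool.step(n) for n in loads]


def churn(history, start=MIN_PROCESSES):
    """Count checks at which the process count changed (start/stop events)."""
    counts = [start] + [p for p, _ in history]
    return sum(1 for a, b in zip(counts, counts[1:]) if a != b)


if __name__ == "__main__":
    # Constructed values, not Check Point defaults.
    wide = IcapPoolModel(10, 20, start_below=10, end_above=40)
    narrow = IcapPoolModel(10, 20, start_below=10, end_above=15)
    print("ceiling:", wide.max_concurrent)
    print("steady 55, wide gap churn:", churn(run(wide, [55] * 10)))
    print("steady 55, narrow gap churn:", churn(run(narrow, [55] * 10)))
    print("burst 250:", run(IcapPoolModel(10, 20, 10, 40), [250] * 10)[-1])
```

In this model, when the gap between the two thresholds is smaller than the number of threads per process, a steady load makes the pool start and end a process on alternate checks. A load above the ceiling leaves requests without a thread once the maximum number of processes is reached.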