Configuring Additional ICAP Response Headers for Enforcement

Description

To adjust the enforcement according to ICAP response headers from an ICAP Server The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict., you can configure specific HTTP headers. When ICAP Client The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections. on Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. receives these HTTP headers, the Security Gateway blocks the matched HTTP connections. See the Draft RFC - ICAP Extensions.

Default HTTP Response X-Headers

By default, ICAP Client recognizes these three user-defined ICAP response header extensions.

Default X-Headers

HTTP Response X-Header	Description	Examples
`X-Virus-ID`	Contains a short description of the threat that was found in the content. On a single line it can contain any virus or threat description. If multiple threats were found, only the first one is returned. This header is a shorter alternative to the `X-Infection-Found` header. This header is available only if the content was scanned, and some violations were found.	`X-Virus-ID: EICAR Test String` `X-Virus-ID: Encrypted Archive`
`X-Violations-Found`	Contains the detailed description of all the policy violations (for example, found viruses) that occurred while handling the request. If the scanned content was an archive, the scan results are listed for the contained files as well. If multiple threats were found for a single file, only the first one is returned. This header is present only if the content was scanned, and some violations were found. This header has a multi-line value starting with the number of reported violations on the first line and four additional lines per violation: The first line contains the number of the reported violations. The following lines contain the details: `Filename` May describe a single file within an archive that the ICAP Client sent to the ICAP Server. `ThreadDescription` Human readable description of the threat. For example, the virus name or the policy violation description. It may contain spaces and should not be quoted. `ProblemID:` One-digit integer identifier of the policy violation. For example, a virus ID. Currently, 0 is returned for all threats. `ResolutionID:` 0: File was not repaired. 1: File was repaired. 2: Violating part was removed (usually used if a file was removed from a container).	`X-Violations-Found: 2` `test.zip/dir1/eicar.com` `EICAR Test String` `11101` `2` `test.zip/dir2/eicar.com` `EICAR Test String` `11101` `2`
`X-Infection-Found`	Contains the description of the threat that was found in the ICAP message body of the request. If multiple threats were found, only the first one is returned. This header is present only if the content was scanned, and some violations were found. The value is a semicolon-separated parameter list with exactly three parameters in a given order: `TypeID:` 0: Virus infection. 1: Mail policy violation (for example, illegal file attachment name). 2: Container violation (for example, a ZIP file that takes too long to decompress). `ResolutionID:` 0: File was not repaired. 1: The returned file in the RESPMOD response is the repaired version of the infected file that was encapsulated in the request. 2: The original file should be blocked or rejected due to container or mail policy violations. `ThreadDescription:` Human readable description of the threat. For example, the virus name or the policy violation description. It may contain spaces and should not be quoted. It must not contain semicolons, because it is terminated by the final semicolon of the header definition.	`X-Infection-Found: Type=0; Resolution=1; Threat=EICAR Test String;` Explanation: The ICAP request contained data that is infected by the EICAR test string. The file was repaired (for example, the `eicar.com` file was removed from an archive and the remaining archive is sent back in the response).

HTTP Response X-Header

Description

Examples

X-Virus-ID

Contains a short description of the threat that was found in the content.

On a single line it can contain any virus or threat description.

If multiple threats were found, only the first one is returned.

This header is a shorter alternative to the X-Infection-Found header.

This header is available only if the content was scanned, and some violations were found.

X-Virus-ID: EICAR Test String

X-Virus-ID: Encrypted Archive

X-Violations-Found

Contains the detailed description of all the policy violations (for example, found viruses) that occurred while handling the request.

If the scanned content was an archive, the scan results are listed for the contained files as well.

If multiple threats were found for a single file, only the first one is returned.

This header is present only if the content was scanned, and some violations were found.

This header has a multi-line value starting with the number of reported violations on the first line and four additional lines per violation:

The first line contains the number of the reported violations.
The following lines contain the details:

Filename

May describe a single file within an archive that the ICAP Client sent to the ICAP Server.

ThreadDescription

Human readable description of the threat. For example, the virus name or the policy violation description. It may contain spaces and should not be quoted.

ProblemID:

One-digit integer identifier of the policy violation. For example, a virus ID. Currently, 0 is returned for all threats.

ResolutionID:

0: File was not repaired.
1: File was repaired.
2: Violating part was removed (usually used if a file was removed from a container).

X-Violations-Found: 2
test.zip/dir1/eicar.com
EICAR Test String
11101
2
test.zip/dir2/eicar.com
EICAR Test String
11101
2

X-Infection-Found

Contains the description of the threat that was found in the ICAP message body of the request.

If multiple threats were found, only the first one is returned.

This header is present only if the content was scanned, and some violations were found.

The value is a semicolon-separated parameter list with exactly three parameters in a given order:

TypeID:

0: Virus infection.
1: Mail policy violation (for example, illegal file attachment name).
2: Container violation (for example, a ZIP file that takes too long to decompress).

ResolutionID:

0: File was not repaired.
1: The returned file in the RESPMOD response is the repaired version of the infected file that was encapsulated in the request.
2: The original file should be blocked or rejected due to container or mail policy violations.

ThreadDescription:

Human readable description of the threat. For example, the virus name or the policy violation description. It may contain spaces and should not be quoted. It must not contain semicolons, because it is terminated by the final semicolon of the header definition.

X-Infection-Found: Type=0; Resolution=1; Threat=EICAR Test String;

Explanation: The ICAP request contained data that is infected by the EICAR test string. The file was repaired (for example, the eicar.com file was removed from an archive and the remaining archive is sent back in the response).

Additional HTTP Response X-Headers

You can add additional HTTP response X-Headers for the ICAP Client to recognize.

Additional X-Headers

HTTP Response X-Header	Description	Examples
`X-Response-Info`	Contains a one word description of the action the ICAP Server applied on the HTTP request. This header is available in all responses sent by the ICAP Server.	`X-Response-Info: Allowed` `X-Response-Info: Blocked` `X-Response-Info: Options`
`X-Response-Desc`	Contains a one line description about the action that the ICAP Server applied on the content. This header is available in all "blocked" responses. In case of the content was scanned, and some violations were found, the returned string is equivalent to `X-Blocked-Reason`'s value.	`X-Response-Desc: Infected` `X-Response-Desc: Encrypted Archive`
`X-Include`	Contains the list of requested HTTP headers, which the ICAP Client should add to the HTTP requests, if the information is available. This header is present only in HTTP `Options` responses. This header is a comma-separated list of any ICAP header extension field names that the ICAP Server wants the ICAP Client to add to the requests, if the information is available and the header is supported.	`X-Include: X-Client-IP`
`X-Blocked-Reason`	Metadefender specific custom header. Contains the blocking reason of the content. This header is available only if the content was scanned, and some violations were found.	`X-Blocked-Reason: Infected`
`X-ICAP-Profile`	Contains the applied workflow's name (user profile). This header is available only if the file was scanned.	`X-ICAP-Profile: Proxy`

Configuring the Additional HTTP Response X-Headers

You add the additional HTTP response X-Headers as values of the specific kernel parameter:

Item	Description
Name	`icap_unwrap_append_header_str`
Type	String
Notes	Length of each added HTTP header is up to 80 characters You can add up to 21 such HTTP headers The ICAP Client also uses this HTTP response status: `HTTP/1.0 403 Forbidden` (according to RFC 3507).

For general instructions, see the R81 Quantum Security Gateway Guide > Chapter Working with Kernel Parameters on Security Gateway.

To see the list of the configured HTTP response X-headers

Set the value of this kernel parameter to the string '__print__':

fw ctl set str icap_unwrap_append_header_str '__print__'

Print the list of the configured HTTP headers:

dmesg | grep append_icap_unwrap_headers

Example:

[Expert@GW:0]# fw ctl set str icap_unwrap_append_header_str '__print__'
[Expert@GW:0]# dmesg | grep append_icap_unwrap_headers
[fw6_0];append_icap_unwrap_headers: ==> new icap_unwrap_headers array is: [ X-Virus-ID ; X-Violations-Found ; X-Infection-Found ;]
[fw4_0];append_icap_unwrap_headers: ==> new icap_unwrap_headers array is: [ X-Virus-ID ; X-Violations-Found ; X-Infection-Found ;]
[Expert@GW:0]#

To add an HTTP response X-Header in detect only mode temporarily

Note - In this mode, the ICAP Client does not block the matched HTTP connections.

Set the value of this string kernel parameter to the name if the X-header:

fw ctl set str icap_unwrap_append_header_str '<Name of X-header>'

Print the list of the configured HTTP headers:

dmesg | grep append_icap_unwrap_headers

Example:

[Expert@GW:0]# fw ctl set str icap_unwrap_append_header_str 'X-Response-Info'
[Expert@GW:0]# fw ctl set str icap_unwrap_append_header_str 'X-Response-Desc'
[Expert@GW:0]# fw ctl set str icap_unwrap_append_header_str '__print__'
[Expert@GW:0]# dmesg | grep append_icap_unwrap_headers
[fw6_0];append_icap_unwrap_headers: ==> new icap_unwrap_headers array is: [ X-Virus-ID ; X-Violations-Found ; X-Infection-Found ; X-Response-Info ; X-Response-Desc ;]
[fw4_0];append_icap_unwrap_headers: ==> new icap_unwrap_headers array is: [ X-Virus-ID ; X-Violations-Found ; X-Infection-Found ; X-Response-Info ; X-Response-Desc ;]
[Expert@GW:0]#

To delete all configured HTTP response X-Headers temporarily

Set the value of this kernel parameter to an empty string '':

fw ctl set str icap_unwrap_append_header_str ''

Print the list of the configured HTTP headers:

fw ctl set str icap_unwrap_append_header_str '__print__'

dmesg | grep append_icap_unwrap_headers

Example:

[Expert@GW:0]# fw ctl set str icap_unwrap_append_header_str ''
[Expert@GW:0]# fw ctl set str icap_unwrap_append_header_str '__print__'
[Expert@GW:0]# dmesg | grep append_icap_unwrap_headers
[Expert@GW:0]#

To restore the default configured HTTP response X-Headers temporarily

Set the value of this kernel parameter to the strings 'X-Virus-ID', 'X-Violations-Found', and 'X-Infection-Found':

fw ctl set str icap_unwrap_append_header_str 'X-Virus-ID'

fw ctl set str icap_unwrap_append_header_str 'X-Violations-Found'

fw ctl set str icap_unwrap_append_header_str 'X-Infection-Found'

Print the list of the configured HTTP headers:

fw ctl set str icap_unwrap_append_header_str 'X-Infection-Found'

dmesg | grep append_icap_unwrap_headers