Configuring Additional ICAP Response Headers for Enforcement
Description
To adjust the enforcement according to ICAP response headers from an ICAP Server The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict., you can configure specific HTTP headers. When ICAP Client The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections. on Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. receives these HTTP headers, the Security Gateway blocks the matched HTTP connections. See the Draft RFC - ICAP Extensions.
Default HTTP Response X-Headers
By default, ICAP Client recognizes these three user-defined ICAP response header extensions.
Additional HTTP Response X-Headers
You can add additional HTTP response X-Headers for the ICAP Client to recognize.
Configuring the Additional HTTP Response X-Headers
You add the additional HTTP response X-Headers as values of the specific kernel parameter:
Item |
Description |
---|---|
Name |
|
Type |
String |
Notes |
|
For general instructions, see the R81 Quantum Security Gateway Guide > Chapter Working with Kernel Parameters on Security Gateway.
-
Set the value of this kernel parameter to the string
'__print__'
:fw ctl set str icap_unwrap_append_header_str '__print__'
-
Print the list of the configured HTTP headers:
dmesg | grep append_icap_unwrap_headers
Example:
|
Note - In this mode, the ICAP Client does not block the matched HTTP connections. |
-
Set the value of this string kernel parameter to the name if the X-header:
fw ctl set str icap_unwrap_append_header_str '<Name of X-header>'
-
Print the list of the configured HTTP headers:
dmesg | grep append_icap_unwrap_headers
Example:
-
Set the value of this kernel parameter to an empty string
''
:fw ctl set str icap_unwrap_append_header_str ''
-
Print the list of the configured HTTP headers:
fw ctl set str icap_unwrap_append_header_str '__print__'
dmesg | grep append_icap_unwrap_headers
Example:
-
Set the value of this kernel parameter to the strings
'X-Virus-ID'
,'X-Violations-Found'
, and'X-Infection-Found'
:fw ctl set str icap_unwrap_append_header_str 'X-Virus-ID'
fw ctl set str icap_unwrap_append_header_str 'X-Violations-Found'
fw ctl set str icap_unwrap_append_header_str 'X-Infection-Found'
-
Print the list of the configured HTTP headers:
fw ctl set str icap_unwrap_append_header_str 'X-Infection-Found'
dmesg | grep append_icap_unwrap_headers