ICAP Client Functionality

The ICAP Client The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections. functionality in your Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. or Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. enables it to interact with an ICAP Server The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict. responses, modify their content, and block the matched HTTP connections.

In addition, you can add an ICAP Server decision to the enforcing logic on your Security Gateway, or Cluster (see Configuring Additional ICAP Response Headers for Enforcement).

The ICAP Client functionality in your Check Point Security Gateway or Cluster lets you work with 3rd party devices without changing your network topology.

The ICAP Client feature in your Check Point Security Gateway or Cluster supports these:

• HTTP request modification (ICAP REQMOD).

• HTTP response modification (ICAP RESPMOD).

• HTTPS traffic, which you can send to an ICAP Server.

  Important: You must enable and configure the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. on your Security Gateway or Cluster. The ICAP Client communication with the configured ICAP Servers is in clear (unencrypted) traffic.

• Multiple ICAP Servers:

  ICAP Client can send the HTTP messages to several ICAP Servers concurrently.

• User-defined ICAP request header extensions (X-Headers):

  • X-Client-IP, X-Server-IP (for the destination host), and X-Authenticated-User (if the ICAP Client knows it).

  • To work with user-defined ICAP response header extension, you must configure them explicitly (see Configuring Additional ICAP Response Headers for Enforcement).

  • See the Draft RFC - ICAP Extensions.

• Data Trickling mode.

• UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy..

This ICAP Client functionality was tested against an internal ICAP Server and against the Check Point ICAP Server.

Notes: There is no full Fail-Open support. In case of HTTP / HTTPS requests or responses with body and with only a single ICAP Server Service, the Fail Mode is always Fail-Close. ICAP Client in Check Point Security Gateway can support the Fail-Open with the Trickling From The End mode (see Configuring ICAP Client Data Trickling Parameters). To inspect IPv6 traffic: Enable IPv6 support on your Security Gateway or Cluster members Configure all ICAP Servers with IPv6 addresses.