Configuring ICAP Client in VSX mode
You configure the ICAP Client functionality in the context of each applicable Virtual System.
The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections.
Important - In a Cluster |
Procedure:
- Connect to the command line on the VSX Gateway (the physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices; it holds at least one Virtual System, which is called VS0).
- Log in to the Expert mode.
- Go to the context of the applicable Virtual System:
    vsenv <VSID>
- Follow the instructions in the ICAP user-disclaimer:
    IcapDisclaimer.sh
  If you agreed to the ICAP user-disclaimer, continue to the next step.
- Back up the default ICAP Client configuration file:
    cp -v $FWDIR/conf/icap_client_blade_configuration.C{,_BKP}
- Configure the ICAP Client parameters:
    vi $FWDIR/conf/icap_client_blade_configuration.C
  For details, see these sections:
- Save the changes in the file and exit the editor.
- To inspect the HTTPS traffic with the ICAP Client, you must:
  - Enable the HTTPS Inspection (the feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns; synonym: SSL Inspection; acronyms: HTTPSI, HTTPSi) in the Virtual System object.
  - Configure the HTTPS Inspection Rule Base (all rules configured in a given Security Policy; synonym: Rulebase).
  For details, see HTTPS Inspection.
- Install the Access Control Policy on the Virtual System:
  - If you enabled and configured the HTTPS Inspection, install the policy from the SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).
  - If you did not enable and configure the HTTPS Inspection, you can do one of these:
    - Install the policy from the SmartConsole.
    - Fetch the local policy with this command in the context of this Virtual System:
        fw fetch localhost
  Note - If one of the ICAP configuration parameters is not configured correctly, SmartConsole shows an error with the name of the applicable parameter.
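The backup command in the procedure, cp -v with {,_BKP}, overwrites an existing _BKP file, so running it a second time after editing replaces the saved default with the edited file. The shell functions below are an added example, not Check Point code: they keep the first backup, show what changed, and restore it. The function names are hypothetical, and the example assumes $FWDIR is already set for the current Virtual System context (after vsenv <VSID>).

```bash
# Added example (not Check Point code). Source this file in Expert mode after
# `vsenv <VSID>`, so that $FWDIR belongs to the Virtual System being configured.

# Print the configuration file path used in the procedure above.
icap_conf() {
    [ -n "$FWDIR" ] || { echo "FWDIR is not set" >&2; return 1; }
    printf '%s\n' "$FWDIR/conf/icap_client_blade_configuration.C"
}

# Create <file>_BKP only if it does not exist yet, then verify the copy.
# An existing backup is kept, so the default file survives repeated runs.
backup_icap_conf() {
    _conf=$(icap_conf) || return 1
    _bkp="${_conf}_BKP"
    [ -f "$_conf" ] || { echo "missing: $_conf" >&2; return 1; }
    if [ -e "$_bkp" ]; then
        echo "backup already exists, keeping it: $_bkp" >&2
        return 0
    fi
    cp -p "$_conf" "$_bkp" && cmp -s "$_conf" "$_bkp"
}

# Return 0 and print a unified diff if the live file differs from the backup,
# 1 if both are identical, 2 if either file is missing.
icap_conf_changed() {
    _conf=$(icap_conf) || return 2
    _bkp="${_conf}_BKP"
    [ -f "$_conf" ] && [ -f "$_bkp" ] || return 2
    if cmp -s "$_conf" "$_bkp"; then
        return 1
    fi
    diff -u "$_bkp" "$_conf" || true   # diff exits 1 when files differ
    return 0
}

# Copy the backup over the live file and verify the result.
# Install the policy again afterwards, as in the last step of the procedure.
restore_icap_conf() {
    _conf=$(icap_conf) || return 1
    _bkp="${_conf}_BKP"
    [ -f "$_bkp" ] || { echo "no backup: $_bkp" >&2; return 1; }
    cp -p "$_bkp" "$_conf" && cmp -s "$_conf" "$_bkp"
}
```

Call backup_icap_conf before opening the file in vi, icap_conf_changed after saving to review the edits, and restore_icap_conf to return to the saved file.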