Getting Started with ICAP Server

To enable ICAP Server support on the Security Gateway / Cluster:

Step

Instructions

1

  1. From the left navigation panel, click Gateways & Servers.

  2. Double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.

  3. From the left tree, go to ICAP Server.

  4. Select Enable ICAP Server.

  5. In Service, the default service is TCP ICAP, which runs on port 1344.

    1. Go to the Object Explorer and select New > More > Service > TCP.

    2. Enter the object name and add a comment if necessary.

    3. In General, do not select a protocol.

    4. In Match By, select the Port you want the service to run on.

    5. Optional: Configure the Advanced features. For a detailed explanation on the advanced service features, check the online help.

    6. Click OK

      The new service now appears in the drop-down Service list.

    From R81.20, Check Point Security Gateway supports encrypted connection between the ICAP ServerClosed The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict. and ICAP ClientClosed The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections..

    1. Go to the Object Explorer and select New > More > Service > TCP.

    2. Enter the object name and add a comment if necessary.

    3. In General, do not select a protocol.

    4. In Match By, select the Port you want the service to run on.

    5. Optional: Configure the Advanced features. For a detailed explanation on the advanced service features, check the online help.

    6. Click OK.

    7. Create the CA certificate and ICAP Server certificate through your application of choice.

    8. Export the certificates in PEM file formats:

    9. Copy the server certificate "icapcert.pem" to the Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster. to some directory (for example, /home/admin).

    10. Connect to the command line on the Security Gateway / each Cluster Member.

    11. Log in to the Expert mode.

    12. Edit the ICAP Server configuration file:

      vi $FWDIR/c-icap/etc/c-icap.conf

    13. Add this line with the path of the server certificate:

      TlsPort [port_number] cert=/home/admin/icapcert.pem

    14. Save the changes in the file and exit the editor.

    15. Load the updated ICAP Server configuration with this command on the Security Gateway / each Cluster Member.:

      icap_server reconf

    16. Copy the CA certificate PEM file of the ICAP Server to the ICAP Client.

    17. Configure the ICAP Client so it is able to connect to the ICAP Server over TLS. Note these parameters:

      • ICAP protocol (icaps - for TLS).

      • ICAP Server IP address and port number.

      • Direct the ICAP modification requests to the ICAP Server SandBlast service.

      • TLS specifications

      For example:

      Third party ICAP Client (Squid) configuration:

      Copy 
      adaptation_send_client_ip on
      adaptation_send_username on
      icap_client_username_encode on
      icap_client_username_header X-Authenticated-User
      icap_service service_req_pre reqmod_precache icaps://<IP_ADDRESS>:<PORT_NUMBER>/sandblast tls-cafile=<CERTIFICATE_FILE> tls-domain=<DOMAIN_NAME>
      icap_service service_req_post reqmod_postcache icaps://<IP_ADDRESS>:<PORT_NUMBER>/sandblast tls-cafile=<CERTIFICATE_FILE> tls-domain=<DOMAIN_NAME>
      icap_service service_resp_pre respmod_precache icaps://<IP_ADDRESS>:<PORT_NUMBER>/sandblast tls-cafile=<CERTIFICATE_FILE> tls-domain=<DOMAIN_NAME>
      icap_service service_resp_post respmod_postcache icaps://<IP_ADDRESS>:<PORT_NUMBER>/sandblast tls-cafile=<CERTIFICATE_FILE> tls-domain=<DOMAIN_NAME>
      adaptation_access service_req_post allow all
      adaptation_access service_resp_pre allow all
      adaptation_access service_resp_post allow all

  6. Configure Fail Mode - In case of an error, configure if requests to the ICAP server are blocked or allowed.

  7. You can configure an implied ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for ICAP in the Access Control policy.

  8. Click OK.

2

Configure the ICAP client to connect to the Gateway. See Getting Started with ICAP Client.

3

When you enable ICAP Server in the Security Gateway or Cluster object, SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. automatically creates a rule in the Threat Prevention Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase..

One rule is created for each Security Gateway / Cluster that has ICAP Server enabled.

Configure the applicable action in the Action column of this rule.

You can select a different profile for each ICAP rule.

 

Notes:

4

For Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. support, in the Threat Prevention profile editor, go to Threat Extraction > General page > Protocol > select Web (HTTP/HTTPS).

5

To scan files with Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., in the Threat Prevention profile, go to the Anti-Virus page, and select Enable deep inspection scanning (impacts performance).

6

The ICAP Server uses processes to handle the requests it receives from the ICAP Client. Each process generates multiple threads, and each thread handles one request from the ICAP Client to the ICAP Server.

The ICAP Server supports dynamic scaling of the number of processes for optimal performance.

  1. From the left navigation panel, click Gateways & Servers.

  2. Double-click the Security Gateway / Cluster object.

  3. From the left tree, go to ICAP Server > Advanced.

  4. Configure the applicable settings:

    • The maximum allowed number of server processes

      The number of processes increases or decreases as needed.

      You can configure the maximum value.

      Range: 1-100

      The maximum number of concurrent connections that the ICAP Server can handle:

      (The maximum allowed number of server processes) x (The number of threads per a child process)

    • The number of threads per a child process

      The number of available threads increases or decreases as needed.

      You can configure the maximum value.

      Range: 1-100

    • Start a new child process if the number of available threads is less than [x]

      This option allows dynamic growth and lets you configure the number of new threads as needed.

      The ICAP Server counts the total number of available (idle) threads.

      If this number is lower than the number configured in this field, it creates a new child process.

    • End a child process if the number of available threads is more than [x]

      This option allows dynamic reduction of the number of threads as needed.

      The ICAP Server counts the total number of available (idle) threads.

      If this number is higher than the number configured in this field, it ends a child process.

  5. Click OK.

  6. Install the Threat Prevention Policy.

7

Install the Threat Prevention policy.

For information on how to test ICAP Server functionality, see sk174487.