The ICAP Client Configuration File

The ICAP ClientClosed The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections. configuration file on Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. ($FWDIR/conf/icap_client_blade_configuration.C) contains a number of sections.

Each section contains the applicable parameters.

Some parameters accept only string values (notice the mandatory double quotes).

Some parameters accept only integer values.

Parameter

Accepted Values

Description

:enabled ()

  • "false"

  • "true"

Controls the ICAP Client feature:

  • "false" - Disables the feature

  • "true" - Enables the feature

Default: "false"

:filter_http_method ()

  • :method ("GET")

  • :method ("PUT")

  • :method ("POST")

  • :method ("CONNECT")

  • :method ("HEAD")

  • :method ("OPTIONS")

Controls which HTTP methods to process.

If this section is empty, there is no filter for HTTP requests. As a result, ICAP functionality is not activated on all HTTP requests.

Default: "GET", "PUT", and "POST"

:http_services ()

:port (NUMBER)

Integer from 1 to 65535

Controls on which port to process the HTTP packets.

This is in addition to the HTTP services that are defined by default in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. (such as: HTTP for TCP port 80 and HTTPS for TCP port 443).

You must explicitly add every port, on which you transfer HTTP packets. Ranges of ports are not supported.

ICAP filtering (HTTP methods) works on every port you define in this section. If traffic matches a filter, full ICAP functionality is activated on that port.

Default: 8080

Best Practice - Add only applicable ports.

:inspect_html_response ()

  • "false"

  • "true"

Controls whether ICAP Client sends HTTP responses with content-type "text/html":

  • "false" - ICAP Client does not send an HTTP response with content-type "text/html".

  • "true" - ICAP Client also sends an HTTP response with content-type "text/html".

Default: "false"

:user_check_interaction_name ()

Plain-text string (string length is up to 32 characters)

Controls the name of UserCheckClosed Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. block page.

If you change the default value, you must configure your value in the SmartConsole:

  1. Objects menu > Object Explorer > More object types > UserCheck > New Drop.

  2. Select the Access Control related policy.

  3. Click OK.

  4. You must enter the same name as you configured in the ICAP Client configuration file.

  5. Add the new message for the UserCheck Block page.

  6. Click OK.

  7. Install the Access Control Policy on the Security Gateway.

Default: "Blocked Message - Access Control"

:trickling_mode ()

  • 0

  • 1

  • 2

  • 3

Controls the Data Trickling mode (see Configuring ICAP Client Data Trickling Parameters).

To avoid HTTP connection timeout when you upload or download large files, you can use the Data Trickling to pass some of the original HTTP payload to its destination, while the ICAP ServerClosed The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict. scans this HTTP payload.

  • 0 - No data trickling. ICAP Client always holds the HTTP connections until it gets a verdict from an ICAP Server (same functionality as for processing small files).

  • 1 - Read-only mode. The ICAP Client sends the entire HTTP payload to its original destination without waiting for the ICAP Server's response. When the ICAP Server responds, a log is generated according to the log configuration.

  • 2 - Trickling from the Start mode. ICAP Client sends the entire HTTP payload to its original destination, but slower than the original HTTP connection speed. This behavior is so that the ICAP Server verdict arrives before ICAP Client sends the HTTP payload to its original destination.

  • 3 - Trickling at the End mode. ICAP Client sends the entire HTTP payload to its original destination, except for the last (constant size) HTTP payload. Based on the verdict from the ICAP Server, ICAP Client sends or does not send this last HTTP payload.

Default: 0

:log_level ()

  • 0

  • 1

  • 2

  • 3

Controls the ICAP Client log level:

  • 0 - No logs.

  • 1 - Error logs (arrive with Alert).

  • 2 - Information logs (include verdict for the original HTTP connection).

  • 3 - Verbose logs (include service action for each ICAP Server connection).

Default: 0

:icap_servers ()

 

Defines the ICAP Servers, with this the ICAP Client works.

:icap_servers () - :name ()

Plain-text string (string length is up to 32 characters)

Defines the name of the ICAP Server. Used for logging.

:icap_servers () - :ip ()

IPv4 Address in quad-decimal format (string length is up to 32 characters)

Defines the IPv4 address of the ICAP Server.

This parameter is mandatory.

Note - For the ICAP Server on a Check Point clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., must enter the Cluster Virtual IPv4 address.

:icap_servers () - :ip6 ()

IPv6 Address (string length is up to 40 characters)

Defines the IPv6 address of the ICAP Server.

This parameter is optional.

Notes:

  • The ICAP server must have an IPv6 set up.

  • For the ICAP server on a Check Point cluster, must enter the Cluster Virtual IPv6 address.

:icap_servers () - :port ()

Integer from 1 to 65535

Defines the port on the ICAP Server.

Default: 1344

:icap_servers () - :service ()

Plain-text string up to 32 characters

Defines the name of the ICAP service.

Default: "echo"

:icap_servers () - :proto ()

"icap"

Defines the ICAP protocol.

Note - You must not change this value.

Default: "icap"

:icap_servers () - :modification_mode ()

  • "reqmod"

  • "respmod"

  • "both"

Defines the ICAP modification mode:

  • "reqmod" - HTTP request modification (REQMOD) only.

  • "respmod" - HTTP response modification (RESPMOD) only.

  • "both" - Both HTTP request and HTTP response modification modes.

Default: "both"

:icap_servers () - :transp ()

"3rd_cpas"

Defines the 3rd party connection type.

Note - You must not change this value.

Default: "3rd_cpas"

:icap_servers () - :failmode ()

  • close

  • open

Defines the ICAP Client fail mode:

  • close - In case of an ICAP error, the original HTTP connection is closed.

  • open - In case of an ICAP error, the original HTTP connection stays opened.

  • Logs will be according to :log_level () value.

For HTTP requests or responses with a body, the last service fail-mode action is always treated as close, regardless of the defined value.

Default: close

:icap_servers () - :timeout ()

Integer from 1 to (2^32)-1

Defines the ICAP Client timeout (in seconds).

After this time passes, the ICAP Client sends a reset to the ICAP Server.

Default: 61

:icap_servers () - :max_conns ()

Integer from 1 to (2^32)-1

Defines the maximum number of ICAP opened connections to each configured ICAP Server.

Default: 250

:icap_servers () - :user_check_action ()

  • 0

  • 1

  • 2

Defines the UserCheck action:

  • 0 - No "Block" page.

  • 1 - ICAP "Block" page.

  • 2 - Redirect to UserCheck Portal ("Block" page). On the Security Gateway, you must enable at least one of the supported Software Blades and the UserCheck.

Default: 1

:icap_servers () - :x_headers ()

 

Controls the X-Headers: X-Client-IP, X-Server-IP, and X-Authenticated-User.

:icap_servers () - :x_headers () - :x_client_ip ()

  • "false"

  • "true"

Controls the X-Header X-Client-IP:

  • "false" - Does not process this X-Header.

  • "true" - Adds the XFF header value of the original HTTP request, if this X-Header exists, or the source IP address if it does not.

Default: "false"

:icap_servers () - :x_headers () - :x_server_ip ()

  • "false"

  • "true"

Controls the X-Header X-Server-IP:

  • "false" - Does not process this X-Header.

  • "true" - Adds the destination IP address (proxy's IP address or resolving HTTP Hostname).

Default: "false"

:icap_servers () - :x_headers () - :x_authenticated_user ()

  • "false"

  • "true"

Controls the X-Header X-Authenticated-User:

Default: "false"

:icap_servers () - :x_headers () - :authentication_source ()

  • "WinNT"

  • "LDAP"

  • "Radius"

  • "Local"

Defines the Auth-Scheme for user authentication URI.

Note - URI is given as plain-text, and not in the Base64 encoding.

Default: "Local"

:icap_servers () - :x_headers () - :base64_username_encode ()

  • "false"

  • "true"

Controls whether to encode the X-Header X-authenticated-user with Base64 encoding

  • "false" - Does not encode.

  • "true" - Encodes with the Base64 encoding.

Default: "true"

:rules_type ()

  • "none"

  • "include"

  • "exclude"

Controls the network filter rules:

  • "none" - Disables the network filter rules. ICAP Client ignores all other parameters of network filter rules. Same as "any" in the Source and Destination.

  • "include" - ICAP Client sends all IP addresses in the IP ranges (see below) to the ICAP Server

  • "exclude" - ICAP Client does not send the IP addresses in the IP ranges (see below) to the ICAP Server

Default: "none"

:network_filter_rules_ip4 ()

 

Controls the network filter rules for source and destination IPv4 addresses.

:network_filter_rules_ip4 () - :src_ip_ranges ()

 

Defines the source IPv4 addresses.

Each ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. can contain only one ":src_ip_ranges ()" parameter.

The ":src_ip_ranges ()" parameter can contain more than one ":min_ip ()" and ":max_ip ()" parameters.

:network_filter_rules_ip4 () - :src_ip_ranges () - :min_ip ()

  • any

  • IPv4 Address in quad-decimal format

Defines the minimum source IPv4 address in the range of IPv4 source addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you defined ":min_ip (any)", you must also define ":max_ip (any)".

  • IPv4 Address - ICAP Client processes the HTTP traffic from HTTP clients, whose IPv4 addresses start from this configured IPv4 address.

:network_filter_rules_ip4 () - :src_ip_ranges () - :max_ip ()

  • any

  • IPv4 Address in quad-decimal format

Defines the maximum source IPv4 address in the range of IPv4 source addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you defined ":max_ip (any)", you must also define ":min_ip (any)".

  • IPv4 Address - ICAP Client processes the HTTP traffic from HTTP clients, whose IPv4 addresses end with this configured IPv4 address.

:network_filter_rules_ip4 () - :dst_ip_ranges ()

 

Defines the destination IPv4 addresses.

Each rule can contain only one ":dst_ip_ranges ()" parameter.

The ":dst_ip_ranges ()" parameter can contain more than one ":min_ip ()" and ":max_ip ()" parameters.

:network_filter_rules_ip4 () - :dst_ip_ranges () - :min_ip ()

  • any

  • IPv4 Address in quad-decimal format

Defines the minimum destination IPv4 address in the range of IPv4 destination addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you defined ":min_ip (any)", you must also define ":max_ip (any)".

  • IPv4 Address - ICAP Client processes the HTTP traffic from HTTP clients, whose IPv4 addresses start from this configured IPv4 address.

:network_filter_rules_ip4 () - :dst_ip_ranges () - :max_ip ()

  • any

  • IPv4 Address in quad-decimal format

Defines the maximum destination IPv4 address in the range of IPv4 destination addresses.

  • any - ICAP Client processes the HTTP traffic sent to all HTTP servers.

    If you defined ":max_ip (any)", you must also define ":min_ip (any)".

  • IPv4 Address - ICAP Client processes the HTTP traffic sent to HTTP servers, whose IPv4 addresses end with this configured IPv4 address.

:network_filter_rules_ip6 ()

 

Controls the network filter rules for source and destination IPv6 addresses.

:network_filter_rules_ip6 () - :src_ip_ranges ()

 

Defines the source IPv6 addresses.

Each rule can contain only one ":src_ip_ranges ()" parameter.

The ":src_ip_ranges ()" parameter can contain more than one ":min_ip ()" and ":max_ip ()" parameters.

:network_filter_rules_ip6 () - :src_ip_ranges () - :min_ip ()

  • any

  • IPv6 Address

Defines the minimum source IPv6 address in the range of IPv6 source addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you defined ":min_ip (any)", you must also define ":max_ip (any)".

  • IPv6 Address - ICAP Client processes the HTTP traffic from HTTP clients, whose IPv6 addresses start from this configured IPv6 address.

:network_filter_rules_ip6 () - :src_ip_ranges () - :max_ip ()

  • any

  • IPv6 Address

Defines the maximum source IPv6 address in the range of IPv6 source addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you defined ":max_ip (any)", you must also define ":min_ip (any)".

  • IPv6 Address - ICAP Client processes the HTTP traffic from HTTP clients, whose IPv6 addresses end with this configured IPv6 address.

:network_filter_rules_ip6 () - :dst_ip_ranges ()

 

Defines the destination IPv6 addresses.

Each rule can contain only one ":dst_ip_ranges ()" parameter.

The ":dst_ip_ranges ()" parameter can contain more than one ":min_ip ()" and ":max_ip ()" parameters.

:network_filter_rules_ip6 () - :dst_ip_ranges () - :min_ip ()

  • any

  • IPv6 Address

Defines the minimum destination IPv6 address in the range of IPv6 destination addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you defined ":min_ip (any)", you must also define ":max_ip (any)".

  • IPv6 Address - ICAP Client processes the HTTP traffic from HTTP clients, whose IPv6 addresses start from this configured IPv6 address.

:network_filter_rules_ip6 () - :dst_ip_ranges () - :max_ip ()

  • any

  • IPv6 Address

Defines the maximum destination IPv6 address in the range of IPv6 destination addresses.

  • any - ICAP Client processes the HTTP traffic from all HTTP clients.

    If you defined ":max_ip (any)", you must also define ":min_ip (any)".

  • IPv6 Address - ICAP Client processes the HTTP traffic from HTTP clients, whose IPv6 addresses end with this configured IPv6 address.

Notes about the ":network_filter_rules_ip4 ()" and ":network_filter_rules_ip6 ()" parameters:

  • Each ":network_filter_rules_ipX ()" rule can contain only one ":src_ip_ranges ()" parameter.

    The ":src_ip_ranges ()" parameter in the rule can contain more than one ":min_ip ()" and ":max_ip ()" parameters.

  • Each ":network_filter_rules_ipX ()" rule can contain only one ":dst_ip_ranges ()" parameter.

    The ":dst_ip_ranges ()" parameter in the rule can contain more than one ":min_ip ()" and ":max_ip ()" parameters.

  • ICAP Client performs these logical operations in parallel:

    • [:network_filter_rules_ip4 ()] OR [:network_filter_rules_ip6 ()]

    • [:src_ip_ranges ()] AND [:dst_ip_ranges ()]

    • In the ":src_ip_ranges ()" parameter - [:min_ip ()] OR [:max_ip ()]

    • In the ":dst_ip_ranges ()" parameter - [:min_ip ()] OR [:max_ip ()]

    If the result of these logical operations is TRUE and :rules_type ("include"), then ICAP Client works.

    If the result of these logical operations is TRUE and :rules_type ("exclude"), then ICAP Client does not work.