Getting Started with ICAP Client

Important - In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Procedure:

1. Configure ICAP Client in Gateway mode

   1. Connect to the command line on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

   2. Log in to the Expert mode.

   3. Follow the instructions in the ICAP user-disclaimer:

      [Expert@GW:0]# IcapDisclaimer.sh

      If you agreed to the ICAP user-disclaimer, continue to the next step.

   4. Backup the default ICAP Client The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections. configuration file:

      cp -v $FWDIR/conf/icap_client_blade_configuration.C{,_BKP}

   5. Configure the ICAP Client parameters:

      vi $FWDIR/conf/icap_client_blade_configuration.C

      For details, see these sections:

      • The ICAP Client Configuration File

      • Example of the ICAP Client Configuration File

   6. Save the changes in the file and exit the editor.

   7. To inspect the HTTPS traffic with the ICAP Client, you must:

      1. Enable the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. in the Security Gateway object.

      2. Configure the HTTPS Inspection Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..

      For details, see HTTPS Inspection.

   8. Install the Access Control Policy on the Security Gateway:

      • If you enabled and configured the HTTPS Inspection, install the policy from the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

      • If you did not enable and configure the HTTPS Inspection, you can do one of these:

        • Install the policy from the SmartConsole.

        • Fetch the local policy with the this command on the Security Gateway:

          fw fetch localhost

      Note - If one of the ICAP configuration parameters is not configured correctly, SmartConsole shows an error with the name of the applicable parameter.

2. Make sure you have an ICAP Server The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict. on the network, and that it can receive requests from the ICAP Client. To configure a Check Point Security Gateway as an ICAP Server, see Getting Started with ICAP Server.