McAfee Web Gateway ICAP and Sandblast Appliance (TEX)

Document created by Thomas Werner Employee on Mar 28, 2018Last modified by Thomas Werner Employee on Mar 28, 2018
Version 8

Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:

To enable the ICAP server on the TEX appliance, see SK111306.
Use hotfix 286 or higher for R77.30.

Enable ICAP Server

Start ICAP server on TEX appliance or gateway:

icap_server start

Enable ICAP Logs

tecli advanced remote emulator logs enable

Note: hotfix 286 or higher activates logging automatically.

Add a firewall rule allowing the MWG to connect to the ICAP server (TEX appliance):

Source: McAfee Web Gateway
Destination: "ip-address of sandblast appliance"
Port: 1344 (TCP)

For more information on the ICAP server, see:

ICAP Server on Sandblast Appliance (TEX) 

Configuration of the McAfee ICAP client

Note:

The setup below works in "hold" mode, meaning the MWG waits for the ICAP response before it delivers the file to the end user.

Background mode on MWG is more complex to set up. The attached ruleset template can serve as a starting point.

For a better understanding of background mode, you might want to read: Solved: McAfee Support Community - Don't wait for ICAP Server response - McAfee Support Community

Under Policy -> Settings -> ICAP Client, change both the ReqMod and RespMod default settings (we configure both, but you only need RespMod for file downloads and ReqMod for file uploads):


In both the ReqMod and RespMod settings, use the URI icap://10.2.1.254:1344/sandblast from now on (10.2.1.254 being the SandBlast appliance in this example).

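As an added connectivity check (example code written for this guide, not a Check Point or McAfee tool), the script below sends an ICAP OPTIONS request to the service URI above and reports whether the service answers and which methods (RESPMOD for downloads, REQMOD for uploads) it advertises. The address 10.2.1.254, port 1344 and path sandblast are taken from this guide; the embedded sample reply is constructed for offline testing and is not a capture from a real appliance.

```python
import socket

# Assumed from this guide: SandBlast appliance 10.2.1.254, ICAP port 1344,
# service path "sandblast" (adjust for your environment).
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "10.2.1.254", 1344, "sandblast"

def build_options_request(host, port, service):
    """Build an ICAP OPTIONS request (RFC 3507) for the service URI used in the guide."""
    head = (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n")
    return head.encode("ascii")

def parse_icap_response(raw):
    """Return (status code, lower-cased header dict) from the head of an ICAP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)            # "ICAP/1.0 200 OK" (reason is optional)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def advertised_methods(headers):
    """Methods the service supports; RESPMOD is what download scanning relies on."""
    return {m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()}

def check_icap_service(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=10):
    """Query the appliance over the network and return (status code, set of methods)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, port, service))
        raw = b""
        while b"\r\n\r\n" not in raw:            # read until the end of the ICAP headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    code, headers = parse_icap_response(raw)
    return code, advertised_methods(headers)

# Constructed sample reply for offline testing (not captured from a real appliance).
SAMPLE_RESPONSE = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\n"
                   b"Service: C-ICAP example\r\nISTag: \"EXAMPLE-TAG\"\r\n"
                   b"Preview: 1024\r\nEncapsulated: null-body=0\r\n\r\n")
```

Run check_icap_service() from the MWG side once the firewall rule is in place; a connection timeout points at the firewall rule or the icap_server process, while a 200 reply without RESPMOD in the method set means downloads would not be scanned.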

Under Policy -> Rule Sets, check whether the ICAP Client section is present:

If not, add it via Add -> Rule Set from Library:

To edit the imported rule set, click “Unlock View”:

You can disable “ReqMod” if it is not needed, since downloaded files only pass through RespMod (ReqMod is only required for file uploads):

If you want to bypass ICAP scanning for large file downloads, e.g. larger than 1 MB, add the following “Skip files greater than 1MB” rule to the RespMod rule set:

Don't forget to save your changes at the end:

This is what you get when trying to download a malicious file detected by TE:


McAfee Web Gateway progress page shown to the client:

Expected outcome on malicious file download:

When clicking on “here”:

The response above is a customizable template, found at $FWDIR/c-icap/share/c_icap/templates/virus_scan/en/VIRUS_FOUND.

If you experience proxy timeouts like this:

Raise the timeout value from the default of 120 sec. to more than 300 sec.
