SQUID proxy ICAP and SandBlast (TEX)

Thomas_Werner — Thu, 27 Dec 2018 13:20:36 GMT

Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway

Enable ICAP server on TEX appliance see SK111306 and configure thread rules in Smart DashBoard.
Use hotfix 286 or higher for R77.30.

Tip!

You can use more ICAP Server in "Web Content Layer" on Bluecoat SG for example CAS appliance and TEX appliance.

Enable ICAP Server

Start ICAP server on TEX appliance or gateway:

# icap_server start

Enable ICAP Logs

# tecli advanced remote emulator logs enable <<< Hotfix 286 or higher automatically activates logging.

Enable firewall rule to connect ICAP Server (TEX Appliance)

Source: Symantec SG
Destination: "ip-address of sandblast appliance"

Port: 1344

Configure Thread Rules

Configure Thread rules in SmartDashboard

Configuring SQUID proxy

SQUID compilation flags and version

Squid Cache: Version 3.3.8

Ubuntu - configure options:

'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-ssl' '--enable-ssl-crtd' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

SQUID sample configuration

acl localnet src 192.168.6.0/24

acl localnet src 10.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

#Next Proxy configuration

#follow_x_forwarded_for allow all

#cache_peer 194.29.36.43 parent 8080 0 no-query no-digest

#never_direct deny localnet

#never_direct allow all

#forwarded_for on

#access list

http_access allow Safe_ports

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access allow localhost

http_access allow localnet

http_access deny all

#sslproxy_cert_error allow all

#always_direct allow all

#ssl_bump allow all

http_port 8080

#http_port 8080 ssl-bump cert=/etc/squid3/certs/teProxy.pem key=/etc/squid3/certs/teProxy.pem ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# SSL Bump Config

#ssl_bump stare all

#ssl_bump bump all

hierarchy_stoplist cgi-bin ?

debug_options ALL,1

coredump_dir /var/spool/squid3

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880

refresh_pattern . 0 20% 4320

visible_hostname Azoulay's proxy

#ICAP

icap_enable off

icap_preview_enable on

icap_preview_size 1024

icap_send_client_ip on

icap_service service_req reqmod_precache icap://82.80.83.10:1344/sandblast

#adaptation_access service_req allow all

#icap_service service_resp_pre respmod_precache icap://82.80.83.10:1344/sandblast

#icap_service service_resp_post respmod_postcache icap://82.80.83.10:1344/sandblast

#adaptation_access service_resp_pre allow all

#adaptation_access service_resp_post allow all

#Until HERE

#DO NOT COPY

#new_c-icap_integration

#icap_service service_req reqmod_precache icap://192.168.24.250:1344/virus_scan

#adaptation_access service_req allow all

#icap_service service_resp_pre respmod_precache icap://192.168.6.25:1344/virus_scan

#icap_service service_resp_post respmod_postcache icap://192.168.6.25:1344/virus_scan

#adaptation_access service_resp_pre allow all

#adaptation_access service_resp_post allow all

topic SQUID proxy ICAP and SandBlast (TEX) in Firewall and Security Management

SQUID proxy ICAP and SandBlast (TEX)