https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7583#M14096 <HTML><HEAD></HEAD><BODY><P>Basically, what the fix here provides is the ability to turn your gateway into an ICAP server:&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111306" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111306">Check Point support for Internet Content Adaptation Protocol (ICAP) server</A>&nbsp;</P><P>This allows your proxy to consult the Check Point Threat Emulation blade on the Security Gateway to determine if the file downloaded is benign or malicious.</P><P></P><P>It's worth noting that this hotfix, while considered GA, it is not integrated into a major release (i.e. not part of R80.10).</P><P>You also may have issues applying other hotfixes on top of this release.</P></BODY></HTML> Tue, 17 Oct 2017 00:54:05 GMT PhoneBoy 2017-10-17T00:54:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7582#M14095 <HTML><HEAD></HEAD><BODY><P>We currently run a 2-node VSX cluster w/R77.30 and are looking to implement TE with the gateways forwarding to the ThreatCloud for Emulation.</P><P></P><P>Our environment uses a Intel web gateway as a forward proxy - so we are trying to understand the options available.</P><P></P><P>Im hearing ICAP might be an option - but there isn’t really any information about it other than one SK.</P><P></P><P>I’m just looking for more information on what deployment options might be available.</P></BODY></HTML> Mon, 16 Oct 2017 22:13:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7582#M14095 dd84 2017-10-16T22:13:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7583#M14096 <HTML><HEAD></HEAD><BODY><P>Basically, what the fix here provides is the ability to turn your gateway into an ICAP server:&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111306" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111306">Check Point support for Internet Content Adaptation Protocol (ICAP) server</A>&nbsp;</P><P>This allows your proxy to consult the Check Point Threat Emulation blade on the Security Gateway to determine if the file downloaded is benign or malicious.</P><P></P><P>It's worth noting that this hotfix, while considered GA, it is not integrated into a major release (i.e. not part of R80.10).</P><P>You also may have issues applying other hotfixes on top of this release.</P></BODY></HTML> Tue, 17 Oct 2017 00:54:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7583#M14096 PhoneBoy 2017-10-17T00:54:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7584#M14097 <HTML><HEAD></HEAD><BODY><P>Thanks for your response Daemon.</P><P></P><P>Is this the only supported deployment model in an environment that utilizes a forward proxy?</P><P></P><P>We were told that running the Sandblast Browser Agent would work - but we haven’t been able to get it functioning correctly with TAC and believe there is a limitation with forward proxy and SBA4B. &nbsp;Correct me if you believe otherwise?</P></BODY></HTML> Tue, 17 Oct 2017 01:00:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7584#M14097 dd84 2017-10-17T01:00:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7585#M14098 <HTML><HEAD></HEAD><BODY><P class="">For the above solution I mentioned, yes, that is correct.</P><P class="">SBA4B is a different way to solve the same problem but the client sends the files to ThreatCloud, returning either a “safe” version of the file, the original (if it’s safe), or block the download if it is malicious.</P><P class="">I am not aware of any issues with proxies and SBA4B but maybe <A _jive_internal="true" class="jive-link-profile-small jive_macro jive_macro_user" href="https://community.checkpoint.com/people/arzile9338099-64b6-3d9b-be29-fc67dc1788f6">Lior Arzi&nbsp;</A>or someone on his team can comment.</P></BODY></HTML> Tue, 17 Oct 2017 23:12:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7585#M14098 PhoneBoy 2017-10-17T23:12:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7586#M14099 <HTML><HEAD></HEAD><BODY><P>ICAP Server HF is integrated with the current JHF286.</P><P>But I am not sure about support of ICAP HF on VSX.</P><P></P><P>You can however install a separate CP GW with R77.30 and use ICAP HF there to emulate files in the cloud received from your proxy. So you might give it a try ...</P><P><BR />Regards Thomas</P></BODY></HTML> Fri, 27 Oct 2017 13:38:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sandblast-Proxy-HTTPS/m-p/7586#M14099 Thomas_Werner 2017-10-27T13:38:16Z