topic Re: sandblast icap on R80.20 in Endpoint

sandblast icap on R80.20

chico — Wed, 25 Sep 2019 07:50:59 GMT

Hello,

I configured the ICAP server on checkpoint R80.20, we use a F5 BIG-IP as a client ICAP. I configured the icap_uri value as mentionend on the checkpoint documentation "/sandblast" but with this value I get the error log

"24/Sep/2019:17:12:58 +0200, ICAPserver ICAPclient REQMOD sanblast 404

After configured the icap_uri value "avscan" the scan work pretty well

24/Sep/2019:16:55:24 +0200, ICAPserver ICAPclient REQMOD avscan?allow204=on&sizelimit=off&mode=simple 200

Tue Sep 24 16:55:24 2019, 492/3921324944, VIRUS DETECTED: Unknown , http client ip: x.x.x.x, http user: -

So someone could tell me why the value "sanblast" seems doesn't work ?

Best regards,

Re: sandblast icap on R80.20

Black_Cyborg — Wed, 25 Sep 2019 10:15:49 GMT

Hi @chico,

Use the service URL

icap://<ip-address of sandblast appliance>/sandblast

icap://<ip-address of sandblast appliance>:1344/sandblast

Regards

Re: sandblast icap on R80.20

Black_Cyborg — Wed, 25 Sep 2019 10:19:19 GMT

Or look at this article from @HeikoAnkenbrand :

ICAP and Sandblast Appliance

Re: sandblast icap on R80.20

_Val_ — Wed, 25 Sep 2019 10:32:55 GMT

read here

Re: sandblast icap on R80.20

FedericoMeiners — Wed, 25 Sep 2019 12:18:29 GMT

Do you have Threat Emulation blade enabled and working? It seems that you can't use sandblast at all. Be sure to have a threat policy that applies Threat Emulation to ICAP traffic.

I have done some integrations but only over the TE appliances with ICAP, there are no secrets but to enable ICAP on the appliance and checking if it's working:

In my case the URL to point is icap://ip/sandblast

#icap_server start
#netstat -na | grep 1344
#ps ax | crep c-icap

Hope it helps,

Re: sandblast icap on R80.20

chico — Fri, 27 Sep 2019 09:40:56 GMT

Hello,

Thank you for your reply, I made a mistake on the icap url...I wrote "sanblast" instead of "sandblast".

But I don't understand how it's work...

I' m checking the checkpoint ICAP server on my lab and if I upload a eicar document, the checkpoint accept the eicar file.

I configured a ICAP profil ont the threat prevention layer with this options.

- If the threat emulation is activate ont the ICAP profil, the eicar test file is accept by checkpoint

-If I the threat emulation is not activate on the ICAP profil the eicar test document is prevent by the anti-virus blade as shown as the attached picture.

I don't underand how it's works..

If someone can explain me the difference ?

Regards,

Miguel