This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
chico
Contributor
‎2019-09-25 12:50 AM

sandblast icap on R80.20

Hello,

I configured the ICAP server on checkpoint R80.20, we use a F5 BIG-IP as a client ICAP. I configured the icap_uri value as mentionend on the checkpoint documentation "/sandblast" but with this value I get the error log

"24/Sep/2019:17:12:58 +0200, ICAPserver ICAPclient REQMOD sanblast 404

After configured the icap_uri value "avscan" the scan work pretty well

24/Sep/2019:16:55:24 +0200, ICAPserver ICAPclient REQMOD avscan?allow204=on&sizelimit=off&mode=simple 200

Tue Sep 24 16:55:24 2019, 492/3921324944, VIRUS DETECTED: Unknown , http client ip: x.x.x.x, http user: -

So someone could tell me why the value "sanblast" seems doesn't work ?

 

Best regards,

 

0 Kudos
5 Replies
Black_Cyborg
Participant
‎2019-09-25 03:15 AM

Hi @chico,

Use the service URL 

icap://<ip-address of sandblast appliance>/sandblast

or

icap://<ip-address of sandblast appliance>:1344/sandblast

 

Regards

BC

 

 

0 Kudos
_Val_
Admin
Admin
‎2019-09-25 03:32 AM

read here

 

0 Kudos
FedericoMeiners
Advisor
‎2019-09-25 05:17 AM

Do you have Threat Emulation blade enabled and working? It seems that you can't use sandblast at all. Be sure to have a threat policy that applies Threat Emulation to ICAP traffic.

I have done some integrations but only over the TE appliances with ICAP, there are no secrets but to enable ICAP on the appliance and checking if it's working:

In my case the URL to point is icap://ip/sandblast

#icap_server start
#netstat -na | grep 1344
#ps ax | crep c-icap

Hope it helps,

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
chico
Contributor
‎2019-09-27 02:38 AM
In response to FedericoMeiners

Hello,

 

Thank you for your reply, I made a mistake on the icap url...I wrote "sanblast" instead of "sandblast". 

But I don't understand how it's work...

I' m checking the checkpoint ICAP server on my lab and if I upload a eicar document, the checkpoint accept the eicar file.

I configured a ICAP profil ont the threat prevention layer with this options.

- If the threat emulation is activate ont the ICAP profil, the eicar test file is accept by checkpoint

-If I the threat emulation is not activate on the ICAP profil the eicar test document is prevent by the anti-virus blade  as shown as the attached picture.

I don't underand how it's works..

If someone can explain me the difference ?

 

Regards,

 

Miguel

icap_test.png
Preview file
14 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top