
sandblast icap on R80.20


I configured the ICAP server on Check Point R80.20; we use an F5 BIG-IP as the ICAP client. I configured the icap_uri value as mentioned in the Check Point documentation, "/sandblast", but with this value I get this error in the log:

"24/Sep/2019:17:12:58 +0200, ICAPserver ICAPclient REQMOD sanblast 404

After configuring the icap_uri value "avscan", the scan works pretty well:

24/Sep/2019:16:55:24 +0200, ICAPserver ICAPclient REQMOD avscan?allow204=on&sizelimit=off&mode=simple 200

Tue Sep 24 16:55:24 2019, 492/3921324944, VIRUS DETECTED: Unknown , http client ip: x.x.x.x, http user: -

So could someone tell me why the value "sanblast" doesn't seem to work?


Best regards,


0 Kudos
5 Replies

Re: sandblast icap on R80.20

Hi @chico,

Use the service URL 

icap://<ip-address of sandblast appliance>/sandblast


icap://<ip-address of sandblast appliance>:1344/sandblast






0 Kudos

Re: sandblast icap on R80.20

Or look at this article from @HeikoAnkenbrand :

ICAP and Sandblast Appliance

0 Kudos

Re: sandblast icap on R80.20

read here


0 Kudos

Re: sandblast icap on R80.20

Do you have Threat Emulation blade enabled and working? It seems that you can't use sandblast at all. Be sure to have a threat policy that applies Threat Emulation to ICAP traffic.

I have done some integrations, but only over the TE appliances with ICAP. There is no secret other than enabling ICAP on the appliance and checking that it's working:

In my case the URL to point is icap://ip/sandblast

#icap_server start
#netstat -na | grep 1344
#ps ax | grep c-icap

Hope it helps,

0 Kudos

Re: sandblast icap on R80.20



Thank you for your reply. I made a mistake in the ICAP URL... I wrote "sanblast" instead of "sandblast".

But I don't understand how it works...

I'm checking the Check Point ICAP server in my lab, and if I upload an EICAR document, Check Point accepts the EICAR file.

I configured an ICAP profile on the threat prevention layer with these options.

- If Threat Emulation is activated on the ICAP profile, the EICAR test file is accepted by Check Point.

- If Threat Emulation is not activated on the ICAP profile, the EICAR test document is prevented by the Anti-Virus blade, as shown in the attached picture.

I don't understand how it works...

Can someone explain the difference to me?





0 Kudos