chico

sandblast icap on R80.20

Hello,

I configured the ICAP server on Check Point R80.20; we use an F5 BIG-IP as the ICAP client. I configured the icap_uri value as mentioned in the Check Point documentation, "/sandblast", but with this value I get this error log:

"24/Sep/2019:17:12:58 +0200, ICAPserver ICAPclient REQMOD sanblast 404"

After configuring the icap_uri value as "avscan", the scan works fine:

24/Sep/2019:16:55:24 +0200, ICAPserver ICAPclient REQMOD avscan?allow204=on&sizelimit=off&mode=simple 200

Tue Sep 24 16:55:24 2019, 492/3921324944, VIRUS DETECTED: Unknown , http client ip: x.x.x.x, http user: -

So could someone tell me why the value "sanblast" doesn't seem to work?

 

Best regards,

 

5 Replies

Re: sandblast icap on R80.20

Hi @chico,

Use the service URL 

icap://<ip-address of sandblast appliance>/sandblast

or

icap://<ip-address of sandblast appliance>:1344/sandblast

 

Regards

BC


Re: sandblast icap on R80.20

Or look at this article from @HeikoAnkenbrand :

ICAP and Sandblast Appliance


Re: sandblast icap on R80.20

Read here.


Re: sandblast icap on R80.20

Do you have the Threat Emulation blade enabled and working? It seems that you can't use sandblast at all. Be sure to have a threat policy that applies Threat Emulation to ICAP traffic.

I have done some integrations, but only over the TE appliances with ICAP. There is no secret beyond enabling ICAP on the appliance and checking whether it's working:

In my case the URL to point to is icap://ip/sandblast

#icap_server start
#netstat -na | grep 1344
#ps ax | grep c-icap

Hope it helps,

____________
https://www.linkedin.com/in/federicomeiners/
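Because the whole thread turns on a one-letter difference in the service path (404 for "sanblast", 200 for "avscan"), here is an added example, not code from the thread or from Check Point, of a small ICAP REQMOD probe in Python. It sends the same kind of request the BIG-IP sends and reports the ICAP status code for whatever service path you give it, which is a quicker check than reading the F5 log after each config change. The port 1344 and the service names "sandblast" and "avscan" come from the thread; the request framing follows RFC 3507; the responder at the bottom is a constructed stand-in that answers 200 for known paths and 404 for anything else, so the script runs offline. Point `probe()` at the appliance's IP instead to run the same check against the live ICAP server.

```python
"""ICAP REQMOD probe: does the server know the service path you are about to
put in the F5 icap_uri field?

Added example, not code from the thread or from Check Point. The fake
responder at the bottom is a constructed stand-in so the probe runs offline.
"""
import socket
import threading

ICAP_PORT = 1344  # default ICAP port, the one checked with netstat in the thread


def build_reqmod(host: str, service: str, body: bytes) -> bytes:
    """Build an ICAP REQMOD request (RFC 3507) wrapping a small HTTP POST whose
    body is `body`, chunked as ICAP requires. `service` is the path (plus any
    query) that follows icap://host/, e.g. "sandblast" or "avscan?allow204=on"."""
    http_hdr = (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: www.example.invalid\r\n"  # constructed origin host
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: %d\r\n\r\n" % len(body)
    )
    http_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)  # one chunk + terminator
    icap_hdr = (
        b"REQMOD icap://%s/%s ICAP/1.0\r\n"
        b"Host: %s\r\n"
        b"Allow: 204\r\n"  # same meaning as the F5's allow204=on
        b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n"
        % (host.encode(), service.encode(), host.encode(), len(http_hdr))
    )
    return icap_hdr + http_hdr + http_body


def parse_icap_status(response: bytes) -> int:
    """Return the numeric code from an ICAP status line such as
    b'ICAP/1.0 404 ICAP Service not found'. Raises ValueError otherwise."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP status line: %r" % status_line)
    return int(parts[1])


def probe(host: str, port: int, service: str, body: bytes = b"probe", timeout: float = 5.0) -> int:
    """Send one REQMOD for `service` and return the ICAP status code.
    200 or 204 means the service path exists; 404 means the server does not
    know it (the thread's "sanblast" case). `body` is a placeholder payload;
    substitute the EICAR test string to exercise the scanning path."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_reqmod(host, service, body))
        data = b""
        while b"\r\n\r\n" not in data:  # read until the ICAP headers end
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_icap_status(data)


def start_fake_icap_server(known_services=("sandblast", "avscan"), port=0):
    """Constructed stand-in for the appliance, for offline testing only:
    answers 200 for a known service path and 404 for any other path.
    Returns (bound_port, stop_function)."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))
    listener.listen(5)
    listener.settimeout(0.2)
    stop = threading.Event()

    def handle(conn):
        with conn:
            req = b""
            while b"\r\n\r\n" not in req:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                req += chunk
            try:  # request line: "REQMOD icap://host[:port]/service?query ICAP/1.0"
                uri = req.split(b"\r\n", 1)[0].split(b" ")[1]
                service = uri.split(b"/", 3)[3].split(b"?", 1)[0].decode()
            except (IndexError, UnicodeDecodeError):
                service = ""
            if service in known_services:
                conn.sendall(b'ICAP/1.0 200 OK\r\nISTag: "fake"\r\nEncapsulated: null-body=0\r\n\r\n')
            else:
                conn.sendall(b"ICAP/1.0 404 ICAP Service not found\r\nEncapsulated: null-body=0\r\n\r\n")

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            handle(conn)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop.set


if __name__ == "__main__":
    fake_port, stop_server = start_fake_icap_server()
    for svc in ("sanblast", "sandblast", "avscan?allow204=on&sizelimit=off&mode=simple"):
        print(svc, "->", probe("127.0.0.1", fake_port, svc))
    stop_server()
```

The probe only answers the question of whether the service path is known to the server. A 200 from a real appliance does not by itself say whether Anti-Virus or Threat Emulation acted on the content; for that, look at the ICAP response headers and the gateway's own logs, as the thread goes on to discuss.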
chico

Re: sandblast icap on R80.20

Hello,

 

Thank you for your reply. I made a mistake in the ICAP URL: I wrote "sanblast" instead of "sandblast".

But I don't understand how it works...

I'm checking the Check Point ICAP server in my lab, and if I upload an EICAR document, Check Point accepts the EICAR file.

I configured an ICAP profile on the Threat Prevention layer with these options:

- If Threat Emulation is activated in the ICAP profile, the EICAR test file is accepted by Check Point.

- If Threat Emulation is not activated in the ICAP profile, the EICAR test document is prevented by the Anti-Virus blade, as shown in the attached picture.

I don't understand how it works...

Can someone explain the difference to me?

 

Regards,

 

Miguel
