Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Symantec (Bluecoat) SG ICAP and Sandblast (TEX)

ICAP integration for R77.30 and R80.10

 

Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:

Enable ICAP server on TEX appliance see SK111306 and configure thread rules in Smart DashBoard. 
Use hotfix 286 or higher for R77.30.

 

Tip!

You can use more ICAP Server in "Web Content Layer" on Bluecoat SG for example CAS appliance and TEX appliance.

 

Enable ICAP Server

Start ICAP server on TEX appliance or gateway:

# icap_server start

 

Enable ICAP Logs

# tecli advanced remote emulator logs enable    <<< Hotfix 286 or higher automatically activates logging.

 

Enable firewall rule to connect ICAP Server (TEX Appliance)

Source: Symantec SG
Destination: "ip-address of sandblast appliance"

Port: 1344

 

Configure Thread Rules

Configure Thread rules in SmartDashboard

.

Configuring ICAP on Symantec SWG:


     ICAP Servers Request

  1. Go to Configuration  > content Analysis > ICAP and click on New.
  2. Enter a Name "sandblast_server" for the server.
  3. Go to Configuration  > content Analysis > ICAP and click on Edit "sandblast_server"

  4. Enter the Service URL icap://ip-address of sandblast appliance/sandblast
  5. Set the Maximum nummber of connection: 100 <<< You can configure this on sandblast appliance in config files. Set the same value. If you overstay the value you become an ICAP error!
  6. Set Method supported: request modification <<< Use request mod.
  7. Set Send: Client address/ Server address/ Auth user

    ICAP Servers Response
    1. Go to Configuration  > content Analysis > ICAP and click on New.
    2. Enter a Name "sandblast_server_response" for the server.
    3. Go to Configuration  > content Analysis > ICAP and click on Edit "sandblast_server_response"

    4. Enter the Service URL icap://ip-address of sandblast appliance/sandblast
    5. Set the Maximum nummber of connection: 100 <<< You can configure this on sandblast appliance in config files. Set the same value. If you overstay the value you become an ICAP error!
    6. Set Method supported: response modification <<< Use request mod.
    7. Set Send: Client address/ Server address/ Auth user

      ICAP Servers Response Analysis

      1. Go to Configuration  > Policy > Visual Policy Manager
      2. Add Web Content Layer
      3. Enter the new > Performe Response Analysis
      4. Add Available Service:sandblast_server_response <<< Response Service
      5. Enter the new > Performe Request Analysis

      6. Add Available Service:sandblast_server <<< Request Service
      7. See Web Conten Layer Rule


      Regards,

      Heiko

39 Replies
Highlighted
Employee
Employee

Hello Heiko, 

       I am looking for documentation for F5 LTM i2600 integration with Sandblast appliance. Do you have one? 

Thank you!

Regards,

Coco

0 Kudos
Highlighted

Hi Coco,

On F5 side this is a bit problematic. You can't limit the number of ICAP sessions. For example, if the TE appliance is set to 100 sessions and you open the 101 session, you will get an ICAP error.

Unfortunately, this cannot be adjusted on the F5 side. I have already opened a ticket at F5. But so far without success.

On the TE Appliance you have to configure it as described in my articles:

Symantec (Bluecoat) SG ICAP and Sandblast (TEX) 

Fortigate Firewall ICAP and Sandblast (TEX) 

Here you can find an article how it works with F5:

AskF5 | Manual Chapter: Configuring Content Adaptation for HTTP Requests 

Regards

Heiko

Highlighted
Employee
Employee

Thank you for the sharing Heiko! Smiley Happy

In my design, customer will have F5 LTM work with 2-3 Sandblast appliances. In this case, will LTM be able to deliver the 101 session to next available Sandblast appliance? Thank you!

Regards,

Coco

Highlighted

Hi Coco,

it is the same issue! The problem is only shifted (100* 3 Te appliances). So you have the ICAP error of the 301 connection. With Bluecoat or Fortigate you can define the upper limit "max ICAP connections". With F5 this is unfortunately not possible. This means that this can always be a problem if it is exceeded. I have not found a solution yet. 

Regards,

Heiko

Highlighted

Hello Mr. Heiko, congratulations for your exceptional knowledge about security and deep configuration of checkpoint products. Can I ask you for a new document about  icap integration with symantec DLP sever using the new capabilities of icap client on r80.20?

Thank you so much.

Regards.

Alessandro

0 Kudos
Highlighted

Sorry, I have no experience with R80.20 and ICAP yet.

I'll try that out in the next few days.

Highlighted

Thank you!

0 Kudos
Highlighted

More coming soon!

0 Kudos
Highlighted

Thank's for this info.

Heiko

0 Kudos
Highlighted

Testing at the moment with R80.20 and R80.30EA.

More coming soon.

0 Kudos