This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Niels_van_Sluis
Contributor
‎2018-10-06 08:30 AM

F5 BIG-IP ICAP and SandBlast (TEX)

Enable SandBlast ICAP server

Login to export mode and start the ICAP server on the TEX appliance or security gateway.

[Expert@cp-fw-01:0]# icap_server start
cpwd_admin:  Process CICAP started successfully (pid=31792)  
[Expert@cp-fw-01:0]#

Check if the ICAP processes are running.

[Expert@cp-fw-01:0]#  ps -def |grep icap admin    
31792  4631  0 19:19 ?        00:00:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf admin    
31813 31792  0 19:19 ?        00:00:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf admin    
31820 31792  0 19:19 ?        00:00:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf admin    
31826 31792  0 19:19 ?        00:00:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf admin    
31931 31651  0 19:20 pts/1    00:00:00 grep icap 
[Expert@cp-fw-01:0]#

Enable ICAP logging.

[Expert@cp-fw-01:0]# tecli advanced remote emulator logs enable 
remote emulator logs set to enabled successfully 
[Expert@cp-fw-01:0]#

Also make sure that your firewall rules allow access to the ICAP server port 1344/TCP on the TEX appliance or security gateway.

Please note that Jumbo Hotfix Accumulator Take_286 or higher for R77.30 should be used.

More information can be found in sk111306: Check Point support for Internet Content Adaptation Protocol (ICAP) server 

Prepare the F5 BIG-IP

Download the f5.checkpoint_sandblast_icap iApp template from the link below. This is an iApp template that creates ICAP related elements (nodes, pool, internal virtual server, profiles). The newly created request and response adapt profiles can be used by standard virtual servers so they can interact with a Check Point SandBlast ICAP Server.

GitHub - nvansluis/f5.checkpoint_sandblast_icap: iApp template to integrate F5 BIG-IP with Check Poi... 

  • Login to the Configuration Utility and Import the iApp template: iApps > Templates > Import.

Import the iApp template

  • Deploy a new application by using the iApp: iApps > Application Services > Applications > Create.

Deploy a new application by using the iApp template

  • Click Finished to deploy the iApp. You will see the components that have been configured.

Overview of components being created by the iApp

  • You can now use the newly created Request and Response Adapt profiles and attach them to a Virtual Server that has been configured with a HTTP profile.

You can now use the created Request and Response Adapt profiles on a Virtual Server

Testing Check Point SandBlast

Below you'll see some screenshots of what happens when a user attempts to upload or download malicous files.

Malicious uploads

  • Upload a file that triggers Threat Emulation (Zero-Day Protection).

Upload malicious file

  • The upload of this malicious file is prevented by Check Point SandBlast.

Upload prevented

  • Here you can see the log message that is created by Check Point.

Log message

Malicious downloads

  • A user tries to download a malicious file.

User tries to download a malicious file

  • The download of a malicious file is prevented by Check Point SandBlast.

download prevented

  • Below of an example what log message is created by Check Point.

Log message

13 Replies
This widget could not be displayed.