This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion
Champion
‎2018-03-26 01:50 AM

Fortigate Firewall ICAP and Sandblast (TEX)

ICAP integration for R77.30 and R80.10

 

Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:

Enable ICAP-Server on TEX Appliance see SK111306 and configure Thread rules in DashBoard. 
Use Hotfix 286 or higher for R77.30.

 

Enable ICAP Server

Start ICAP server on TEX appliance or gateway:

# icap_server start

 

Enable ICAP Logs

# tecli advanced remote emulator logs enable    <<< Hotfix 286 or higher automatically activates logging.

Enable firewall rule to connect ICAP Server (TEX Appliance)

Source: Fortigate
Destination: "ip-address of sandblast appliance"

Port: 1344

 

Configure Thread Rules

Configure Thread rules in SmartDashboard

.

Configuring ICAP on Fortigate:

 

ICAP Servers

  1. Go to Security Profiles > ICAP Servers and click on Create New.
  2. Enter a Name "sandblast_server" for the server.
  3. Enter the server's IP Address ip-address of sandblast appliance
  4. Set the Port; 1344 is default TCP port used for the ICAP traffic.

Maximum Connections

config icap server

edit sandblast_server

set max-connection 100   <<< You can configure this on sandblast appliance in config files. Set the same value. If you overstay the value you become an ICAP error!

end

Profile

  1. Go to Security Profiles > ICAP and click on Create New.
  2. Enter a Name  "Sandblast_Profile" for the server.
  3. Enable settings as required.
    1. Enable Request Processing allows the ICAP server to process request messages. If enabled this setting will also require:
        • Server - This is the name of the ICAP server >>> sandblast_server
        • Path - This is the path on the server to the processing content “icap://<ip-address of sandblast appliance>:1344/sandblast”.
        • On Failure  Error or Bypass.
    2. Enable Response Processing allows the ICAP server to process response messages. If enabled this setting will also require:
        • Server - This is the name of the ICAP server >>> sandblast_server
        • Path - This is the path on the server to the processing compent "icap://<ip-address of sandblast appliance>:1344/sandblast”.
        • On Failure  Error or Bypass.
    3. Enable Streaming Media Bypass allows streaming media to ignore offloading to the ICAP server.
  4. Select Apply.

 

Enable firewall rule to connect ICAP Server (TEX Appliance)

Source: Fortigate
Destination: "ip-address of sandblast appliance"

Port: 1344

 

Enable firewall rule to use ICAP Profile  

Source: xyz-ip 
Destination: xyz-ip

Port: http

Profile: "Sandblast_Profile"

 

 ---

Better:

Use a Check Point Firewall! Smiley Happy

 

Regards,

Heiko


➜ CCSM Elite, CCME, CCTE
13 Replies
Jejj_Longman
Participant
‎2018-03-26 11:02 AM

With which Fortigate version does this work?

HeikoAnkenbrand
Champion
Champion
‎2018-03-26 11:30 AM

I had checked this with FortiOS 5.4 and 5.6


➜ CCSM Elite, CCME, CCTE
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-03-27 09:28 AM

Hi Heiko,

this is not needed anymore:

Enable ICAP Logs

# tecli advanced remote emulator logs enable

The included ICAP server (since JHF286) will create logs automatically.

I also assume the caption should read "Fortigate" 🙂

Regards Thomas

HeikoAnkenbrand
Champion
Champion
‎2018-03-27 09:39 AM

THX Thomas

I'll change that tomorrow.

Regards,

Heiko


➜ CCSM Elite, CCME, CCTE
Pablo_Montega
Contributor
‎2018-03-29 02:15 AM

Is it possible to use ICAP with other firewall?

Anybody got experience?

Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-03-29 02:43 AM

Hi Pablo,

what do you exactly mean ?

Attaching a FW with ICAP client functionality to the SandBlast ICAP server ?

Actually you can attach any RFE ICAP client to our solution ...

Regards Thomas

S__B_
Participant
‎2018-04-02 12:10 AM

Is it possible to use the FortiProxy on Fortigate with ICAP?

HeikoAnkenbrand
Champion
Champion
‎2018-04-02 02:14 AM

Yes,  it is possible for the proxy function in the fortigate firewall.

Regards,

Heiko


➜ CCSM Elite, CCME, CCTE
Slavisa_Stojkov
Participant
‎2018-05-13 04:29 AM

Forti OS 5.4.7 doesn‘t work as proxy. I become an icap error: To many icap connections.

HeikoAnkenbrand
Champion
Champion
‎2018-05-25 05:40 AM

Hello Slavisa,

FortiOS 5.4.7 is very buggy. I would use the 5.4.8 version. But we should not discuss in Check Point forum.Smiley Happy

Regards,

Heiko


➜ CCSM Elite, CCME, CCTE
Oleksandr_Rapp
Employee Alumnus
Employee Alumnus
‎2019-02-26 06:22 AM

Maximum Connections

config icap server

edit sandblast_server

set max-connection 100   <<< You can configure this on sandblast appliance in config files. Set the same value. If you overstay the value you become an ICAP error!

end

Which config files on sandblast appliance should i configure?

Tsvika_Skupinsk
Employee Alumnus
Employee Alumnus
‎2019-02-27 02:22 AM

All, please be noted that the R77.30 RFE is not relevant anymore on MT with GUI (R80.20 GA or R80.10 JHF>167)

See Admin Guide (ICAP Server): https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_ThreatPrevention_AdminGui...

 

Relevant sk’s are: sk123412 (ICAP Server support for Threat Prevention) & sk122853 (R80.20 Management Threat Prevention new features supported with R80.10 Jumbo Hotfix)

0 Kudos
ruggy
Participant
‎2020-06-21 02:30 AM

Nice solution!

0 Kudos