Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ICAP Server
The official ICAP Server SK mentions requirements, release notes and general information regarding the new ICAP server functionality.
Check Point support for Internet Content Adaptation Protocol (ICAP) server
ICAP Server is included since JHF 272.
Start: # icap_server start
Stop: # icap_server stop
Reconfiguration: # icap_server reconf
Note:
- ICAP does not choose emulation images based on any of your TP profiles; so there is no need to configure a TP policy for ICAP but you need one to get emulation images on your SandBlast appliance
- GUI configuration will be added to R80.20 (currently in controlled EA)
- GUI configuration will be added to R80.20 (currently in controlled EA)
- Choosing to emulate on all images will result in an attempt to emulate the files on all known images, even if some of them aren’t available.
- “Recommended Images” means two images (Win7/Office2013, WinXP/Office2003-7)
Configuration
Configuration files
Filename | Location | Purpose |
c-icap.conf | $FWDIR/c-icap/etc/ | ICAP Server process configuration file e.g. for changing ICAP server port |
c-icap.magic | $FWDIR/c-icap/etc/ | Filetypes supported by ICAP |
virus_scan.conf | $FWDIR/c-icap/etc/ | e.g. for adding filetypes from c-icap.magic, maximum file size |
libsb_mod.conf | $FWDIR/c-icap/etc/ | e.g. for adding filetypes from c-icap.magic |
Tpapi.py | $FWDIR/c-icap/scripts/ | Script used to send ICAP received files to TE API |
Block message | $FWDIR/c-icap/share/c_icap/templates/virus_scan/en
-rwxr-x--- 1 admin bin 392 Mar 30 09:02 VIRUS_FOUND | Block messages displayed when malware is found. If you change them don´t forget to run ICAP daemon reconf command
VIRUS_FOUND is used as template for a block message; this message can be localized |
Configure emulation images
All or recommended images
Choose emulation on all images or only on recommended images:
- Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
- Change the field sb_mod.AllImages to off (for recommended) or on (for all)
Configure specific emulation images
Not officially supported but there is a way of selecting only specific images to emulate on:
- Edit $FWDIR/c-icap/etc/libsb_mod.conf
- Change the field AllImages to on
- Edit $FWDIR/c-icap/scripts/TPAPI.py
- Add "#" in front of images you do not want to emulate on:
image_to_name = {
# 'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',
'7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',
'8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',
'5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',
# '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',
# '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',
}
te_images = [
# {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},
{'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},
{'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},
{'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},
# {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},
# {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},
]
Adding Windows 10 image for ICAP emulation
Even though you activate the Win10 image in the GUI it will not be used by the ICAP emulation because the images for image are solely selected based on a configuration file. To add the Win10 image follow this procedure:
- Edit $FWDIR/c-icap/etc/libsb_mod.conf
- Change the field AllImages to on
Edit $FWDIR/c-icap/scripts/TPAPI.py and add the following yellow lines:
image_to_name = {
'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',
'7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',
'8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',
'5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',
'3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',
'6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',
'10B4A9C6-E414-425C-AE8B-FE4DD7B25244': 'Win10 64b,Office 2016, Adobe DC'
}
te_images = [
{'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},
{'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},
{'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},
{'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},
{'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},
{'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},
{'id': '10B4A9C6-E414-425C-AE8B-FE4DD7B25244', 'revision': 1}
]
Attaching an ICAP Client
Configure the ICAP client to communicate with the ICAP server’s “sandblast” service.
For example: icap://<ip address>:1344/sandblast
Logging
General logging
Logging (besides benign/malicious findings) is currently limited to the following log files – so no ICAP daemon logs in the GUI/SmartLog:
$FWDIR/log/c-icap/server.log
$FWDIR/log/c-icap/access.log
To extend the by default limited access log follow these steps:
- vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
- Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
- Add this line before the above finding:
- LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
- Change the AccessLog line to:
- AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat
So the section in c-icap.conf should now look like this:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat
Enable logging of benign files
Enable/Disable logs on benign files:
- Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
- Change the field sb_mod.LogBenign to on
Debug logging
To enable debug logging:
- Open for editing: $FWDIR/c-icap/etc/c-icap.conf
- Change DebugLevel value to: 7
- Restart the c-icap service.
Note ! Enabling debug logs can affect performance.
ICAP daemon troubleshooting
Start manually and get errors on startup
To get ICAP server daemon error messages on the terminal when starting launch daemon with:
# $FWDIR/c-icap/bin/c-icap -N -D -d 10 -f $FWDIR/c-icap/etc/c-icap.conf
Verify ICAP daemon is running
[Expert@sandblast]# netstat -na | grep 1344
Result should show:
tcp 0 0 0.0.0.0:1344 0.0.0.0:* LISTEN
[Expert@sandblast]# ps ax | grep c-icap
Result should show:
16443 ? Ss 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
16448 ? Sl 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
16453 ? Sl 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
16460 ? Sl 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
19319 pts/2 S+ 0:00 grep c-icap
ICAP Server response codes
{100, "Continue"}, /*Continue after ICAP Preview */
{200, "OK"},
{204, "Unmodified"}, /*No modifications needed */
{206, "Partial Content"}, /*Partial content modification*/
{400, "Bad request"}, /*Bad request */
{403, "Forbidden"},
{404, "Service not found"}, /*ICAP Service not found */
{405, "Not allowed"}, /*Method not allowed for service (e.g., RESPMOD requested
For service that supports only REQMOD). */
{408, "Request timeout"}, /*Request timeout. ICAP server gave up waiting for a
Request from an ICAP client */
{500, "Server error"}, /*Server error. Error on the ICAP server, such as "out of
disk
ICAP Performance statistics
Something I found on the web regarding c-icap performance statistics - did not have time to verify it by now but maybe someone can do and give feedback:
https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP#Performance_and_tuning
1 Solution
Accepted Solutions
Hi,
The IDs from the downloaded image is correct and the image is "ready"
Here is the screenshot of the tecli s e e command:
