Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:
To enable the ICAP server on the TEX appliance, see sk111306.
On R77.30, use Hotfix 286 or higher.
Enable ICAP Server
Start ICAP server on TEX appliance or gateway:
# icap_server start
Enable ICAP Logs
# tecli advanced remote emulator logs enable
Note: with Hotfix 286 or higher, logging is activated automatically and this step is not needed.
Add a firewall rule that allows the McAfee Web Gateway to reach the ICAP server on the TEX appliance:
Source: McAfee Web Gateway
Destination: IP address of the SandBlast appliance
Service: TCP port 1344 (ICAP)
For more information on the ICAP server, see:
https://community.checkpoint.com/docs/DOC-2815-icap-server-on-sandblast-appliance-tex
Configuring the McAfee ICAP client
Note:
The setup below works in "hold" mode, meaning the MWG waits for the ICAP answer before it delivers the file to the end user.
Background mode on the MWG is more complex to achieve; the attached rule set template is a starting point.
For a better understanding of background mode, see the McAfee Support Community thread "Don't wait for ICAP Server response".
Under Policy -> Settings -> ICAP Client, change both the ReqMod and RespMod defaults (we configure both, but you only need RespMod to scan file downloads and ReqMod to scan file uploads):
For both ReqMod and RespMod, use the URI icap://10.2.1.254:1344/sandblast from now on (10.2.1.254 is the address of the SandBlast appliance in this example; "sandblast" is the name of the ICAP service).
Under Policy -> Rule Sets check if ICAP Client section is present:
If not, you can add it via Add -> Rule Set from Library:
To edit the imported rule set, click "Unlock View":
You can disable "ReqMod" if it is not needed; it is only required to scan file uploads, not downloads:
If you want to bypass file downloads larger than, for example, 1 MB, add the following "Skip files greater than 1MB" rule to the RespMod rule set:
Don't forget to save your changes at the end:
This is what you get when trying to download a malicious file detected by Threat Emulation (TE):
McAfee Web Gateway progress page shown to the client:
Expected outcome on malicious file download:
When clicking on “here”:
The above response is a customizable template, found on the appliance at $FWDIR/c-icap/share/c_icap/templates/virus_scan/en/VIRUS_FOUND.
If you experience proxy timeouts like this:
Raise the MWG ICAP timeout from the default of 120 seconds to more than 300 seconds: in hold mode the MWG waits for the emulation verdict, which can take longer than 120 seconds for a single file.
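When the MWG shows a timeout or an unexpected block page, it helps to talk to the TEX ICAP server directly and rule out the firewall rule, the service name, or the timeout before touching the MWG rule sets. The following is an added example written for this page (not code from Check Point, McAfee, or the original post) of a minimal ICAP client that builds the OPTIONS probe and a RESPMOD request for the service URI used above, parses the ICAP reply, and maps it to the outcome the proxy would apply. It assumes icap://10.2.1.254:1344/sandblast from this page; the sample reply embedded for offline testing is constructed, and the X-Infection-Found header it carries is the form c-icap's virus_scan module uses on a detection, which is assumed, not verified, for the TEX build. The function names and the 1 MB skip threshold mirror the MWG rule above and are the author's own.

```python
"""Hand-rolled ICAP (RFC 3507) client helpers for checking the SandBlast TEX ICAP
server independently of the McAfee Web Gateway.

Added example, not code from the page, Check Point or McAfee. Assumes the service
URI icap://10.2.1.254:1344/sandblast from the page. The sample reply at the bottom
is constructed for offline testing and was not captured from an appliance.
"""
import socket
from typing import Dict, Tuple

ICAP_HOST = "10.2.1.254"        # SandBlast appliance address used on the page
ICAP_PORT = 1344
ICAP_SERVICE = "sandblast"
TIMEOUT_SEC = 360               # page raises the MWG timeout above 300 s; match it here
SKIP_ABOVE = 1 * 1024 * 1024    # mirrors the page's "Skip files greater than 1MB" rule


def icap_uri(host: str = ICAP_HOST, port: int = ICAP_PORT, service: str = ICAP_SERVICE) -> str:
    return f"icap://{host}:{port}/{service}"


def build_options_request(host: str = ICAP_HOST, port: int = ICAP_PORT,
                          service: str = ICAP_SERVICE) -> bytes:
    """OPTIONS probe: cheapest proof that TCP/1344 is open and the service name is right."""
    return (
        f"OPTIONS {icap_uri(host, port, service)} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def encapsulated_header(http_req_hdr: bytes, http_res_hdr: bytes) -> str:
    """RFC 3507 4.4.1: byte offsets of each section inside the encapsulated payload."""
    res_hdr_off = len(http_req_hdr)
    res_body_off = res_hdr_off + len(http_res_hdr)
    return f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, res-body={res_body_off}"


def build_respmod_request(http_req_hdr: bytes, http_res_hdr: bytes, body: bytes,
                          host: str = ICAP_HOST, port: int = ICAP_PORT,
                          service: str = ICAP_SERVICE) -> bytes:
    """RESPMOD: the origin server's HTTP headers plus the body, sent as ICAP chunked data."""
    icap_hdr = (
        f"RESPMOD {icap_uri(host, port, service)} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "Allow: 204\r\n"                      # permit a bodiless 204 for clean files
        f"{encapsulated_header(http_req_hdr, http_res_hdr)}\r\n"
        "\r\n"
    ).encode("ascii")
    chunked_body = f"{len(body):x}\r\n".encode("ascii") + body + b"\r\n0\r\n\r\n"
    return icap_hdr + http_req_hdr + http_res_hdr + chunked_body


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased ICAP headers) from a raw ICAP reply."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(status: int, headers: Dict[str, str]) -> str:
    """Map the ICAP reply to what the proxy would do with the download."""
    if status == 204:
        return "clean"                       # unmodified: deliver as-is
    if status == 200:
        # c-icap's virus_scan module flags detections with X-Infection-Found /
        # X-Violations-Found and swaps in the VIRUS_FOUND template (assumed for TEX).
        if "x-infection-found" in headers or "x-violations-found" in headers:
            return "blocked"
        return "modified"                    # rewritten without a detection header
    return f"error:{status}"


def scan_download(http_req_hdr: bytes, http_res_hdr: bytes, body: bytes,
                  host: str = ICAP_HOST, port: int = ICAP_PORT,
                  timeout: float = TIMEOUT_SEC) -> str:
    """Live check against the appliance; large files are skipped like the MWG rule."""
    if len(body) > SKIP_ABOVE:
        return "skipped"
    payload = build_respmod_request(http_req_hdr, http_res_hdr, body, host, port)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        while True:                          # Connection: close, so read to EOF
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return classify(*parse_icap_response(b"".join(chunks)))


# Constructed sample reply (not captured from a real appliance) in the shape
# c-icap's virus_scan module produces for a detection. Offsets are exact.
SAMPLE_DETECTION_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Server: C-ICAP/0.4.2\r\n"
    b"Connection: close\r\n"
    b'ISTag: "CI0001-example"\r\n'
    b"X-Infection-Found: Type=0; Resolution=2; Threat=Example.Test.File;\r\n"
    b"Encapsulated: res-hdr=0, res-body=51\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    b"14\r\n<html>blocked</html>\r\n0\r\n\r\n"
)
```

Run `scan_download(...)` from a host that the firewall rule above permits; a connection refused or a timeout there points at the rule or the `icap_server start` step rather than at the MWG, and a `classify` result of "blocked" on a known test file confirms the whole chain before the MWG rule set is enabled.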