Create a Post
Showing results for 
Search instead for 
Did you mean: 
Employee Alumnus
Employee Alumnus

McAfee Web Gateway ICAP and Sandblast Appliance (TEX)


Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:

Enable ICAP server on TEX appliance see SK111306 
Use hotfix 286 or higher for R77.30.


Enable ICAP Server

Start ICAP server on TEX appliance or gateway:

icap_server start


Enable ICAP Logs

tecli advanced remote emulator logs enable    <<< Hotfix 286 or higher automatically activates logging. 


Enable firewall rule to connect ICAP Server (TEX Appliance)

Source: McAfee Web Gateway
Destination: "ip-address of sandblast appliance"

Port: 1344

For more infos on the ICAP server please goto: 

Configuration McAfee ICAP client


The below setup will work in "hold" mode meaning the MWG will wait for the ICAP answer until it provides the file to the end user.

Background mode on MWG is a bit more complex to achieve. You can find the below attached ruleset template as a starting point.

For a better understanding of background mode you might want to read Solved: McAfee Support Community - Don´t wait for ICAP Server response - McAfee Support Community 

Under Policy -> Settings -> ICAP Client change both the ReqMod and RespMod defaults (we configure both but you only need RespMod for file downloads and ReqMod for file uploads):


Please use URI icap:// from now on

Please use URI icap:// from now on


Under Policy -> Rule Sets check if ICAP Client section is present:



If not you can add it via Add -> Rule Set from Library:





To edit the imported rule set “Unlock View”:



You can disable “ReqMod” is it is not needed to pass downloaded files (only for file uploads):




If you want to bypass file downloads e.g. bigger than 1 MB you have to add the following “Skip files greater than 1MB” rule to the RespMod ruleset:





Don´t forget to save your changes at the end:




This is what you get when trying to download a malicious file detected by TE:


      Client McAfee Web Gateway Progress page:


Expected outcome on malicious file download:


When clicking on “here”:



The above response is a customizable template found in $FWDIR/c-icap/share/c_icap/templates/virus_scan/en/VIRUS_FOUND.

If you experience proxy timeouts like this:



Raise the timeout value from default 120sec. to > 300 sec.


2 Replies

nice job


Thank you for the excellent article Thomas!
I have a question - if there is a second Sandblast device working as a ICAP server also, can we configure it in McAfee WG as well hoping to achieve some kind of redundancy and load balancing?
0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events