Problem to download large files when Sandblast Appliance is set as ICAP Server
Hello Guys,
We set the Sandblast Appliance as ICAP Server for a FortiGate gateway. The traffic is redirected as expected and the Sandblast appliance is doing its job, except for large files (I've noticed files bigger than 400MB).
The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the ICAP process on the Sandblast appliance, they are able to download their files.
Did anyone get the same problem?
SANDBLAST APPLIANCE = R80.20 Jumbo Take 47
MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)
ALL CONFIGURATION SET TO FAIL OPEN
THE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.
Best regards,
Leonardo Santos
Accepted Solutions
Hello Ivory,
Looks like this is the expected behavior. After a look into the traffic capture, I realized the user sends the request for the file to the FortiGate, and it forwards the user traffic to the destination server. The incoming traffic (coming from the destination web server) will be forwarded to the Sandblast gateway (instead of being forwarded to the user). After the Sandblast gateway receives the whole file, it will decide if the file should be emulated or discarded due to the file size limit. In the meantime, the user gets a timeout message because it stopped receiving any response traffic from the FortiGate until the Sandblast gateway ends its analysis.
Take a look at the user request flow:
      origin-server
          | /|\
          |  |
       3  |  |  2
          |  |
         \|/ |            4
      ICAP-client    -------------->   ICAP-resource
      (surrogate)    <--------------   on ICAP-server
          | /|\            5
          |  |
       6  |  |  1
          |  |
         \|/ |
         client
ICAP RFC3507 - https://tools.ietf.org/html/rfc3507
The timeout message for the user has been solved by setting the "comfort client" in the FortiGate configuration, but instead of receiving a comfort bar the user receives a blank page (nothing friendly).
I suggested that the customer open a case with his FortiGate support to configure it not to forward files bigger than the file size limit I set in the Sandblast gateway configuration, but the support said this configuration is not possible when they are running as ICAP client.
So, I set the sandblast gateway in bridge mode!
You're downloading a 4GB+ file, which definitely won't emulate.
What troubleshooting have you done on the Fortigate side of things to confirm it isn't an issue on that platform?
Any logs or similar on the Check Point side of things?
A TAC case is probably in order with both Fortinet and Check Point to do appropriate troubleshooting.
Hello PhoneBoy,
Thank you for the reply. We are working with TAC on this problem; until now we have no solution.
Just checking if someone got the same behavior.
Regards,
Leonardo Santos
I was not able to see any logs on the Check Point side for this. We did some traffic captures and the communication looks to be working fine between the gateways:
RESPMOD icap://x.x.x.x:1344/sandblast ICAP/1.0
Host: x.x.x.x:1344
X-Client-IP: 172.20.16.200
X-Server-IP: 200.237.192.40
X-Authenticated-User: TERBUDovL0JSWUFOLkZFUk5BTkRFUw==
X-Authenticated-Groups: TERBUDovL3Vua25vd24vR0ktRFRJLUlORlJBLU4z
User-Agent: FortiOS
Encapsulated: res-hdr=0, res-body=243
HTTP/1.1 200 OK
Date: Mon, 06 May 2019 21:10:13 GMT
Server: Apache
Last-Modified: Sun, 10 Feb 2019 00:27:43 GMT
ETag: "77000000-5817f42acbdc0"
Accept-Ranges: bytes
Content-Length: 1996488704
Content-Type: application/x-iso9660-image
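An added example, not part of any post in this thread: the RESPMOD request above already declares the file size in its encapsulated HTTP headers, so a capture can be triaged against the emulation limit described in the accepted solution without looking at the body. The function names, the constructed `SAMPLE` bytes and the 1 KB = 1024 bytes conversion are assumptions of this sketch.

```python
# Added example. SAMPLE is constructed from the capture quoted in the thread
# (addresses masked as posted, X-* headers omitted). 1 KB = 1024 bytes is assumed.
LIMIT_KB = 15000  # "MAXIMUM FILE SIZE FOR EMULATION" from the first post

SAMPLE = (
    b"RESPMOD icap://x.x.x.x:1344/sandblast ICAP/1.0\r\n"
    b"Host: x.x.x.x:1344\r\n"
    b"User-Agent: FortiOS\r\n"
    b"Encapsulated: res-hdr=0, res-body=243\r\n\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 06 May 2019 21:10:13 GMT\r\n"
    b"Server: Apache\r\n"
    b"Last-Modified: Sun, 10 Feb 2019 00:27:43 GMT\r\n"
    b'ETag: "77000000-5817f42acbdc0"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 1996488704\r\n"
    b"Content-Type: application/x-iso9660-image\r\n\r\n"
)

def parse_headers(block):
    """Map lower-cased header names to values, skipping the start line."""
    out = {}
    for line in block.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            out[name.strip().lower().decode()] = value.strip().decode()
    return out

def triage_respmod(raw, limit_kb=LIMIT_KB):
    """Report the declared body size of a RESPMOD request against the limit."""
    icap_part, _, encapsulated = raw.partition(b"\r\n\r\n")
    if not icap_part.startswith(b"RESPMOD "):
        raise ValueError("not a RESPMOD request")
    icap = parse_headers(icap_part)
    # Encapsulated lists byte offsets into the part that follows the ICAP headers.
    offsets = {}
    for item in icap.get("encapsulated", "").split(","):
        key, sep, val = item.strip().partition("=")
        if sep:
            offsets[key] = int(val)
    end = offsets.get("res-body", len(encapsulated))
    http = parse_headers(encapsulated[offsets.get("res-hdr", 0):end])
    length = http.get("content-length", "")
    declared = int(length) if length.isdigit() else None
    return {
        "declared_bytes": declared,
        "over_limit": declared is not None and declared > limit_kb * 1024,
        "preview": icap.get("preview"),  # None: no Preview header in the request
        "res_body_offset": offsets.get("res-body"),
    }
```

For this sample `preview` is `None`: the request as posted carries no `Preview` header (RFC 3507 section 4.5), and the declared body is far above the limit.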
Did you find a solution? We have a similar case: users receive "an icap error was encountered while handling the request" when trying to download big files, and we can't find anything in the logs.
Hi @Leonardo_Ferrei,
Check the max file size for ICAP AV in the following file:
$FWDIR/c-icap/etc/virus_scan.conf
