This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leonardo_Ferrei
Participant
‎2019-05-08 11:52 AM
Jump to solution

Problem to download large files when Sandblast Appliance is set as ICAP Server


Hello Guys,

We set the Sandblast Appliance as ICAP Server for a Fortigate gateway. The traffic is redirected as expected and the sandblast appliance is doing its job, except by large files (I've noticed files bigger than 400MB)

The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the icap process from sandblast appliance they are able to download their files.

Did anyone get the same problem?

SANDBLAST APPLIANCE = R80.20 Jumbo Take 47
MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)
ALL CONFIGURATION SET TO FAIL OPEN
THE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.


Best regards,
Leonardo Santos

1 Solution

Accepted Solutions
Leonardo_Ferrei
Participant
‎2019-07-19 07:16 AM
In response to HeikoAnkenbrand
Jump to solution

Hello Ivory,

 

Looks like this is the expected behavior. After a look into the traffic capture, I realized the user sends the request for getting the file to the FortiGate and it forwards the user traffic for the destination server. The incoming traffic (coming from destination web server) will be forwarded to sandblast gateway, (instead of being forward for the user) after the Sandblast gateway receive all the file it will decide if the file should be emulated or discarded due to the file size limit, in meantime, the user gets a timeout message because it stopped receive any response traffic from FortiGate until the sandblast gateway ends its analyzes.

Take a look the user request flow


origin-server
| /|\
| |
3 | | 2
| |
\|/ | 4
ICAP-client --------------> ICAP-resource
(surrogate) <-------------- on ICAP-server
| /|\ 5
| |
6 | | 1
| |
\|/ |
client

ICAP RFC3507 - https://tools.ietf.org/html/rfc3507

The timeout message for the user has been solved setting the "comfort client" in the fortigate configuration, but instead of receive a comfort bar the user receive a blank page (nothing friendly).

I suggested the customer to open a case with his fortigate support to configure it for not forwarding files bigger than the file size limit I set in the sandblast gateway configuration, but the support said this configuration is not possible when they are running as ICAP client.

So, I set the sandblast gateway in bridge mode!

 

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2019-05-08 04:29 PM
Jump to solution

SandBlast can emulate files up to 100MB if you configure it that way.
You're downloading a 4GB+ file, which definitely won't emulate.
What troubleshooting have you done on the Fortigate side of things to confirm it isn't an issue on that platform?
Any logs or similar on the Check Point side of things?
A TAC case is probably in order with both Fortinet and Check Point to do appropriate troubleshooting.
Leonardo_Ferrei
Participant
‎2019-05-10 12:27 PM
In response to PhoneBoy
Jump to solution

Hello PhoneBoy,

Thank you for the reply, We are working with TAC on this problem until now We have no solution.

Just checking if someone got the same behavior.

Regards,
Leonardo Santos

Leonardo_Ferrei
Participant
‎2019-05-10 12:33 PM
In response to PhoneBoy
Jump to solution

I was not able to see any logs in checkpoint side for this, We did some traffic capture and the communication looks working fine between the gateways:

 

RESPMOD icap://x.x.x.x:1344/sandblast ICAP/1.0

Host: x.x.x.x:1344

X-Client-IP: 172.20.16.200

X-Server-IP: 200.237.192.40

X-Authenticated-User: TERBUDovL0JSWUFOLkZFUk5BTkRFUw==

X-Authenticated-Groups: TERBUDovL3Vua25vd24vR0ktRFRJLUlORlJBLU4z

User-Agent: FortiOS

Encapsulated: res-hdr=0, res-body=243

HTTP/1.1 200 OK

Date: Mon, 06 May 2019 21:10:13 GMT

Server: Apache

Last-Modified: Sun, 10 Feb 2019 00:27:43 GMT

ETag: "77000000-5817f42acbdc0"

Accept-Ranges: bytes

Content-Length: 1996488704

Content-Type: application/x-iso9660-image

 

lpujol
Explorer
‎2019-06-25 01:23 PM
In response to Leonardo_Ferrei
Jump to solution

Did you find a solution? we have a similar case, users receive  "an icap error was encountered while handling the request" when trying to download big files and can't find anything on the logs.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-07-19 06:10 AM
Jump to solution

Hi @Leonardo_Ferrei,

Check the max file size for ICAP AV in the following file:

$FWDIR/c-icap/etc/virus_scan.conf

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Leonardo_Ferrei
Participant
‎2019-07-19 07:16 AM
In response to HeikoAnkenbrand
Jump to solution

Hello Ivory,

 

Looks like this is the expected behavior. After a look into the traffic capture, I realized the user sends the request for getting the file to the FortiGate and it forwards the user traffic for the destination server. The incoming traffic (coming from destination web server) will be forwarded to sandblast gateway, (instead of being forward for the user) after the Sandblast gateway receive all the file it will decide if the file should be emulated or discarded due to the file size limit, in meantime, the user gets a timeout message because it stopped receive any response traffic from FortiGate until the sandblast gateway ends its analyzes.

Take a look the user request flow


origin-server
| /|\
| |
3 | | 2
| |
\|/ | 4
ICAP-client --------------> ICAP-resource
(surrogate) <-------------- on ICAP-server
| /|\ 5
| |
6 | | 1
| |
\|/ |
client

ICAP RFC3507 - https://tools.ietf.org/html/rfc3507

The timeout message for the user has been solved setting the "comfort client" in the fortigate configuration, but instead of receive a comfort bar the user receive a blank page (nothing friendly).

I suggested the customer to open a case with his fortigate support to configure it for not forwarding files bigger than the file size limit I set in the sandblast gateway configuration, but the support said this configuration is not possible when they are running as ICAP client.

So, I set the sandblast gateway in bridge mode!

 

Leonardo_Ferrei
Participant
‎2019-07-19 07:19 AM
In response to HeikoAnkenbrand
Jump to solution

Hi @HeikoAnkenbrand ,

 

I tried to set it in this file but did not work. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events