This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
dd84
Participant
‎2017-10-16 03:13 PM

Sandblast - Proxy - HTTPS

We currently run a 2-node VSX cluster w/R77.30 and are looking to implement TE with the gateways forwarding to the ThreatCloud for Emulation.

Our environment uses a Intel web gateway as a forward proxy - so we are trying to understand the options available.

Im hearing ICAP might be an option - but there isn’t really any information about it other than one SK.

I’m just looking for more information on what deployment options might be available.

4 Replies
PhoneBoy
Admin
Admin
‎2017-10-16 05:54 PM

Basically, what the fix here provides is the ability to turn your gateway into an ICAP server: Check Point support for Internet Content Adaptation Protocol (ICAP) server 

This allows your proxy to consult the Check Point Threat Emulation blade on the Security Gateway to determine if the file downloaded is benign or malicious.

It's worth noting that this hotfix, while considered GA, it is not integrated into a major release (i.e. not part of R80.10).

You also may have issues applying other hotfixes on top of this release.

dd84
Participant
‎2017-10-16 06:00 PM
In response to PhoneBoy

Thanks for your response Daemon.

Is this the only supported deployment model in an environment that utilizes a forward proxy?

We were told that running the Sandblast Browser Agent would work - but we haven’t been able to get it functioning correctly with TAC and believe there is a limitation with forward proxy and SBA4B.  Correct me if you believe otherwise?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-17 04:12 PM
In response to dd84

For the above solution I mentioned, yes, that is correct.

SBA4B is a different way to solve the same problem but the client sends the files to ThreatCloud, returning either a “safe” version of the file, the original (if it’s safe), or block the download if it is malicious.

I am not aware of any issues with proxies and SBA4B but maybe Lior Arzi or someone on his team can comment.

0 Kudos
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2017-10-27 06:38 AM
In response to PhoneBoy

ICAP Server HF is integrated with the current JHF286.

But I am not sure about support of ICAP HF on VSX.

You can however install a separate CP GW with R77.30 and use ICAP HF there to emulate files in the cloud received from your proxy. So you might give it a try ...


Regards Thomas