Symantec (Bluecoat) SG ICAP and Sandblast (TEX)
ICAP integration for R77.30 and R80.10
Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:
Enable the ICAP server on the TEX appliance (see SK111306) and configure threat rules in SmartDashboard.
Use hotfix 286 or higher for R77.30.
Tip!
You can use more than one ICAP server in the "Web Content Layer" on the Bluecoat SG, for example a CAS appliance and a TEX appliance.
Enable ICAP Server
Start the ICAP server on the TEX appliance or gateway:
# icap_server start
Enable ICAP Logs
# tecli advanced remote emulator logs enable <<< Hotfix 286 or higher automatically activates logging.
Enable a firewall rule to connect to the ICAP server (TEX appliance)
Source: Symantec SG
Destination: "ip-address of sandblast appliance"
Port: 1344
Configure Threat Rules
Configure threat rules in SmartDashboard.
Configuring ICAP on Symantec SWG:
ICAP Servers Request
- Go to Configuration > Content Analysis > ICAP and click on New.
- Enter a Name "sandblast_server" for the server.
- Go to Configuration > Content Analysis > ICAP and click on Edit "sandblast_server".
- Enter the Service URL "icap://ip-address of sandblast appliance/sandblast"
- Set the Maximum number of connections: 100 <<< You can configure this on the SandBlast appliance in the config files. Set the same value. If you exceed the value, you get an ICAP error!
- Set Method supported: request modification <<< Use request mod.
- Set Send: Client address / Server address / Auth user
ICAP Servers Response
- Go to Configuration > Content Analysis > ICAP and click on New.
- Enter a Name "sandblast_server_response" for the server.
- Go to Configuration > Content Analysis > ICAP and click on Edit "sandblast_server_response".
- Enter the Service URL "icap://ip-address of sandblast appliance/sandblast"
- Set the Maximum number of connections: 100 <<< You can configure this on the SandBlast appliance in the config files. Set the same value. If you exceed the value, you get an ICAP error!
- Set Method supported: response modification <<< Use request mod.
- Set Send: Client address / Server address / Auth user
ICAP Servers Response Analysis
- Go to Configuration > Policy > Visual Policy Manager
- Add Web Content Layer
- Enter the new > Perform Response Analysis
- Add Available Service: sandblast_server_response <<< Response Service
- Enter the new > Perform Request Analysis
- Add Available Service: sandblast_server <<< Request Service
- See Web Content Layer rule
Regards,
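A quick way to confirm the ICAP service is reachable and consistent with the ProxySG settings before touching the policy (added example, not part of Heiko's post or a Check Point tool): it builds an RFC 3507 OPTIONS request for the icap://<host>:1344/sandblast URL entered above, parses the reply, and checks that the method the proxy will use (REQMOD or RESPMOD) is advertised and that the proxy's "Maximum number of connections" does not exceed the server's Max-Connections header. The sample reply, the host address and the helper names are constructed assumptions, not captured from an appliance.

```python
import socket

ICAP_PORT = 1344  # port from the firewall rule in the post above

# Constructed sample OPTIONS reply (not captured from a real appliance), for offline checks
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\nISTag: \"constructed-1\"\r\n"
                b"Max-Connections: 100\r\nEncapsulated: null-body=0\r\n\r\n")

def build_options_request(host, service="sandblast", port=ICAP_PORT):
    """RFC 3507 OPTIONS request for the icap://<host>/<service> URL entered on the ProxySG."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    """Split the ICAP header block into (status_code, {lower-cased header: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError("not an ICAP status line: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def check_service(status, headers, proxy_max_connections, required_method):
    """Compare a reply with the proxy's ICAP service settings; an empty list means consistent."""
    findings = []
    if status != 200:
        findings.append(f"OPTIONS returned status {status}")
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()]
    if required_method.upper() not in methods:
        findings.append(f"{required_method} not advertised; server offers {methods}")
    advertised = int(headers.get("max-connections", proxy_max_connections))
    if proxy_max_connections > advertised:
        findings.append(f"proxy limit {proxy_max_connections} exceeds server Max-Connections {advertised}")
    return findings

def probe(host, service="sandblast", port=ICAP_PORT, timeout=5.0):
    """Send OPTIONS to a live ICAP server and return the parsed reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service, port))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_icap_response(raw)
```

Run `check_service(*probe("<sandblast-ip>"), 100, "RESPMOD")` once for each of the two ProxySG services; any finding points at a mismatch the ICAP error mentioned above would otherwise surface under load.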
Nice!
Is this also possible with F5?
Do you have a documentation for F5?
Coming soon!
I am currently writing a documentation for Trustwave SWG and F5 LTM. The F5 ICAP configuration is a bit more complex. Therefore, this will be a longer article. But it works without any problems. Further information can be found at F5 under the following link: Configuring Content Adaptation for HTTP Requests.
I think Response mode makes more sense, because the Sandblast Appliance can check the documents (DOC, PDF,...).
But in principle this also works.
Regards,
Can you publish this for F5?
Thanks in advance!
Pablo
I will publish this in the next days.
Is there a documentation for other manufacturers?
E.g. Ironport, Squid, ...
Hi Chris, Thomas Werner from Check Point has a very nice POC implementation guide with many examples for ICAP integration.
Is it possible to use more than one Symantec SG "Web Content Layer", one for the CAS appliance and one for the SandBlast appliance?
Yes, it is possible to use several ICAP services in one "web content layer". I think we should discuss this in a Symantec forum.
Is it possible to use one layer, or do I need two layers, "web content layer" and "web access layer"?
I think you need two layers - the web access layer will allow your connections and the content layer is responsible for the ICAP req/resp modifications. I'm not sure if you can combine actions from access and content layers (It's been a while since I've used a Proxy SG).
This is really great info. We are also looking for the same kind of solution for our McAfee customers, where for example the TIE server sends files for emulation to TEX, based on the Threat Prevention API.
Did you, or anyone else, try to build something like this?
Hi Heiko,
this is not needed anymore:
Enable ICAP Logs
# tecli advanced remote emulator logs enable
The included ICAP server (since JHF286) will create logs automatically.
Regards Thomas
Hi Jeroen,
it is possible with McAfee WebGateway.
I already installed it at a customer environment.
Maybe Thomas Werner from Check Point can send you the POC Guide. He described the integration of the McAfee SWG here.
Regards
Heiko
It is possible! You can combine actions from access and content layers.
> web access layer for ICAP requests
> web content layer for ICAP response
Regards
Heiko
So I followed Heiko's initiative and posted a sample config for McAfee Web Gateway: https://community.checkpoint.com/docs/DOC-2814-mcafee-web-gateway-icap-and-sandblast-appliance-tex
Regards Thomas
Hi Jeroen,
without deeper knowledge of the McAfee TIE Server it looks like TIE2ATD integration is proprietary, so there is no way to leverage our API here:
McAfee Support Community - How to integrate McAfee Threat Intelligence Exchan... - McAfee Support Co... (check Video at 3:30)
But you can attach our Sandbox to McAfee Web Gateway and also within your mail flow via MTA. Here is the MWG ICAP config:
https://community.checkpoint.com/docs/DOC-2814-mcafee-web-gateway-icap-and-sandblast-appliance-tex
Afterwards you can share our Threat Intelligence via our McAfee DXL integration:
LEA/DXL Connector for McAfee ePO Integration
Regards Thomas
nice job
I am getting an "unauthorized" message when clicking on the link https://community.checkpoint.com/docs/DOC-2838 . Is there another link available or a way to get access to this?
Thank you
Works without any problems.
But I still have one question: Can I limit the maximum number of ICAP connections on the SandBlast appliance?
Hi Max,
you can change the amount of processes and threads in the ICAP config file:
1. Open for editing: $FWDIR/c-icap/etc/c-icap.conf
2. Change the number of processes and threads: MaxServers ThreadsPerChild MinSpareThreads MaxSpareThreads
It can be found in the ICAP Server documentation:
Check Point support for Internet Content Adaptation Protocol (ICAP) server
I did not find a maximum connection setting for the underlying c-icap server.
Regards Thomas
Hi Werner,
On the default configuration the sizing for this parameter is 10. But I have experienced the ICAP server being busy when running it. For a proxy with around 1000 users, could you advise what number I should configure for these parameters?
ThreadsPerChild
MinSpareThreads
MaxSpareThreads
MaxServer
Actually I am a bit confused about configuring it, because I don't know exactly what the numbers represent.
Hi Martinus,
you can find a description of the parameters here:
The least I can recommend is to adapt these numbers to the proxy's ICAP settings such as "Max number of connections" etc.
Regards Thomas
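Thomas's earlier reply names the c-icap.conf directives and Martinus asks how to size them against a proxy. As an added example (not from the thread or from Check Point), this script parses a constructed c-icap.conf excerpt, derives the effective connection ceiling on the assumption that c-icap serves one connection per worker thread (MaxServers × ThreadsPerChild), sanity-checks the spare-thread settings, and flags a proxy "Max number of connections" that is larger than that ceiling. The sample values are illustrative, not the appliance's defaults.

```python
import re

# Constructed c-icap.conf excerpt (not copied from an appliance); the directive names are
# the ones named in Thomas's reply, the values are illustrative only
SAMPLE_CONF = """\
# process/thread tuning
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
"""

DIRECTIVES = ("StartServers", "MaxServers", "MinSpareThreads", "MaxSpareThreads", "ThreadsPerChild")

def parse_conf(text):
    """Return {directive: int} for the tuning directives, ignoring comments and other settings."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s+(\d+)$", line)
        if m and m.group(1) in DIRECTIVES:
            values[m.group(1)] = int(m.group(2))
    return values

def capacity(values):
    """Upper bound on simultaneous ICAP connections, assuming one thread per connection across all children."""
    return values["MaxServers"] * values["ThreadsPerChild"]

def review(values, proxy_max_connections):
    """Findings when the c-icap limits are inconsistent or below the proxy's 'Max number of connections'."""
    findings = []
    if values["MinSpareThreads"] > values["MaxSpareThreads"]:
        findings.append("MinSpareThreads exceeds MaxSpareThreads")
    if values["StartServers"] > values["MaxServers"]:
        findings.append("StartServers exceeds MaxServers")
    cap = capacity(values)
    if proxy_max_connections > cap:
        findings.append(f"proxy may open {proxy_max_connections} connections but c-icap serves at most {cap}")
    return findings
```

Feed it the real $FWDIR/c-icap/etc/c-icap.conf and the value configured on the ProxySG; a non-empty result is the mismatch that shows up as a busy ICAP server under load.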
What do I need:
web access layer and web content layer
or
two web access layer
Regards
Chris
Hi Thomas,
nice info.
THX
Heiko
Something I found on the web regarding c-icap performance statistics - did not have time to verify it by now but maybe someone can do and give feedback:
https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP#Performance_and_tuning
Regards Thomas
Hi Thomas,
Does Check Point support all settings or are they restricted?
Regards,