This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2018-03-26 03:50 AM

Symantec (Bluecoat) SG ICAP and Sandblast (TEX)

ICAP integration for R77.30 and R80.10

 

Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:

Enable ICAP server on TEX appliance see SK111306 and configure thread rules in Smart DashBoard. 
Use hotfix 286 or higher for R77.30.

 

Tip!

You can use more ICAP Server in "Web Content Layer" on Bluecoat SG for example CAS appliance and TEX appliance.

 

Enable ICAP Server

Start ICAP server on TEX appliance or gateway:

# icap_server start

 

Enable ICAP Logs

# tecli advanced remote emulator logs enable    <<< Hotfix 286 or higher automatically activates logging.

 

Enable firewall rule to connect ICAP Server (TEX Appliance)

Source: Symantec SG
Destination: "ip-address of sandblast appliance"

Port: 1344

 

Configure Thread Rules

Configure Thread rules in SmartDashboard

.

Configuring ICAP on Symantec SWG:


     ICAP Servers Request

  1. Go to Configuration  > content Analysis > ICAP and click on New.
  2. Enter a Name "sandblast_server" for the server.
  3. Go to Configuration  > content Analysis > ICAP and click on Edit "sandblast_server"

  4. Enter the Service URL icap://ip-address of sandblast appliance/sandblast
  5. Set the Maximum nummber of connection: 100 <<< You can configure this on sandblast appliance in config files. Set the same value. If you overstay the value you become an ICAP error!
  6. Set Method supported: request modification <<< Use request mod.
  7. Set Send: Client address/ Server address/ Auth user

    ICAP Servers Response
    1. Go to Configuration  > content Analysis > ICAP and click on New.
    2. Enter a Name "sandblast_server_response" for the server.
    3. Go to Configuration  > content Analysis > ICAP and click on Edit "sandblast_server_response"

    4. Enter the Service URL icap://ip-address of sandblast appliance/sandblast
    5. Set the Maximum nummber of connection: 100 <<< You can configure this on sandblast appliance in config files. Set the same value. If you overstay the value you become an ICAP error!
    6. Set Method supported: response modification <<< Use request mod.
    7. Set Send: Client address/ Server address/ Auth user

      ICAP Servers Response Analysis
      1. Go to Configuration  > Policy > Visual Policy Manager
      2. Add Web Content Layer
      3. Enter the new > Performe Response Analysis
      4. Add Available Service:sandblast_server_response <<< Response Service
      5. Enter the new > Performe Request Analysis

      6. Add Available Service:sandblast_server <<< Request Service
      7. See Web Conten Layer Rule

      Regards,

      Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
39 Replies
Coco_Wang
Employee
Employee
‎2018-09-12 07:32 PM

Hello Heiko, 

       I am looking for documentation for F5 LTM i2600 integration with Sandblast appliance. Do you have one? 

Thank you!

Regards,

Coco

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2018-09-13 12:19 AM

Hi Coco,

On F5 side this is a bit problematic. You can't limit the number of ICAP sessions. For example, if the TE appliance is set to 100 sessions and you open the 101 session, you will get an ICAP error.

Unfortunately, this cannot be adjusted on the F5 side. I have already opened a ticket at F5. But so far without success.

On the TE Appliance you have to configure it as described in my articles:

Symantec (Bluecoat) SG ICAP and Sandblast (TEX) 

Fortigate Firewall ICAP and Sandblast (TEX) 

Here you can find an article how it works with F5:

AskF5 | Manual Chapter: Configuring Content Adaptation for HTTP Requests 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Coco_Wang
Employee
Employee
‎2018-09-13 01:32 AM

Thank you for the sharing Heiko! Smiley Happy

In my design, customer will have F5 LTM work with 2-3 Sandblast appliances. In this case, will LTM be able to deliver the 101 session to next available Sandblast appliance? Thank you!

Regards,

Coco

HeikoAnkenbrand
Champion Champion
Champion
‎2018-09-13 03:17 AM

Hi Coco,

it is the same issue! The problem is only shifted (100* 3 Te appliances). So you have the ICAP error of the 301 connection. With Bluecoat or Fortigate you can define the upper limit "max ICAP connections". With F5 this is unfortunately not possible. This means that this can always be a problem if it is exceeded. I have not found a solution yet. 

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Alessandro_Marr
Advisor
‎2019-02-05 06:28 AM

Hello Mr. Heiko, congratulations for your exceptional knowledge about security and deep configuration of checkpoint products. Can I ask you for a new document about  icap integration with symantec DLP sever using the new capabilities of icap client on r80.20?

Thank you so much.

Regards.

Alessandro

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-05 07:28 AM

Sorry, I have no experience with R80.20 and ICAP yet.

I'll try that out in the next few days.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Alessandro_Marr
Advisor
‎2019-02-05 08:18 AM

Thank you!

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-09 11:28 AM

More coming soon!

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-09 11:30 AM

Thank's for this info.

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-09 11:31 AM

Testing at the moment with R80.20 and R80.30EA.

More coming soon.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top