Hello
Can you confirm the below: how have you done the ICAP integration?
1. Do you have a dedicated Check Point appliance?
2. Are you doing the ICAP integration between F5 and SandBlast, or between any firewall and SandBlast?
3. Which is the perimeter firewall?
4. How is the flow of your inbound and outbound traffic? (It is compulsory to understand your design.)
Use case 1:
-----------
If you are doing ICAP integration between the Check Point firewall and SandBlast, then enable Threat Extraction and HTTPS Inspection on the firewall, and enable only Threat Emulation and Anti-Virus on the SandBlast appliance, for both MTA traffic and ICAP traffic.
Note: Once you enable the ICAP services both ways, the SPAN port will not come into the picture. Also, the ICAP service will not follow the complete web traffic; it will only look into attachments.
Use case 2:
-----------
If you are doing ICAP integration between a 3rd-party firewall and Check Point SandBlast, how are you sending the traffic to SandBlast?
Once you revert back, maybe we can assist you in the proper direction.