Who rated this post

Showing results for 
Search instead for 
Did you mean: 
Employee Alumnus
Employee Alumnus

ICAP Server on Sandblast Appliance (TEX)

ICAP Server

The official ICAP Server SK mentions requirements, release notes and general information regarding the new ICAP server functionality.


Check Point support for Internet Content Adaptation Protocol (ICAP) server



ICAP Server is included since JHF 272.


Start:                       # icap_server start

Stop:                       # icap_server stop

Reconfiguration:       # icap_server reconf




  • ICAP does not choose emulation images based on any of your TP profiles; so there is no need to configure a TP policy for ICAP but you need one to get emulation images on your SandBlast appliance
    • GUI configuration will be added to R80.20 (currently in controlled EA)
  • Choosing to emulate on all images will result in an attempt to emulate the files on all known images, even if some of them aren’t available.
  • “Recommended Images” means two images (Win7/Office2013, WinXP/Office2003-7)



Configuration files







ICAP Server process configuration file

e.g. for changing ICAP server port



Filetypes supported by ICAP



e.g. for adding filetypes from c-icap.magic, maximum file size



e.g. for adding filetypes from c-icap.magic



Script used to send ICAP received files to TE API

Block message



-rwxr-x--- 1 admin bin  392 Mar 30 09:02 VIRUS_FOUND

Block messages displayed when malware is found. If you change them don´t forget to run ICAP daemon reconf command


VIRUS_FOUND is used as template for a block message; this message can be localized


Configure emulation images

 All or recommended images


Choose emulation on all images or only on recommended images:


  1. Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
  2. Change the field sb_mod.AllImages to off (for recommended) or on (for all)

 Configure specific emulation images


     Not officially supported but there is a way of selecting only specific images to emulate on:


  • Edit $FWDIR/c-icap/etc/libsb_mod.conf
  • Change the field AllImages to on
  • Edit $FWDIR/c-icap/scripts/TPAPI.py


  • Add "#" in front of images you do not want to emulate on:


image_to_name = {

   #  'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',

    '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',

    '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',

    '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',

   # '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',

   #  '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',



te_images = [

   #  {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},

    {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},

    {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},

    {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},

  #  {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},

  #  {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},



Adding Windows 10 image for ICAP emulation


Even though you activate the Win10 image in the GUI it will not be used by the ICAP emulation because the images for image are solely selected based on a configuration file. To add the Win10 image follow this procedure:


  • Edit $FWDIR/c-icap/etc/libsb_mod.conf
  • Change the field AllImages to  on


Edit $FWDIR/c-icap/scripts/TPAPI.py and add the following yellow lines:


image_to_name = {

    'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',

    '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',

    '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',

    '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',

    '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',

    '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',

    '10B4A9C6-E414-425C-AE8B-FE4DD7B25244': 'Win10 64b,Office 2016, Adobe DC'



te_images = [

    {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},

    {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},

    {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},

    {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},

    {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},

    {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},

    {'id': '10B4A9C6-E414-425C-AE8B-FE4DD7B25244', 'revision': 1}


Attaching an ICAP Client


Configure the ICAP client to communicate with the ICAP server’s “sandblast” service.

             For example: icap://<ip address>:1344/sandblast




General logging


Logging (besides benign/malicious findings) is currently limited to the following log files – so no ICAP daemon logs in the GUI/SmartLog:





To extend the by default limited access log follow these steps:


  • vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
  • Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
  • Add this line before the above finding:
    • LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
  • Change the AccessLog line to:
    • AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat


So the section in c-icap.conf should now look like this:


LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"

AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

Enable logging of benign files


Enable/Disable logs on benign files:


  1. Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
  2. Change the field sb_mod.LogBenign to on


Debug logging


To enable debug logging:


  1. Open for editing: $FWDIR/c-icap/etc/c-icap.conf
    • Change DebugLevel value to: 7
  2. Restart the c-icap service.


Note ! Enabling debug logs can affect performance.


ICAP daemon troubleshooting

Start manually and get errors on startup


To get ICAP server daemon error messages on the terminal when starting launch daemon with:


   # $FWDIR/c-icap/bin/c-icap -N -D -d 10 -f $FWDIR/c-icap/etc/c-icap.conf


Verify ICAP daemon is running


[Expert@sandblast]# netstat -na | grep 1344


Result should show:

tcp        0      0      *                   LISTEN


[Expert@sandblast]# ps ax | grep c-icap


Result should show:

16443 ?        Ss     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

16448 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

16453 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

16460 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

19319 pts/2    S+     0:00 grep c-icap



ICAP Server response codes


     {100, "Continue"},           /*Continue after ICAP Preview */

     {200, "OK"},

     {204, "Unmodified"},         /*No modifications needed */

     {206, "Partial Content"},    /*Partial content modification*/

     {400, "Bad request"},        /*Bad request */

     {403, "Forbidden"},

     {404, "Service not found"},  /*ICAP Service not found */

     {405, "Not allowed"},        /*Method not allowed for service (e.g., RESPMOD requested

For service that supports only REQMOD). */

     {408, "Request timeout"},    /*Request timeout.  ICAP server gave up waiting for a

Request from an ICAP client */

     {500, "Server error"},       /*Server error.  Error on the ICAP server, such as "out of



ICAP Performance statistics

Something I found on the web regarding c-icap performance statistics - did not have time to verify it by now but maybe someone can do and give feedback:


Who rated this post