Who rated this post

Thomas_Werner · ‎2018-03-28

ICAP Server

The official ICAP Server SK mentions requirements, release notes and general information regarding the new ICAP server functionality.

Check Point support for Internet Content Adaptation Protocol (ICAP) server

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

ICAP Server is included since JHF 272.

Start: # icap_server start

Stop: # icap_server stop

Reconfiguration: # icap_server reconf

Note:

ICAP does not choose emulation images based on any of your TP profiles; so there is no need to configure a TP policy for ICAP but you need one to get emulation images on your SandBlast appliance
- GUI configuration will be added to R80.20 (currently in controlled EA)
Choosing to emulate on all images will result in an attempt to emulate the files on all known images, even if some of them aren’t available.
“Recommended Images” means two images (Win7/Office2013, WinXP/Office2003-7)

Configuration

Configuration files

Filename	Location	Purpose
c-icap.conf	$FWDIR/c-icap/etc/	ICAP Server process configuration file e.g. for changing ICAP server port
c-icap.magic	$FWDIR/c-icap/etc/	Filetypes supported by ICAP
virus_scan.conf	$FWDIR/c-icap/etc/	e.g. for adding filetypes from c-icap.magic, maximum file size
libsb_mod.conf	$FWDIR/c-icap/etc/	e.g. for adding filetypes from c-icap.magic
Tpapi.py	$FWDIR/c-icap/scripts/	Script used to send ICAP received files to TE API
Block message	$FWDIR/c-icap/share/c_icap/templates/virus_scan/en -rwxr-x--- 1 admin bin 392 Mar 30 09:02 VIRUS_FOUND	Block messages displayed when malware is found. If you change them don´t forget to run ICAP daemon reconf command VIRUS_FOUND is used as template for a block message; this message can be localized

Configure emulation images

All or recommended images

Choose emulation on all images or only on recommended images:

Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
Change the field sb_mod.AllImages to off (for recommended) or on (for all)

Configure specific emulation images

Not officially supported but there is a way of selecting only specific images to emulate on:

Edit $FWDIR/c-icap/etc/libsb_mod.conf
Change the field AllImages to on
Edit $FWDIR/c-icap/scripts/TPAPI.py

Add "#" in front of images you do not want to emulate on:

image_to_name = {

# 'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',

'7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',

'8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',

'5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',

# '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',

# '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',

}

te_images = [

# {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},

{'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},

{'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},

{'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},

# {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},

# {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},

]

Adding Windows 10 image for ICAP emulation

Even though you activate the Win10 image in the GUI it will not be used by the ICAP emulation because the images for image are solely selected based on a configuration file. To add the Win10 image follow this procedure:

Edit $FWDIR/c-icap/etc/libsb_mod.conf
Change the field AllImages to on

Edit $FWDIR/c-icap/scripts/TPAPI.py and add the following yellow lines:

image_to_name = {

'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',

'7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',

'8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',

'5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',

'3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',

'6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',

'10B4A9C6-E414-425C-AE8B-FE4DD7B25244': 'Win10 64b,Office 2016, Adobe DC'

}

te_images = [

{'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},

{'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},

{'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},

{'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},

{'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},

{'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},

{'id': '10B4A9C6-E414-425C-AE8B-FE4DD7B25244', 'revision': 1}

]

Attaching an ICAP Client

Configure the ICAP client to communicate with the ICAP server’s “sandblast” service.

For example: icap://<ip address>:1344/sandblast

Logging

General logging

Logging (besides benign/malicious findings) is currently limited to the following log files – so no ICAP daemon logs in the GUI/SmartLog:

$FWDIR/log/c-icap/server.log

$FWDIR/log/c-icap/access.log

To extend the by default limited access log follow these steps:

vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
Add this line before the above finding:
- LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
Change the AccessLog line to:
- AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the section in c-icap.conf should now look like this:

LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"

AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

Enable logging of benign files

Enable/Disable logs on benign files:

Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
Change the field sb_mod.LogBenign to on

Debug logging

To enable debug logging:

Open for editing: $FWDIR/c-icap/etc/c-icap.conf
- Change DebugLevel value to: 7
Restart the c-icap service.

Note ! Enabling debug logs can affect performance.

ICAP daemon troubleshooting

Start manually and get errors on startup

To get ICAP server daemon error messages on the terminal when starting launch daemon with:

# $FWDIR/c-icap/bin/c-icap -N -D -d 10 -f $FWDIR/c-icap/etc/c-icap.conf

Verify ICAP daemon is running

[Expert@sandblast]# netstat -na | grep 1344

Result should show:

tcp 0 0 0.0.0.0:1344 0.0.0.0:* LISTEN

[Expert@sandblast]# ps ax | grep c-icap

Result should show:

16443 ? Ss 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

16448 ? Sl 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

16453 ? Sl 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

16460 ? Sl 0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf

19319 pts/2 S+ 0:00 grep c-icap

ICAP Server response codes

{100, "Continue"}, /*Continue after ICAP Preview */

{200, "OK"},

{204, "Unmodified"}, /*No modifications needed */

{206, "Partial Content"}, /*Partial content modification*/

{400, "Bad request"}, /*Bad request */

{403, "Forbidden"},

{404, "Service not found"}, /*ICAP Service not found */

{405, "Not allowed"}, /*Method not allowed for service (e.g., RESPMOD requested

For service that supports only REQMOD). */

{408, "Request timeout"}, /*Request timeout. ICAP server gave up waiting for a

Request from an ICAP client */

{500, "Server error"}, /*Server error. Error on the ICAP server, such as "out of

disk

ICAP Performance statistics

Something I found on the web regarding c-icap performance statistics - did not have time to verify it by now but maybe someone can do and give feedback:

https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP#Performance_and_tuning

Who rated this post

ICAP Server on Sandblast Appliance (TEX)