Thomas_Werner
Employee Alumnus

ICAP Server on Sandblast Appliance (TEX)

ICAP Server

The official ICAP Server SK mentions requirements, release notes and general information regarding the new ICAP server functionality.

Check Point support for Internet Content Adaptation Protocol (ICAP) server

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

ICAP Server is included since JHF 272.

Start:           # icap_server start
Stop:            # icap_server stop
Reconfiguration: # icap_server reconf

Note:

  • ICAP does not choose emulation images based on any of your TP profiles, so there is no need to configure a TP policy for ICAP; you still need a TP policy so that the emulation images are present on your SandBlast appliance
    • GUI configuration will be added in R80.20 (currently in controlled EA)
  • Choosing to emulate on all images will result in an attempt to emulate the files on all known images, even if some of them aren’t available.
  • “Recommended Images” means two images (Win7/Office2013, WinXP/Office2003-7)

Configuration

Configuration files

Filename (Location): Purpose

  • c-icap.conf ($FWDIR/c-icap/etc/): ICAP Server process configuration file, e.g. for changing the ICAP server port
  • c-icap.magic ($FWDIR/c-icap/etc/): file types supported by ICAP
  • virus_scan.conf ($FWDIR/c-icap/etc/): e.g. for adding file types from c-icap.magic, maximum file size
  • libsb_mod.conf ($FWDIR/c-icap/etc/): e.g. for adding file types from c-icap.magic
  • TPAPI.py ($FWDIR/c-icap/scripts/): script used to send the files received via ICAP to the TE API
  • Block message ($FWDIR/c-icap/share/c_icap/templates/virus_scan/en): block messages displayed when malware is found. If you change them, don't forget to run the ICAP daemon reconf command.

-rwxr-x--- 1 admin bin  392 Mar 30 09:02 VIRUS_FOUND

VIRUS_FOUND is used as the template for the block message; this message can be localized.

Configure emulation images

All or recommended images

Choose emulation on all images or only on the recommended images:

  1. Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
  2. Change the field sb_mod.AllImages to off (for recommended) or on (for all)

Configure specific emulation images

Not officially supported, but there is a way to emulate only on specific images:

  • Edit $FWDIR/c-icap/etc/libsb_mod.conf
  • Change the field AllImages to on
  • Edit $FWDIR/c-icap/scripts/TPAPI.py
  • Add "#" in front of the images you do not want to emulate on:

image_to_name = {
    # 'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',
    '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',
    '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',
    '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',
    # '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',
    # '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',
}

te_images = [
    # {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},
    {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},
    {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},
    {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},
    # {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},
    # {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},
]

Adding Windows 10 image for ICAP emulation

Even if you activate the Win10 image in the GUI, it will not be used by the ICAP emulation, because the images for ICAP emulation are selected solely from a configuration file. To add the Win10 image, follow this procedure:

  • Edit $FWDIR/c-icap/etc/libsb_mod.conf
  • Change the field AllImages to on

Edit $FWDIR/c-icap/scripts/TPAPI.py and add the Win10 lines (the last entry of image_to_name and of te_images below):

image_to_name = {
    'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',
    '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',
    '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',
    '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',
    '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',
    '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',
    '10B4A9C6-E414-425C-AE8B-FE4DD7B25244': 'Win10 64b,Office 2016, Adobe DC'
}

te_images = [
    {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},
    {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},
    {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},
    {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},
    {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},
    {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},
    {'id': '10B4A9C6-E414-425C-AE8B-FE4DD7B25244', 'revision': 1}
]

Attaching an ICAP Client

Configure the ICAP client to communicate with the ICAP server’s “sandblast” service, for example: icap://<ip address>:1344/sandblast

Logging

General logging

Logging (besides benign/malicious findings) is currently limited to the following log files, so there are no ICAP daemon logs in the GUI/SmartLog:

$FWDIR/log/c-icap/server.log
$FWDIR/log/c-icap/access.log

The access log is limited by default; to extend it, follow these steps:

  • vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
  • Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
  • Add this line before it:
    • LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
  • Change the AccessLog line to:
    • AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

The section in c-icap.conf should now look like this:

LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"

AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat
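
As an added example (written for this post, not code from Check Point or c-icap), here is a small Python parser for the extended accessFormat defined above that pulls out the X-Infection-Found verdicts; the sample log lines and the meaning assumed for each placeholder are constructed, so verify the field order against your own access.log.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the LogFormat above produces:
#   %tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'
# The field meanings (local time, local IP, client IP, ICAP method, ICAP URI,
# ICAP status, HTTP URL, HTTP response header, X-Infection-Found header) are
# assumed from c-icap's LogFormat placeholders; every value is invented.
SAMPLE_ACCESS_LOG = """\
30/Mar/2018:09:12:01 +0200, 10.0.0.5 10.0.0.20 RESPMOD icap://10.0.0.5:1344/sandblast 204 http://files.example.test/report.pdf 'HTTP/1.1 200 OK' '-'
30/Mar/2018:09:12:07 +0200, 10.0.0.5 10.0.0.20 RESPMOD icap://10.0.0.5:1344/sandblast 200 http://files.example.test/invoice.docx 'HTTP/1.1 200 OK' 'Type=0; Resolution=2; Threat=Malicious.Document;'
30/Mar/2018:09:12:09 +0200, 10.0.0.5 10.0.0.21 OPTIONS icap://10.0.0.5:1344/sandblast 200 - '-' '-'
"""

LINE_RE = re.compile(
    r"^(?P<time>[^,]+), (?P<local_ip>\S+) (?P<client_ip>\S+) (?P<method>\S+) "
    r"(?P<icap_uri>\S+) (?P<status>\d{3}) (?P<http_url>\S+) "
    r"'(?P<http_resp>[^']*)' '(?P<infection>[^']*)'$"
)

def parse_access_line(line):
    """Split one extended-format access log line into its fields (None if it does not match)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_infection(value):
    """Turn 'Type=0; Resolution=2; Threat=X;' into {'Type': '0', ...}; '-' means no header."""
    if value in ("", "-"):
        return {}
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def summarize(log_text):
    """Count ICAP method/status pairs and collect the transactions the server flagged."""
    stats = Counter()
    flagged = []
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry is None:
            stats["unparsed"] += 1
            continue
        stats[entry["method"] + "/" + entry["status"]] += 1
        infection = parse_infection(entry["infection"])
        if infection:
            flagged.append((entry["client_ip"], entry["http_url"], infection.get("Threat")))
    return stats, flagged
```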

Enable logging of benign files

Enable/Disable logs on benign files:

  1. Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
  2. Change the field sb_mod.LogBenign to on (to enable) or off (to disable)

Debug logging

To enable debug logging:

  1. Open for editing: $FWDIR/c-icap/etc/c-icap.conf
    • Change the DebugLevel value to: 7
  2. Restart the c-icap service.

Note: Enabling debug logs can affect performance.

ICAP daemon troubleshooting

Start manually and get errors on startup

To see the ICAP server daemon's error messages on the terminal at startup, launch the daemon manually with:

   # $FWDIR/c-icap/bin/c-icap -N -D -d 10 -f $FWDIR/c-icap/etc/c-icap.conf

Verify ICAP daemon is running

[Expert@sandblast]# netstat -na | grep 1344

Result should show:

tcp        0      0 0.0.0.0:1344                0.0.0.0:*                   LISTEN

[Expert@sandblast]# ps ax | grep c-icap

Result should show:

16443 ?        Ss     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
16448 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
16453 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
16460 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
19319 pts/2    S+     0:00 grep c-icap

ICAP Server response codes

     {100, "Continue"},           /*Continue after ICAP Preview */
     {200, "OK"},
     {204, "Unmodified"},         /*No modifications needed */
     {206, "Partial Content"},    /*Partial content modification*/
     {400, "Bad request"},        /*Bad request */
     {403, "Forbidden"},
     {404, "Service not found"},  /*ICAP Service not found */
     {405, "Not allowed"},        /*Method not allowed for service (e.g., RESPMOD requested for service that supports only REQMOD). */
     {408, "Request timeout"},    /*Request timeout. ICAP server gave up waiting for a request from an ICAP client */
     {500, "Server error"},       /*Server error. Error on the ICAP server, such as "out of disk
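
As an added check (example code written for this post, not Check Point's or c-icap's own), this Python script sends an ICAP OPTIONS request to the "sandblast" service from the "Attaching an ICAP Client" section and maps the reply to the response codes above, which goes one step beyond the netstat/ps checks. The host, port and the sample reply are constructed; check_service needs a reachable server, the parsing functions do not.

```python
import socket

# ICAP response codes as listed above (from the c-icap source quoted in the post)
ICAP_STATUS = {100: "Continue", 200: "OK", 204: "Unmodified", 206: "Partial Content",
               400: "Bad request", 403: "Forbidden", 404: "Service not found",
               405: "Not allowed", 408: "Request timeout", 500: "Server error"}

def build_options_request(host, port=1344, service="sandblast"):
    """Build an RFC 3507 OPTIONS request for icap://host:port/service."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}:{port}\r\n"
            "User-Agent: icap-service-check (constructed example)\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    """Return (status code, its meaning from the table, headers) of an ICAP reply head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError("not an ICAP status line: %r" % status_line)
    code = int(parts[1])
    headers = {}
    for hl in header_lines:
        name, _, value = hl.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, ICAP_STATUS.get(code, "unknown"), headers

def check_service(host, port=1344, service="sandblast", timeout=5.0):
    """Send OPTIONS to a live ICAP server and parse the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, service))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_icap_response(raw)

# Constructed reply in the shape an ICAP server gives for OPTIONS on a known service.
SAMPLE_RESPONSE = (b"ICAP/1.0 200 OK\r\n"
                   b"Methods: RESPMOD, REQMOD\r\n"
                   b"Service: C-ICAP server - sandblast (constructed)\r\n"
                   b"ISTag: \"CI0001-sandblast\"\r\n"
                   b"Allow: 204\r\n\r\n")
```

A 404 "Service not found" reply from a live server means the daemon is up but the client is pointed at the wrong service path.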

 

ICAP Performance statistics

Something I found on the web regarding c-icap performance statistics; I have not had time to verify it yet, but maybe someone can and give feedback:

https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP#Performance_and_tuning
