Check Point Security Gateway
Prerequisites
This documentation is based on Check Point Security Gateway R81 and is the minimum configuration required to integrate Check Point and Nullafi Shield. For more information, please contact Check Point Support.
- Check Point Security Gateway R81 and above
- Nullafi Shield ICAP service is started and configured (with backing configuration and activity databases, and Web Management Console).
- Command line access to Check Point Security Gateway - Expert Mode. Please refer to the Check Point documentation for details on how to access the command line.
Integration Steps
- Access the command line in Expert mode
- Review and agree to the ICAP user-disclaimer
- Backup the default ICAP configuration file
- Configure the ICAP Client parameters in the configuration file
- Save the configuration
Sample ICAP Client configuration file
The sample configuration provided below is for reference only and must be modified according to the network environment and the ICAP functionality required. The configuration enables both REQMOD and RESPMOD with the GET, PUT and POST methods for traffic on ports 8080 and 8443. The variable src_ip_ranges has also been configured for network-level filtering. Please refer to the Check Point documentation for more information on the ICAP client configuration file.
(
	:enabled ("true")
	:filter_http_method (
		: (
			:method ("GET")
		)
		: (
			:method ("PUT")
		)
		: (
			:method ("POST")
		)
	)
	:http_services (
		: (
			:port (8080)
		)
		: (
			:port (8443)
		)
	)
	:inspect_html_response ("false")
	:trickling_mode (2)
	:user_check_interaction_name ("Blocked Message - Access Control")
	:log_level (3)
	:icap_servers (
		: (
			:name ("shield_server_1")
			:ip ("10.0.0.10") # Shield ICAP server - IP address only, not a hostname
			:port (1344)
			:service ("echo")
			:proto ("icap")
			:modification_mode ("both") # "respmod", "reqmod" or "both"
			:transp ("3rd_cpas")
			:failmode (open)
			:timeout (60)
			:max_conns (100)
			:user_check_action (1)
			:x_headers (
				:x_client_ip ("true")
				:x_server_ip ("true")
				:x_authenticated_user ("true")
				:authentication_source ("Local")
				:base64_username_encode ("false")
			)
		)
	)
	:rules_type ("include")
	:network_filter_rules_ip4 (
		: (
			:src_ip_ranges (
				: (
					:min_ip ("10.0.0.1")
					:max_ip ("10.0.0.254")
				)
			)
			:dst_ip_ranges (
				: (
					:min_ip ("any")
					:max_ip ("any")
				)
			)
		)
	)
)
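The integration steps above (back up the default file, edit it, save it) and the sample configuration can be tied together with a small Expert-mode shell helper. The script below is an added example, not part of the Check Point or Nullafi documentation: it backs up the ICAP client configuration file with a timestamp and then sanity-checks the edited copy for the mistakes that most often break parsing of the sample, namely unbalanced parentheses, typographic quotes pasted in from a document instead of straight double quotes, a missing ICAP server :ip/:port, and a misspelled :modification_mode value. The path $FWDIR/conf/icap_client_blade_configuration.C and the $FWDIR variable are assumptions about the gateway's Expert-mode environment; verify them against the Check Point documentation for your release.

```shell
#!/bin/sh
# Added example (not Check Point or Nullafi code): back up and sanity-check the
# ICAP client configuration file before saving it on the Security Gateway.
# Assumption: run from the Expert-mode shell where $FWDIR is set and the ICAP
# client configuration file lives at $FWDIR/conf/icap_client_blade_configuration.C.

ICAP_CONF="${FWDIR:-.}/conf/icap_client_blade_configuration.C"

# Copy the configuration file aside with a timestamp suffix (integration step
# "Backup the default ICAP configuration file"). Prints the backup path.
backup_icap_conf() {
    src="${1:-$ICAP_CONF}"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    dst="${src}.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$src" "$dst" && echo "$dst"
}

# Sanity-check an ICAP client configuration file. Returns 0 when every check
# passes and 1 otherwise, printing each problem to stderr:
#   1. '(' and ')' balance, ignoring anything after a '#' comment marker
#   2. no typographic quotes (U+201C / U+201D); the parser expects '"'
#   3. an :icap_servers block with an :ip and a :port
#   4. every :modification_mode value is reqmod, respmod or both
check_icap_conf() {
    f="${1:-$ICAP_CONF}"
    rc=0
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }

    # 1. parenthesis balance (comments stripped first)
    body=$(sed 's/#.*$//' "$f")
    opens=$(( $(printf '%s' "$body" | tr -cd '(' | wc -c) ))
    closes=$(( $(printf '%s' "$body" | tr -cd ')' | wc -c) ))
    if [ "$opens" -ne "$closes" ]; then
        echo "unbalanced parentheses: $opens '(' vs $closes ')'" >&2
        rc=1
    fi

    # 2. typographic quotes, matched byte-wise in the C locale
    lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')
    if LC_ALL=C grep -n -e "$lq" -e "$rq" "$f" >&2; then
        echo "typographic quotes found above; replace them with \"" >&2
        rc=1
    fi

    # 3. at least one ICAP server with an address and port
    if ! grep -q ':icap_servers' "$f" || ! grep -q ':ip[[:space:]]*(' "$f" \
        || ! grep -q ':port[[:space:]]*(' "$f"; then
        echo "no ICAP server with :ip and :port defined" >&2
        rc=1
    fi

    # 4. modification_mode spelling (the sample allows reqmod, respmod, both)
    modes=$(sed -n 's/.*:modification_mode[[:space:]]*("\([^"]*\)").*/\1/p' "$f")
    for m in $modes; do
        case "$m" in
            reqmod|respmod|both) ;;
            *) echo "invalid :modification_mode value: $m" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on the gateway (integration steps 3 to 5):
#   backup_icap_conf && vi "$ICAP_CONF" && check_icap_conf
```

The checks are deliberately conservative: a parenthesis inside a quoted string value would be counted, so a false "unbalanced" report on an unusual :user_check_interaction_name string should be confirmed by eye rather than trusted blindly. The script never modifies the live file; it only copies it and reads it.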
Additional Configuration
To include X-Headers in ICAP requests, you must enable Identity Awareness in the Check Point Security Gateway UI under General Properties, Network Security tab.
To enable inspection of SSL-encrypted traffic, import the SSL certificate using the Check Point Security Gateway UI: HTTPS Inspection.