Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-6000 Handbook

    Home FortiGate-6000 5.6.11 FortiGate-6000 Handbook
    5.6.11
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.4.2
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.10
    6.0.9
    6.0.8
    6.0.6
    6.0.4
    5.6.14
    5.6.12
    5.6.11
    5.6.7
    5.4.10

    ICAP support

    ICAP support

    You can configure your FortiGate-6000 to use Internet Content Adaptation Protocol (ICAP) to offload processing that would normally take place on the FortiGate-6000 to a separate server specifically set up for the required specialized processing.

    ICAP servers are focused on a specific function, for example:

    • Ad insertion
    • Virus scanning
    • Content translation
    • HTTP header or URL manipulation
    • Language translation
    • Content filtering

    FortiGate-6000 supports ICAP without any special configuration. This includes using ICAP to offload decrypted SSL traffic to an ICAP server. FortiOS decrypts the content stream before forwarding it to the ICAP server.

    For more information about FortiOS support for ICAP, see ICAP support.

    Example ICAP configuration

    ICAP is available for VDOMs operating in proxy mode. You can enable proxy mode from the Global GUI by going to System > VDOM, editing the VDOM for which to configure ICAP, and setting Inspection Mode to Proxy.

    Then go to the VDOM, and go to System > Feature Visibility and enable ICAP.

    From the CLI you can edit the VDOM, enable proxy inspection mode and enable ICAP. You can only enable ICAP from config system settings if proxy mode is already enabled.

    config vdom

    edit VDOM-2

    config system settings

    set inspection-mode proxy

    end

    config system settings

    set gui-icap enable

    end

    From the GUI you can add an ICAP profile by going to Security Profiles > ICAP and selecting Create New to create a new ICAP profile.

    From the CLI you can use the following command to create an ICAP profile:

    config icap profile

    edit "default"

    next

    edit "icap-test-profile"

    set request enable

    set response enable

    set request-server "icap-test"

    set response-server "icap-test"

    set request-failure bypass

    set response-failure bypass

    set request-path "echo"

    set response-path "echo"

    end

    From the GUI you can add an ICAP serve by going to Security Profiles > ICAP Servers and selecting Create New to created a new ICAP server.

    From the CLI you can use the following command to create an ICAP server:

    config icap server

    edit "icap-test"

    set ip-address 10.98.0.88

    set max-connections 1000

    end

    Then create a firewall policy for the traffic to be sent to the ICAP server and include the ICAP profile.

    config firewall policy

    edit 4

    set name "any-any"

    set uuid f4b612d0-2300-51e8-f15f-507d96056a96

    set srcintf "1-C1/5" "1-C1/6"

    set dstintf "1-C1/6" "1-C1/5"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set logtraffic all

    set av-profile "default"

    set icap-profile "icap-test-profile"

    set profile-protocol-options "default"

    set ssl-ssh-profile "deep-inspection"

    end

    Previous
    Next

    ICAP support

    ICAP support

    You can configure your FortiGate-6000 to use Internet Content Adaptation Protocol (ICAP) to offload processing that would normally take place on the FortiGate-6000 to a separate server specifically set up for the required specialized processing.

    ICAP servers are focused on a specific function, for example:

    • Ad insertion
    • Virus scanning
    • Content translation
    • HTTP header or URL manipulation
    • Language translation
    • Content filtering

    FortiGate-6000 supports ICAP without any special configuration. This includes using ICAP to offload decrypted SSL traffic to an ICAP server. FortiOS decrypts the content stream before forwarding it to the ICAP server.

    For more information about FortiOS support for ICAP, see ICAP support.

    Example ICAP configuration

    ICAP is available for VDOMs operating in proxy mode. You can enable proxy mode from the Global GUI by going to System > VDOM, editing the VDOM for which to configure ICAP, and setting Inspection Mode to Proxy.

    Then go to the VDOM, and go to System > Feature Visibility and enable ICAP.

    From the CLI you can edit the VDOM, enable proxy inspection mode and enable ICAP. You can only enable ICAP from config system settings if proxy mode is already enabled.

    config vdom

    edit VDOM-2

    config system settings

    set inspection-mode proxy

    end

    config system settings

    set gui-icap enable

    end

    From the GUI you can add an ICAP profile by going to Security Profiles > ICAP and selecting Create New to create a new ICAP profile.

    From the CLI you can use the following command to create an ICAP profile:

    config icap profile

    edit "default"

    next

    edit "icap-test-profile"

    set request enable

    set response enable

    set request-server "icap-test"

    set response-server "icap-test"

    set request-failure bypass

    set response-failure bypass

    set request-path "echo"

    set response-path "echo"

    end

    From the GUI you can add an ICAP serve by going to Security Profiles > ICAP Servers and selecting Create New to created a new ICAP server.

    From the CLI you can use the following command to create an ICAP server:

    config icap server

    edit "icap-test"

    set ip-address 10.98.0.88

    set max-connections 1000

    end

    Then create a firewall policy for the traffic to be sent to the ICAP server and include the ICAP profile.

    config firewall policy

    edit 4

    set name "any-any"

    set uuid f4b612d0-2300-51e8-f15f-507d96056a96

    set srcintf "1-C1/5" "1-C1/6"

    set dstintf "1-C1/6" "1-C1/5"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set logtraffic all

    set av-profile "default"

    set icap-profile "icap-test-profile"

    set profile-protocol-options "default"

    set ssl-ssh-profile "deep-inspection"

    end

    Previous
    Next