ICAP support
You can configure your FortiGate-7000 to use Internet Content Adaptation Protocol (ICAP) to offload processing that would normally take place on the FortiGate-7000 to a separate server specifically set up for the required specialized processing.
ICAP servers are focused on a specific function, for example:
- Ad insertion
- Virus scanning
- Content translation
- HTTP header or URL manipulation
- Language translation
- Content filtering
FortiGate-7000 supports ICAP without any special configuration. This includes using ICAP to offload decrypted SSL traffic to an ICAP server. FortiOS decrypts the content stream before forwarding it to the ICAP server.
For more information about FortiOS support for ICAP, see ICAP support.
Example ICAP configuration
ICAP is available for VDOMs operating in proxy mode. You can enable proxy mode from the Global GUI by going to System > VDOM, editing the VDOM for which to configure ICAP, and setting Inspection Mode to Proxy.
Then go to the VDOM, and go to System > Feature Visibility and enable ICAP.
From the CLI you can edit the VDOM, enable proxy inspection mode, and enable ICAP. You can only enable ICAP from config system settings if proxy mode is already enabled.
config vdom
    edit VDOM-2
        config system settings
            set inspection-mode proxy
        end
        config system settings
            set gui-icap enable
        end
end
From the GUI you can add an ICAP profile by going to Security Profiles > ICAP and selecting Create New to create a new ICAP profile.
From the CLI you can use the following command to create an ICAP profile:
config icap profile
    edit "default"
    next
    edit "icap-test-profile"
        set request enable
        set response enable
        set request-server "icap-test"
        set response-server "icap-test"
        set request-failure bypass
        set response-failure bypass
        set request-path "echo"
        set response-path "echo"
end
From the GUI you can add an ICAP server by going to Security Profiles > ICAP Servers and selecting Create New to create a new ICAP server.
From the CLI you can use the following command to create an ICAP server:
config icap server
    edit "icap-test"
        set ip-address 10.98.0.88
        set max-connections 1000
end
Then create a firewall policy that accepts the traffic to be sent to the ICAP server, and add the ICAP profile to that policy.
config firewall policy
    edit 4
        set name "any-any"
        set uuid f4b612d0-2300-51e8-f15f-507d96056a96
        set srcintf "1-C1/5" "1-C1/6"
        set dstintf "1-C1/6" "1-C1/5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set av-profile "default"
        set icap-profile "icap-test-profile"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
end
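Because the profile above enables both request and response modification against the "echo" service on 10.98.0.88, and both failure modes are set to bypass (traffic passes when the server does not answer), it is worth confirming before enabling the policy that the server is reachable and advertises REQMOD and RESPMOD. The following Python ICAP OPTIONS check is an added example, not Fortinet code or part of the original page; it assumes the server listens on the default ICAP port 1344, and the sample response is constructed.

```python
import socket

# Values from the configuration above; port 1344 is the standard ICAP port (assumed here).
ICAP_HOST = "10.98.0.88"
ICAP_PORT = 1344
ICAP_SERVICE = "echo"


def build_options_request(host: str, service: str) -> bytes:
    """Build an ICAP/1.0 OPTIONS request for one service (RFC 3507 framing, CRLF line ends)."""
    lines = [f"OPTIONS icap://{host}/{service} ICAP/1.0", f"Host: {host}",
             "Encapsulated: null-body=0", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_icap_response(raw: bytes) -> dict:
    """Parse the status line and headers of an ICAP response into a dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    version, code, *reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(code), "reason": reason[0] if reason else "", "headers": headers}


def supports_modes(headers: dict) -> set:
    """Modes (REQMOD/RESPMOD) the service advertises in its Methods header."""
    return {m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()}


def check_icap_service(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=5.0) -> dict:
    """Send OPTIONS to the live server and return the parsed reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return parse_icap_response(buf)


# Constructed sample of what an ICAP server answering OPTIONS for "echo" could return.
SAMPLE_RESPONSE = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD, RESPMOD\r\n"
                   b"Service: constructed echo service\r\nISTag: \"constructed-tag-1\"\r\n"
                   b"Encapsulated: null-body=0\r\nAllow: 204\r\n\r\n")

if __name__ == "__main__":
    reply = check_icap_service()
    missing = {"REQMOD", "RESPMOD"} - supports_modes(reply["headers"])
    print("status", reply["status"], "missing modes:", missing or "none")
```

If the check reports a missing mode or no answer, the bypass setting in the profile means FortiOS will pass the matching traffic without adaptation rather than block it.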