FortiGate-7000 Handbook

ICAP support

You can configure your FortiGate-7000 to use Internet Content Adaptation Protocol (ICAP) to offload processing that would normally take place on the FortiGate-7000 to a separate server specifically set up for the required specialized processing.

ICAP servers are focused on a specific function, for example:

  • Ad insertion
  • Virus scanning
  • Content translation
  • HTTP header or URL manipulation
  • Language translation
  • Content filtering

FortiGate-7000 supports ICAP without any special configuration. This includes using ICAP to offload decrypted SSL traffic to an ICAP server. FortiOS decrypts the content stream before forwarding it to the ICAP server.

For more information about FortiOS support for ICAP, see ICAP support.

Example ICAP configuration

ICAP is available for VDOMs operating in proxy mode. You can enable proxy mode from the Global GUI by going to System > VDOM, editing the VDOM for which to configure ICAP, and setting Inspection Mode to Proxy.

Then go to the VDOM, and go to System > Feature Visibility and enable ICAP.

From the CLI you can edit the VDOM, enable proxy inspection mode and enable ICAP. You can only enable ICAP from config system settings if proxy mode is already enabled.

config vdom
    edit VDOM-2
        config system settings
            set inspection-mode proxy
        end
        config system settings
            set gui-icap enable
        end
end

From the GUI you can add an ICAP profile by going to Security Profiles > ICAP and selecting Create New to create a new ICAP profile.

From the CLI you can use the following command to create an ICAP profile:

config icap profile
    edit "default"
    next
    edit "icap-test-profile"
        set request enable
        set response enable
        set request-server "icap-test"
        set response-server "icap-test"
        set request-failure bypass
        set response-failure bypass
        set request-path "echo"
        set response-path "echo"
end

From the GUI you can add an ICAP server by going to Security Profiles > ICAP Servers and selecting Create New to create a new ICAP server.

From the CLI you can use the following command to create an ICAP server:

config icap server
    edit "icap-test"
        set ip-address 10.98.0.88
        set max-connections 1000
end

Then create a firewall policy for the traffic to be sent to the ICAP server and include the ICAP profile.

config firewall policy
    edit 4
        set name "any-any"
        set uuid f4b612d0-2300-51e8-f15f-507d96056a96
        set srcintf "1-C1/5" "1-C1/6"
        set dstintf "1-C1/6" "1-C1/5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set av-profile "default"
        set icap-profile "icap-test-profile"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
end
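Because the profile above sets request-failure and response-failure to bypass, traffic passes uninspected whenever the ICAP server does not answer, so it is worth confirming that the server actually serves the configured path with REQMOD and RESPMOD before the policy goes live. The following Python script is an added example, not part of the handbook or FortiOS: it builds an ICAP OPTIONS request for the page's server and path and parses the reply; port 1344 is the standard ICAP port from RFC 3507 and is assumed here, and the sample reply embedded in the script is constructed, not captured.

```python
import socket

ICAP_HOST = "10.98.0.88"  # address from the page's 'config icap server' example
ICAP_PORT = 1344          # standard ICAP port (RFC 3507); assumed, not on the page
ICAP_PATH = "echo"        # matches 'set request-path "echo"' on the page
# Constructed sample OPTIONS reply (not captured from a real server), for offline use.
SAMPLE_REPLY = (
    b'ICAP/1.0 200 OK\r\nMethods: REQMOD, RESPMOD\r\nISTag: "v1"\r\n'
    b'Preview: 1024\r\nEncapsulated: null-body=0\r\n\r\n')

def build_options_request(host: str, port: int, path: str) -> bytes:
    """Build a minimal ICAP OPTIONS request for icap://host:port/path."""
    return (
        f"OPTIONS icap://{host}:{port}/{path} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Encapsulated: null-body=0\r\n\r\n"
    ).encode("ascii")

def parse_icap_response(raw: bytes) -> dict:
    """Parse status line and headers; returns {'status': int, 'headers': {...}}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers}

def service_supports(resp: dict, method: str) -> bool:
    """True if the reply lists the method (REQMOD for request, RESPMOD for response)."""
    methods = resp["headers"].get("methods", "")
    return method.upper() in [m.strip().upper() for m in methods.split(",") if m.strip()]

def probe(host=ICAP_HOST, port=ICAP_PORT, path=ICAP_PATH, timeout=5.0) -> dict:
    """Send OPTIONS to a live server and return the parsed reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, path))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_icap_response(data)
```

A reply that is not 200, or that omits REQMOD or RESPMOD from Methods, means the profile's request or response side would silently fall back to bypass on that server.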