Handbook

6.0.0

Example scenario

Information relevant to the following example:

  • The ICAP server is designed to do proprietary content filtering specific to the organization, so it will have to receive the messages and send back appropriate responses.
  • The content filter is a required security precaution, so if the message cannot be processed it is not allowed through.
  • Resources on both the FortiGate and the ICAP server are considerable, so the maximum connections setting will be set to double the default value to analyze the impact on performance.
  • The ICAP server’s IP address is 172.16.100.55.
  • The path to the processing component is “/proprietary_code/content-filter/”.
  • Streaming media is not something that the filter considers, but it is allowed through the policy, so processing it would be a waste of resources.
  • The ICAP profile is to be added to an existing firewall policy.
  • It is assumed that the display of the policies has already been configured to show the column “ID”.

  1. Go to Security Profiles > ICAP Servers.
  2. Configure the ICAP server using the following values:

    Name          content-filtration-server4
    IP Type       IPv4
    IP Address    172.16.100.55
    Port          1344

    Use the CLI to set the max-connections value.

    config icap server
        edit content-filtration-server4
            set max-connections 200
    end

  3. Configure the ICAP profile that will then be applied to a security policy. Use the following values:

    Name                             Prop-Content-Filtration

    Enable Request Processing        enable
      Server                         content-filtration-server4
      Path                           /proprietary_code/content-filter/
      On Failure                     Error

    Enable Response Processing       enable
      Server                         content-filtration-server4
      Path                           /proprietary_code/content-filter/
      On Failure                     Error

    Enable Streaming Media Bypass    enable

  4. Apply the ICAP profile to the policy:

    The purpose of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID# 17.

    1. Go to Policy & Objects > IPv4 Policy.
    2. Open the existing policy ID# 17 for editing.
    3. Go to the section Security Profiles.
    4. Select the button next to ICAP so that it indicates that its status is ON.
    5. Select the field with the profile name and use the drop-down menu to select Prop-Content-Filtration.
    6. Select OK.
    6. Select OK.
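
Because On Failure is set to Error, traffic on the policy is not allowed through when the ICAP server cannot process it, so it is worth confirming that the server answers on the configured path before the profile is switched on. The following is an added example, not part of the Fortinet handbook: a Python pre-check that sends an ICAP OPTIONS request (RFC 3507) to the server from the scenario and compares the answer with the planned profile. Comparing the server's Max-Connections header with the FortiGate max-connections value is an assumption of this example, and the sample response is constructed.

```python
import socket

# Values from the page; everything else here is an assumption of this example.
HOST, PORT, PATH = "172.16.100.55", 1344, "/proprietary_code/content-filter/"
PLANNED_MAX = 200

def build_options_request(host=HOST, port=PORT, path=PATH):
    """ICAP OPTIONS request (RFC 3507) for the service URI."""
    return (f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    """Return (status_code, headers); header names are lower-cased."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    return int(parts[1]), headers

def check_service(status, headers, planned_max=PLANNED_MAX):
    """List mismatches between the OPTIONS answer and the planned profile."""
    problems = []
    if status != 200:
        problems.append(f"OPTIONS returned {status}, expected 200")
    methods = {m.strip().upper() for m in headers.get("methods", "").split(",")}
    for needed in ("REQMOD", "RESPMOD"):  # the profile enables both directions
        if needed not in methods:
            problems.append(f"{needed} not advertised on {PATH}")
    limit = headers.get("max-connections", "")
    if limit.isdigit() and int(limit) < planned_max:
        problems.append(f"server Max-Connections {limit} < planned {planned_max}")
    return problems

def probe(timeout=5):
    """Query the live server; socket errors propagate to the caller."""
    with socket.create_connection((HOST, PORT), timeout=timeout) as s:
        s.sendall(build_options_request())
        raw = b""
        while b"\r\n\r\n" not in raw and (chunk := s.recv(4096)):
            raw += chunk
    return check_service(*parse_icap_response(raw))

# Constructed sample response, not captured from a real server.
SAMPLE = (b'ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nISTag: "constructed-1"\r\n'
          b"Max-Connections: 100\r\nEncapsulated: null-body=0\r\n\r\n")
```

Run `probe()` from a host that can reach the ICAP server; an empty list means the OPTIONS answer matches the planned profile.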
