Internet Content Adaptation Protocol (ICAP) is an application layer protocol that is used to offload tasks from the firewall to separate, specialized servers. For more information see RFC 3507.
ICAP profiles can only be applied to policies that use proxy-based inspection. If you enable ICAP in a policy, HTTP and HTTPS (if HTTPS inspection is supported) traffic that is intercepted by the policy is transferred to the ICAP server specified by the selected ICAP profile. Responses from the ICAP server are returned to the FortiGate, and then forwarded to their destination.
By default, ICAP is not visible in the GUI. See Feature visibility for instructions on making it visible.
ICAP filter profiles cannot be used in NGFW policy-based mode. See Profile-based NGFW vs policy-based NGFW for more information.
To configure ICAP:
- Set up your ICAP server.
- On the FortiGate, add an ICAP server.
- Create an ICAP profile.
- Use the ICAP profile in a firewall policy that covers the traffic that needs to be offloaded to the ICAP server.