ICAP response filtering

HTTP responses can be forwarded to the ICAP server or bypass it, based on the HTTP header value and status code.

When configuring the ICAP profile, if response is enabled, the respmod-default-action option can be configured:

  • If respmod-default-action is set to forward, FortiGate will process every HTTP response and send an ICAP request to the ICAP server for each one.
  • If respmod-default-action is set to bypass, FortiGate will only send ICAP requests if the HTTP response matches the defined rules, and the rule's action is set to forward.

When configuring a response rule:

  • The http-resp-status-code option is set to specific HTTP response codes. If the HTTP response has any one of the configured values, then the rule takes effect.
  • Multiple header value matching groups can be configured. If the header value matches one of the groups, then the rule takes effect.
  • If both status codes and header values are specified in a rule, the response must match at least one of each.

The UTM ICAP log category is used for logging actions when FortiGate encounters errors with the ICAP server, such as no service, unreachable, error response code, or timeout. If an error occurs, a traffic log and an associated UTM ICAP log will be created.


The FortiGate acts as a gateway for the client PC and connects to a reachable ICAP server. The ICAP server can be in NAT, transparent, or proxy mode.

In this example, HTTP responses to client requests will be forwarded to the ICAP server from all hosts if they have an HTTP status code of 200, 301, or 302, and have content-type: image/jpeg in their header.

To configure an ICAP profile with HTTP response rules:
config icap profile
    edit "icap_profile2"
        set request disable
        set response enable
        set streaming-content-bypass disable
        set preview disable
        set response-server "icap_server1"
        set response-failure error
        set response-path ''
        set methods delete get head options post put trace other
        set response-req-hdr disable
        set respmod-default-action bypass
        config respmod-forward-rules
            edit "rule2"
                set host "all"
                set action forward
                set http-resp-status-code 200 301 302
                config header-group
                    edit 2
                        set header-name "content-type"
                        set header "image/jpeg"
                    next
                end
            next
        end
    next
end

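
The forwarding decision described above, modelled in Python as an added example (not FortiOS code and not part of the original page), so you can check which responses a rule set leaves unscanned by the ICAP server. It assumes header values are compared as case-insensitive substrings and does not model the host setting; the class and function names are hypothetical.

```python
# Added illustration: a model of the RESPMOD forwarding decision described on
# this page. It is not FortiOS code; names below are hypothetical.
from dataclasses import dataclass, field

@dataclass
class HeaderGroup:
    name: str   # header-name
    value: str  # header; ASSUMPTION: case-insensitive substring match

@dataclass
class Rule:
    action: str                                       # "forward" or "bypass"
    status_codes: set = field(default_factory=set)    # http-resp-status-code
    header_groups: list = field(default_factory=list) # header-group entries

def rule_matches(rule, status, headers):
    """A criterion that is not configured is skipped; each configured
    criterion must match at least one of its values."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    if rule.status_codes and status not in rule.status_codes:
        return False
    if rule.header_groups and not any(
        g.value.lower() in hdrs.get(g.name.lower(), "")
        for g in rule.header_groups
    ):
        return False
    return True

def sent_to_icap(default_action, rules, status, headers):
    if default_action == "forward":
        return True  # every response is sent to the ICAP server
    # default bypass: only responses matching a rule whose action is forward
    return any(r.action == "forward" and rule_matches(r, status, headers)
               for r in rules)

# "rule2" from the configuration above
RULE2 = Rule("forward", {200, 301, 302},
             [HeaderGroup("content-type", "image/jpeg")])

SAMPLES = [  # constructed responses: (status code, headers)
    (200, {"Content-Type": "image/jpeg"}),
    (200, {"Content-Type": "text/html"}),
    (404, {"Content-Type": "image/jpeg"}),
    (302, {"Content-Type": "image/jpeg", "Location": "/a.jpg"}),
    (200, {}),
]

def evaluate(default_action="bypass"):
    return [sent_to_icap(default_action, [RULE2], s, h) for s, h in SAMPLES]

if __name__ == "__main__":
    for (s, h), sent in zip(SAMPLES, evaluate()):
        print(s, h.get("Content-Type"), "-> ICAP" if sent else "-> bypasses ICAP")
```

With respmod-default-action set to bypass, every response that no forward rule matches (the text/html, 404, and header-less samples here) reaches the client without being sent to the ICAP server.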
To view the logs if an error occurs:
  1. View the traffic log:
    # execute log filter category 0
    # execute log display
    1 logs found.
    1 logs returned.
     1: date=2019-10-25 time=17:43:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1572050627037314464 tz="-0700" srcip= srcport=47968 srcintf="port1" srcintfrole="undefined" dstip= dstport=80 dstintf="port2" dstintfrole="undefined" poluuid="a4d5324e-f6c3-51e9-ce2d-f360994fb547" sessionid=43549 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip= transport=47968 duration=1 sentbyte=485 rcvdbyte=398 sentpkt=6 rcvdpkt=5 appcat="unscanned" wanin=478 wanout=165 lanin=165 lanout=165 utmaction="block" counticap=1 crscore=5 craction=262144 crlevel="low" utmref=65532-0
  2. View the UTM ICAP log:
    # execute log filter category 20
    # execute log display
    1 logs found.
    1 logs returned.
     1: date=2019-10-25 time=17:43:46 logid="20