Fortinet black logo

New Features

ICAP scanning with SCP and FTP

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:633255
Download PDF

ICAP scanning with SCP and FTP

A FortiGate can forward files transferred by SCP and FTP to an ICAP server for further scanning. Previously, only HTTP and HTTPS were supported for ICAP forwarding.

Example

The FortiGate used in this example is operating in transparent mode. The SSH client, 172.16.200.11, sends a file named today to the SSH server at 172.16.200.33 using SCP. Since SCP transfers are encrypted inside an SSH tunnel, for the FortiGate to scan the traffic, deep inspection must be enabled in the SSL SSH profile.

To configure ICAP scanning with SCP:
  1. Configure the ICAP server settings:

    config icap server
        edit "icap_server1"
            set ip-address 172.16.200.44
        next
    end
  2. Configure the ICAP profile for SSH:

    config icap profile
        edit "icap_profile1"
            set file-transfer ssh
            set file-transfer-server "icap_server1"
            set file-transfer-path "ssh_test"
        next
    end
    Note

    If the file transfer is over FTP, configure the profile as follows:

    config icap profile
        edit "icap_profile1"
            set file-transfer ftp
            set streaming-content-bypass enable
            set file-transfer-server "icap_server1"
            set file-transfer-path "ftp_test"
        next
    end
  3. Configure the SSL SSH profile:

    config firewall ssl-ssh-profile
        edit "protocols"
            config ssh
                set ports 22
                set status deep-inspection
            end
        next
    end
  4. Configure the firewall policy:

    config firewall policy
        edit 1
            set name "ICAP"
            set srcintf "lan"
            set dstintf "mgmt"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set icap-profile "icap_profile1"
        next
    end
To test the configuration:
  1. On a Linux client, copy a filed named today to the SSH server using SCP:
    scp today fosqa@172.16.200.33:/home/fosqa/ssh_depot/
  2. Capture a sniffer trace between the FortiGate and ICAP server, then verify the output from the ICAP protocol session.
    1. The client request and the file to be inspected:
      Icap_client REQMOD:
      172.016.200.200.13185-172.016.200.044.01344: REQMOD icap://172.16.200.44:1344/ssh_test ICAP/1.0
      Host: 172.16.200.44:1344
      X-Client-IP: 172.16.200.11
      X-Server-IP: 172.16.200.33
      X-Authenticated-User: TG9jYWw6Ly9hbm9ueW1vdXM=
      X-Authenticated-Groups: TG9jYWw6Ly9sb2NhbGhvc3Qvbm8gYXV0aGVudGljYXRpb24=
      User-Agent: FortiOS v7.2.0
      Encapsulated: req-hdr=0, req-body=116
      
      PUT /scp/today HTTP/1.1
      Host: 172.16.200.11
      Content-Type: application/octet-stream
      Transfer-Encoding: chunked
      
      1d
      Tue Sep 20 04:01:50 UTC 2022

      Where:

      • X-Client-IP = the client sending the file
      • X-Server-IP = the server receiving the file
      • Tue Sep 20 04:01:50 UTC 2022 = the content of the file, which is in clear text after the FortiGate performs deep inspection
    2. The ICAP server response that the file is cleared and allowed to pass without modifications:
      Icap-server reply:
      172.016.200.044.01344-172.016.200.200.13185: ICAP/1.0 200 OK
      ISTag: "GreasySpoon-1.0.7-b03"
      Host: 0.0.0.0:1344
      Encapsulated: req-hdr=0, req-body=136
      Connection: keep-alive
      
      PUT /scp/today HTTP/1.1
      Host: 172.16.200.11
      Content-Type: application/octet-stream
      Transfer-Encoding: chunked
      Content-Length: 29
      
      1d
      Tue Sep 20 04:01:50 UTC 2022
  3. On a Linux client, copy the file from the server locally using SCP:
    scp fosqa@172.16.200.33:/home/fosqa/ssh_depot/today2/
  4. Similar outputs are observed. The ICAP client request indicates that the file is copied from the SSH server:
    PUT /scp/today2 HTTP/1.1
    Host: 172.16.200.33
    

ICAP scanning with SCP and FTP

A FortiGate can forward files transferred by SCP and FTP to an ICAP server for further scanning. Previously, only HTTP and HTTPS were supported for ICAP forwarding.

Example

The FortiGate used in this example is operating in transparent mode. The SSH client, 172.16.200.11, sends a file named today to the SSH server at 172.16.200.33 using SCP. Since SCP transfers are encrypted inside an SSH tunnel, for the FortiGate to scan the traffic, deep inspection must be enabled in the SSL SSH profile.

To configure ICAP scanning with SCP:
  1. Configure the ICAP server settings:

    config icap server
        edit "icap_server1"
            set ip-address 172.16.200.44
        next
    end
  2. Configure the ICAP profile for SSH:

    config icap profile
        edit "icap_profile1"
            set file-transfer ssh
            set file-transfer-server "icap_server1"
            set file-transfer-path "ssh_test"
        next
    end
    Note

    If the file transfer is over FTP, configure the profile as follows:

    config icap profile
        edit "icap_profile1"
            set file-transfer ftp
            set streaming-content-bypass enable
            set file-transfer-server "icap_server1"
            set file-transfer-path "ftp_test"
        next
    end
  3. Configure the SSL SSH profile:

    config firewall ssl-ssh-profile
        edit "protocols"
            config ssh
                set ports 22
                set status deep-inspection
            end
        next
    end
  4. Configure the firewall policy:

    config firewall policy
        edit 1
            set name "ICAP"
            set srcintf "lan"
            set dstintf "mgmt"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set icap-profile "icap_profile1"
        next
    end
To test the configuration:
  1. On a Linux client, copy a filed named today to the SSH server using SCP:
    scp today fosqa@172.16.200.33:/home/fosqa/ssh_depot/
  2. Capture a sniffer trace between the FortiGate and ICAP server, then verify the output from the ICAP protocol session.
    1. The client request and the file to be inspected:
      Icap_client REQMOD:
      172.016.200.200.13185-172.016.200.044.01344: REQMOD icap://172.16.200.44:1344/ssh_test ICAP/1.0
      Host: 172.16.200.44:1344
      X-Client-IP: 172.16.200.11
      X-Server-IP: 172.16.200.33
      X-Authenticated-User: TG9jYWw6Ly9hbm9ueW1vdXM=
      X-Authenticated-Groups: TG9jYWw6Ly9sb2NhbGhvc3Qvbm8gYXV0aGVudGljYXRpb24=
      User-Agent: FortiOS v7.2.0
      Encapsulated: req-hdr=0, req-body=116
      
      PUT /scp/today HTTP/1.1
      Host: 172.16.200.11
      Content-Type: application/octet-stream
      Transfer-Encoding: chunked
      
      1d
      Tue Sep 20 04:01:50 UTC 2022

      Where:

      • X-Client-IP = the client sending the file
      • X-Server-IP = the server receiving the file
      • Tue Sep 20 04:01:50 UTC 2022 = the content of the file, which is in clear text after the FortiGate performs deep inspection
    2. The ICAP server response that the file is cleared and allowed to pass without modifications:
      Icap-server reply:
      172.016.200.044.01344-172.016.200.200.13185: ICAP/1.0 200 OK
      ISTag: "GreasySpoon-1.0.7-b03"
      Host: 0.0.0.0:1344
      Encapsulated: req-hdr=0, req-body=136
      Connection: keep-alive
      
      PUT /scp/today HTTP/1.1
      Host: 172.16.200.11
      Content-Type: application/octet-stream
      Transfer-Encoding: chunked
      Content-Length: 29
      
      1d
      Tue Sep 20 04:01:50 UTC 2022
  3. On a Linux client, copy the file from the server locally using SCP:
    scp fosqa@172.16.200.33:/home/fosqa/ssh_depot/today2/
  4. Similar outputs are observed. The ICAP client request indicates that the file is copied from the SSH server:
    PUT /scp/today2 HTTP/1.1
    Host: 172.16.200.33