Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.4 Administration Guide
    7.6.4
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Selective forwarding to ICAP server

    Selective forwarding to ICAP server

    The ICAP profile can allow the selective forwarding of only image files, such as JPEG, JPG, and PNG, to an ICAP (Internet Content Adaptation Protocol) server for OCR (optical character recognition) scanning. When enabled, FortiGate forwards only image files that are relevant for OCR scanning to the ICAP server. This selective forwarding applies only to image files in HTTP responses; it does not apply to image files in HTTP requests. By reducing processing time and optimizing resource usage, this feature enhances overall system efficiency.

    config icap profile
    edit <name>
        set ocr-only {enable | disable}
    next
end

    Command

    Description

    ocr-only {enable | disable}

    Enable/disable only passing OCR scan requests of images files to ICAP server (default = disabled).

    When enabled, also enable response to allow FortiGate to forward images to the ICAP server.
    Note

    You cannot enable the ocr-only and streaming-content-bypass options in an ICAP profile at the same time. When ocr-only is enabled, the streaming-content-bypass option is removed from the CLI.

    The ocr-only feature applies only to HTTP. FTP and SCP are not supported. In addition, this feature applies only to HTTP downloads. HTTP uploads are not supported.

    Example

    In this example, FortiGate acts as the ICAP client, and FortiProxy acts as the ICAP server. An ICAP profile is configured on FortiGate with ocr-only enabled. An ICAP server is configured on FortiProxy with the icap-service configured to use an image-analyzer ICAP profile.

    When a client HTTP response includes an image that is of interest to OCR, FortiGate forwards only the image file to the ICAP server for OCR scanning, and the scan results determine whether the image is passed or blocked.

    When OCR scanning passes the image in the HTTP response, the image is displayed to the client, for example:

    When OCR scanning blocks the image in the HTTP response, an alert message is displayed instead of the image:

    Only configurations relevant to selective forwarding are described.

    To enable selective forwarding on the ICAP client:

    1. On FortiGate, enable ocr-only in the ICAP profile:

      In this example, ocr-only and response are enabled. Responses are enabled to allow FortiGate to forward images files to the ICAP server.

      config icap profile
    edit "ocr"
        set request enable
        set response enable
        set ocr-only enable
        set request-server "icap_server1"
        set response-server "icap_server1"
    next
end
    To enable image scanning on the ICAP server:

    1. On FortiProxy acting as an ICAP server, create an image-analyzer ICAP profile:

      In this example, an image-analyzer profile named default is created.

      config image-analyzer profile
    edit "default"
        set comment "Analyze image content"
        set alcohol-status allow
        set drugs-status allow
        set extremism-status allow
        set gambling-status allow
        set gore-status allow
        set porn-status allow
        set swim_underwear-status allow
        set weapons-status allow
        set log-option all
        set blocked-img-cache enable
        set rating-err-action block
        set optical-character-recognition enable
        set ocr-activation-threshold 100
    next
end

    2. On FortiProxy, configure the ICAP service to use the image-analyzer profile:

      The icap-service is configured to use the image-analyzer profile named default.

      config icap local-server
    edit 1
        set interface "port1"
        set incoming-ip 10.211.255.147
        set srcaddr "all"
        config icap-service
            edit 1
                set name "profile"
                set dlp-profile "default"
                set image-analyzer-profile "default"
            next
        end
    next
end
    Previous
    Next

    Selective forwarding to ICAP server

    Selective forwarding to ICAP server

    The ICAP profile can allow the selective forwarding of only image files, such as JPEG, JPG, and PNG, to an ICAP (Internet Content Adaptation Protocol) server for OCR (optical character recognition) scanning. When enabled, FortiGate forwards only image files that are relevant for OCR scanning to the ICAP server. This selective forwarding applies only to image files in HTTP responses; it does not apply to image files in HTTP requests. By reducing processing time and optimizing resource usage, this feature enhances overall system efficiency.

    config icap profile
    edit <name>
        set ocr-only {enable | disable}
    next
end

    Command

    Description

    ocr-only {enable | disable}

    Enable/disable only passing OCR scan requests of images files to ICAP server (default = disabled).

    When enabled, also enable response to allow FortiGate to forward images to the ICAP server.
    Note

    You cannot enable the ocr-only and streaming-content-bypass options in an ICAP profile at the same time. When ocr-only is enabled, the streaming-content-bypass option is removed from the CLI.

    The ocr-only feature applies only to HTTP. FTP and SCP are not supported. In addition, this feature applies only to HTTP downloads. HTTP uploads are not supported.

    Example

    In this example, FortiGate acts as the ICAP client, and FortiProxy acts as the ICAP server. An ICAP profile is configured on FortiGate with ocr-only enabled. An ICAP server is configured on FortiProxy with the icap-service configured to use an image-analyzer ICAP profile.

    When a client HTTP response includes an image that is of interest to OCR, FortiGate forwards only the image file to the ICAP server for OCR scanning, and the scan results determine whether the image is passed or blocked.

    When OCR scanning passes the image in the HTTP response, the image is displayed to the client, for example:

    When OCR scanning blocks the image in the HTTP response, an alert message is displayed instead of the image:

    Only configurations relevant to selective forwarding are described.

    To enable selective forwarding on the ICAP client:

    1. On FortiGate, enable ocr-only in the ICAP profile:

      In this example, ocr-only and response are enabled. Responses are enabled to allow FortiGate to forward images files to the ICAP server.

      config icap profile
    edit "ocr"
        set request enable
        set response enable
        set ocr-only enable
        set request-server "icap_server1"
        set response-server "icap_server1"
    next
end
    To enable image scanning on the ICAP server:

    1. On FortiProxy acting as an ICAP server, create an image-analyzer ICAP profile:

      In this example, an image-analyzer profile named default is created.

      config image-analyzer profile
    edit "default"
        set comment "Analyze image content"
        set alcohol-status allow
        set drugs-status allow
        set extremism-status allow
        set gambling-status allow
        set gore-status allow
        set porn-status allow
        set swim_underwear-status allow
        set weapons-status allow
        set log-option all
        set blocked-img-cache enable
        set rating-err-action block
        set optical-character-recognition enable
        set ocr-activation-threshold 100
    next
end

    2. On FortiProxy, configure the ICAP service to use the image-analyzer profile:

      The icap-service is configured to use the image-analyzer profile named default.

      config icap local-server
    edit 1
        set interface "port1"
        set incoming-ip 10.211.255.147
        set srcaddr "all"
        config icap-service
            edit 1
                set name "profile"
                set dlp-profile "default"
                set image-analyzer-profile "default"
            next
        end
    next
end
    Previous
    Next