Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.0.0 Administration Guide
    7.0.0
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Create or edit an ICAP profile

    Create or edit an ICAP profile

    Select Create New to open the New ICAP Profile window.

    To open the Edit ICAP Profile window, select an ICAP profile and then click Edit.

    Configure the following settings in the New ICAP Profile window or Edit ICAP Profile window and then click OK:

    Name

    Specify a name for the ICAP profile. After you create an ICAP profile, you cannot change the name.

    Request Processing

    Enable or disable request processing.

    When enabled, you can further configure the following options:

    • Server—Select an existing server from the list or create a new server.

    • Path—Path to the processing component on the server, such as /proprietary_code/content-filter/.

    • Method—Allowed HTTP methods that will be sent to ICAP server for further processing. Click the Add button to add more methods to the list. Click the Delete button on the right of a method to delete it from the list.

    • On failure—Action to take if the ICAP server cannot be contacted when processing an HTTP request.

      • Error—HTTP or FTP traffic reports an error and is blocked when the ICAP server is down.

      • Bypass—HTTP or FTP traffic can still pass through when the ICAP server is down.

    Response Processing

    Enable or disable response processing.

    When enabled, you can further configure the following options:

    • Server—Select an existing server from the list or create a new server.

    • Path—Path to the processing component on the server, such as /proprietary_code/content-filter/.

    • On failure—Action to take if the ICAP server cannot be contacted when processing an HTTP response.

      • Error—HTTP or FTP traffic reports an error and is blocked when the ICAP server is down.

      • Bypass—HTTP or FTP traffic can still pass through when the ICAP server is down.

    Streaming Media Bypass

    Specify whether to bypass offloading of streaming media to the ICAP server. When enabled, streaming media is not offloaded to the ICAP server.

    Preview

    Enable preview of data to the ICAP server.

    When enabled, you can further configure the Preview Data Length, which is the preview data length to be sent to the ICAP server.

    Allow 204 Response

    Specify whether to allow 204 response.

    When enabled, you can further configure the 204 Size Limit.

    Scan Size Limit 7.0.10

    Specify the ICAP server scan size limit for a single request within the range of 0-4096 (MB). The default is 0 MB, which means unlimited.

    Protocol

    Select the FTP protocol: FTP or SSH. You can select both.

    When a protocol is enabled, you can further configure the following options:

    • Server—Select an existing server from the list or create a new server.

    • On failure—Action to take if the FTP server cannot be contacted when processing an FTP request.

      • Error—FTP traffic reports an error and is blocked when the FTP server is down.

      • Bypass—FTP traffic can still pass through when the FTP server is down.

    • Path—Path to the processing component on the server, such as /proprietary_code/content-filter/.

    Headers

    View existing ICAP headers or create a new ICAP header using the Create New button.

    When creating a new ICAP header, specify the following options in the Create Header window:

    • Name—Name of the HTTP forwarded header.

    • Header Content—HTTP header content.

    • Base64 Encoding—Enable or disable base64 encoding of HTTP content.

    TCP connection pool for connections to ICAP server

    A TCP connection pool can maintain local-out TCP connections to the external ICAP server due to a backend update in the FortiProxy unit. TCP connections will not be terminated once data has been exchanged with the ICAP server, but instead are reused in the next ICAP session to maximize efficiency.

    Use case

    In this scenario, an ICAP profile is used as a UTM profile in an explicit web proxy policy, and a client visits web servers through this proxy policy.

    After the WAD is initialized, when a HTTP request is sent from the client to the server through the FortiProxy unit with an ICAP profile applied to the matched proxy policy, a TCP connection is established between the FortiProxy unit and the ICAP server to exchange data.

    When an ICAP session is finished, the TCP connection is kept in the WAD connection pool. When another ICAP session needs to be established, the WAD will check if there are any idle connections available in the connection pool. If an idle connection is available, it will be reused; otherwise, a new TCP connection is established for the ICAP session. This process can be checked in the WAD debug log.

    ICAP server response extension headers

    ICAP server responses can be configured to include X-Virus-ID, X-Infection-Found, and X-Violation-Found extension headers.

    config icap local-server
    edit 1
        config icap-service
            edit 1
                set extension-headers {X-Virus-id X-Infection-Found X-Violation-Found}
            next
        end
    next
end

    X-Virus-id

    Enable X-Virus-ID ICAP extension header.

    X-Infection-Found

    Enable X-Infection-Found ICAP extension header.

    X-Violation-Found

    Enable X-Violation-Found ICAP extension header.

    X-Scan-Progress-Interval header in the FortiProxy ICAP client

    You can specify that the X-Scan-Progress-Interval header is used in the FortiProxy ICAP client and specify the scan progress interval value:

    config icap profile
    edit <profile_name>
        set response {enable | disable}
        set response-server <name_of_ICAP_server>
        set response-path <HTTP_response_processing_service>
        set extension-feature scan-progress
        set scan-progress-interval <5-30 seconds (default = 10)>
    next
end

    Timeout configuration for the FortiProxy ICAP client

    You can configure the number of seconds that the ICAP client waits for a response from the ICAP server:

    config icap profile
    edit <profile_name>
        set timeout <30-3600 seconds (default = 30)>
    next
end
    Previous
    Next

    Create or edit an ICAP profile

    Create or edit an ICAP profile

    Select Create New to open the New ICAP Profile window.

    To open the Edit ICAP Profile window, select an ICAP profile and then click Edit.

    Configure the following settings in the New ICAP Profile window or Edit ICAP Profile window and then click OK:

    Name

    Specify a name for the ICAP profile. After you create an ICAP profile, you cannot change the name.

    Request Processing

    Enable or disable request processing.

    When enabled, you can further configure the following options:

    • Server—Select an existing server from the list or create a new server.

    • Path—Path to the processing component on the server, such as /proprietary_code/content-filter/.

    • Method—Allowed HTTP methods that will be sent to ICAP server for further processing. Click the Add button to add more methods to the list. Click the Delete button on the right of a method to delete it from the list.

    • On failure—Action to take if the ICAP server cannot be contacted when processing an HTTP request.

      • Error—HTTP or FTP traffic reports an error and is blocked when the ICAP server is down.

      • Bypass—HTTP or FTP traffic can still pass through when the ICAP server is down.

    Response Processing

    Enable or disable response processing.

    When enabled, you can further configure the following options:

    • Server—Select an existing server from the list or create a new server.

    • Path—Path to the processing component on the server, such as /proprietary_code/content-filter/.

    • On failure—Action to take if the ICAP server cannot be contacted when processing an HTTP response.

      • Error—HTTP or FTP traffic reports an error and is blocked when the ICAP server is down.

      • Bypass—HTTP or FTP traffic can still pass through when the ICAP server is down.

    Streaming Media Bypass

    Specify whether to bypass offloading of streaming media to the ICAP server. When enabled, streaming media is not offloaded to the ICAP server.

    Preview

    Enable preview of data to the ICAP server.

    When enabled, you can further configure the Preview Data Length, which is the preview data length to be sent to the ICAP server.

    Allow 204 Response

    Specify whether to allow 204 response.

    When enabled, you can further configure the 204 Size Limit.

    Scan Size Limit 7.0.10

    Specify the ICAP server scan size limit for a single request within the range of 0-4096 (MB). The default is 0 MB, which means unlimited.

    Protocol

    Select the FTP protocol: FTP or SSH. You can select both.

    When a protocol is enabled, you can further configure the following options:

    • Server—Select an existing server from the list or create a new server.

    • On failure—Action to take if the FTP server cannot be contacted when processing an FTP request.

      • Error—FTP traffic reports an error and is blocked when the FTP server is down.

      • Bypass—FTP traffic can still pass through when the FTP server is down.

    • Path—Path to the processing component on the server, such as /proprietary_code/content-filter/.

    Headers

    View existing ICAP headers or create a new ICAP header using the Create New button.

    When creating a new ICAP header, specify the following options in the Create Header window:

    • Name—Name of the HTTP forwarded header.

    • Header Content—HTTP header content.

    • Base64 Encoding—Enable or disable base64 encoding of HTTP content.

    TCP connection pool for connections to ICAP server

    A TCP connection pool can maintain local-out TCP connections to the external ICAP server due to a backend update in the FortiProxy unit. TCP connections will not be terminated once data has been exchanged with the ICAP server, but instead are reused in the next ICAP session to maximize efficiency.

    Use case

    In this scenario, an ICAP profile is used as a UTM profile in an explicit web proxy policy, and a client visits web servers through this proxy policy.

    After the WAD is initialized, when a HTTP request is sent from the client to the server through the FortiProxy unit with an ICAP profile applied to the matched proxy policy, a TCP connection is established between the FortiProxy unit and the ICAP server to exchange data.

    When an ICAP session is finished, the TCP connection is kept in the WAD connection pool. When another ICAP session needs to be established, the WAD will check if there are any idle connections available in the connection pool. If an idle connection is available, it will be reused; otherwise, a new TCP connection is established for the ICAP session. This process can be checked in the WAD debug log.

    ICAP server response extension headers

    ICAP server responses can be configured to include X-Virus-ID, X-Infection-Found, and X-Violation-Found extension headers.

    config icap local-server
    edit 1
        config icap-service
            edit 1
                set extension-headers {X-Virus-id X-Infection-Found X-Violation-Found}
            next
        end
    next
end

    X-Virus-id

    Enable X-Virus-ID ICAP extension header.

    X-Infection-Found

    Enable X-Infection-Found ICAP extension header.

    X-Violation-Found

    Enable X-Violation-Found ICAP extension header.

    X-Scan-Progress-Interval header in the FortiProxy ICAP client

    You can specify that the X-Scan-Progress-Interval header is used in the FortiProxy ICAP client and specify the scan progress interval value:

    config icap profile
    edit <profile_name>
        set response {enable | disable}
        set response-server <name_of_ICAP_server>
        set response-path <HTTP_response_processing_service>
        set extension-feature scan-progress
        set scan-progress-interval <5-30 seconds (default = 10)>
    next
end

    Timeout configuration for the FortiProxy ICAP client

    You can configure the number of seconds that the ICAP client waits for a response from the ICAP server:

    config icap profile
    edit <profile_name>
        set timeout <30-3600 seconds (default = 30)>
    next
end
    Previous
    Next