Fortinet Document Library

Administration Guide

Configure ICAP Client

FortiSandbox can work as an ICAP server with any ProxySG that supports ICAP.

When the ICAP client sends an HTTP request (REQMOD) to FortiSandbox, FortiSandbox extracts the URL and checks whether a verdict is available. If the verdict is not a user-selected blocking rating, or no verdict is available, a 200 return code is sent back to the client so the request can proceed on the client side. If the verdict is a user-selected blocking rating, a 403 return code is sent back to the client along with a block page. If no verdict is available, the URL is also put into the Job Queue for a scan, and the URL scan flow applies.

When the ICAP client sends an HTTP response (RESPMOD) to FortiSandbox, FortiSandbox extracts the file from it and checks whether a verdict is available. If the verdict is not a user-selected blocking rating, a 200 return code is sent back to the client so the response can be delivered to the endpoint host. If the verdict is a user-selected blocking rating, a 403 return code is sent back to the client along with a block page. If the user has enabled Realtime AV Scan, the file is scanned by the AV Scanner first; if the file is a known virus, a 403 return code is sent back to the client along with a block page. If no verdict is available, the file is put into the Job Queue for a scan, and the file scan flow applies.

When the ICAP client sends a preview request, FortiSandbox returns a 204 return code, which means preview is not supported.
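As an added example (not Fortinet's or Squid's code), the following emulates the REQMOD decision flow described above against a constructed verdict table, so a proxy integration can be exercised offline before pointing it at a real FortiSandbox. The verdict names, the SCAN_QUEUE list, the ICAP port 1344 and all function names are assumptions.

```python
SCAN_QUEUE = []                      # URLs with no verdict go to the Job Queue (URL scan flow)
BLOCK_RATINGS = {"Malicious"}        # constructed "user selected blocking ratings"
VERDICTS = {                         # constructed verdict cache, URL -> rating
    "http://bad.example/drop.exe": "Malicious",
    "http://ok.example/": "Clean",
}

def parse_icap(raw: bytes):
    """Split an ICAP message into (request line, lower-cased header dict, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, encapsulated

def extract_url(encapsulated: bytes) -> str:
    """Rebuild the absolute URL from the encapsulated HTTP request headers."""
    req_lines = encapsulated.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    _, target, _ = req_lines[0].split(" ", 2)
    if target.startswith(("http://", "https://")):   # absolute-form target, as a proxy sends it
        return target
    host = next((l.split(":", 1)[1].strip() for l in req_lines[1:]
                 if l.lower().startswith("host:")), "")
    return f"http://{host}{target}"                  # origin-form target: join with Host header

def reqmod_decision(raw: bytes):
    """Return (ICAP status, verdict): Preview -> 204 (unsupported); blocking rating -> 403;
    otherwise 200. A URL with no verdict is also queued for a scan."""
    _, headers, encapsulated = parse_icap(raw)
    if "preview" in headers:
        return 204, None
    url = extract_url(encapsulated)
    verdict = VERDICTS.get(url)
    if verdict in BLOCK_RATINGS:
        return 403, verdict
    if verdict is None:
        SCAN_QUEUE.append(url)
    return 200, verdict

def icap_request(url: str, preview: bool = False) -> bytes:
    """Build a constructed Squid-style REQMOD request; 1344 is the assumed ICAP port."""
    http = f"GET {url} HTTP/1.1\r\nHost: {url.split('/')[2]}\r\n\r\n".encode()
    head = ("REQMOD icap://fortisandbox_ip:1344/reqmod ICAP/1.0\r\n"
            "Host: fortisandbox_ip\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http)}\r\n")
    if preview:
        head += "Preview: 0\r\n"
    return head.encode() + b"\r\n" + http
```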

The following is an example ICAP configuration for a Squid 4.x proxy server; add it to the end of the squid.conf file:

# no caching, so every response is fetched and passes through FortiSandbox
cache deny all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
# FortiSandbox answers preview requests with 204 (not supported), so leave preview off
icap_preview_enable off
icap_persistent_connections off
# REQMOD service (URL check); bypass=0 means Squid fails closed if FortiSandbox is unreachable
icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off
adaptation_access svcBlocker1 allow all
# RESPMOD service (file check on the response)
icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off
adaptation_access svcLogger1 allow all
### add the following lines to support ssl ###
# bypass=1 means Squid fails open (traffic passes unscanned) if the ICAPS service is down,
# and tls-flags=DONT_VERIFY_PEER skips verification of the FortiSandbox certificate
#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcBlocker2 allow all
#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcLogger2 allow all