
Administration Guide

Configure ICAP adapter

FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that support ICAP. The ProxySG serves as an ICAP client to FortiSandbox. To configure an ICAP adapter, first use the CLI of the proxy to configure the client, and then use the FortiSandbox GUI to configure the server.

Request and response

When an ICAP client sends an HTTP request to FortiSandbox (REQMOD), FortiSandbox extracts the URL and checks whether a verdict is available.

  • If the verdict is not a user selected blocking rating, or no verdict is available, a 200 return code is sent back to the client so the request can proceed on the client side. The request is not held while a scan runs.

  • If the verdict is a user selected blocking rating, a 403 return code along with a block page is sent back to the client.

  • If no verdict is available, the URL is also put into the Job Queue for a scan. The URL scan flow applies.

When an ICAP client sends an HTTP response to FortiSandbox (RESPMOD), FortiSandbox extracts the file from it and checks whether a verdict is available.

  • If the verdict is not a user selected blocking rating, a 200 return code is sent back to the client so the response can be delivered to the endpoint host.

  • If the verdict is a user selected blocking rating, a 403 return code along with a block page is sent back to the client.

  • If Realtime AV Scan is enabled, the file is first scanned by the AV Scanner. If the file is a known virus, a 403 return code along with a block page is sent back to the client.

  • If no verdict is available, the file is put into the Job Queue for a scan. The file scan flow applies.

When an ICAP client sends a preview request, FortiSandbox returns a 204 return code; preview is not supported, so the client should be configured not to send one (see icap_preview_enable off in the Squid configuration below).

Note

The ICAP client only supports PUT, POST and GET methods.
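The REQMOD and RESPMOD exchange described above, as an added example in Python that is not FortiSandbox or Squid code. It frames the two ICAP requests per RFC 3507 (the Encapsulated byte offsets are where hand-built ICAP clients usually go wrong) and maps the reply to the allow or block decision the proxy has to make. Assumptions: the hostnames, URL and file bytes are placeholders; the X-Client-IP header is the one Squid adds when icap_send_client_ip is on; the sample replies are constructed, not captured; and because the page does not say whether the 403 is the ICAP status or the status of the encapsulated HTTP block page, the classifier accepts either.

```python
# Added example, not code from FortiSandbox or Squid: builds the REQMOD and
# RESPMOD messages an ICAP client sends to the adapter (RFC 3507 framing) and
# maps the reply to the proxy action described above.
import re
import socket
import ssl
from urllib.parse import urlsplit

CRLF = b"\r\n"
ICAP_PORT = 1344     # FortiSandbox default ICAP port
ICAPS_PORT = 11344   # FortiSandbox default SSL ICAP port


def _block(lines):
    """Join header lines into a CRLF-terminated header block."""
    return CRLF.join(lines) + CRLF + CRLF


def _chunked(body):
    """Encapsulated bodies are chunked (RFC 3507 section 4.5); one chunk here."""
    return (b"%x" % len(body)) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def _http_request(url):
    """The client's original HTTP request headers (what REQMOD encapsulates)."""
    return _block([b"GET " + url.encode() + b" HTTP/1.1",
                   b"Host: " + urlsplit(url).netloc.encode()])


def _icap_message(method, host, port, encapsulated, extra=()):
    """ICAP request line, Host, optional client headers, Encapsulated."""
    return _block([b"%s icap://%s:%d/%s ICAP/1.0" % (method, host.encode(), port, method.lower()),
                   b"Host: " + host.encode(),
                   b"Connection: close",      # same effect as icap_persistent_connections off
                   *extra,
                   b"Encapsulated: " + encapsulated])


def build_reqmod(host, port, url, client_ip=None):
    """REQMOD: headers only, so the encapsulated section ends with null-body."""
    req = _http_request(url)
    # Assumption: X-Client-IP is the header Squid adds with icap_send_client_ip on.
    extra = [b"X-Client-IP: " + client_ip.encode()] if client_ip else []
    enc = b"req-hdr=0, null-body=%d" % len(req)
    return _icap_message(b"REQMOD", host, port, enc, extra) + req


def build_respmod(host, port, url, body, content_type=b"application/octet-stream"):
    """RESPMOD: the origin response carrying the file FortiSandbox extracts."""
    req = _http_request(url)
    res = _block([b"HTTP/1.1 200 OK",
                  b"Content-Type: " + content_type,
                  b"Content-Length: %d" % len(body)])
    # Offsets are byte positions from the start of the encapsulated section.
    enc = b"req-hdr=0, res-hdr=%d, res-body=%d" % (len(req), len(req) + len(res))
    return _icap_message(b"RESPMOD", host, port, enc) + req + res + _chunked(body)


def classify_reply(reply):
    """Return (icap_status, encapsulated_http_status_or_None, action).

    Assumption: the 403 the page describes may be the ICAP status itself or the
    status of an encapsulated HTTP block page; either is treated as a block."""
    head, _, rest = reply.partition(CRLF + CRLF)
    m = re.match(rb"ICAP/1\.0 (\d{3})", head)
    if not m:
        raise ValueError("not an ICAP reply")
    icap_status = int(m.group(1))
    m = re.match(rb"HTTP/1\.[01] (\d{3})", rest)   # present only when res-hdr is encapsulated
    http_status = int(m.group(1)) if m else None
    if icap_status == 403 or http_status == 403:
        action = "block"    # deliver the block page instead of the content
    elif icap_status in (200, 204):
        action = "allow"    # forward unchanged: verdict clean, or URL/file queued for scan
    else:
        action = "error"    # other 4xx/5xx: Squid's bypass= setting decides what happens
    return icap_status, http_status, action


def send_icap(host, port, message, tls=False, cafile=None, timeout=10):
    """Send one ICAP message and read the whole reply (we asked for Connection: close).

    With tls=True the FortiSandbox certificate is verified against cafile (an
    assumed path to the issuing CA), the verified alternative to DONT_VERIFY_PEER."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(message)
        parts = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            parts.append(data)
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed replies standing in for FortiSandbox (not captured traffic).
    clean = b"ICAP/1.0 204 No Content\r\n\r\n"
    blocked = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=51\r\n\r\n"
               b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
               b"7\r\nblocked\r\n0\r\n\r\n")
    for name, r in (("clean", clean), ("blocked", blocked)):
        print(name, classify_reply(r))
    print(build_reqmod("fortisandbox.example", ICAP_PORT, "http://files.example/setup.exe",
                       client_ip="10.0.0.5").decode())
```

Run it directly to print the framed REQMOD message and the classification of the two constructed replies. send_icap() talks to a real listener (port 1344, or 11344 with tls=True and the CA file), which is also a quick way to confirm that the adapter is listening on the interface you configured before pointing the proxy at it.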

To configure the ICAP client:

The following configuration is for Squid 4.x to reach FortiSandbox. Add it to the end of the squid.conf file. Replace fortisandbox_ip with the IP address of the FortiSandbox interface the ICAP server listens on, and port_number and ssl_port_number with the Port and SSL port configured on the adapter (defaults 1344 and 11344).

# Disable caching so every response goes to the RESPMOD service instead of being served from cache
cache deny all
icap_enable on
# Send the client IP and username to FortiSandbox; the username is carried in X-Authenticated-User
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
# FortiSandbox does not support ICAP preview (it answers 204), so do not send one
icap_preview_enable off
icap_persistent_connections off
# REQMOD service: URL verdict check. bypass=0 fails closed: if FortiSandbox is unreachable, Squid returns an error instead of passing the request
icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off
adaptation_access svcBlocker1 allow all
# RESPMOD service: file verdict check
icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off
adaptation_access svcLogger1 allow all

### add the following lines to support ssl ###
# Caution: bypass=1 fails open (traffic passes uninspected while FortiSandbox is down) and tls-flags=DONT_VERIFY_PEER disables verification of the FortiSandbox certificate, so as written these lines protect only against passive eavesdropping. Use bypass=0 and verify the certificate in production.
#icap_service svcBlocker2 reqmod_precache icaps://fortisandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcBlocker2 allow all
#icap_service svcLogger2 respmod_precache icaps://fortisandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcLogger2 allow all
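The ICAPS services with certificate verification and fail-closed behaviour, as an added example that is not part of Fortinet's or Squid's documentation. It uses the Squid 4 icap_service option tls-cafile= in place of tls-flags=DONT_VERIFY_PEER, and bypass=0 so that an unreachable sandbox blocks traffic rather than passing it uninspected. /etc/squid/fortisandbox-ca.pem is an assumed path to the CA certificate that issued the FortiSandbox ICAP server certificate, and 11344 is the adapter's default SSL port; the certificate must match the host named in the icaps:// URL.

```conf
# Added example (not Fortinet or Squid documentation): verified ICAPS, fail-closed.
# /etc/squid/fortisandbox-ca.pem is an assumed path to the CA that issued the
# FortiSandbox certificate; fortisandbox_ip is the adapter's listening interface.
icap_service svcBlocker2 reqmod_precache icaps://fortisandbox_ip:11344/reqmod bypass=0 ipv6=off tls-cafile=/etc/squid/fortisandbox-ca.pem
adaptation_access svcBlocker2 allow all
icap_service svcLogger2 respmod_precache icaps://fortisandbox_ip:11344/respmod bypass=0 routing=on ipv6=off tls-cafile=/etc/squid/fortisandbox-ca.pem
adaptation_access svcLogger2 allow all
```

Use these in place of svcBlocker1 and svcLogger1 rather than alongside them: Squid sends a transaction to the first adaptation_access service that matches at each vectoring point, so leaving the plain icap:// services listed first means the ICAPS ones are never used.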

To configure FortiSandbox as an ICAP server:
  1. In the FortiSandbox GUI, go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Enable the ICAP adapter.
  4. Under Connection, configure the following settings, and then click Apply.
    Port: The port the ICAP server listens on. Default is 1344. This is the port_number used in the icap:// service URLs on the proxy.
    Interface: The interface the ICAP server listens on. For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).
    SSL support: Enable to allow SSL traffic (icaps:// from the proxy).
    SSL port: The port the ICAP server listens on for SSL traffic. Default is 11344. This is the ssl_port_number used in the icaps:// service URLs on the proxy.
    Receive URL: Enable to allow the ICAP server to receive URLs (REQMOD), and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.
    Receive File: Enable to allow the ICAP server to receive files (RESPMOD), and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.
    Realtime AV Scan: Enable to allow real-time file scanning. Files that the AV Scanner identifies as a known virus are blocked with a 403 and a block page without waiting for a sandbox verdict.