Configure ICAP adapter
FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.
To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.
Request and response
When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.
-
If the verdict is not a user selected blocking rating or is not available, a 200 return code is sent back to client so the request can move on the client side.
-
If the verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.
-
If Realtime Web Filtering is enabled, the URL will be scanned in real time by Web Filter. If the rating is a defined block rating, a 403 return code along with a blocked page is sent back to the client.
-
If no verdict is available, the URL will be put into the Job Queue for a scan. URL scan flow will apply.
When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.
-
If a verdict is not a user selected blocking rating, a 200 return code is sent back to the client so the response can be delivered to the endpoint host.
-
If a verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.
-
If Realtime Scan is enabled, the file will be scanned by the defined scan type(s) (AV Scan, Static Scan, or Cloud Query). If the file is a known virus, a 403 return code along with a blocked page is sent back to the client.
-
If no verdict is available, these files will be put into the Job Queue for a scan. File scan flow will apply.
When ICAP client sends a preview request, FortiSandbox returns a 204 return code, which means it is not supported.
The ICAP client only supports POST, GET and PUT methods. |
To configure ICAP client:
The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf
file.
cache deny all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable off
icap_persistent_connections off
icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off
adaptation_access svcBlocker1 allow all
icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off
adaptation_access svcLogger1 allow all
### add the following lines to support ssl ###
#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcBlocker2 allow all
#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcLogger2 allow all
To configure FortiSandbox as an ICAP server:
- Go to Security Fabric > Adapter.
- Select the ICAP adapter and click Edit.
- Enable the ICAP adapter.
- Under Connection, configure the following settings, and then click Apply.
Port The port the ICAP server listens on. Default is 1344. Interface The interface the ICAP server listens on.
For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).
SSL support Enable to allow SSL traffic.
SSL port The port the ICAP server listens on for SSL traffic. Default is 11344.
ICAP profiles
FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.
- You can edit but not delete the Default profile that is built-in to FortiSandbox.
- Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
- If a client does not match a user-defined profile the Default profile is applied.
To create an ICAP profile:
- Go to Security Fabric > Adapter.
- Select the ICAP adapter and click Edit.
- Under ICAP Profiles, click Create New. The Create New pane opens.
- Configure the profile and click Apply.