Fortinet black logo

Administration Guide

Configure ICAP adapter

Copy Link
Copy Doc ID 4f5a6250-a945-11ec-9fd1-fa163e15d75b:939729
Download PDF

Configure ICAP adapter

FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.

To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.

Request and response

When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.

  • If the verdict is not a user selected blocking rating or is not available, a 200 return code is sent back to client so the request can move on the client side.

  • If the verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.

  • If Realtime Web Filtering is enabled, the URL will be scanned in real time by Web Filter. If the rating is a defined block rating, a 403 return code along with a blocked page is sent back to the client.

  • If no verdict is available, the URL will be put into the Job Queue for a scan. URL scan flow will apply.

When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.

  • If a verdict is not a user selected blocking rating, a 200 return code is sent back to the client so the response can be delivered to the endpoint host.

  • If a verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.

  • If Realtime Scan is enabled, the file will be scanned by the defined scan type(s) (AV Scan, Static Scan, or Cloud Query). If the file is a known virus, a 403 return code along with a blocked page is sent back to the client.

  • If no verdict is available, these files will be put into the Job Queue for a scan. File scan flow will apply.

When ICAP client sends a preview request, FortiSandbox returns a 204 return code, which means it is not supported.

Note

The ICAP client only supports POST, GET and PUT methods.

To configure ICAP client:

The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf file.

cache deny all

icap_enable on

icap_send_client_ip on

icap_send_client_username on

icap_client_username_header X-Authenticated-User

icap_preview_enable off

icap_persistent_connections off

icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off

adaptation_access svcBlocker1 allow all

icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off

adaptation_access svcLogger1 allow all

### add the following lines to support ssl ###

#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcBlocker2 allow all

#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcLogger2 allow all

To configure FortiSandbox as an ICAP server:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Enable the ICAP adapter.
  4. Under Connection, configure the following settings, and then click Apply.
    PortThe port the ICAP server listens on. Default is 1344.
    Interface

    The interface the ICAP server listens on.

    For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).

    SSL support

    Enable to allow SSL traffic.

    SSL portThe port the ICAP server listens on for SSL traffic. Default is 11344.

ICAP profiles

FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.

  • You can edit but not delete the Default profile that is built-in to FortiSandbox.
  • Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
  • If a client does not match a user-defined profile the Default profile is applied.

To create an ICAP profile:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Under ICAP Profiles, click Create New. The Create New pane opens.
  4. Configure the profile and click Apply.

    Profile NameEnter a name for the profile.
    Client IP AddressEnter the client IP address. Separate multiple IPs with a comma.
    Methods
    Receive URL

    Enable to allow the ICAP server to receive URLs, and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.

    Realtime Web Filtering

    Enable to allow real-time URL web filtering.

    Receive File

    Enable to allow the ICAP server to receive files, and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.

    Realtime Scan

    Enable to allow real-time file scanning, including AV Scan, Static Scan and Cloud Query. You can enable multiple options.

Configure ICAP adapter

FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.

To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.

Request and response

When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.

  • If the verdict is not a user selected blocking rating or is not available, a 200 return code is sent back to client so the request can move on the client side.

  • If the verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.

  • If Realtime Web Filtering is enabled, the URL will be scanned in real time by Web Filter. If the rating is a defined block rating, a 403 return code along with a blocked page is sent back to the client.

  • If no verdict is available, the URL will be put into the Job Queue for a scan. URL scan flow will apply.

When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.

  • If a verdict is not a user selected blocking rating, a 200 return code is sent back to the client so the response can be delivered to the endpoint host.

  • If a verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.

  • If Realtime Scan is enabled, the file will be scanned by the defined scan type(s) (AV Scan, Static Scan, or Cloud Query). If the file is a known virus, a 403 return code along with a blocked page is sent back to the client.

  • If no verdict is available, these files will be put into the Job Queue for a scan. File scan flow will apply.

When ICAP client sends a preview request, FortiSandbox returns a 204 return code, which means it is not supported.

Note

The ICAP client only supports POST, GET and PUT methods.

To configure ICAP client:

The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf file.

cache deny all

icap_enable on

icap_send_client_ip on

icap_send_client_username on

icap_client_username_header X-Authenticated-User

icap_preview_enable off

icap_persistent_connections off

icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off

adaptation_access svcBlocker1 allow all

icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off

adaptation_access svcLogger1 allow all

### add the following lines to support ssl ###

#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcBlocker2 allow all

#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcLogger2 allow all

To configure FortiSandbox as an ICAP server:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Enable the ICAP adapter.
  4. Under Connection, configure the following settings, and then click Apply.
    PortThe port the ICAP server listens on. Default is 1344.
    Interface

    The interface the ICAP server listens on.

    For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).

    SSL support

    Enable to allow SSL traffic.

    SSL portThe port the ICAP server listens on for SSL traffic. Default is 11344.

ICAP profiles

FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.

  • You can edit but not delete the Default profile that is built-in to FortiSandbox.
  • Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
  • If a client does not match a user-defined profile the Default profile is applied.

To create an ICAP profile:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Under ICAP Profiles, click Create New. The Create New pane opens.
  4. Configure the profile and click Apply.

    Profile NameEnter a name for the profile.
    Client IP AddressEnter the client IP address. Separate multiple IPs with a comma.
    Methods
    Receive URL

    Enable to allow the ICAP server to receive URLs, and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.

    Realtime Web Filtering

    Enable to allow real-time URL web filtering.

    Receive File

    Enable to allow the ICAP server to receive files, and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.

    Realtime Scan

    Enable to allow real-time file scanning, including AV Scan, Static Scan and Cloud Query. You can enable multiple options.