Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 4.4.2 Administration Guide
    4.4.2
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    ICAP adapter

    ICAP adapter

    FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.

    To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.

    Request and response

    Note

    The ICAP server only supports POST, GET and PUT methods. In REQMOD the ICAP server supports multipart/form-data and application/octet-stream formats. In RESPMOD, the Content-Length header should be included in the HTTP headers.

    Note

    If no verdict is available, the URL or files will be put into the Job Queue for a scan. URL scan flow will apply.

    When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.

    Status Code

    Meaning
    200

    • Verdict is not a user selected blocking rating or is not available.

    403

    • Verdict is user selected blocking rating.

    • If Realtime Web Filtering is enabled, the URL will be scanned in real time by Web Filter.

    When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.

    Status Code

    Meaning

    200

    • Verdict is not a user selected blocking rating or is not available.

    403

    • Verdict is user selected blocking rating.

    • If Realtime Scan is enabled, the file will be scanned by the defined scan type(s) (AV Scan, Static Scan, or Cloud Query).

    When ICAP client sends a preview request:

    Status Code

    Meaning

    204

    • No modifications needed.
    To configure ICAP client:

    The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf file.

    cache deny all

    icap_enable on

    icap_send_client_ip on

    icap_send_client_username on

    icap_client_username_header X-Authenticated-User

    icap_preview_enable off

    icap_persistent_connections off

    icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off

    adaptation_access svcBlocker1 allow all

    icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off

    adaptation_access svcLogger1 allow all

    ### add the following lines to support ssl ###

    #icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER

    #adaptation_access svcBlocker2 allow all

    #icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER

    #adaptation_access svcLogger2 allow all

    The following are examples of how to use ICAPS client certificate authentication:

    icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=0 tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem  tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
    icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=0  tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
    To configure FortiSandbox as an ICAP server:
    1. Go to Security Fabric > Adapter.
    2. Select the ICAP adapter and click Edit.
    3. Enable the ICAP adapter.
    4. Under Connection, configure the following settings, and then click Apply.
      PortThe port the ICAP server listens on. Default is 1344.
      Interface

      The interface the ICAP server listens on.

      For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).

      SSL support

      Enable to allow SSL traffic.

      SSL portThe port the ICAP server listens on for SSL traffic. Default is 11344.

      Certificate

      Select server certificate for ICAPS server from the drop-down list.

      To import certificates and keys go to System > Certificates, and click Upload Certificate button. You can select a blank from certificate drop-down.

      Return code 202 for a new file

      This response code is used when the server has accepted a file request but has not completed the processing.

      The 202 code added to the standard response code differentiates this case from the case where the file already has a clean verdict.

      Return code 202 for a new URL

      This response code is used when the server has accepted a URL request but has not completed the processing yet.The '202' code added to the standard response code differentiates this case from the case where the URL already has a clean verdict.

    ICAP profiles

    FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.

    • You can edit but not delete the Default profile that is built-in to FortiSandbox.
    • You can disable both Receive File and Receive URL for default profile, so that clients that do not match any user defined profile will not get any service.
    • Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
    • If a client does not match a user-defined profile the Default profile is applied.

    To create an ICAP profile:
    1. Go to Security Fabric > Adapter.
    2. Select the ICAP adapter and click Edit.
    3. Under ICAP Profiles, click Create New. The Create New pane opens.
    4. Configure the profile and click OK.

      Profile NameEnter a name for the profile.
      Client IP AddressEnter the client IP address. Separate multiple IPs with a comma.
      Methods
      Receive URL

      Enable to allow the ICAP server to receive URLs.

      • URLs with selected risk and above will be blocked:

        Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

      • Hold URL until these steps finish:

        • Quick Scan: Hold only during quick scan.

        • Full Scan: Hold during entire scan process.

          Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

      Files/URLs with selected risk and above will be blocked

      Set a minimum level of risk for URLs/Files to be blocked by ICAP.

      Hold URL until these steps finish

      Enable to enable hold URL options (Quick Scan or Full Scan).

      Receive File

      Enable to allow the ICAP server to receive files

      • Files with selected risk and above will be blocked:

        Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

      • Hold file until these steps finish:

        • Quick Scan: Hold only during quick scan.

          Enable at least one of the following options: AV Scan, Static Scan or Cloud Query.

        • Full Scan: Hold during entire scan process/

          Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

      Verdict timeout

      The timeout in seconds ICAP will wait for final verdict from Sandbox. Timing from file submitted. If it times out, it sends ICAP 204 to client.

      Hold file until these steps finish

      Enable to enable hold URL options (Quick Scan or Full Scan).

      When Quick Scan is selected at least one options should be selected: AV Scan, Static Scan and Cloud Query.

      3 options for quick scan including AV Scan, Static Scan and Cloud Query. You should enable at least one option if Quick Scan is chosen.

    5. Click Apply on the ICAP Settings page.
    Previous
    Next

    ICAP adapter

    ICAP adapter

    FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.

    To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.

    Request and response

    Note

    The ICAP server only supports POST, GET and PUT methods. In REQMOD the ICAP server supports multipart/form-data and application/octet-stream formats. In RESPMOD, the Content-Length header should be included in the HTTP headers.

    Note

    If no verdict is available, the URL or files will be put into the Job Queue for a scan. URL scan flow will apply.

    When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.

    Status Code

    Meaning
    200

    • Verdict is not a user selected blocking rating or is not available.

    403

    • Verdict is user selected blocking rating.

    • If Realtime Web Filtering is enabled, the URL will be scanned in real time by Web Filter.

    When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.

    Status Code

    Meaning

    200

    • Verdict is not a user selected blocking rating or is not available.

    403

    • Verdict is user selected blocking rating.

    • If Realtime Scan is enabled, the file will be scanned by the defined scan type(s) (AV Scan, Static Scan, or Cloud Query).

    When ICAP client sends a preview request:

    Status Code

    Meaning

    204

    • No modifications needed.
    To configure ICAP client:

    The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf file.

    cache deny all

    icap_enable on

    icap_send_client_ip on

    icap_send_client_username on

    icap_client_username_header X-Authenticated-User

    icap_preview_enable off

    icap_persistent_connections off

    icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off

    adaptation_access svcBlocker1 allow all

    icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off

    adaptation_access svcLogger1 allow all

    ### add the following lines to support ssl ###

    #icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER

    #adaptation_access svcBlocker2 allow all

    #icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER

    #adaptation_access svcLogger2 allow all

    The following are examples of how to use ICAPS client certificate authentication:

    icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=0 tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem  tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
    icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=0  tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
    To configure FortiSandbox as an ICAP server:
    1. Go to Security Fabric > Adapter.
    2. Select the ICAP adapter and click Edit.
    3. Enable the ICAP adapter.
    4. Under Connection, configure the following settings, and then click Apply.
      PortThe port the ICAP server listens on. Default is 1344.
      Interface

      The interface the ICAP server listens on.

      For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).

      SSL support

      Enable to allow SSL traffic.

      SSL portThe port the ICAP server listens on for SSL traffic. Default is 11344.

      Certificate

      Select server certificate for ICAPS server from the drop-down list.

      To import certificates and keys go to System > Certificates, and click Upload Certificate button. You can select a blank from certificate drop-down.

      Return code 202 for a new file

      This response code is used when the server has accepted a file request but has not completed the processing.

      The 202 code added to the standard response code differentiates this case from the case where the file already has a clean verdict.

      Return code 202 for a new URL

      This response code is used when the server has accepted a URL request but has not completed the processing yet.The '202' code added to the standard response code differentiates this case from the case where the URL already has a clean verdict.

    ICAP profiles

    FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.

    • You can edit but not delete the Default profile that is built-in to FortiSandbox.
    • You can disable both Receive File and Receive URL for default profile, so that clients that do not match any user defined profile will not get any service.
    • Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
    • If a client does not match a user-defined profile the Default profile is applied.

    To create an ICAP profile:
    1. Go to Security Fabric > Adapter.
    2. Select the ICAP adapter and click Edit.
    3. Under ICAP Profiles, click Create New. The Create New pane opens.
    4. Configure the profile and click OK.

      Profile NameEnter a name for the profile.
      Client IP AddressEnter the client IP address. Separate multiple IPs with a comma.
      Methods
      Receive URL

      Enable to allow the ICAP server to receive URLs.

      • URLs with selected risk and above will be blocked:

        Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

      • Hold URL until these steps finish:

        • Quick Scan: Hold only during quick scan.

        • Full Scan: Hold during entire scan process.

          Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

      Files/URLs with selected risk and above will be blocked

      Set a minimum level of risk for URLs/Files to be blocked by ICAP.

      Hold URL until these steps finish

      Enable to enable hold URL options (Quick Scan or Full Scan).

      Receive File

      Enable to allow the ICAP server to receive files

      • Files with selected risk and above will be blocked:

        Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

      • Hold file until these steps finish:

        • Quick Scan: Hold only during quick scan.

          Enable at least one of the following options: AV Scan, Static Scan or Cloud Query.

        • Full Scan: Hold during entire scan process/

          Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

      Verdict timeout

      The timeout in seconds ICAP will wait for final verdict from Sandbox. Timing from file submitted. If it times out, it sends ICAP 204 to client.

      Hold file until these steps finish

      Enable to enable hold URL options (Quick Scan or Full Scan).

      When Quick Scan is selected at least one options should be selected: AV Scan, Static Scan and Cloud Query.

      3 options for quick scan including AV Scan, Static Scan and Cloud Query. You should enable at least one option if Quick Scan is chosen.

    5. Click Apply on the ICAP Settings page.
    Previous
    Next