Fortinet white logo
Fortinet white logo

Administration Guide

ICAP adapter

ICAP adapter

FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.

To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.

Request and response

Note

The ICAP server only supports POST, GET and PUT methods. In REQMOD the ICAP server supports multipart/form-data and application/octet-stream formats. In RESPMOD, the Content-Length header should be included in the HTTP headers.

Note

If no verdict is available, the URL or files will be placed into the Job Queue for scanning. The URL/file scan flow will be applied.

For example, if a user submits a file containing a phishing URL, Quick Scan may return a CLEAN result since Quick Scan does not check embedded URLs. Subsequently, the file will be submitted to the Job Queue for a full scan. As a result, the final rating may differ from the CLEAN rating obtained in the Quick Scan.

When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.

Status Code

Meaning

200
  • Verdict is not a user selected blocking rating or is not available.

403
  • Verdict is user selected blocking rating.

  • If Quick Scan is enabled, the URL will be scanned in real time by Web Filter.

When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.

Status Code

Meaning

200

  • Verdict is not a user selected blocking rating or is not available.

403

  • Verdict is user selected blocking rating.

  • If Quick Scan is enabled, the file will be scanned by the defined scan type(s) (AV Scan, Static Analysis, or Cloud Query).

When ICAP client sends a preview request:

Status Code

Meaning

204

  • No modifications needed
To configure ICAP client:

The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf file.

cache deny all

icap_enable on

icap_send_client_ip on

icap_send_client_username on

icap_client_username_header X-Authenticated-User

icap_preview_enable off

icap_persistent_connections off

icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off

adaptation_access svcBlocker1 allow all

icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off

adaptation_access svcLogger1 allow all

### add the following lines to support ssl ###

#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcBlocker2 allow all

#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcLogger2 allow all

The following are examples of how to use ICAPS client certificate authentication:

icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=0 tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem  tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=0  tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
To configure FortiSandbox as an ICAP server:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Enable the ICAP adapter.
  4. Under Connection, configure the following settings, and then click Apply.
    PortThe port the ICAP server listens on. Default is 1344.
    Interface

    The interface the ICAP server listens on.

    For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).

    SSL support

    Enable to allow SSL traffic.

    SSL portThe port the ICAP server listens on for SSL traffic. Default is 11344.

    Certificate

    Select server certificate for ICAPS server from the drop-down list.

    To import certificates and keys go to System > Certificates, and click Upload Certificate button. You can select a blank from certificate drop-down.

    Return code 202 for a new file

    This response code is used when the server has accepted a file request but has not completed the processing.

    The 202 code added to the standard response code differentiates this case from the case where the file already has a clean verdict.

    Return code 202 for a new URL

    This response code is used when the server has accepted a URL request but has not completed the processing yet.The '202' code added to the standard response code differentiates this case from the case where the URL already has a clean verdict.

ICAP profiles

FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.

  • You can edit but not delete the Default profile that is built-in to FortiSandbox.
  • You can disable both Receive File and Receive URL for default profile, so that clients that do not match any user defined profile will not get any service.
  • Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
  • If a client does not match a user-defined profile the Default profile is applied.

To create an ICAP profile:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Under ICAP Profiles, click Create New. The Create New pane opens.
  4. Configure the profile and click OK.

    Profile NameEnter a name for the profile.
    Client IP AddressEnter the client IP address. Separate multiple IPs with a comma.
    Methods
    Receive URL

    Enable to allow the ICAP server to receive URLs.

    • URLs with selected risk and above will be blocked:

      Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

    • Hold URL until these steps finish:

      • Quick Scan: Hold only during quick scan.

        The URL will be checked against the FDN Web Filtering service. If its category is either malicious or unethical, a suspicious rating will be returned to the client side.

        User-defined Allow/Block list, Customized Rating, or Overridden Verdict rules are not checked.

      • Full Scan: Hold during entire scan process.

        Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

    Receive File

    Enable to allow the ICAP server to receive files

    • Files with selected risk and above will be blocked:

      Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

    • Hold file until these steps finish:

      • Quick Scan: Hold only during quick scan.

        Enable at least one of the following options: AV Scan, Static Analysis or Cloud Query.

        For Static Analysis, the following items are not checked in the file:

      • Full Scan: Hold during entire scan process.

        Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

  5. Click Apply on the ICAP Settings page.

ICAP adapter

ICAP adapter

FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.

To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.

Request and response

Note

The ICAP server only supports POST, GET and PUT methods. In REQMOD the ICAP server supports multipart/form-data and application/octet-stream formats. In RESPMOD, the Content-Length header should be included in the HTTP headers.

Note

If no verdict is available, the URL or files will be placed into the Job Queue for scanning. The URL/file scan flow will be applied.

For example, if a user submits a file containing a phishing URL, Quick Scan may return a CLEAN result since Quick Scan does not check embedded URLs. Subsequently, the file will be submitted to the Job Queue for a full scan. As a result, the final rating may differ from the CLEAN rating obtained in the Quick Scan.

When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.

Status Code

Meaning

200
  • Verdict is not a user selected blocking rating or is not available.

403
  • Verdict is user selected blocking rating.

  • If Quick Scan is enabled, the URL will be scanned in real time by Web Filter.

When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.

Status Code

Meaning

200

  • Verdict is not a user selected blocking rating or is not available.

403

  • Verdict is user selected blocking rating.

  • If Quick Scan is enabled, the file will be scanned by the defined scan type(s) (AV Scan, Static Analysis, or Cloud Query).

When ICAP client sends a preview request:

Status Code

Meaning

204

  • No modifications needed
To configure ICAP client:

The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf file.

cache deny all

icap_enable on

icap_send_client_ip on

icap_send_client_username on

icap_client_username_header X-Authenticated-User

icap_preview_enable off

icap_persistent_connections off

icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off

adaptation_access svcBlocker1 allow all

icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off

adaptation_access svcLogger1 allow all

### add the following lines to support ssl ###

#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcBlocker2 allow all

#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER

#adaptation_access svcLogger2 allow all

The following are examples of how to use ICAPS client certificate authentication:

icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=0 tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem  tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=0  tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
To configure FortiSandbox as an ICAP server:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Enable the ICAP adapter.
  4. Under Connection, configure the following settings, and then click Apply.
    PortThe port the ICAP server listens on. Default is 1344.
    Interface

    The interface the ICAP server listens on.

    For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).

    SSL support

    Enable to allow SSL traffic.

    SSL portThe port the ICAP server listens on for SSL traffic. Default is 11344.

    Certificate

    Select server certificate for ICAPS server from the drop-down list.

    To import certificates and keys go to System > Certificates, and click Upload Certificate button. You can select a blank from certificate drop-down.

    Return code 202 for a new file

    This response code is used when the server has accepted a file request but has not completed the processing.

    The 202 code added to the standard response code differentiates this case from the case where the file already has a clean verdict.

    Return code 202 for a new URL

    This response code is used when the server has accepted a URL request but has not completed the processing yet.The '202' code added to the standard response code differentiates this case from the case where the URL already has a clean verdict.

ICAP profiles

FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.

  • You can edit but not delete the Default profile that is built-in to FortiSandbox.
  • You can disable both Receive File and Receive URL for default profile, so that clients that do not match any user defined profile will not get any service.
  • Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
  • If a client does not match a user-defined profile the Default profile is applied.

To create an ICAP profile:
  1. Go to Security Fabric > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Under ICAP Profiles, click Create New. The Create New pane opens.
  4. Configure the profile and click OK.

    Profile NameEnter a name for the profile.
    Client IP AddressEnter the client IP address. Separate multiple IPs with a comma.
    Methods
    Receive URL

    Enable to allow the ICAP server to receive URLs.

    • URLs with selected risk and above will be blocked:

      Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

    • Hold URL until these steps finish:

      • Quick Scan: Hold only during quick scan.

        The URL will be checked against the FDN Web Filtering service. If its category is either malicious or unethical, a suspicious rating will be returned to the client side.

        User-defined Allow/Block list, Customized Rating, or Overridden Verdict rules are not checked.

      • Full Scan: Hold during entire scan process.

        Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

    Receive File

    Enable to allow the ICAP server to receive files

    • Files with selected risk and above will be blocked:

      Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).

    • Hold file until these steps finish:

      • Quick Scan: Hold only during quick scan.

        Enable at least one of the following options: AV Scan, Static Analysis or Cloud Query.

        For Static Analysis, the following items are not checked in the file:

      • Full Scan: Hold during entire scan process.

        Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.

  5. Click Apply on the ICAP Settings page.