ICAP adapter
FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. The ICAP client waits (i.e. holds the URL) for the verdict from the FortiSandbox.
To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.
Request and response
The ICAP server only supports POST, GET and PUT methods. In REQMOD the ICAP server supports multipart/form-data and application/octet-stream formats. In RESPMOD, the |
If no verdict is available, the URL or files will be placed into the Job Queue for scanning. The URL/file scan flow will be applied. For example, if a user submits a file containing a phishing URL, Quick Scan may return a CLEAN result since Quick Scan does not check embedded URLs. Subsequently, the file will be submitted to the Job Queue for a full scan. As a result, the final rating may differ from the CLEAN rating obtained in the Quick Scan. |
When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.
Status Code |
Meaning |
---|---|
200 |
|
403 |
|
When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.
Status Code |
Meaning |
---|---|
200 |
|
403 |
|
When ICAP client sends a preview request:
Status Code |
Meaning |
---|---|
204 |
|
To configure ICAP client:
The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the squid.conf
file.
cache deny all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable off
icap_persistent_connections off
icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off
adaptation_access svcBlocker1 allow all
icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off
adaptation_access svcLogger1 allow all
### add the following lines to support ssl ###
#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcBlocker2 allow all
#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcLogger2 allow all
The following are examples of how to use ICAPS client certificate authentication:
icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=0 tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=0 tls-cafile=/usr/local/squid/etc/ssl_cert/ca-chain2.cert.pem tls-cert=/usr/local/squid/etc/ssl_cert/client218.cert.pem tls-key=/usr/local/squid/etc/ssl_cert/client218.key.pem tls-flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
To configure FortiSandbox as an ICAP server:
- Go to Security Fabric > Adapter.
- Select the ICAP adapter and click Edit.
- Enable the ICAP adapter.
- Under Connection, configure the following settings, and then click Apply.
Port The port the ICAP server listens on. Default is 1344. Interface The interface the ICAP server listens on.
For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).
SSL support Enable to allow SSL traffic.
SSL port The port the ICAP server listens on for SSL traffic. Default is 11344. Certificate
Select server certificate for ICAPS server from the drop-down list.
To import certificates and keys go to System > Certificates, and click Upload Certificate button. You can select a blank from certificate drop-down.
Return code 202 for a new file
This response code is used when the server has accepted a file request but has not completed the processing.
The 202 code added to the standard response code differentiates this case from the case where the file already has a clean verdict.
Return code 202 for a new URL
This response code is used when the server has accepted a URL request but has not completed the processing yet.The '202' code added to the standard response code differentiates this case from the case where the URL already has a clean verdict.
ICAP profiles
FortiSandbox supports multiple ICAP profiles for multiple proxy servers (ICAP clients) with different configuration requirements.
- You can edit but not delete the Default profile that is built-in to FortiSandbox.
- You can disable both Receive File and Receive URL for default profile, so that clients that do not match any user defined profile will not get any service.
- Configuring a new profile will override the settings defined in the Default profile for matched proxy server by IP.
- If a client does not match a user-defined profile the Default profile is applied.
To create an ICAP profile:
- Go to Security Fabric > Adapter.
- Select the ICAP adapter and click Edit.
- Under ICAP Profiles, click Create New. The Create New pane opens.
- Configure the profile and click OK.
Profile Name Enter a name for the profile. Client IP Address Enter the client IP address. Separate multiple IPs with a comma. Methods Receive URL Enable to allow the ICAP server to receive URLs.
- URLs with selected risk and above will be blocked:
Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).
- Hold URL until these steps finish:
- Quick Scan: Hold only during quick scan.
The URL will be checked against the FDN Web Filtering service. If its category is either malicious or unethical, a suspicious rating will be returned to the client side.
User-defined Allow/Block list, Customized Rating, or Overridden Verdict rules are not checked.
- Full Scan: Hold during entire scan process.
Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.
- Quick Scan: Hold only during quick scan.
Receive File Enable to allow the ICAP server to receive files
- Files with selected risk and above will be blocked:
Set the minimum level of risk for the URLs/Files to be blocked by ICAP (Low Risk, Medium Risk, and High Risk).
- Hold file until these steps finish:
- Quick Scan: Hold only during quick scan.
Enable at least one of the following options: AV Scan, Static Analysis or Cloud Query.
For Static Analysis, the following items are not checked in the file:
- Embedded QR code or URL inside file
- User-defined Allow/Block list, Customized Rating, or Overridden Verdict or YARA rules
- Full Scan: Hold during entire scan process.
Verdict timeout: The timeout in seconds ICAP will wait for final verdict from FortiSandbox. Time starts when file is submitted. If verdict times out, it sends ICAP 204 to client.
- Quick Scan: Hold only during quick scan.
- URLs with selected risk and above will be blocked:
- Click Apply on the ICAP Settings page.