Offloading using ICAP
If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to an ICAP server in the ICAP profile added to the policy. Responses from the ICAP server are returned to the FortiGate unit which forwards them to an HTTP client or server.
You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.
If the FortiGate unit supports HTTPS inspection, HTTPS traffic intercepted by a policy that includes an ICAP profile is also offloaded to the ICAP server in the same way as HTTP traffic.
When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.
Configuring ICAP
You will need to configure an ICAP server and an ICAP profile.
ICAP servers
- Go to Security Profiles > ICAP Servers and click on Create New.
- Enter a Name for the server.
- Enter the server’s IP Address. The IP version you select (4 or 6) determines the format expected in this field. In the GUI it appears as one field that changes format; in the CLI it is actually two different fields, named “ip-address” and “ip6-address”.
- Set the Port; 1344 is the default TCP port used for ICAP traffic. The range can be from 1 to 65535.
Maximum Connections
This value refers to the maximum number of concurrent connections that can be made to the ICAP server. The default setting is 100. This setting can only be configured in the CLI.
The syntax is:
config icap server
    edit <icap_server_name>
        set max-connections <integer>
    end
Profiles
- Go to Security Profiles > ICAP and click on Create New.
- Enter a Name for the profile.
- Enable settings as required.
- Enable Request Processing allows the ICAP server to process request messages. If enabled this setting will also require:
- Server – This is the name of the ICAP server. It is chosen from the drop down menu in the field. The servers are configured in the Security Profiles > ICAP > Server section.
- Path – This is the path on the server to the processing content. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
- On Failure – There are 2 options: Error or Bypass.
- Enable Response Processing allows the ICAP server to process response messages. If enabled this setting will also require:
- Server – This is the name of the ICAP server. It is chosen from the drop down menu in the field. The servers are configured in the Security Profiles > ICAP > Server section.
- Path – This is the path on the server to the processing component. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
- On Failure – There are 2 options, selected with radio buttons: Error or Bypass.
- Enable Streaming Media Bypass allows streaming media to ignore offloading to the ICAP server.
- Select Apply.
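The whole procedure above as a single FortiOS CLI configuration, added here as an example and not taken from the Fortinet document: it creates the server, builds the profile with both request and response processing, and attaches the profile to a security policy. The server name, profile name, address and policy ID are constructed, and the profile and policy keywords follow the CLI names rather than the GUI labels used above.

```text
# Added example, constructed values. FortiOS CLI syntax.
config icap server
    edit "icap-srv-1"
        set ip-version 4
        # RFC 5737 documentation address, stands in for a real ICAP host
        set ip-address 192.0.2.10
        # 1344 is the default ICAP port; any value 1-65535 is accepted
        set port 1344
        # CLI-only setting, default 100
        set max-connections 100
    next
end

config icap profile
    edit "icap-prof-1"
        # Request processing fails closed: "error" means a request is
        # refused when the ICAP server cannot be reached.
        set request enable
        set request-server "icap-srv-1"
        set request-path "/Processes/Content-Filter/"
        set request-failure error
        # Response processing fails open: "bypass" means responses pass
        # uninspected when the ICAP server cannot be reached.
        set response enable
        set response-server "icap-srv-1"
        set response-path "/Processes/Content-Filter/"
        set response-failure bypass
        # Streaming media is not offloaded to the ICAP server
        set streaming-content-bypass enable
    next
end

# Attach the profile to an existing security policy (policy ID 1 is constructed).
config firewall policy
    edit 1
        set utm-status enable
        set icap-profile "icap-prof-1"
    next
end
```

The two On Failure settings are deliberately different to show the trade-off: Error keeps traffic inspected at the cost of availability when the ICAP server is down, while Bypass keeps traffic flowing at the cost of inspection, so a single setting should normally be chosen per direction according to which risk matters more.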