Example ICAP sequence
This example is for an ICAP server performing web URL filtering on HTTP requests.
- A user opens a web browser and sends an HTTP request to connect to a web server.
- The FortiGate unit intercepts the HTTP request and forwards it to an ICAP server.
- The ICAP server receives the request and determines if the request is for a URL that should be blocked or allowed.
- If the URL should be blocked, the ICAP server sends a response to the FortiGate unit. The FortiGate unit returns this response to the user’s web browser. This response could be a message informing the user that their request was blocked.
- If the URL should be allowed, the ICAP server sends a request to the FortiGate unit. The FortiGate unit forwards the request to the web server that the user originally attempted to connect to.
- When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.
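The exchange described above, as an added example that is not part of this page or Fortinet's code: a minimal ICAP/1.0 REQMOD URL filter in Python. The ICAP URI, the blocklist host and the block message are constructed assumptions; the server answers 204 to allow the request unmodified (the client side sets Allow: 204) and a 200 wrapping an HTTP 403 to block it, which is the response the FortiGate would return to the browser.

```python
# Added example (not Fortinet code): a minimal ICAP/1.0 REQMOD URL filter
# mirroring the sequence above; the 204 path assumes the client sent Allow: 204.
from urllib.parse import urlparse

BLOCKLIST = {"blocked.example.com"}  # constructed sample policy
ICAP_URI = b"icap://172.16.100.55:1344/proprietary_code/content-filter/"

def build_reqmod(http_request: bytes) -> bytes:
    """Client side (what the FortiGate sends): wrap HTTP request headers in REQMOD."""
    return (b"REQMOD " + ICAP_URI + b" ICAP/1.0\r\nHost: 172.16.100.55\r\n"
            b"Allow: 204\r\nEncapsulated: req-hdr=0, null-body="
            + str(len(http_request)).encode() + b"\r\n\r\n" + http_request)

def _headers(lines):
    """Parse 'Name: value' lines into a lower-cased dict, stopping at a blank line."""
    out = {}
    for line in lines:
        if not line:
            break
        name, _, value = line.partition(b":")
        out[name.strip().lower().decode()] = value.strip().decode()
    return out

def parse_reqmod(raw: bytes):
    """Return (ICAP method, ICAP headers, HTTP request line, HTTP headers)."""
    icap_part, _, http_part = raw.partition(b"\r\n\r\n")
    icap_lines, http_lines = icap_part.split(b"\r\n"), http_part.split(b"\r\n")
    return (icap_lines[0].split(b" ")[0].decode(), _headers(icap_lines[1:]),
            http_lines[0].decode(), _headers(http_lines[1:]))

def url_blocked(request_line: str, http_headers: dict) -> bool:
    """Policy decision: block when the request host is on the blocklist."""
    target = request_line.split(" ")[1]  # absolute URL in a proxied request
    host = urlparse(target).hostname or http_headers.get("host", "").split(":")[0]
    return host.lower() in BLOCKLIST

def handle_reqmod(raw: bytes) -> bytes:
    """Server side: 204 (allow unmodified) or 200 carrying an encapsulated HTTP 403."""
    method, _icap_headers, request_line, http_headers = parse_reqmod(raw)
    if method != "REQMOD":
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n"
    if not url_blocked(request_line, http_headers):
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    body = b"Request blocked by URL filter\n"
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"  # ICAP bodies are chunked
    return (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body="
            + str(len(res_hdr)).encode() + b"\r\n\r\n" + res_hdr + chunked)
```

The Encapsulated offsets are computed from the actual header lengths, which is the part hand-written ICAP messages most often get wrong.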
Example ICAP scenario
Information relevant to the following example:
- The ICAP server is designed to do proprietary content filtering specific to the organization, so it will have to receive the messages and send back appropriate responses.
- The content filter is a required security precaution, so if a message cannot be processed it is not allowed through.
- Resources on both the FortiGate and the ICAP server are considerable, so the maximum connections setting will be set at double the default value to analyze the impact on performance.
- The ICAP server’s IP address is 172.16.100.55.
- The path to the processing component is “/proprietary_code/content-filter/”.
- Streaming media is not something that the filter considers, but it is allowed through by the policy, so processing it would be a waste of resources.
- The ICAP profile is to be added to an existing firewall policy.
- It is assumed that the display of the policies has already been configured to show the column “ID”.
- Enter the following to configure the ICAP server:
Go to Security Profiles > ICAP Servers.
Use the following values:
Name | content-filtration-server4 |
IP Type | IPv4 |
IP Address | 172.16.100.55 |
Port | 1344 |
Use the CLI to set the max-connections value:
    config icap server
        edit content-filtration-server4
            set max-connections 200
        next
    end
- Enter the following to configure the ICAP profile, which is then applied to a security policy:
Use the following values:
Name | Prop-Content-Filtration |
Enable Request Processing | enable |
Server | content-filtration-server4 |
Path | /proprietary_code/content-filter/ |
On Failure | Error |
Enable Response Processing | enable |
Server | content-filtration-server4 |
Path | /proprietary_code/content-filter/ |
On Failure | Error |
Enable Streaming Media Bypass | enable |
- Apply the ICAP profile to the policy:
The purpose of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID#17.
- Go to Policy & Objects > IPv4 Policy.
- Open the existing policy ID#17 for editing.
- Go to the section Security Profiles.
- Select the button next to ICAP so that it indicates that its status is ON.
- Select the field with the profile name and use the drop-down menu to select Prop-Content-Filtration. Select OK.