Example ICAP sequence
This example is for an ICAP server performing web URL filtering on HTTP requests
1. A user opens a web browser and sends an HTTP request to connect to a web server.
2. The FortiGate unit intercepts the HTTP request and forwards it to an ICAP server.
3. The ICAP server receives the request and determines if the request is for URL that should be blocked or allowed.
- If the URL should be blocked the ICAP server sends a response to the FortiGate unit. The FortiGate unit returns this response to the user’s web browser. This response could be a message informing the user that their request was blocked.
- If the URL should be allowed the ICAP server sends a request to the FortiGate unit. The FortiGate unit forwards the request to the web server that the user originally attempted to connect to.
- When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.
Information relavent to the following example:
- The ICAP server is designed to do proprietary content filtering specific to the organization so it will have to receive the messages and sent back appropriate responses.
- The content filter is a required security precaution so it if the message cannot be processed it is not allowed through.
- Resources on both the FortiGate and the ICAP server are considerable so the maximum connections setting will set at a double the default value to analyze the impact on performance.
- The ICAP server’s IP address is 172.16.100. 55.
- The path to the processing component is “/proprietary_code/content-filter/”.
- Streaming media is not something that the filter considers, but is allowed through the policy so processing it would be a waste of resources.
- The ICAP profile is to be added to an existing firewall policy.
- It is assumed that the display of the policies has already been configured to show the column “ID”.
1. Enter the following to configure the ICAP server:
Go to Security Profiles > ICAP Servers. Use the following values:
IP Type IPv4
IP Address 172.16.100.55
Use the CLI to set the max-connections value.
config icap server
edit content-filtration-server4 set max-connections 200
2. Enter the following to configure the ICAP profile to then apply to a security policy:
Use the following values:
Enable Request Processing enable
On Failure Error
Enable Response Pro- cessing enable
On Failure Error
Enable Streaming Media Bypass enable
3. Apply the ICAP profile to policy:
The purposes of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID#17.
a. Go to Policy & Objects > IPv4 Policy. b. Open the existing policy ID# 17 for editing. c. Go to the section Security Profiles.
d. Select the button next to ICAP so that it indicates that it’s status is ON.
e. Select the field with the profile name and use the drop down menu to select Prop–Content–Filtration.
f. Select OK.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!