ICAP – Fortinet FortiGate

ICAP

ICAP is the acronym for Internet Content Adaptation Protocol The purpose of the feature is to off load work that would normally take place on the firewall to a separate server specifically set up for the specialized processing of the incoming traffic. This takes some of the resource strain off of the FortiGate firewall leaving it to concentrate its resources on things that only it can do.

Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks.

ICAP servers are focused on a specific function, for example:

  • Ad insertion
  • Virus scanning
  • Content translation
  • HTTP header or URL manipulation
  • Language translation
  • The Protocol
  • Offloading using ICAP
  • Configuration Settings
  • Example ICAP sequence
  • Example Scenerio

The Protocol

The protocol is a lightweight member of the TCP/IP suite of protocols. It is an Application layer protocol and its specifications are set out in RFC 3507. The default TCP that is assigned to it is 1344. Its purpose is to support HTTP content adaptation by providing simple object-based content vectoring for HTTP services. ICAP is usually used to implement virus scanning and content filters in transparent HTTP proxy caches. Content Adaptation refers to performing the particular value added service, or content manipulation, for an associated client request/response.

Essentially it allows an ICAP client, in this case the FortiGate firewall, to pass HTTP messages to an ICAP server like a remote procedure call for the purposes of some sort of transformation or other processing adaptation. Once the ICAP server has finished processing the the content, the modified content is sent back to the client.

The messages going back and forth between the client and server are typically HTTP requests or HTTP responses. While ICAP is a request/response protocol similar in semantics and usage

Page 155

to HTTP/1.1 it is not HTTP nor does it run over HTTP, as such it cannot be treated as if it were HTTP. For instance ICAP messages can not be forwarded by HTTP surrogates.

Offloading using ICAP

If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to an ICAP server in the ICAP profile added to the policy. Responses from the ICAP server are returned to the FortiGate unit which forwards them to an HTTP client or server.

You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.

If the FortiGate unit supports HTTPS inspection, HTTPS traffic intercepted by a policy that includes an ICAP profile is also offloaded to the ICAP server in the same way as HTTP traffic.

When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.

Configuration Settings

There are 2 sections where ICAP is configured:

Servers

The available settings to be configured regarding the profile are

IP Type (in the GUI) or  IP address version ( in the CLI)

The options for this field in the GUI are 2 radio buttons labelled “IPv4” and “IPv4”. In the CLI the approach is slightly different. There is a field “ip-version” that can be set to “4” or “6”.

IP address

depending on whether you’ve set the IP version to 4 or 6 will determine the format that the content of this field will be set into. In the GUI it looks like the same field with a different format but in the CLI it is actually 2 different fields named “ip-address” and ip6-address.

Maximum Connections

This value refers to the maximum number of concurrent connections that can be made to the ICAP server. The default setting is 100. This setting can only be configured in the CLI.

The syntax is:

config icap server edit <icap_server_name> set max-connections <integer> end

Port

this is the TCP port used for the ICAP traffic. The range can be from 1 to 65535. The default value is 1344.

Profiles

Enable Request Processing

Enabling this setting allows the ICAP server to process request messages.

If enabled this setting will also require:

  • Server – This is the name of the ICAP server. It is chosen from the drop down menu in the field. The servers are configure in the Security Profiles > ICAP > Server section.
  • Path – This is the path on the server to the processing compent. For instance if the Windows share name was “Processes” and the directory within the share was “Content-Filter” the path would be “/Processes/Content-Filter/”
  • On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.

Enable Response Processing

Enabling this setting allows the ICAP server to process response messages.

If enabled this setting will also require:

  • Server – This is the name of the ICAP server. It is chosen from the drop down menu in the field. The servers are configure in the Security Profiles > ICAP > Server section.
  • Path – This is the path on the server to the processing compent. For instance if the Windows share name was “Processes” and the directory within the share was “Content-Filter” the path would be “/Processes/Content-Filter/”

On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.

Enable Streaming Media Bypass

Enabling this setting allows streaming media to ignore offloading to the ICAP server.

Example ICAP sequence

This example is for an ICAP server performing web URL filtering on HTTP requests

  1. A user opens a web browser and sends an HTTP request to connect to a web server.
  2. The FortiGate unit intercepts the HTTP request and forwards it to an ICAP server.
  3. The ICAP server receives the request and determines if the request is for URL that should be blocked or allowed.
    • If the URL should be blocked the ICAP server sends a response to the FortiGate unit. The FortiGate unit returns this response to the user’s web browser. This response could be a message informing the user that their request was blocked.
    • If the URL should be allowed the ICAP server sends a request to the FortiGate unit. The FortiGate unit forwards the request to the web server that the user originally attempted to connect to.
    • When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.

Example Scenerio

Information relavent to the following example:

  • The ICAP server is designed to do proprietary content filtering specific to the organization so it will have to receive the messages and sent back appropriate responses.
  • The content filter is a required security precaution so it if the message cannot be processed it is not allowed through.
  • Resources on both the Fortigate and the ICAP server are considerable so the maximum connections setting will set at a double the default value to analyse the impact on performance.
  • The ICAP server’s IP address is 172.16.100. 55.
  • The path to the processing component is “/proprietary_code/content-filter/”.
  • Streaming media is not something that the filter considers, but is allowed through the policy so processing it would be a waste of resources.
  • The ICAP profile is to be added to an existing firewall policy.
  • It is assumed that the display of the policies has already been configured to show the column “ID”.
  1. Enter the following to configure the ICAP server:

Go to Security Profiles > ICAP > Server.

Use the following values:

Name content-filtration-server4
IP Type 4
IP Address 172.16.100.55
Port 1344

Use the CLI to set the max-connections value.

config icap server edit content-filtration-server4 set max-connections 200 end

  1. Enter the following to configure the ICAP profile to then apply to a security policy:

Use the following values:

Name Prop-Content-Filtration
Enable Request Processing enable
Server content-filtration-server4
Path /proprietary_code/content-filter/
On Failure Error
Enable Response Processing enable
Server content-filtration-server4
Path /proprietary_code/content-filter/
On Failure Error

Enable Streaming Media Bypass enable

  1. Apply the ICAP profile to policy:

The purposes of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID#17

  1. Go to Policy > Policy >
  2. Open the existing policy ID# 17 for editing.
  3. Go to the section Security Profiles.
  4. Select the button next to ICAP so that it indicates that it’s status is ON.
  5. Select the field with the profile name and use the drop down menu to select Prop-Content-Filtration.
  6. Select OK.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.