Offloading using ICAP
If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to the ICAP server defined in the ICAP profile added to the policy. Responses from the ICAP server are returned to the FortiGate unit, which forwards them to the HTTP client or server.
You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.
If the FortiGate unit supports HTTPS inspection, HTTPS traffic intercepted by a policy that includes an ICAP profile is also offloaded to the ICAP server in the same way as HTTP traffic.
When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.
Configuration Settings
There are two sections where ICAP is configured:
Servers
Go to Security Profiles > ICAP Servers.
The available settings to be configured for the server are:
- Name
- IP Type (in the GUI) or IP address version (in the CLI). In the GUI this field offers two radio buttons, labelled “IPv4” and “IPv6”. In the CLI the approach is slightly different: there is a field “ip-version” that can be set to “4” or “6”.
- IP Address. Whether you have set the IP version to 4 or 6 determines the format of this field. In the GUI it appears as the same field with a different format, but in the CLI it is actually two different fields, named “ip-address” and “ip6-address”.
- Port. 1344 is the default TCP port used for ICAP traffic. The range is 1 to 65535.
Maximum Connections
This value refers to the maximum number of concurrent connections that can be made to the ICAP server. The default setting is 100. This setting can only be configured in the CLI.
The syntax is:
config icap server
edit <icap_server_name>
set max-connections <integer>
end
Profiles
Name
Just like any other profile each of the ICAP profiles needs to be assigned a name.
Enable Request Processing
Enabling this setting allows the ICAP server to process request messages. If enabled, this setting also requires:
- Server – The name of the ICAP server, chosen from the drop-down menu in the field. Servers are configured in the Security Profiles > ICAP > Server section.
- Path – The path on the server to the processing component. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
- On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.
Enable Response Processing
Enabling this setting allows the ICAP server to process response messages. If enabled, this setting also requires:
- Server – The name of the ICAP server, chosen from the drop-down menu in the field. Servers are configured in the Security Profiles > ICAP > Server section.
- Path – The path on the server to the processing component. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
- On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.
Enable Streaming Media Bypass
Enabling this setting allows streaming media to bypass offloading to the ICAP server.
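As an added example that is not part of the original document, the server and profile settings described above as a complete FortiOS CLI configuration, applied to a policy; the On Failure choice is the security-relevant one, since Bypass lets traffic pass uninspected when the ICAP server is unreachable while Error fails closed. The server name, profile name, policy ID and the 192.0.2.10 address are placeholders, and the profile keywords (request-server, request-failure and so on) follow FortiOS CLI syntax that this page does not show.

```fortios
# Added example, not from the original document. Names, policy ID and address are placeholders.
config icap server
    edit "icap-srv1"
        set ip-version 4
        set ip-address 192.0.2.10
        set port 1344
        set max-connections 100
    next
end

config icap profile
    edit "icap-prof1"
        # Offload HTTP requests to the server (Enable Request Processing)
        set request enable
        set request-server "icap-srv1"
        set request-path "/Processes/Content-Filter/"
        # error  = fail closed: the client receives an error if the ICAP server is unreachable
        # bypass = fail open: traffic is forwarded without ICAP inspection
        set request-failure error
        # Offload HTTP responses to the same server (Enable Response Processing)
        set response enable
        set response-server "icap-srv1"
        set response-path "/Processes/Content-Filter/"
        set response-failure error
        # Streaming media is not sent to the ICAP server (Enable Streaming Media Bypass)
        set streaming-content-bypass enable
    next
end

# Assumes firewall policy 10 already exists; only the ICAP-related fields are set here.
config firewall policy
    edit 10
        set utm-status enable
        set icap-profile "icap-prof1"
    next
end
```

With both failure settings at error, an ICAP server outage is visible to users as blocked traffic rather than silently disabling inspection.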