Example ICAP sequence

Example ICAP sequence

This example is for an ICAP server performing web URL filtering on HTTP requests

1. A user opens a web browser and sends an HTTP request to connect to a web server.

2. The FortiGate unit intercepts the HTTP request and forwards it to an ICAP server.

3. The ICAP server receives the request and determines if the request is for URL that should be blocked or allowed.

• If the URL should be blocked the ICAP server sends a response to the FortiGate unit. The FortiGate unit returns this response to the user’s web browser. This response could be a message informing the user that their request was blocked.
• If the URL should be allowed the ICAP server sends a request to the FortiGate unit. The FortiGate unit forwards the request to the web server that the user originally attempted to connect to.
• When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.

Example Scenario

Information relavent to the following example:

• The ICAP server is designed to do proprietary content filtering specific to the organization so it will have to receive the messages and sent back appropriate responses.
• The content filter is a required security precaution so it if the message cannot be processed it is not allowed through.
• Resources on both the FortiGate and the ICAP server are considerable so the maximum connections setting will set at a double the default value to analyze the impact on performance.
• The ICAP server’s IP address is 172.16.100. 55.
• The path to the processing component is “/proprietary_code/content-filter/”.
• Streaming media is not something that the filter considers, but is allowed through the policy so processing it would be a waste of resources.
• The ICAP profile is to be added to an existing firewall policy.
• It is assumed that the display of the policies has already been configured to show the column “ID”.

1. Enter the following to configure the ICAP server:

Go to Security Profiles > ICAP Servers. Use the following values:

Name                                           content-filtration-server4

IP Type                                       IPv4

IP Address                                 172.16.100.55

Port                                             1344

Use the CLI to set the max-connections value.

config icap server

edit content-filtration-server4 set max-connections 200

end

2. Enter the following to configure the ICAP profile to then apply to a security policy:

Use the following values:

Name                                           Prop-Content-Filtration

Enable Request Processing    enable

Server                                         content-filtration-server4

Path                                             /proprietary_code/content-filter/

On Failure                                  Error

Enable Response Pro- cessing enable

Server                                         content-filtration-server4

Path                                             /proprietary_code/content-filter/

On Failure                                  Error

Enable Streaming Media Bypass enable

3. Apply the ICAP profile to policy:

The purposes of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID#17.

a. Go to Policy & Objects > IPv4 Policy. b. Open the existing policy ID# 17 for editing. c.  Go to the section Security Profiles.

d. Select the button next to ICAP so that it indicates that it’s status is ON.

e. Select the field with the profile name and use the drop down menu to select Prop–Content–Filtration.

f. Select OK.