Example Scenario
Information relevant to the following example:
- The ICAP server is designed to do proprietary content filtering specific to the organization, so it will have to receive the messages and send back appropriate responses.
- The content filter is a required security precaution, so if a message cannot be processed it is not allowed through.
- Resources on both the FortiGate and the ICAP server are considerable, so the maximum connections setting will be set to double the default value to analyse the impact on performance.
- The ICAP server’s IP address is 172.16.100.55.
- The path to the processing component is “/proprietary_code/content-filter/”.
- Streaming media is not something that the filter considers, but it is allowed through the policy, so processing it would be a waste of resources.
- The ICAP profile is to be added to an existing firewall policy.
- It is assumed that the display of the policies has already been configured to show the column “ID”.
- Enter the following to configure the ICAP server:
Go to Security Profiles > Advanced > ICAP Server.
Use the following values:
Name | content-filtration-server4 |
IP Type | IPv4 |
IP Address | 172.16.100.55 |
Port | 1344 |
Use the CLI to set the max-connections value.
config icap server
edit content-filtration-server4
set max-connections 200
end
- Enter the following to configure the ICAP profile to then apply to a security policy:
Use the following values:
Name | Prop-Content-Filtration |
Enable Request Processing | enable |
Server | content-filtration-server4 |
Path | /proprietary_code/content-filter/ |
On Failure | Error |
Enable Response Processing | enable |
Server | content-filtration-server4 |
Path | /proprietary_code/content-filter/ |
On Failure | Error |
Enable Streaming Media Bypass | enable |
- Apply the ICAP profile to policy:
The purpose of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID# 17.
- Go to Policy & Objects > Policy > IPv4.
- Open the existing policy ID# 17 for editing.
- Go to the section Security Profiles.
- Select the button next to ICAP so that it indicates that its status is ON.
- Select the field with the profile name and use the drop-down menu to select Prop-Content-Filtration.
- Select OK.
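Because both On Failure settings are Error, an ICAP service that is unreachable or misconfigured blocks the traffic on policy 17, so it is worth checking the service before turning the profile on. The following is an added example, not Fortinet code: it builds an ICAP OPTIONS request (RFC 3507) for the server and path used in this scenario and checks the reply against the profile's settings. The function names and the sample response are constructed for illustration, and `probe()` assumes it is run from a host that is allowed to reach the ICAP server.

```python
import socket

# Values from the scenario above.
SERVER, PORT, PATH = "172.16.100.55", 1344, "/proprietary_code/content-filter/"
FORTIGATE_MAX_CONNECTIONS = 200

def build_options(host=SERVER, port=PORT, path=PATH):
    """Return the ICAP OPTIONS request (RFC 3507) for the service URI."""
    return (f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_options(raw):
    """Parse an ICAP response head into (status_code, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def check_service(raw, max_conn=FORTIGATE_MAX_CONNECTIONS):
    """List findings that could cause ICAP failures (blocked traffic with On Failure = Error)."""
    try:
        status, headers = parse_options(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = [] if status == 200 else [f"OPTIONS returned {status}"]
    methods = {m.strip().upper() for m in headers.get("methods", "").split(",")}
    # The profile uses the same path for request and response processing.
    problems += [f"{m} not offered" for m in ("REQMOD", "RESPMOD") if m not in methods]
    limit = headers.get("max-connections", "")
    if limit.isdigit() and int(limit) < max_conn:
        problems.append(f"server allows {limit} connections, FortiGate may open {max_conn}")
    return problems

def probe(timeout=5):
    """Send OPTIONS to the live server; return the list of problems."""
    with socket.create_connection((SERVER, PORT), timeout=timeout) as s:
        s.sendall(build_options())
        # Assumption: the small OPTIONS response head arrives in one read.
        return check_service(s.recv(65536))

# Constructed sample response, not captured from a real server.
SAMPLE = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD, RESPMOD\r\n"
          b"Max-Connections: 100\r\nEncapsulated: null-body=0\r\n\r\n")
```

An empty list from `probe()` means the service answered OPTIONS, offers both methods on that path, and does not advertise a connection limit below the FortiGate's `max-connections` value.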