Administration Guide

ICAP scanning with FTP

Files transferred over FTP can be forwarded to the ICAP server for further processing.

To configure ICAP scanning with FTP in the GUI:
  1. Configure an ICAP remote server.
  2. Create an ICAP profile that references the server.
    Note
    • Select FTP in Protocol.
    • Select the server you created in step 1 in Server.

  3. Enable and configure the explicit FTP proxy.
  4. Create an explicit FTP proxy policy that uses the ICAP profile.
    Note
    • Select FTP under Type for an explicit FTP proxy policy.
    • Select ACCEPT for Action to enable the Security Profiles options. You can then enable ICAP and select the ICAP profile you configured in step 2 from the dropdown list.

To configure ICAP scanning with FTP in the CLI:
  1. Configure an ICAP remote server:

    config icap remote-server
        edit "icap1"
            set ip-address 172.18.20.43
        next
    end

    See config icap remote-server in the CLI guide for more details.

  2. Create an ICAP profile that references the server:

    config icap profile
        edit "icapFTP"
            set file-transfer ftp
            set file-transfer-server "icap1"
            set file-transfer-failure error
            set file-transfer-path "ftpicap"
        next
    end

    See config icap profile in the CLI guide for more details.

  3. Enable and configure the explicit FTP proxy:

    config ftp-proxy explicit
        set status [enable|disable]
        set incoming-port {user}
        set incoming-ip {ipv4-address-any}
        set outgoing-ip {ipv4-address-any}
        set sec-default-action [accept|deny]
        set server-data-mode [client|passive]
        set ssl [enable|disable]
        set ssl-cert {string}
        set ssl-dh-bits [768|1024|...]
        set ssl-algorithm [high|medium|...]
    end

    See config ftp-proxy explicit in the CLI guide for more details.

  4. Create an explicit FTP proxy policy that uses the ICAP profile:

    config firewall policy
        edit 1
            set type explicit-ftp
            set name "test"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set ssl-ssh-profile "certificate-inspection"
            set utm-status enable
            set icap-profile "icapFTP"
        next
    end

    See config firewall policy in the CLI guide for more details.
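
The CLI steps above form a reference chain: the explicit-ftp policy names an ICAP profile, and the profile names a remote server. The following Python checker is an added example, not Fortinet code; it parses a configuration excerpt and reports where that chain is broken or where file-transfer-failure differs from the error value used on this page. The function names and sample text are constructed for illustration, and the parser assumes flat config/edit/set blocks only.

```python
SAMPLE = """\
config icap remote-server
    edit "icap1"
    next
end
config icap profile
    edit "icapFTP"
        set file-transfer ftp
        set file-transfer-server "icap1"
        set file-transfer-failure error
    next
end
config firewall policy
    edit 1
        set type explicit-ftp
        set icap-profile "icapFTP"
    next
end
"""  # constructed sample: the page's CLI blocks, reduced to the keys checked below

def parse(text):  # flat config/edit/set blocks -> {section: {entry: {key: value}}}
    tree, section, entry = {}, None, None
    for tok in (ln.split(None, 2) for ln in text.splitlines() if ln.strip()):
        if tok[0] == "config":
            section, entry = tree.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and entry is not None and len(tok) == 3:
            entry[tok[1]] = tok[2].strip('" ')
        elif tok[0] in ("next", "end"):
            entry = None
    return tree

def check_ftp_icap(text):  # problems in the policy -> ICAP profile -> server chain
    cfg, problems = parse(text), []
    servers, profiles = cfg.get("icap remote-server", {}), cfg.get("icap profile", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("type") != "explicit-ftp":
            continue  # only explicit FTP proxy policies are relevant here
        prof = profiles.get(pol.get("icap-profile"))
        if prof is None:
            problems.append(f"policy {pid}: icap-profile unset or undefined")
        elif "ftp" not in prof.get("file-transfer", "").split():
            problems.append(f"policy {pid}: profile does not cover ftp")
        elif prof.get("file-transfer-server") not in servers:
            problems.append(f"policy {pid}: file-transfer-server undefined")
        elif prof.get("file-transfer-failure") != "error":
            problems.append(f"policy {pid}: file-transfer-failure is not error")
    return problems
```

Calling check_ftp_icap() on a configuration backup excerpt returns an empty list when every explicit-ftp policy resolves to a defined ICAP profile and server.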
