Fortinet white logo
Fortinet white logo

CLI Reference

config icap profile

config icap profile

Configure ICAP profiles.

config icap profile
    Description: Configure ICAP profiles.
    edit <name>
        set replacemsg-group {string}
        set comment {var-string}
        set request [disable|enable]
        set response [disable|enable]
        set file-transfer {option1}, {option2}, ...
        set streaming-content-bypass [disable|enable]
        set ocr_only [disable|enable]
        set 204-size-limit {integer}
        set 204-response [disable|enable]
        set preview [disable|enable]
        set preview-data-length {integer}
        set request-server {string}
        set response-server {string}
        set file-transfer-server {string}
        set request-failure [error|bypass]
        set response-failure [error|bypass]
        set file-transfer-failure [error|bypass]
        set request-path {string}
        set response-path {string}
        set file-transfer-path {string}
        set methods {option1}, {option2}, ...
        set response-req-hdr [disable|enable]
        set respmod-default-action [forward|bypass]
        set icap-block-log [disable|enable]
        set chunk-encap [disable|enable]
        set extension-feature {option1}, {option2}, ...
        set scan-progress-interval {integer}
        set timeout {integer}
        set scan-size-limit {integer}
        set scan-oversize-log [disable|enable]
        config icap-headers
            Description: Configure ICAP forwarded request headers.
            edit <id>
                set name {string}
                set source [content|http-header|...]
                set content {string}
                set http-header {string}
                set sesson-info-type [client-ip|user|...]
                set base64-encoding [disable|enable]
            next
        end
        config respmod-forward-rules
            Description: ICAP response mode forward rules.
            edit <name>
                set host {string}
                config header-group
                    Description: HTTP header group.
                    edit <id>
                        set header-name {string}
                        set header {string}
                        set case-sensitivity [disable|enable]
                    next
                end
                set action [forward|bypass]
                set http-resp-status-code <code1>, <code2>, ...
            next
        end
    next
end

config icap profile

Parameter

Description

Type

Size

Default

replacemsg-group

Replacement message group.

string

Maximum length: 35

name

ICAP profile name.

string

Maximum length: 35

comment

Comment.

var-string

Maximum length: 255

request

Enable/disable whether an HTTP request is passed to an ICAP server.

option

-

disable

Option

Description

disable

Disable HTTP request passing to ICAP server.

enable

Enable HTTP request passing to ICAP server.

response

Enable/disable whether an HTTP response is passed to an ICAP server.

option

-

disable

Option

Description

disable

Disable HTTP response passing to ICAP server.

enable

Enable HTTP response passing to ICAP server.

file-transfer

Configure the file transfer protocols to pass transferred files to an ICAP server as REQMOD.

option

-

Option

Description

ssh

Forward file transfer with SSH protocol to ICAP server for further processing.

ftp

Forward file transfer with FTP protocol to ICAP server for further processing.

streaming-content-bypass

Enable/disable bypassing of ICAP server for streaming content.

option

-

disable

Option

Description

disable

Disable bypassing of ICAP server for streaming content.

enable

Enable bypassing of ICAP server for streaming content.

ocr_only

Enable/disable only passing OCR scan request to ICAP server.

option

-

disable

Option

Description

disable

Disable only passing OCR scan request to ICAP server.

enable

Enable only passing OCR scan request to ICAP server.

204-size-limit

Allow 204 size limit to be saved by ICAP client.

integer

Minimum value: 1 Maximum value: 10

1

204-response

Enable/disable allowance of 204 response from ICAP server.

option

-

disable

Option

Description

disable

Disable allowance of 204 response from ICAP server.

enable

Enable allowance of 204 response from ICAP server.

preview

Enable/disable preview of data to ICAP server.

option

-

disable

Option

Description

disable

Disable preview of data to ICAP server.

enable

Enable preview of data to ICAP server.

preview-data-length

Preview data length to be sent to ICAP server.

integer

Minimum value: 0 Maximum value: 4096

0

request-server

ICAP server to use for an HTTP request.

string

Maximum length: 63

response-server

ICAP server to use for an HTTP response.

string

Maximum length: 63

file-transfer-server

ICAP server to use for a file transfer.

string

Maximum length: 63

request-failure

Action to take if the ICAP server cannot be contacted when processing an HTTP request.

option

-

error

Option

Description

error

Error.

bypass

Bypass.

response-failure

Action to take if the ICAP server cannot be contacted when processing an HTTP response.

option

-

error

Option

Description

error

Error.

bypass

Bypass.

file-transfer-failure

Action to take if the ICAP server cannot be contacted when processing a file transfer.

option

-

error

Option

Description

error

Error.

bypass

Bypass.

request-path

Path component of the ICAP URI that identifies the HTTP request processing service.

string

Maximum length: 127

response-path

Path component of the ICAP URI that identifies the HTTP response processing service.

string

Maximum length: 127

file-transfer-path

Path component of the ICAP URI that identifies the file transfer processing service.

string

Maximum length: 127

methods

The allowed HTTP methods that will be sent to ICAP server for further processing.

option

-

delete get head options post put trace connect other

Option

Description

delete

Forward HTTP request or response with DELETE method to ICAP server for further processing.

get

Forward HTTP request or response with GET method to ICAP server for further processing.

head

Forward HTTP request or response with HEAD method to ICAP server for further processing.

options

Forward HTTP request or response with OPTIONS method to ICAP server for further processing.

post

Forward HTTP request or response with POST method to ICAP server for further processing.

put

Forward HTTP request or response with PUT method to ICAP server for further processing.

trace

Forward HTTP request or response with TRACE method to ICAP server for further processing.

connect

Forward HTTP request or response with CONNECT method to ICAP server for further processing.

other

Forward HTTP request or response with All other methods to ICAP server for further processing.

response-req-hdr

Enable/disable addition of req-hdr for ICAP response modification (respmod) processing.

option

-

enable

Option

Description

disable

Do not add req-hdr for response modification (respmod) processing.

enable

Add req-hdr for response modification (respmod) processing.

respmod-default-action

Default action to ICAP response modification (respmod) processing.

option

-

forward

Option

Description

forward

Forward response to ICAP server unless a rule specifies not to.

bypass

Don't forward request to ICAP server unless a rule specifies to forward the request.

icap-block-log

Enable/disable UTM log when infection found.

option

-

disable

Option

Description

disable

Disable UTM log when infection found.

enable

Enable UTM log when infection found.

chunk-encap

Enable/disable chunked encapsulation.

option

-

disable

Option

Description

disable

Do not encapsulate chunked data.

enable

Encapsulate chunked data into a new chunk.

extension-feature

Enable/disable ICAP extension features.

option

-

Option

Description

scan-progress

Support X-Scan-Progress-Interval ICAP header.

scan-progress-interval

Scan progress interval value.

integer

Minimum value: 5 Maximum value: 30

10

timeout

Time (in seconds) that ICAP client waits for the response from ICAP server.

integer

Minimum value: 30 Maximum value: 3600

30

scan-size-limit

ICAP server scan size limit for an single request.

integer

Minimum value: 0 Maximum value: 4096

0

scan-oversize-log

Enable/disable scan oversize log.

option

-

enable

Option

Description

disable

Disable scan oversize log.

enable

Enable scan oversize log.

config icap-headers

Parameter

Description

Type

Size

Default

id

HTTP forwarded header ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

name

HTTP forwarded header name.

string

Maximum length: 79

source

HTTP append header source.

option

-

content

Option

Description

content

Create ICAP header from content.

http-header

Create ICAP header from HTTP header.

session

Create ICAP header from session info.

content

HTTP header content.

string

Maximum length: 255

http-header

HTTP header-field name.

string

Maximum length: 79

sesson-info-type

Session info type.

option

-

client-ip

Option

Description

client-ip

Client ip address.

user

Authentication user name.

upn

Authentication user principal name.

domain

User domain name.

local-grp

Firewall group name.

remote-grp

Group name from authentication server.

proxy-name

Proxy realm name.

auth-user-uri

Authenticated user uri.

auth-group-uri

Authenticated group uri.

base64-encoding

Enable/disable use of base64 encoding of HTTP content.

option

-

disable

Option

Description

disable

Disable use of base64 encoding of HTTP content.

enable

Enable use of base64 encoding of HTTP content.

config respmod-forward-rules

Parameter

Description

Type

Size

Default

name

Address name.

string

Maximum length: 63

host

Address object for the host.

string

Maximum length: 79

action

Action to be taken for ICAP server.

option

-

forward

Option

Description

forward

Forward request to ICAP server when this rule is matched.

bypass

Don't forward request to ICAP server when this rule is matched.

http-resp-status-code <code>

HTTP response status code.

HTTP response status code.

integer

Minimum value: 100 Maximum value: 599

config header-group

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

header-name

HTTP header.

string

Maximum length: 79

header

HTTP header regular expression.

string

Maximum length: 255

case-sensitivity

Enable/disable case sensitivity when matching header.

option

-

disable

Option

Description

disable

Ignore case when matching header.

enable

Do not ignore case when matching header.

config icap profile

config icap profile

Configure ICAP profiles.

config icap profile
    Description: Configure ICAP profiles.
    edit <name>
        set replacemsg-group {string}
        set comment {var-string}
        set request [disable|enable]
        set response [disable|enable]
        set file-transfer {option1}, {option2}, ...
        set streaming-content-bypass [disable|enable]
        set ocr_only [disable|enable]
        set 204-size-limit {integer}
        set 204-response [disable|enable]
        set preview [disable|enable]
        set preview-data-length {integer}
        set request-server {string}
        set response-server {string}
        set file-transfer-server {string}
        set request-failure [error|bypass]
        set response-failure [error|bypass]
        set file-transfer-failure [error|bypass]
        set request-path {string}
        set response-path {string}
        set file-transfer-path {string}
        set methods {option1}, {option2}, ...
        set response-req-hdr [disable|enable]
        set respmod-default-action [forward|bypass]
        set icap-block-log [disable|enable]
        set chunk-encap [disable|enable]
        set extension-feature {option1}, {option2}, ...
        set scan-progress-interval {integer}
        set timeout {integer}
        set scan-size-limit {integer}
        set scan-oversize-log [disable|enable]
        config icap-headers
            Description: Configure ICAP forwarded request headers.
            edit <id>
                set name {string}
                set source [content|http-header|...]
                set content {string}
                set http-header {string}
                set sesson-info-type [client-ip|user|...]
                set base64-encoding [disable|enable]
            next
        end
        config respmod-forward-rules
            Description: ICAP response mode forward rules.
            edit <name>
                set host {string}
                config header-group
                    Description: HTTP header group.
                    edit <id>
                        set header-name {string}
                        set header {string}
                        set case-sensitivity [disable|enable]
                    next
                end
                set action [forward|bypass]
                set http-resp-status-code <code1>, <code2>, ...
            next
        end
    next
end

config icap profile

Parameter

Description

Type

Size

Default

replacemsg-group

Replacement message group.

string

Maximum length: 35

name

ICAP profile name.

string

Maximum length: 35

comment

Comment.

var-string

Maximum length: 255

request

Enable/disable whether an HTTP request is passed to an ICAP server.

option

-

disable

Option

Description

disable

Disable HTTP request passing to ICAP server.

enable

Enable HTTP request passing to ICAP server.

response

Enable/disable whether an HTTP response is passed to an ICAP server.

option

-

disable

Option

Description

disable

Disable HTTP response passing to ICAP server.

enable

Enable HTTP response passing to ICAP server.

file-transfer

Configure the file transfer protocols to pass transferred files to an ICAP server as REQMOD.

option

-

Option

Description

ssh

Forward file transfer with SSH protocol to ICAP server for further processing.

ftp

Forward file transfer with FTP protocol to ICAP server for further processing.

streaming-content-bypass

Enable/disable bypassing of ICAP server for streaming content.

option

-

disable

Option

Description

disable

Disable bypassing of ICAP server for streaming content.

enable

Enable bypassing of ICAP server for streaming content.

ocr_only

Enable/disable only passing OCR scan request to ICAP server.

option

-

disable

Option

Description

disable

Disable only passing OCR scan request to ICAP server.

enable

Enable only passing OCR scan request to ICAP server.

204-size-limit

Allow 204 size limit to be saved by ICAP client.

integer

Minimum value: 1 Maximum value: 10

1

204-response

Enable/disable allowance of 204 response from ICAP server.

option

-

disable

Option

Description

disable

Disable allowance of 204 response from ICAP server.

enable

Enable allowance of 204 response from ICAP server.

preview

Enable/disable preview of data to ICAP server.

option

-

disable

Option

Description

disable

Disable preview of data to ICAP server.

enable

Enable preview of data to ICAP server.

preview-data-length

Preview data length to be sent to ICAP server.

integer

Minimum value: 0 Maximum value: 4096

0

request-server

ICAP server to use for an HTTP request.

string

Maximum length: 63

response-server

ICAP server to use for an HTTP response.

string

Maximum length: 63

file-transfer-server

ICAP server to use for a file transfer.

string

Maximum length: 63

request-failure

Action to take if the ICAP server cannot be contacted when processing an HTTP request.

option

-

error

Option

Description

error

Error.

bypass

Bypass.

response-failure

Action to take if the ICAP server cannot be contacted when processing an HTTP response.

option

-

error

Option

Description

error

Error.

bypass

Bypass.

file-transfer-failure

Action to take if the ICAP server cannot be contacted when processing a file transfer.

option

-

error

Option

Description

error

Error.

bypass

Bypass.

request-path

Path component of the ICAP URI that identifies the HTTP request processing service.

string

Maximum length: 127

response-path

Path component of the ICAP URI that identifies the HTTP response processing service.

string

Maximum length: 127

file-transfer-path

Path component of the ICAP URI that identifies the file transfer processing service.

string

Maximum length: 127

methods

The allowed HTTP methods that will be sent to ICAP server for further processing.

option

-

delete get head options post put trace connect other

Option

Description

delete

Forward HTTP request or response with DELETE method to ICAP server for further processing.

get

Forward HTTP request or response with GET method to ICAP server for further processing.

head

Forward HTTP request or response with HEAD method to ICAP server for further processing.

options

Forward HTTP request or response with OPTIONS method to ICAP server for further processing.

post

Forward HTTP request or response with POST method to ICAP server for further processing.

put

Forward HTTP request or response with PUT method to ICAP server for further processing.

trace

Forward HTTP request or response with TRACE method to ICAP server for further processing.

connect

Forward HTTP request or response with CONNECT method to ICAP server for further processing.

other

Forward HTTP request or response with All other methods to ICAP server for further processing.

response-req-hdr

Enable/disable addition of req-hdr for ICAP response modification (respmod) processing.

option

-

enable

Option

Description

disable

Do not add req-hdr for response modification (respmod) processing.

enable

Add req-hdr for response modification (respmod) processing.

respmod-default-action

Default action to ICAP response modification (respmod) processing.

option

-

forward

Option

Description

forward

Forward response to ICAP server unless a rule specifies not to.

bypass

Don't forward request to ICAP server unless a rule specifies to forward the request.

icap-block-log

Enable/disable UTM log when infection found.

option

-

disable

Option

Description

disable

Disable UTM log when infection found.

enable

Enable UTM log when infection found.

chunk-encap

Enable/disable chunked encapsulation.

option

-

disable

Option

Description

disable

Do not encapsulate chunked data.

enable

Encapsulate chunked data into a new chunk.

extension-feature

Enable/disable ICAP extension features.

option

-

Option

Description

scan-progress

Support X-Scan-Progress-Interval ICAP header.

scan-progress-interval

Scan progress interval value.

integer

Minimum value: 5 Maximum value: 30

10

timeout

Time (in seconds) that ICAP client waits for the response from ICAP server.

integer

Minimum value: 30 Maximum value: 3600

30

scan-size-limit

ICAP server scan size limit for an single request.

integer

Minimum value: 0 Maximum value: 4096

0

scan-oversize-log

Enable/disable scan oversize log.

option

-

enable

Option

Description

disable

Disable scan oversize log.

enable

Enable scan oversize log.

config icap-headers

Parameter

Description

Type

Size

Default

id

HTTP forwarded header ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

name

HTTP forwarded header name.

string

Maximum length: 79

source

HTTP append header source.

option

-

content

Option

Description

content

Create ICAP header from content.

http-header

Create ICAP header from HTTP header.

session

Create ICAP header from session info.

content

HTTP header content.

string

Maximum length: 255

http-header

HTTP header-field name.

string

Maximum length: 79

sesson-info-type

Session info type.

option

-

client-ip

Option

Description

client-ip

Client ip address.

user

Authentication user name.

upn

Authentication user principal name.

domain

User domain name.

local-grp

Firewall group name.

remote-grp

Group name from authentication server.

proxy-name

Proxy realm name.

auth-user-uri

Authenticated user uri.

auth-group-uri

Authenticated group uri.

base64-encoding

Enable/disable use of base64 encoding of HTTP content.

option

-

disable

Option

Description

disable

Disable use of base64 encoding of HTTP content.

enable

Enable use of base64 encoding of HTTP content.

config respmod-forward-rules

Parameter

Description

Type

Size

Default

name

Address name.

string

Maximum length: 63

host

Address object for the host.

string

Maximum length: 79

action

Action to be taken for ICAP server.

option

-

forward

Option

Description

forward

Forward request to ICAP server when this rule is matched.

bypass

Don't forward request to ICAP server when this rule is matched.

http-resp-status-code <code>

HTTP response status code.

HTTP response status code.

integer

Minimum value: 100 Maximum value: 599

config header-group

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

header-name

HTTP header.

string

Maximum length: 79

header

HTTP header regular expression.

string

Maximum length: 255

case-sensitivity

Enable/disable case sensitivity when matching header.

option

-

disable

Option

Description

disable

Ignore case when matching header.

enable

Do not ignore case when matching header.