FortiSandbox can work as an ICAP server with proxy secure gateway devices (ProxySG) that supports ICAP. The ProxySG will serve as an ICAP client to FortiSandbox. To configure an ICAP adapter, first you will use the CLI to configure the client, and then you will use FortiSandbox GUI to configure the server.
When an ICAP client sends a HTTP request to FortiSandbox, FortiSandbox extracts the URL and checks if a verdict is available.
If the verdict is not a user selected blocking rating or is not available, a 200 return code is sent back to client so the request can move on the client side.
If the verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.
If no verdict is available, the URL will be put into the Job Queue for a scan. URL scan flow will apply.
When an ICAP client sends a HTTP response to FortiSandbox, FortiSandbox extracts the file from it and checks if verdicts are available.
If a verdict is not a user selected blocking rating, a 200 return code is sent back to the client so the response can be delivered to the endpoint host.
If a verdict is user selected blocking rating, a 403 return code along with a block page is sent back to the client.
If the user enables Realtime AV Scan, the file will be scanned by the AV Scanner. If the file is a known virus, a 403 return code along with a blocked page is sent back to the client.
If no verdict is available, these files will be put into the Job Queue for a scan. File scan flow will apply.
When ICAP client sends a preview request, FortiSandbox returns a 204 return code, which means it is not supported.
The ICAP client only supports POST and GET methods. PUT method is not supported.
The following configuration is for a SQUID 4.x to reach the FortiSandbox. You should add this configuration to the end of the
cache deny all
icap_service svcBlocker1 reqmod_precache icap://fortisandbox_ip:port_number/reqmod bypass=0 ipv6=off
adaptation_access svcBlocker1 allow all
icap_service svcLogger1 respmod_precache icap://fortisandbox_ip:port_number/respmod routing=on ipv6=off
adaptation_access svcLogger1 allow all
### add the following lines to support ssl ###
#icap_service svcBlocker2 reqmod_precache icaps://sandbox_ip:ssl_port_number/reqmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcBlocker2 allow all
#icap_service svcLogger2 respmod_precache icaps://sandbox_ip:ssl_port_number/respmod bypass=1 tls-flags=DONT_VERIFY_PEER
#adaptation_access svcLogger2 allow all
- In the FortiSandbox GUI, go to Security Fabric > Adapter.
- Select the ICAP adapter and click Edit.
- Enable the ICAP adapter.
- Under Connection, configure the following settings, and then click Apply.
Port The port the ICAP server listens on. Default is 1344. Interface
The interface the ICAP server listens on.
For a cluster, we recommend specifying the interface corresponding to the cluster IP interface (for example, port1 HA).
Enable to allow SSL traffic.
SSL port The port the ICAP server listens on for SSL traffic. Default is 11344. Receive URL
Enable to allow the ICAP server to receive URLs, and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.
Enable to allow the ICAP server to receive files, and then select the risk level to be blocked. Options are Low Risk, Medium Risk, and High Risk.
Realtime AV Scan Enable to allow real-time file scanning.