FortiGate
sthapa
Staff
Article Id 191248
Description
This KB describes how to use ICAP response filtering.

Solution
ICAP (Internet Content Adaptation Protocol, RFC 3507) is a lightweight HTTP-like protocol.
An ICAP client such as the FortiGate passes HTTP messages (requests or responses) to an ICAP server for adaptation, for example content scanning or modification. With response filtering, it is the HTTP response from the web server that is forwarded to the ICAP server (ICAP response modification, RESPMOD).

In this example, HTTP responses to client requests from all hosts are forwarded to the ICAP server only when the response has HTTP status code 200, 301 or 302 and carries the header 'Content-Type: image/jpeg'. Everything else is passed through without ICAP inspection.

Network.

Client IP: 172.31.133.213; ICAP server: 172.31.133.213 (port 1344); Web server: 162.x.x.x:80; FortiGate IP: 172.31.133.58.




CLI Configuration.

# config icap server
    edit "icap_server1"
        set ip-address <ICAP_Server_IP>
        set port 1344
    next
end

# config icap profile
    edit "icap_profile2"
        set request disable
        set response enable
        set response-server "icap_server1"
        set respmod-default-action bypass
        config respmod-forward-rules
            edit "rule2"
                set host "all"
                set action forward
                set http-resp-status-code 200 301 302
                config header-group
                    edit 2
                        set header-name "content-type"
                        set header "image/jpeg"
                    next
                end
            next
        end
    next
end
Note:

If 'respmod-default-action' is set to forward, the FortiGate sends every HTTP response to the ICAP server in an ICAP request, regardless of the forward rules. If it is set to bypass (as above), the FortiGate only sends an ICAP request for an HTTP response that matches a rule under 'respmod-forward-rules' whose action is forward; all other responses pass through without ICAP inspection.

Case 1: If the content type is 'image/png', no forward rule matches and the FortiGate bypasses ICAP inspection for the response.




Case 2: If the content type is 'image/jpeg' and the HTTP status code is 200, 301 or 302, the FortiGate sends the HTTP response (headers and body) to the ICAP server for inspection.

In this capture the web server returns the .jpg image with status code 200 and content type 'image/jpeg', so rule2 matches and the FortiGate forwards the HTTP response to the ICAP server in an ICAP request.
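The decision described in the Note and in Cases 1 and 2, written out as a small model so the rule logic can be checked against more inputs than the two captures show. This is an added illustration, not FortiOS code: the assumptions that header names compare case-insensitively, that header values compare case-insensitively with any ';' parameters stripped, that a rule matches only when the status code and every header-group entry match, and that the first matching rule wins are mine and are not stated on this page.

```python
"""Model of the FortiGate respmod-default-action / respmod-forward-rules decision.

Added illustration, not FortiOS code. Assumptions (not from the article): header
names compare case-insensitively (as HTTP requires); header values compare
case-insensitively after stripping ';' parameters; a rule matches only when the
status code and every header-group entry match; the first matching rule wins.
"""
from dataclasses import dataclass, field


@dataclass
class ForwardRule:
    name: str
    action: str                                  # "forward" or "bypass"
    status_codes: frozenset = frozenset()        # empty = any status code (assumption)
    headers: dict = field(default_factory=dict)  # header-name -> required value


def _media_type(value: str) -> str:
    """'Image/JPEG; q=1' -> 'image/jpeg' so case and parameters do not break a match."""
    return value.split(";", 1)[0].strip().lower()


def rule_matches(rule: ForwardRule, status: int, resp_headers: dict) -> bool:
    """True when the response status and all header-group entries satisfy the rule."""
    if rule.status_codes and status not in rule.status_codes:
        return False
    norm = {k.lower(): v for k, v in resp_headers.items()}
    for name, wanted in rule.headers.items():
        got = norm.get(name.lower())
        if got is None or _media_type(got) != _media_type(wanted):
            return False
    return True


def respmod_action(default_action: str, rules: list, status: int, resp_headers: dict) -> str:
    """Return 'forward' (send to the ICAP server) or 'bypass' for one HTTP response."""
    if default_action == "forward":
        # Every response is sent to the ICAP server; the rules are not consulted.
        return "forward"
    for rule in rules:
        if rule_matches(rule, status, resp_headers):
            return rule.action
    return "bypass"


# icap_profile2 from the CLI configuration above, expressed as data
ICAP_PROFILE2_RULES = [
    ForwardRule("rule2", "forward", frozenset({200, 301, 302}),
                {"content-type": "image/jpeg"}),
]


def decide_cases() -> dict:
    """Run the two cases from the article plus three edge cases; returns name -> decision."""
    return {
        "case1_png_200": respmod_action("bypass", ICAP_PROFILE2_RULES, 200,
                                        {"Content-Type": "image/png"}),
        "case2_jpeg_200": respmod_action("bypass", ICAP_PROFILE2_RULES, 200,
                                         {"Content-Type": "image/jpeg"}),
        "jpeg_404": respmod_action("bypass", ICAP_PROFILE2_RULES, 404,
                                   {"Content-Type": "image/jpeg"}),
        "jpeg_301_params": respmod_action("bypass", ICAP_PROFILE2_RULES, 301,
                                          {"content-type": "Image/JPEG; q=1"}),
        "default_forward_html": respmod_action("forward", ICAP_PROFILE2_RULES, 404,
                                               {"Content-Type": "text/html"}),
    }


if __name__ == "__main__":
    for name, decision in decide_cases().items():
        print(f"{name}: {decision}")
```

The 'jpeg_404' entry is the one worth remembering when a rule "does not fire": the status code list and the header group are both conditions, so a 404 error page served as image/jpeg is never inspected under this profile.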




In the PCAP above, the FortiGate does not receive any ICAP response from the ICAP server, so it blocks the HTTP response and reports the error 'An ICAP error was encountered while handling the request' to the client.

ICAP packet going out from the FortiGate firewall.
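What the ICAP exchange behind these captures looks like on the wire, for the protocol summary at the start of the Solution and for the failure shown in the PCAP above: an added example, not FortiGate or Fortinet code, built on byte strings so it runs offline. The client side produces an RFC 3507 RESPMOD request of the kind sent when a response is forwarded; the server side is a toy ICAP server that answers OPTIONS and RESPMOD. The service path /respmod, the sample HTTP request/response and the 4-byte stand-in image are constructed, and the ICAP server here always accepts content unchanged. An ICAP server that never answers, closes the connection or returns an error is what produces the 'ICAP server error' block shown in the capture.

```python
"""Minimal ICAP RESPMOD exchange (RFC 3507) on byte strings, runnable offline.

Added example, not FortiGate or Fortinet code. build_respmod_request() produces
the kind of message an ICAP client sends when it forwards an HTTP response;
handle_icap_request() is a toy ICAP server answering OPTIONS and RESPMOD. The
service path /respmod and the sample HTTP messages are assumptions/constructed.
"""
ICAP_HOST = "172.31.133.213"
ICAP_URI = f"icap://{ICAP_HOST}:1344/respmod"   # service path is an assumption

# Constructed sample: the origin request and the response being adapted
SAMPLE_REQ_HDR = b"GET /images/gap.jpg HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n"
SAMPLE_RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                  b"Content-Length: 4\r\n\r\n")
SAMPLE_BODY = b"\xff\xd8\xff\xd9"   # JPEG SOI + EOI markers, a 4-byte stand-in image


def _chunked(body: bytes) -> bytes:
    """Encapsulated bodies are always chunked (RFC 3507 section 4.4.3)."""
    return f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"


def build_respmod_request(req_hdr: bytes, res_hdr: bytes, body: bytes,
                          allow_204: bool = True) -> bytes:
    """Wrap an HTTP request header, response header and body in an ICAP RESPMOD request."""
    res_hdr_off = len(req_hdr)
    res_body_off = res_hdr_off + len(res_hdr)
    head = (f"RESPMOD {ICAP_URI} ICAP/1.0\r\nHost: {ICAP_HOST}\r\n"
            + ("Allow: 204\r\n" if allow_204 else "")
            + f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, res-body={res_body_off}\r\n\r\n")
    return head.encode() + req_hdr + res_hdr + _chunked(body)


def parse_icap(raw: bytes):
    """Split an ICAP message into (method, {header: value}, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")   # first blank line ends the ICAP head
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, encapsulated


def encapsulated_sections(headers: dict, encapsulated: bytes) -> dict:
    """Cut the encapsulated region into req-hdr / res-hdr / res-body using the offsets."""
    offsets = []
    for part in headers["encapsulated"].split(","):
        name, _, off = part.strip().partition("=")
        offsets.append((name, int(off)))
    sections = {}
    for i, (name, off) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(encapsulated)
        sections[name] = encapsulated[off:end]
    return sections


def handle_icap_request(raw: bytes) -> bytes:
    """Toy ICAP server. A real server that sends nothing, closes the connection or
    returns an error is what produces the FortiGate 'ICAP server error' block."""
    method, headers, encapsulated = parse_icap(raw)
    if method == "OPTIONS":
        return (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nService: example-icap/1.0\r\n"
                b'ISTag: "example-1"\r\nAllow: 204\r\nEncapsulated: null-body=0\r\n\r\n')
    if method != "RESPMOD":
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n"
    parts = encapsulated_sections(headers, encapsulated)
    # A real server scans parts["res-body"] here; this one accepts content unchanged.
    if "204" in headers.get("allow", ""):
        return b'ICAP/1.0 204 Unmodified\r\nISTag: "example-1"\r\nEncapsulated: null-body=0\r\n\r\n'
    # Client did not allow 204: the unmodified response must be echoed back in full.
    res_hdr, res_body = parts["res-hdr"], parts["res-body"]
    head = (f'ICAP/1.0 200 OK\r\nISTag: "example-1"\r\n'
            f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n\r\n")
    return head.encode() + res_hdr + res_body


def run_exchange(allow_204: bool = True) -> bytes:
    """Client builds the RESPMOD for the constructed sample; the server answers."""
    request = build_respmod_request(SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY, allow_204)
    return handle_icap_request(request)


if __name__ == "__main__":
    print(run_exchange().decode("latin-1"))
```

The Encapsulated header is the part worth checking first when an ICAP server rejects the FortiGate's requests: the offsets are byte positions from the start of the encapsulated section, and the body must be chunked even when the HTTP response carried a Content-Length.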




Use log category 20 to filter for ICAP logs:
# execute log filter category 20
# execute log display

1: date=2020-04-21 time=12:42:15 logid="2000060000" type="utm" subtype="icap" eventtype="icap" level="warning" vd="root" eventtime=1587465735129231120 tz="+0200" msg="Request blocked due to ICAP server error" service="HTTP" srcip=172.31.133.213 dstip=162.x.x.x srcport=56232 dstport=80 srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=1 sessionid=371403 proto=6 action="blocked" profile="default" url="http://www.anydomain.com/images/gap.jpg"
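For hunting the same condition in exported logs rather than on the CLI, an added example (not Fortinet code) that parses FortiGate key=value log lines, including quoted values that contain spaces, and picks out the entries where a request was blocked because the ICAP server failed. The first sample line is the entry shown above; the two others are constructed for contrast, and the message text of the constructed ICAP entry is invented.

```python
"""Parse FortiGate key=value log lines and pull out ICAP server errors.

Added example, not Fortinet code. LOG_LINES holds the ICAP entry shown above
plus two constructed entries for contrast; the msg text of the constructed
ICAP entry is invented and carries no logid.
"""
import re

# A value is either a double-quoted string (which may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

LOG_LINES = [
    # the entry from the article
    'date=2020-04-21 time=12:42:15 logid="2000060000" type="utm" subtype="icap" '
    'eventtype="icap" level="warning" vd="root" eventtime=1587465735129231120 tz="+0200" '
    'msg="Request blocked due to ICAP server error" service="HTTP" srcip=172.31.133.213 '
    'dstip=162.x.x.x srcport=56232 dstport=80 srcintf="port3" srcintfrole="undefined" '
    'dstintf="port1" dstintfrole="undefined" policyid=1 sessionid=371403 proto=6 '
    'action="blocked" profile="default" url="http://www.anydomain.com/images/gap.jpg"',
    # constructed: a response the ICAP server accepted (msg text invented)
    'date=2020-04-21 time=12:42:20 type="utm" subtype="icap" level="notice" vd="root" '
    'msg="Response passed through ICAP" service="HTTP" srcip=172.31.133.213 '
    'dstip=162.x.x.x policyid=1 action="passthrough" '
    'url="http://www.anydomain.com/images/logo.jpg"',
    # constructed: an unrelated traffic log
    'date=2020-04-21 time=12:42:21 type="traffic" subtype="forward" '
    'srcip=172.31.133.213 dstip=162.x.x.x action="accept"',
]


def parse_fortigate_log(line: str) -> dict:
    """'k=v k="v with spaces"' -> dict, with the quotes removed from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def icap_server_errors(lines) -> list:
    """Parsed ICAP UTM entries where the FortiGate blocked because the ICAP server failed."""
    hits = []
    for line in lines:
        entry = parse_fortigate_log(line)
        if (entry.get("type") == "utm" and entry.get("subtype") == "icap"
                and entry.get("action") == "blocked"
                and "ICAP server error" in entry.get("msg", "")):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in icap_server_errors(LOG_LINES):
        print(e["date"], e["time"], e["srcip"], "->", e["url"], ":", e["msg"])
```

A burst of these entries from many source IPs at once usually means the ICAP server itself (or the path to port 1344) is down rather than a problem with one client, since the FortiGate blocks every forwarded response it gets no answer for.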
Browser output.






In the above output, the response for the 'jpg' image (content type image/jpeg) was processed by the ICAP server.




In the above output, the response for the 'png' image was bypassed by the FortiGate and not sent for ICAP inspection.

Refer to RFC 3507 (Internet Content Adaptation Protocol) for more information.

