12.10.9. Configuring ICAP rules

You create and configure ICAP rules at the security-policy icap-rules level. For more details on the command structure, see Configuring Rules Using UPL.

You need to specify the following:

Each parameter is listed below, followed by its description.

PASS / OK

ICAP rule action:

  • PASS: do not send data to the ICAP server. A rule with this action lets the administrator explicitly exclude certain types of traffic from being forwarded to ICAP servers.

  • OK: send data to the ICAP server and wait for the server's response (the standard mode for most ICAP servers).

  • OK ... ignore: send data to the ICAP server and ignore the server's response (whatever the server replies, the data reaches the user unmodified, but the ICAP server still receives a full copy of the user traffic). Specify ignore in the rule properties.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

ICAP rule name.

Example: name("ICAP rule example").

desc

A description of the rule.

Example: desc("ICAP rule example set via CLI").

profile

ICAP servers to which UserGate will redirect requests. Format: profile("Example ICAP server").

For more information about how to configure ICAP servers using the CLI, see Configuring ICAP servers.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add source IP address or domain lists.

Example for IP addresses: src.ip = lib.network(). Specify the IP address list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify the name of the URL list to which the required domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Country codes are ISO 3166-1 alpha-2 (two-letter) codes.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

user

Users and user groups for which the ICAP rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see Configuring LDAP connectors).

The following line adds a local user (local_user), a local group (Local Group), an LDAP user (example.loc\AD_user), and an LDAP group (AD group):

user = (local_user, "CN=Local Group, DC=LOCAL", "example.loc\\AD_user", "CN=AD group, OU=Example, DC=example, DC=loc")

Here the Active Directory domain example.loc has already been configured. When adding LDAP users and groups, you can specify a list of paths on the server from which the system will start searching for users and groups.

dst.ip

Add lists of destination IP addresses or domains.

To specify an IP address list: dst.ip = lib.network(). Specify the IP address list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify the name of the URL list to which the required domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

Country codes are ISO 3166-1 alpha-2 (two-letter) codes.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

response.header.Content-Type

Lists of content types to which the rule will be applied.

To specify a list:

response.header.Content-Type = lib.mime(). Provide the name for the content type list in parentheses.

For more details about how to create and configure lists using CLI, see Configuring content types.

category

URL categories, or lists of URL categories, for which the rule will be applied. A URL filtering license is required.

To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses.

For more details about how to create and configure URL categories using CLI, see Configuring URL categories.

To specify a URL category: category = "URL category name".

url

The URL lists to which the rule will be applied.

To specify a URL list: url = lib.url(). Specify a URL list name in parentheses.

For more details about creating and configuring URL lists, see Configuring URL lists.

http.method

Method used in HTTP requests.

Example: http.method = GET.

service

Service type: HTTP, SMTP, or POP3.

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).
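As an added illustration that is not taken from the UserGate documentation, the following three rules combine the parameters above into a typical ICAP policy: a PASS rule that exempts an internal server list from ICAP processing, an OK rule that forwards the web traffic of an LDAP group to an ICAP profile and waits for the verdict, and an OK ... ignore rule that only copies POP3 traffic to a second profile. The rule bodies use only the syntax shown in this section; the upl-rule keyword, the backslash line continuation, the position of the ignore property, and the list and profile names ("Internal servers", "Antivirus ICAP", "Mail archive ICAP", "Web content") are assumptions, and the lines beginning with # are explanatory notes rather than UPL. The command that submits each rule at the security-policy icap-rules level is the one described in Configuring Rules Using UPL.

```upl
# Added example, not from the UserGate documentation. "upl-rule", the "\"
# line continuation, the placement of "ignore" and all list/profile names
# are assumptions; only the parameter syntax comes from this section.

# Rule 1: do not forward traffic to internal servers to any ICAP server.
# A PASS rule exempts traffic only if it is matched first, so keep it
# above the OK rules in the rule list.
upl-rule PASS \
    enabled(yes) \
    name("ICAP bypass for internal servers") \
    desc("Internal servers are not inspected by ICAP") \
    src.zone = Trusted \
    dst.ip = lib.network("Internal servers")

# Rule 2: send the remaining HTTP traffic of the AD group to the ICAP
# profile and wait for the server's response before delivering the data.
upl-rule OK \
    enabled(yes) \
    name("ICAP scan for AD users") \
    desc("Web traffic of AD users is checked by the antivirus ICAP server") \
    profile("Antivirus ICAP") \
    src.zone = Trusted \
    user = ("CN=AD group, OU=Example, DC=example, DC=loc") \
    service = "HTTP" \
    http.method = GET \
    response.header.Content-Type = lib.mime("Web content")

# Rule 3: copy POP3 traffic to a second ICAP profile and ignore its reply.
# The data reaches the user unmodified, but the ICAP server receives a
# full copy of the traffic, so point this rule only at a trusted server.
upl-rule OK \
    ignore \
    enabled(yes) \
    name("ICAP copy of mail traffic") \
    desc("POP3 traffic is mirrored to the mail archive ICAP server") \
    profile("Mail archive ICAP") \
    src.zone = Trusted \
    service = "POP3"
```

Rule 1 deliberately carries no profile, since a PASS rule never sends data to an ICAP server; rules 2 and 3 each reference one ICAP profile created as described in Configuring ICAP servers.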