Working with External ICAP Servers

NGFW can send HTTP/HTTPS and email traffic (SMTP, POP3) to external ICAP servers, for example to check it for malware or to let DLP systems examine the data sent by users. In that case, NGFW acts as an ICAP client.

NGFW can be configured flexibly for working with ICAP servers: for example, the administrator can specify rules for the selective forwarding of traffic to the ICAP servers or configure the use of ICAP server farms.

To configure NGFW for using external ICAP servers, follow these steps:

Step 1. Create an ICAP server.
In the Security policies ➜ ICAP servers section, click Add and create one or more ICAP servers.

Step 2. (Optional) Create a balancing rule for ICAP servers.
If you need load balancing within an ICAP server farm, go to the Network policies ➜ Load balancing section and create an ICAP load balancer. Use the ICAP servers created at the previous step.

Step 3. Create an ICAP rule.
In the Security policies ➜ ICAP rules section, create a rule that sets the conditions for forwarding traffic to ICAP servers or server farms.

Important! ICAP rules are applied top to bottom in the rule list. Only the first rule for which all conditions are matched is triggered.

To add an ICAP server, go to the Security policies ➜ ICAP servers section, click Add, and fill in these fields:

Name
The name of the ICAP server.

Description
A description of the ICAP server.

Server address
The IP address of the ICAP server.

Port
The TCP port used by the ICAP server; the default is 1344.

Max message size
The maximum message size in kilobytes (kB) that can be transmitted to the ICAP server. Default: 0 (the request body is not transmitted to the ICAP server).

Check ICAP server every
The interval in seconds at which NGFW sends OPTIONS requests to the ICAP server to verify that the server is available.

Bypass if errors
If enabled, NGFW does not send data to the ICAP server while the server is unavailable (does not respond to OPTIONS requests).

Reqmod path
  • Enabled: enables the Reqmod mode.
  • Reqmod directory path on ICAP server: specify the path as instructed in the documentation for your ICAP server. The path can have one of the following formats:
      • /path (ICAP server directory path)
      • icap://icap-server:port/path (full URI for the Reqmod mode)

Respmod path
  • Enabled: enables the Respmod mode.
  • Respmod directory path on ICAP server: specify the path as instructed in the documentation for your ICAP server. The path can have one of the following formats:
      • /path (ICAP server directory path)
      • icap://icap-server:port/path (full URI for the Respmod mode)

Send username
  • Enabled: enables sending the username to the ICAP server.
  • Encode to base64: encode the username as base64. This can be required if usernames contain characters from national alphabets.
  • Header name: the header in which the username is sent to the ICAP server. The default is X-Authenticated-User.

Send IP
  • Enabled: enables sending the user's IP address to the ICAP server.
  • Header name: the header in which the user's IP address is sent to the ICAP server. The default is X-Client-Ip.

Send MAC address
  • Enabled: enables sending the user's MAC address to the ICAP server.
  • Header name: the header in which the user's MAC address is sent to the ICAP server. The default is X-Client-Mac.
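To make the Reqmod path, the periodic OPTIONS check and the username/IP/MAC headers concrete, here is an added example of how an ICAP client frames these messages. It is not UserGate code and not the code of any ICAP server: it builds the OPTIONS probe and a REQMOD request that carries X-Authenticated-User (base64-encoded when requested), X-Client-Ip and X-Client-Mac, and parses an OPTIONS reply to decide whether the server counts as available. The message layout follows RFC 3507; the server name icap.example.test, the /reqmod path, the sample HTTP request and the sample OPTIONS reply are constructed placeholders, and the rule that a request body is wrapped only when the size limit is non-zero and not exceeded is this example's assumption (the page states only that a limit of 0 means the body is not sent).

```python
"""Added example (not UserGate code): framing the ICAP messages the page describes."""
import base64

ICAP_DEFAULT_PORT = 1344          # default port stated on the page
CRLF = b"\r\n"

# Constructed sample data for illustration only (not real traffic).
SAMPLE_HTTP_REQUEST = b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SAMPLE_HTTP_BODY = b"secret-document-contents"
SAMPLE_OPTIONS_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n"
                        b"ISTag: \"example-tag-1\"\r\nPreview: 1024\r\n\r\n")


def username_header_value(username: str, to_base64: bool) -> str:
    """Value for the username header; base64 keeps non-ASCII names header-safe."""
    if to_base64:
        return base64.b64encode(username.encode("utf-8")).decode("ascii")
    return username


def build_options_request(server: str, port: int, path: str) -> bytes:
    """The OPTIONS probe sent every 'Check ICAP server every' seconds."""
    lines = [f"OPTIONS icap://{server}:{port}{path} ICAP/1.0",
             f"Host: {server}",
             "Encapsulated: null-body=0"]
    return CRLF.join(line.encode("ascii") for line in lines) + CRLF + CRLF


def build_reqmod_request(server, port, path, http_headers: bytes, http_body: bytes = b"",
                         max_message_kb: int = 0, username=None, username_b64=False,
                         client_ip=None, client_mac=None,
                         user_header="X-Authenticated-User", ip_header="X-Client-Ip",
                         mac_header="X-Client-Mac") -> bytes:
    """REQMOD request wrapping the client's HTTP request headers (and body, if allowed).

    Assumption of this example: the body is wrapped only when the size limit is
    non-zero and not exceeded. http_headers must end with a blank CRLF line.
    """
    icap = [f"REQMOD icap://{server}:{port}{path} ICAP/1.0", f"Host: {server}"]
    if username is not None:
        # Without base64 a non-ASCII username would fail the ASCII encoding below.
        icap.append(f"{user_header}: {username_header_value(username, username_b64)}")
    if client_ip:
        icap.append(f"{ip_header}: {client_ip}")
    if client_mac:
        icap.append(f"{mac_header}: {client_mac}")
    send_body = bool(http_body) and 0 < max_message_kb and len(http_body) <= max_message_kb * 1024
    # Encapsulated gives byte offsets of the wrapped HTTP sections (RFC 3507, 4.4.1).
    body_part = "req-body" if send_body else "null-body"
    icap.append(f"Encapsulated: req-hdr=0, {body_part}={len(http_headers)}")
    msg = CRLF.join(line.encode("ascii") for line in icap) + CRLF + CRLF + http_headers
    if send_body:   # an encapsulated body travels in HTTP chunked encoding
        msg += f"{len(http_body):x}".encode("ascii") + CRLF + http_body + CRLF + b"0" + CRLF + CRLF
    return msg


def parse_icap_response(raw: bytes):
    """Return (status code, lower-cased header dict) for an ICAP reply."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.decode("ascii", "replace").split("\r\n")
    _version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def server_is_available(raw_reply: bytes) -> bool:
    """Health-check verdict: a 200 OPTIONS reply that lists supported methods.
    No bytes at all (timeout) or a malformed reply counts as unavailable; with
    'Bypass if errors' enabled, data would then not be sent to this server."""
    try:
        status, headers = parse_icap_response(raw_reply)
    except (ValueError, IndexError):
        return False
    return status == 200 and "methods" in headers


if __name__ == "__main__":
    print(build_options_request("icap.example.test", ICAP_DEFAULT_PORT, "/reqmod").decode())
    req = build_reqmod_request("icap.example.test", ICAP_DEFAULT_PORT, "/reqmod",
                               SAMPLE_HTTP_REQUEST, SAMPLE_HTTP_BODY, max_message_kb=64,
                               username="alice", username_b64=True,
                               client_ip="10.20.5.5", client_mac="00:11:22:33:44:55")
    print(req.decode())
    print("server available:", server_is_available(SAMPLE_OPTIONS_REPLY))
```

Running the module prints the two requests as they would go on the wire; the OPTIONS reply parser is what a "Check ICAP server every" probe evaluates, and a reply with anything other than status 200 makes the server count as unavailable.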

To create a balancing rule for ICAP servers, go to the Network policies ➜ Load balancing section, select Add ➜ Add ICAP load balancer, and fill in these fields:

Enabled
Enables or disables the rule.

Name
The name of the rule.

Description
A description of the rule.

ICAP servers
The list of ICAP servers created at the previous step between which the load will be distributed.

To create an ICAP rule, go to the Security policies ➜ ICAP rules section, click Add, and fill in the relevant fields.

Note. The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note. The "Negate" checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

Enabled
Enables or disables the rule.

Name
The name of the rule.

Description
A description of the rule.

Action
The options are as follows:
  • Bypass: do not send the data to the ICAP server. By creating a rule with this action, the administrator can explicitly exclude certain types of traffic from being forwarded to ICAP servers.
  • Redirect: redirect the data to the ICAP server and wait for a response. This is the standard mode for most ICAP servers.
  • Redirect and ignore: send the data to the ICAP server and ignore its response. Regardless of the ICAP server's response, the data reaches the user unmodified, but the ICAP server receives a full copy of the user traffic.

ICAP servers
The ICAP server or load balancer to which NGFW sends the requests.

Source
The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Users
The list of users and user groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured.

Destination address
The IP addresses, Geo-IP, or URL (host) lists of the traffic destination.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Content types
The content type lists. Video, audio, images, executables, and other types of content can be controlled. Administrators can also create custom content type groups. For more details on working with content types, see the Content Types chapter.

Categories
UserGate URL Filtering category lists.

URL
URL lists.

HTTP method
The method used in HTTP requests, usually POST or GET.

Service
The available options are:
  • HTTP: web traffic.
  • SMTP: email traffic. The email messages will be transmitted to the ICAP server as the corresponding MIME type.
  • POP3: email traffic. The email messages will be transmitted to the ICAP server as the corresponding MIME type.

Important! Before using SMTP and POP3 in ICAP rules, a mail security rule should be created for these services. For more details on protecting email traffic, see the Mail Security section.
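The rule-matching behaviour described for ICAP rules (top-to-bottom first match, disabled rules skipped, OR across several address lists, AND between GeoIP and address lists, Negate as Boolean NOT, the 15-GeoIP limit, and the three actions) as an added Python model. This is not UserGate code; the rule set, IP addresses, country codes and user names are constructed for illustration, and the outcome when no rule matches (nothing is forwarded to ICAP) is this example's assumption, not a statement from the page.

```python
"""Added example (not UserGate code): a model of ICAP rule evaluation as the page describes it."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_GEOIPS = 15          # limit stated on the page
ACTIONS = {"Bypass", "Redirect", "Redirect and ignore"}


@dataclass
class AddressCondition:
    """A Source or Destination condition: IP-address lists plus optional GeoIP codes."""
    ip_lists: list = field(default_factory=list)   # list of lists of CIDR strings
    geoips: list = field(default_factory=list)     # country codes
    negate: bool = False

    def __post_init__(self):
        if len(self.geoips) > MAX_GEOIPS:
            raise ValueError(f"at most {MAX_GEOIPS} GeoIPs may be specified")

    def matches(self, ip: str, country: str) -> bool:
        if not self.ip_lists and not self.geoips:
            return True                          # condition not set: any address
        addr = ip_address(ip)
        # Several lists: Boolean OR, a hit in any one list is enough.
        in_lists = any(addr in ip_network(cidr) for lst in self.ip_lists for cidr in lst)
        in_geo = country in self.geoips
        if self.ip_lists and self.geoips:
            hit = in_lists and in_geo            # GeoIP AND address lists
        else:
            hit = in_lists if self.ip_lists else in_geo
        return not hit if self.negate else hit   # Negate: Boolean NOT


@dataclass
class IcapRule:
    name: str
    action: str
    enabled: bool = True
    source: AddressCondition = field(default_factory=AddressCondition)
    destination: AddressCondition = field(default_factory=AddressCondition)
    users: set = field(default_factory=set)      # empty: Any user
    services: set = field(default_factory=set)   # subset of {"HTTP", "SMTP", "POP3"}; empty: any
    methods: set = field(default_factory=set)    # HTTP methods; empty: any

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


@dataclass
class Traffic:
    src_ip: str
    src_country: str
    dst_ip: str
    dst_country: str
    user: str
    service: str
    method: str = ""


def rule_matches(rule: IcapRule, t: Traffic) -> bool:
    """All set conditions of an enabled rule must match."""
    return (rule.enabled
            and rule.source.matches(t.src_ip, t.src_country)
            and rule.destination.matches(t.dst_ip, t.dst_country)
            and (not rule.users or t.user in rule.users)
            and (not rule.services or t.service in rule.services)
            and (not rule.methods or t.method in rule.methods))


def first_matching_rule(rules, t: Traffic) -> Optional[IcapRule]:
    """Top to bottom; the first full match wins. None: no rule applies (assumed: nothing forwarded)."""
    return next((r for r in rules if rule_matches(r, t)), None)


def forwarding_plan(action: str):
    """(send a copy to the ICAP server?, wait for its verdict before delivering?)"""
    return {"Bypass": (False, False),
            "Redirect": (True, True),
            "Redirect and ignore": (True, False)}[action]


# Constructed rule set, most specific rules first as the page advises.
RULES = [
    IcapRule("Old DLP rule (disabled)", "Redirect", enabled=False),
    IcapRule("Bypass update server", "Bypass",
             destination=AddressCondition(ip_lists=[["192.0.2.10/32"]])),
    IcapRule("DLP for uploads from outside RU", "Redirect",
             source=AddressCondition(geoips=["RU"], negate=True),
             services={"HTTP"}, methods={"POST"}),
    IcapRule("Mirror remaining web traffic", "Redirect and ignore", services={"HTTP"}),
]

if __name__ == "__main__":
    t = Traffic("10.20.5.5", "DE", "198.51.100.7", "US", "alice", "HTTP", "POST")
    r = first_matching_rule(RULES, t)
    print(r.name if r else "no rule", forwarding_plan(r.action) if r else None)
```

The disabled rule at the top has no conditions and would otherwise match everything, which is why ordering and the Enabled flag matter; the same upload from a Russian source address falls through the negated rule to the mirroring rule.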