You create and configure ICAP rules at the security-policy icap-rules level. For more details on the command structure, see Configuring Rules Using UPL.
To create an ICAP rule, use the following command:
Admin@nodename# create security-policy icap-rules <position> upl-rule
ICAP rule parameters:

Parameter | Description
---|---
PASS, OK | ICAP rule action: PASS or OK.
enabled | Enable or disable the rule: enabled(true) or enabled(false).
name | ICAP rule name. Example: name("ICAP rule example").
desc | A description of the rule. Example: desc("ICAP rule example set via CLI").
profile | ICAP servers to which UserGate redirects requests. Format: profile("Example ICAP server"). For more information about configuring ICAP servers using the CLI, see Configuring ICAP Servers.
src.zone | Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about configuring zones using the CLI, see the Zones section.
src.ip | Source IP address lists or domain lists. To specify a list of IP addresses: src.ip = lib.network(), with the list name in parentheses. For more details about creating and configuring IP address lists using the CLI, see the Configuring IP addresses section. To specify a source domain list: src.ip = lib.url(), with the name of the URL list that contains the desired domains in parentheses. For more details about creating and configuring URL lists using the CLI, see the Configuring URL Lists section.
src.geoip | Source GeoIP. Specify an ISO 3166-1 country code (for example, src.geoip = AE). Important! The maximum number of GeoIPs that can be specified is 15.
user | Users and user groups (local or LDAP) to which the ICAP rule applies. Adding LDAP groups and users requires a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section). Examples of adding users to a rule: user = known; user = "user"; user = "testd.local\\user1"; user = ("user", "testd.local\\user1").
dst.ip | Destination IP address lists or domain lists. To specify a list of IP addresses: dst.ip = lib.network(), with the list name in parentheses. For more details about creating and configuring IP address lists using the CLI, see the Configuring IP addresses section. To specify a destination domain list: dst.ip = lib.url(), with the name of the URL list that contains the desired domains in parentheses. For more details about creating and configuring URL lists using the CLI, see the Configuring URL Lists section.
dst.geoip | Destination GeoIP. Specify an ISO 3166-1 country code (for example, dst.geoip = AE). Important! The maximum number of GeoIPs that can be specified is 15.
response.header.Content-Type | Lists of content types to which the rule applies. To specify a list: response.header.Content-Type = lib.mime(), with the name of the content type list in parentheses. For more details about creating and configuring content type lists using the CLI, see Configuring Content Types.
category | URL filtering categories or category lists to which the rule applies. A URL filtering license is required. To specify a URL category list: category = lib.category(), with the list name in parentheses. For more details about creating and configuring URL categories using the CLI, see Configuring URL Categories. To specify a single URL category: category = "URL category name".
url | URL lists to which the rule applies. To specify a URL list: url = lib.url(), with the list name in parentheses. For more details about creating and configuring URL lists, see Configuring URL Lists.
http.method | HTTP request method. Example: http.method = GET.
service | Service type: HTTP, SMTP, or POP3. To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).
To edit an ICAP rule, use the following command:
Admin@nodename# set security-policy icap-rules <position> upl-rule
To view parameters for all ICAP rules that were created, use the following command:
Admin@nodename# show security-policy icap-rules
To view parameters of a specific ICAP rule, use the following command:
Admin@nodename# show security-policy icap-rules <position>
Example of creating an ICAP inspection rule:
Admin@nodename# create security-policy icap-rules 1 upl-rule PASS \
...src.zone = Trusted \
...http.method = (GET, POST) \
...profile("ICAP server1") \
...name("Test ICAP rule") \
...desc("Test ICAP rule description") \
...enabled(true)
...
Admin@nodename# show security-policy icap-rules 1
% ----------------- 1 -----------------
PASS \
src.zone = Trusted \
http.method = (GET, POST) \
desc("Test ICAP rule description") \
profile("ICAP server1") \
enabled(true) \
id("80a7dca6-96f7-42c8-baad-8716be8d3b93") \
name("Test ICAP rule")
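As an added example that is not part of this documentation or of UserGate's own tooling, the following Python script parses the output of show security-policy icap-rules into one dictionary per rule position and flags rules that cannot inspect anything because they are disabled or have no ICAP server profile. The sample output is constructed: rule 1 mirrors the example above, rule 2 is invented to trigger both findings.

```python
import re

# Constructed sample in the format `show security-policy icap-rules` prints:
# rule 1 mirrors the page's example, rule 2 is made up to trip the audit checks.
SAMPLE_OUTPUT = """\
% ----------------- 1 -----------------
PASS \\
src.zone = Trusted \\
http.method = (GET, POST) \\
profile("ICAP server1") \\
enabled(true) \\
id("80a7dca6-96f7-42c8-baad-8716be8d3b93") \\
name("Test ICAP rule")
% ----------------- 2 -----------------
OK \\
enabled(false) \\
name("Disabled rule without profile")
"""

RULE_SEP = re.compile(r"^% -+ (\d+) -+$", re.M)    # "% ---- <position> ----" header
CLAUSE_FN = re.compile(r"^([\w.\-]+)\((.*)\)$")    # name("..."), enabled(true)
CLAUSE_KV = re.compile(r"^([\w.\-]+)\s*=\s*(.+)$")  # src.zone = Trusted

def parse_value(raw):
    # a (a, b, ...) tuple becomes a list; quotes around a single value are dropped
    raw = raw.strip()
    if raw.startswith("(") and raw.endswith(")"):
        return [v.strip().strip('"') for v in raw[1:-1].split(",")]
    return raw.strip('"')

def parse_icap_rules(text):
    """Map rule position -> dict of clauses; the first clause is the action."""
    parts = RULE_SEP.split(text)  # [preamble, pos1, body1, pos2, body2, ...]
    rules = {}
    for pos, body in zip(parts[1::2], parts[2::2]):
        # one clause per line; a trailing "\" is only a line continuation
        clauses = [c for c in (ln.strip().rstrip("\\").strip() for ln in body.splitlines()) if c]
        rule = {"action": clauses[0]}
        for clause in clauses[1:]:
            m = CLAUSE_FN.match(clause) or CLAUSE_KV.match(clause)
            if m:
                rule[m.group(1)] = parse_value(m.group(2))
        rules[int(pos)] = rule
    return rules

def audit_icap_rules(rules):
    # findings: (position, reason) for rules that are disabled or redirect to no ICAP server
    findings = []
    for pos, rule in sorted(rules.items()):
        if rule.get("enabled") != "true":
            findings.append((pos, "rule is disabled"))
        if not rule.get("profile"):
            findings.append((pos, "no ICAP server profile set"))
    return findings
```

Feed the script the captured output of show security-policy icap-rules instead of SAMPLE_OUTPUT to review a live configuration.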
To remove an ICAP rule, use the following command:
Admin@nodename# delete security-policy icap-rules <position>