Configuring ICAP Rules

You create and configure ICAP rules at the security-policy icap-rules level. For more details on the command structure, see Configuring Rules Using UPL.

To create an ICAP rule, use the following command:

Admin@nodename# create security-policy icap-rules <position> upl-rule

ICAP rule parameters:

Parameter

Description

PASS

OK

ICAP rule action:

  • PASS: Pass: do not send data to the ICAP server. By creating a rule with this action, the administrator can explicitly exclude certain types of traffic from being forwarded to ICAP servers.

  • OK: Redirect: redirect data to the ICAP server and wait for response from the ICAP server (this is the standard working mode for most ICAP servers).

  • OK ... ignore: Redirect and ignore: redirect data to the ICAP server and ignore the server's response (regardless of the response, the data goes to the user unmodified, but the ICAP server receives a full copy of user traffic). Specify ignore in the rule properties.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

ICAP rule name.

Example: name("ICAP rule example").

desc

A description of the rule.

Example: desc("ICAP rule example set via CLI").

profile

ICAP servers to which UserGate will redirect requests. Format: profile("Example ICAP server").

For more information about how to configure ICAP servers using the CLI, see Configuring ICAP Servers.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

user

Users and user groups for which the ICAP rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known user = "user" user = "testd.local\\user1" user = ("user", "testd.local\\user1")

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

response.header.Content-Type

Lists of content types to which the rules will be applied.

To specify a list:

response.header.Content-Type = lib.mime(). Provide the name for the content type list in parentheses.

For more details about how to create and configure lists using CLI, see Configuring Content Types.

category

List of categories or URL filtering categories for which the rule will be applied. You need to have the appropriate license for URL filtering.

To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses.

For more details about how to create and configure URL categories using CLI, see Configuring URL Categories.

To specify a URL category: category = "URL category name".

url

The URL lists to which the rule will be applied.

To specify a URL list: url = lib.url(). Specify a URL list name in parentheses.

For more details about creating and configuring URL lists, see Configuring URL Lists.

http.method

Method used in HTTP requests.

To specify an HTTP method, for example: http.method = GET.

service

Service type: HTTP, SMTP, or POP3.

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To edit an ICAP rule, use the following command:

Admin@nodename# set security-policy icap-rules <position> upl-rule

To view parameters for all ICAP rules that were created, use the following command:

Admin@nodename# show security-policy icap-rules

To view parameters of a specific ICAP rule, use the following command:

Admin@nodename# show security-policy icap-rules <position>

Example of creating an ICAP inspection rule:

Admin@nodename# create security-policy icap-rules 1 upl-rule PASS \ ...src.zone = Trusted \ ...http.method = (GET, POST) \ ...profile("ICAP server1") \ ...name("Test ICAP rule") \ ...desc("Test ICAP rule description") \ ...enabled(true) ... Admin@nodename# show security-policy icap-rules 1 % ----------------- 1 ----------------- PASS \ src.zone = Trusted \ http.method = (GET, POST) \ desc("Test ICAP rule description") \ profile("ICAP server1") \ enabled(true) \ id("80a7dca6-96f7-42c8-baad-8716be8d3b93") \ name("Test ICAP rule")

To remove an ICAP rule, use the following command:

Admin@nodename# delete security-policy icap-rules <position>