Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure the ICAP redirection service.

The SRX Series device acts as an SSL proxy, decrypts HTTP or HTTPS traffic, and redirects the HTTP message to a third-party, on-premise DLP server through the Internet Content Adaptation Protocol (ICAP) channel. To enable ICAP redirection service, you must configure an ICAP redirect profile.

The ICAP server profile allows the ICAP server to process request messages, response messages, fallback options, and so on, to the permitted traffic. This profile is applied as an application service in the security policy.

Starting in Junos OS Release 20.1R1, you can enable ICAP redirect service at the tenant system level, and you can view/clear the ICAP redirect services status and statistics at the tenant systems level. The ICAP service redirect configuration for tenant system is implemented under profile and the ICAP redirect profile capacity is 64 globally. All tenant systems need to share this profile capacity. If 64 tenant systems used the maximum tenants profile capacity, the remaining tenant systems will not be not able to configure the ICAP redirect profile. Tenant systems can reserve the required or the maximum ICAP redirect profile capacity in their security-profiles using the following CLI commands respectively:

  • edit system security-profile security-profile-name icap-redirect-profile reserved quota

  • edit system security-profile security-profile-name icap-redirect-profile maximum quota

In addition, we’ve introduced the X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.


The statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 18.1 R1.

Support at the [edit logical-system logical-system-name services] hierarchy level introduced in Junos OS Release 18.3R1.

Support at the [edit tenants tenants_name services] hierarchy level introduced in Junos OS Release 20.1R1.