icap-redirect
Syntax
icap-redirect {
    profile name {
        fallback-option {
            connectivity (block | log-permit | permit);
            default-action (block | log-permit | permit);
            timeout (block | log-permit | permit);
        }
        http {
            redirect-request redirect-request;
            redirect-response redirect-response;
        }
        server name {
            authorization {
                authorization-type authorization-type;
                credentials (ascii ascii | base64 base64);
            }
            host host;
            port port;
            reqmod-uri reqmod-uri;
            respmod-uri respmod-uri;
            routing-instance ri-name;
            sockets sockets;
            tls-profile tls-profile;
        }
        timeout timeout;
    }
    traceoptions {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        no-remote-trace no-remote-trace;
    }
}
Hierarchy Level
[edit services], [edit logical-systems logical-system-name services], [edit tenants tenants_name services]
Description
Configure the ICAP redirection service.
The SRX Series Firewall acts as an SSL proxy, decrypts HTTP or HTTPS traffic, and redirects the HTTP message to a third-party, on-premise DLP server through the Internet Content Adaptation Protocol (ICAP) channel. To enable ICAP redirection service, you must configure an ICAP redirect profile.
The ICAP server profile allows the ICAP server to process request messages, response messages, fallback options, and so on, for the permitted traffic. This profile is applied as an application service in the security policy.
Starting in Junos OS Release 20.1R1, you can enable the ICAP redirect service at the tenant system level, and you can view or clear the ICAP redirect service status and statistics at the tenant system level. The ICAP redirect service configuration for a tenant system is implemented under profile, and the ICAP redirect profile capacity is 64 globally. All tenant systems need to share this profile capacity. If 64 tenant systems used the maximum tenants profile capacity, the remaining tenant systems will not be able to configure the ICAP redirect profile. Tenant systems can reserve the required or the maximum ICAP redirect profile capacity in their security profiles using the following CLI commands, respectively:
edit system security-profile security-profile-name icap-redirect-profile reserved quota
edit system security-profile security-profile-name icap-redirect-profile maximum quota
In addition, we’ve introduced the X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.
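The following audit script is an added example, not Juniper code. It reads a configuration in "display set" form at any of the three hierarchy levels listed above and reports icap-redirect profiles whose fallback-option actions let traffic through without a DLP verdict, or whose servers have no tls-profile. The profile names, addresses, and the audit policy itself are assumptions made for the example.

```python
import re

# Constructed sample in "display set" form; every name and address is made up.
SAMPLE_CONFIG = """\
set services icap-redirect profile dlp-a server s1 host 192.0.2.10
set services icap-redirect profile dlp-a server s1 tls-profile icap-tls
set services icap-redirect profile dlp-a fallback-option timeout block
set services icap-redirect profile dlp-a fallback-option connectivity block
set services icap-redirect profile dlp-a fallback-option default-action block
set tenants t1 services icap-redirect profile dlp-b server s2 host 192.0.2.20
set tenants t1 services icap-redirect profile dlp-b fallback-option timeout log-permit
set tenants t1 services icap-redirect profile dlp-b fallback-option connectivity permit
"""

EVENTS = ("connectivity", "default-action", "timeout")
LINE = re.compile(r"^set (?:(logical-systems|tenants) (\S+) )?services "
                  r"icap-redirect profile (\S+) (.+)$")

def audit(config_text):
    """Return (scope, profile, finding) tuples; the policy is this example's own."""
    fallback, servers = {}, {}
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, name, profile, rest = m.groups()
        key = (f"{kind} {name}" if kind else "root", profile)
        actions = fallback.setdefault(key, {})
        tls = servers.setdefault(key, {})
        words = rest.split()
        if words[0] == "fallback-option" and len(words) == 3:
            actions[words[1]] = words[2]
        elif words[0] == "server" and len(words) >= 3:
            tls[words[1]] = tls.get(words[1], False) or words[2] == "tls-profile"
    findings = []
    for key in sorted(fallback):
        for event in EVENTS:
            action = fallback[key].get(event)
            if action is None:  # default not stated on the page, so only report it
                findings.append((*key, f"fallback-option {event} not set"))
            elif action != "block":
                findings.append((*key, f"fallback-option {event} {action} fails open"))
        for server in sorted(n for n, ok in servers[key].items() if not ok):
            findings.append((*key, f"server {server} has no tls-profile"))
    return findings

if __name__ == "__main__":
    for scope, profile, finding in audit(SAMPLE_CONFIG):
        print(f"[{scope}] {profile}: {finding}")
```
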
Options
The statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 18.1R1.
Support at the [edit logical-system logical-system-name services] hierarchy level introduced in Junos OS Release 18.3R1.
Support at the [edit tenants tenants_name services] hierarchy level introduced in Junos OS Release 20.1R1.