ICAP Redirects for Logical Systems
ICAP is a lightweight protocol used to extend transparent proxy servers, thereby freeing up resources. For more information, see the following topics:
ICAP Redirect Support for Logical Systems
Starting in Junos OS Release 18.3R1, SRX Series Firewalls support the Internet Content Adaptation Protocol (ICAP) service redirect when the device is configured for logical systems.
An ICAP redirect profile can be attached only to a security policy that belongs to the same logical system. The profile is applied to the security policy as an application service for the permitted traffic. The ICAP profile defines the settings that allow the ICAP server to process request messages and response messages, and the fallback options to apply on a timeout, a connectivity failure, too many requests, or any other error condition.
Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. SSL relies on certificates and private-public key exchange pairs for this level of security. SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server, but neither the server nor the client can detect its presence.
The ICAP redirect service depends on SSL proxy to build secure connections. Because SSL proxy is not supported on user logical systems in Junos OS Release 18.3R1, ICAP redirect in that release works with cleartext connections or with shared certificates.
The following sequence of events occurs in a typical ICAP redirect scenario:
- The user opens a connection to a website on the Internet.
- The request goes through the SRX Series Firewall, which is acting as a proxy server.
- The SRX Series Firewall receives the information from the end host, encapsulates the message, and forwards the encapsulated ICAP message to the third-party on-premises ICAP server.
- The ICAP server receives the ICAP request and analyzes it.
- If the request does not contain any confidential information, the ICAP server sends it back to the proxy server and directs the proxy server to send the HTTP request to the Internet.
- If the request contains confidential information, you can choose the action to take (block, permit and log) according to your requirements.
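The exchange described above, as an added Python example that is not part of the Junos documentation: the proxy wraps the client's HTTP request in an RFC 3507 ICAP REQMOD message and reads the server's verdict back. The server name and URI are the page's values (icap-svr1, echo); the HTTP request and the server replies are constructed.

```python
# Added example (Python, not Junos code): the REQMOD exchange between the proxy
# and the ICAP server. Server name/URI are the page's (icap-svr1, "echo"); the
# client HTTP request and the ICAP replies below are constructed samples.

def build_reqmod(http_request: bytes, server: str = "icap-svr1", uri: str = "echo") -> bytes:
    """Wrap a client HTTP request in an ICAP REQMOD message."""
    head, sep, body = http_request.partition(b"\r\n\r\n")
    req_hdr = head + sep
    # Encapsulated gives the byte offset of each part inside the ICAP body.
    if body:
        encapsulated = f"req-hdr=0, req-body={len(req_hdr)}"
        # ICAP bodies are chunked: hex length, data, terminating zero chunk.
        payload = req_hdr + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(req_hdr)}"
        payload = req_hdr
    icap_hdr = (f"REQMOD icap://{server}/{uri} ICAP/1.0\r\nHost: {server}\r\n"
                f"Allow: 204\r\nEncapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_hdr + payload


def icap_verdict(response: bytes) -> str:
    """Translate the ICAP server's reply into the proxy's action on the request."""
    head = response.partition(b"\r\n\r\n")[0]
    lines = head.decode("ascii", "replace").split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    encap = headers.get("encapsulated", "")
    if status == 204:
        return "forward-unmodified"  # nothing confidential: send the HTTP request on
    if status == 200 and "res-hdr" in encap:
        return "block"               # server answered with its own HTTP response
    if status == 200 and "req-hdr" in encap:
        return "forward-modified"    # server rewrote the request; send that version
    return "fallback"                # error or timeout: apply the profile's fallback


# Constructed client request and server replies (204 = clean, 200 = blocked).
SAMPLE_HTTP = (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
               b"Content-Length: 11\r\n\r\nhello world")
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "a1"\r\n\r\n'
BLOCK_REPLY = (b'ICAP/1.0 200 OK\r\nISTag: "a1"\r\n'
               b"Encapsulated: res-hdr=0, null-body=26\r\n\r\n"
               b"HTTP/1.1 403 Forbidden\r\n\r\n")
```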
Limitations of SSL Proxy with Logical Systems
The following limitations apply when you use the ICAP redirect service with user logical systems:
- SSL proxy is supported only on the primary logical system in Junos OS Release 18.3R1.
- An SSL profile configured to provide a secure connection to the ICAP server is not supported on user logical systems in Junos OS Release 18.3R1.
Example: Configuring ICAP Redirect Service on SRX Series Firewalls
This example shows how to define an ICAP redirect profile for an SRX Series Firewall.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall with Junos OS Release 18.3R1 or later. This configuration example was tested on Junos OS Release 18.3R1.
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you configure an ICAP redirect profile in a logical system and apply the profile as an application service in the security policy for the permitted traffic.
Table 1 lists the details of the parameters used in this example.

| Parameter | Name | Description |
|---|---|---|
| Profile | icap-pf1 | The ICAP server profile allows the ICAP server to process request messages, response messages, fallback options, and so on, for the permitted traffic. This profile is applied as an application service in the security policy. |
| Server name | icap-svr1, icap-svr2 | The machine name of the remote ICAP host. The client's request is redirected to this ICAP server. |
| Server IP address | 192.0.2.2/24, 192.0.2.179/24 | The IP address of the remote ICAP host. The client's request is redirected to this ICAP server. |
| Logical system name | LSYS1 | The logical system in which the profile is defined and to which the security policy that uses it belongs. |
| Security policy | sp1 | In a security policy, apply the SSL proxy profile and the ICAP redirect profile to the permitted traffic. |
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 host 192.0.2.2/24
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 reqmod-uri echo
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 respmod-uri echo
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr1 sockets 64
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 host 192.0.2.179/24
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 reqmod-uri echo
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 respmod-uri echo
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 sockets 64
set logical-systems LSYS1 services icap-redirect profile icap-pf1 server icap-svr2 tls-profile dlp_ssl
set logical-systems LSYS1 services icap-redirect profile icap-pf1 http redirect-request
set logical-systems LSYS1 services icap-redirect profile icap-pf1 http redirect-response
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sec_policy match source-address any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sec_policy match destination-address any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sec_policy match application any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sec_policy then permit application-services ssl-proxy profile-name ssl-inspect-profile
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy sec_policy then permit application-services icap-redirect icap-pf1
set logical-systems LSYS1 security policies default-policy permit-all
set logical-systems LSYS1 security zones security-zone trust host-inbound-traffic system-services all
set logical-systems LSYS1 security zones security-zone trust host-inbound-traffic protocols all
set logical-systems LSYS1 security zones security-zone trust interfaces xe-5/0/0.0
set logical-systems LSYS1 security zones security-zone untrust host-inbound-traffic system-services all
set logical-systems LSYS1 security zones security-zone untrust host-inbound-traffic protocols all
set logical-systems LSYS1 security zones security-zone untrust interfaces xe-5/0/1.0
set logical-systems LSYS1 interfaces xe-5/0/0 unit 0 family inet address 192.0.2.1/8
set logical-systems LSYS1 interfaces xe-5/0/0 unit 0 family inet6 address 2001:db8::1/64
set logical-systems LSYS1 interfaces xe-5/0/1 unit 0 family inet address 198.51.100.1/8
set logical-systems LSYS1 interfaces xe-5/0/1 unit 0 family inet6 address 2001:db8::2/64
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the ICAP redirect service:
Configure the ICAP redirect profile for the first server (icap-svr1).
[edit logical-systems LSYS1 services]
user@host# set icap-redirect profile icap-pf1 server icap-svr1 host 192.0.2.2/24
user@host# set icap-redirect profile icap-pf1 server icap-svr1 reqmod-uri echo
user@host# set icap-redirect profile icap-pf1 server icap-svr1 respmod-uri echo
user@host# set icap-redirect profile icap-pf1 server icap-svr1 sockets 64
Configure the ICAP redirect profile for the second server (icap-svr2).
[edit logical-systems LSYS1 services]
user@host# set icap-redirect profile icap-pf1 server icap-svr2 host 192.0.2.179/24
user@host# set icap-redirect profile icap-pf1 server icap-svr2 reqmod-uri echo
user@host# set icap-redirect profile icap-pf1 server icap-svr2 respmod-uri echo
user@host# set icap-redirect profile icap-pf1 server icap-svr2 sockets 64
user@host# set icap-redirect profile icap-pf1 server icap-svr2 tls-profile dlp_ssl
Configure the redirect request and the redirect response for the HTTP traffic.
[edit logical-systems LSYS1 services]
user@host# set icap-redirect profile icap-pf1 http redirect-request
user@host# set icap-redirect profile icap-pf1 http redirect-response
Configure a security policy to apply application services for the ICAP redirect to the permitted traffic.
[edit logical-systems LSYS1 security]
user@host# set policies from-zone trust to-zone untrust policy sec_policy match source-address any
user@host# set policies from-zone trust to-zone untrust policy sec_policy match destination-address any
user@host# set policies from-zone trust to-zone untrust policy sec_policy match application any
user@host# set policies from-zone trust to-zone untrust policy sec_policy then permit application-services ssl-proxy profile-name ssl-inspect-profile
user@host# set policies from-zone trust to-zone untrust policy sec_policy then permit application-services icap-redirect icap-pf1
user@host# set policies default-policy permit-all
Configure zones.
[edit logical-systems LSYS1 security]
user@host# set zones security-zone trust host-inbound-traffic system-services all
user@host# set zones security-zone trust host-inbound-traffic protocols all
user@host# set zones security-zone trust interfaces xe-5/0/0.0
user@host# set zones security-zone untrust host-inbound-traffic system-services all
user@host# set zones security-zone untrust host-inbound-traffic protocols all
user@host# set zones security-zone untrust interfaces xe-5/0/1.0
Configure interfaces.
[edit logical-systems LSYS1]
user@host# set interfaces xe-5/0/0 unit 0 family inet address 192.0.2.1/8
user@host# set interfaces xe-5/0/0 unit 0 family inet6 address 2001:db8::1/64
user@host# set interfaces xe-5/0/1 unit 0 family inet address 198.51.100.1/8
user@host# set interfaces xe-5/0/1 unit 0 family inet6 address 2001:db8::2/64
Results
From configuration mode, confirm your configuration by entering the show logical-systems LSYS1 services icap-redirect, show logical-systems LSYS1 security policies, show logical-systems LSYS1 security zones, and show logical-systems LSYS1 interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show logical-systems LSYS1 services icap-redirect
profile icap-pf1 {
    server icap-svr1 {
        host 192.0.2.2/24;
        reqmod-uri echo;
        respmod-uri echo;
        sockets 64;
    }
    server icap-svr2 {
        host 192.0.2.179/24;
        reqmod-uri echo;
        respmod-uri echo;
        sockets 64;
        tls-profile dlp_ssl;
    }
    http {
        redirect-request;
        redirect-response;
    }
}

user@host# show logical-systems LSYS1 security policies
from-zone trust to-zone untrust {
    policy sec_policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    ssl-proxy {
                        profile-name ssl-inspect-profile;
                    }
                    icap-redirect icap-pf1;
                }
            }
        }
    }
}
default-policy {
    permit-all;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying ICAP Redirect Configuration
Purpose
Verify that the ICAP redirect service is configured on the device.
Action
From operational mode, enter the show services icap-redirect status logical-system and show services icap-redirect statistic logical-system commands.
user@host> show services icap-redirect status logical-system LSYS1
ICAP Status : spu-1
  Profile: icap-pf1
    Server: icap-svr1 : UP
ICAP Status : spu-2
  Profile: icap-pf1
    Server: icap-svr1 : UP
ICAP Status : spu-3
  Profile: icap-pf1
    Server: icap-svr1 : UP

user@host> show services icap-redirect statistic logical-system LSYS1
ICAP Redirect statistic:
  Message Redirected        : 12
  Message REQMOD Redirected : 6
  Message RESPMOD Redirected: 6
  Message Received          : 12
  Message REQMOD Received   : 6
  Message RESPMOD Received  : 6
  Fallback:      permit  log-permit  reject
    Timeout      0       0           0
    Connectivity 0       0           0
    Default      0       0           0
Meaning
The status UP indicates that the ICAP redirect service is enabled. The Message Redirected and Message Received fields show the number of HTTP requests that have passed through the ICAP channel.
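As an added Python example, not part of the Junos documentation: a parser for the show services icap-redirect statistic output above that turns the counters into operational findings. A difference between Message Redirected and Message Received, or a nonzero permit/log-permit fallback count, means requests were forwarded without an ICAP verdict. The first sample reproduces the page's output; the degraded sample is constructed.

```python
import re

# Added example (Python, not Junos code): parse the "show services icap-redirect
# statistic" output and flag traffic that bypassed ICAP inspection. HEALTHY is the
# page's output; DEGRADED is constructed (three timeouts that fell back to permit).
FALLBACK_ACTIONS = ("permit", "log-permit", "reject")


def parse_icap_stats(text: str) -> dict:
    """Return {'counters': {name: n}, 'fallback': {reason: {action: n}}}."""
    counters, fallback = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*(Message[\w ]*?)\s*:\s*(\d+)\s*$", line)
        if m:  # "Message ... : n" counter rows
            counters[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*(Timeout|Connectivity|Default)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:  # fallback matrix rows: reason, then permit/log-permit/reject counts
            fallback[m.group(1)] = dict(zip(FALLBACK_ACTIONS, map(int, m.groups()[1:])))
    return {"counters": counters, "fallback": fallback}


def icap_findings(stats: dict) -> list:
    """Report messages permitted without an ICAP verdict and redirect/receive gaps."""
    findings, c = [], stats["counters"]
    gap = c.get("Message Redirected", 0) - c.get("Message Received", 0)
    if gap:
        findings.append(f"{gap} redirected message(s) have no ICAP reply")
    for reason, row in stats["fallback"].items():
        uninspected = row["permit"] + row["log-permit"]
        if uninspected:
            findings.append(f"{reason}: {uninspected} message(s) permitted uninspected")
    return findings


HEALTHY = """\
ICAP Redirect statistic:
  Message Redirected        : 12
  Message REQMOD Redirected : 6
  Message RESPMOD Redirected: 6
  Message Received          : 12
  Message REQMOD Received   : 6
  Message RESPMOD Received  : 6
  Fallback:      permit  log-permit  reject
    Timeout      0       0           0
    Connectivity 0       0           0
    Default      0       0           0
"""
# Constructed: 3 of 12 requests timed out and were permitted without a verdict.
DEGRADED = re.sub(r"(Message Received\s*: )12", r"\g<1>9",
                  re.sub(r"(Timeout\s+)0", r"\g<1>3", HEALTHY))
```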