Create an ICAP Redirect Profile

The SRX Series Firewall acts as an SSL proxy, decrypts HTTP or HTTPS traffic, and redirects the HTTP message to a third-party, on-premises DLP server through the Internet Content Adaptation Protocol (ICAP) channel. To enable the ICAP redirection service, you must configure an ICAP redirect profile.

Create an ICAP redirect profile to allow the ICAP server to process request messages, response messages, fallback options, and so on, for the permitted traffic. This profile is applied as an application service in the security policy.

To create an ICAP redirect profile:

  1. Select SRX > Security Subscriptions > ICAP Redirect.
    The ICAP Redirect Profile page opens.
  2. Click the add (+) icon.
    The Create ICAP Redirect Profile page opens.
  3. Complete the configuration according to the guidelines in Table 1.
  4. Click OK.

    The ICAP Redirect Profile page opens with a confirmation message indicating that the ICAP redirect profile is created.

    After you create an ICAP redirect profile, you can use this profile as an application service in a security policy.

Table 1: Create ICAP Redirect Profile Settings

Setting

Guideline

Name

Enter a unique ICAP redirect profile name. The string must contain alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Timeout

Enter the server response timeout in milliseconds.

Range: 100 through 50000.

HTTP redirection option

Select one of the following:

  • None—No action is taken.

  • Response—Select to forward HTTP responses to an ICAP server while returning a response to the client system.

  • Request—Select to forward HTTP requests to an ICAP server before sending a request to a Web server.

ICAP Redirect Server

Do the following:

  1. Click +.

    The Create ICAP Redirect Server page opens.

  2. Enter the following details:

    1. Name—Enter an ICAP redirect server name.

      The string must contain alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

    2. Host—Select either Hostname or Host IP.

      • Hostname—Enter a hostname of the remote ICAP host.

      • Host IP—Enter an IP address of the remote ICAP host.

    3. Password—Enter the authorization key (ASCII or Base64) for authentication to the ICAP server.

    4. Port—Specifies the port on the server. This is the server's listening port; the default port is reached according to the protocol defined.

      Enter the port number. The range is 1025 through 65534.

    5. No. of sessions—Specifies the number of sessions to be created.

      Enter the number of sessions. The range is 1 through 64.

    6. Request MOD service path—Enter the REQMOD URI, which can be configured for the ICAP server only.

    7. Response MOD service path—Enter the RESPMOD URI, which can be configured for the ICAP server only.

    8. Routing instance—Specifies the virtual router that is used for launching. Select a routing instance from the list.

    9. SSL initiation profile—Select an SSL initiation profile from the list.

  3. Click OK.

Fallback Option

Timeout action

Select a timeout action from the list:

  • None—No logs are logged or requests are permitted.

  • Permit—Permit the requests.

  • Log Permit—Log the error and permit the requests.

  • Block—Log the error and deny the requests.

Connectivity failure action

Select from the list the action to take when the request cannot be sent out due to connection issues:

  • None—No logs are logged or requests are permitted.

  • Permit—Permit the requests.

  • Log Permit—Log the error and permit the requests.

  • Block—Log the error and deny the requests.

Default failure action

Select from the list the default failure action to take in scenarios other than the two mentioned above:

  • None—No logs are logged or requests are permitted.

  • Permit—Permit the requests.

  • Log Permit—Log the error and permit the requests.

  • Block—Log the error and deny the requests.
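
When profiles are kept as data and reviewed before they are entered in the UI, the limits in Table 1 can be checked mechanically. The following is an added example, not Juniper code: the dictionary layout, key names, and function names are hypothetical. It applies the Table 1 ranges and flags fallback actions that permit requests when the ICAP server times out or fails.

```python
import ipaddress
import re

# Limits are the ones stated in Table 1; the dict layout is hypothetical.
NAME_RE = re.compile(r"[A-Za-z0-9:._-]{1,63}")
ACTIONS = {"None", "Permit", "Log Permit", "Block"}
FALLBACKS = ("timeout", "connectivity", "default")

def lint_server(s):
    """Return a list of errors for one ICAP redirect server entry."""
    errs = []
    if not NAME_RE.fullmatch(s.get("name", "")):
        errs.append("name: invalid characters or length")
    if bool(s.get("hostname")) == bool(s.get("host_ip")):
        errs.append("host: set exactly one of hostname / host_ip")
    elif s.get("host_ip"):
        try:
            ipaddress.ip_address(s["host_ip"])
        except ValueError:
            errs.append("host_ip: not a valid IP address")
    if not 1025 <= s.get("port", 0) <= 65534:
        errs.append("port: outside 1025-65534")
    if not 1 <= s.get("sessions", 0) <= 64:
        errs.append("sessions: outside 1-64")
    return errs

def lint_profile(p):
    """Return (errors, warnings) for one ICAP redirect profile."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(p.get("name", "")):
        errors.append("profile name: invalid characters or length")
    if not 100 <= p.get("timeout_ms", 0) <= 50000:
        errors.append("timeout: outside 100-50000 ms")
    if p.get("http_redirect") not in ("None", "Request", "Response"):
        errors.append("http_redirect: unknown option")
    for s in p.get("servers", []):
        errors += [f"server {s.get('name', '?')}: {e}" for e in lint_server(s)]
    for key in FALLBACKS:
        action = p.get("fallback", {}).get(key)
        if action not in ACTIONS:
            errors.append(f"fallback {key}: unknown action")
        elif action in ("Permit", "Log Permit"):
            warnings.append(f"fallback {key}: {action} fails open")
    return errors, warnings

# Constructed sample profile (all values invented for illustration).
SAMPLE = {"name": "dlp-profile_1", "timeout_ms": 5000, "http_redirect": "Request",
          "servers": [{"name": "icap 1", "host_ip": "192.0.2.10", "port": 1344, "sessions": 8}],
          "fallback": {"timeout": "Log Permit", "connectivity": "Block", "default": "Permit"}}
```

Calling `lint_profile(SAMPLE)` reports the space in the server name as an error and the two permitting fallback actions as warnings.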