Create and Manage ICAP Redirect Profiles

The SRX Series Firewall acts as an SSL proxy, decrypts HTTP or HTTPS traffic, and redirects the HTTP message to a third-party, on-premise DLP server through the Internet Content Adaptation Protocol (ICAP) channel. To enable the ICAP redirection service, you must configure an ICAP redirect profile.

Create an ICAP redirect profile to allow the ICAP server to process request messages, response messages, fallback options, and so on, for the permitted traffic. This profile is applied as an application service in the security policy.

Create ICAP Redirect Profiles

  1. Click SRX > Security Subscriptions > ICAP Redirect.
    The ICAP Redirect Profile page opens.
  2. Click the plus icon.
    The Create ICAP Redirect Profile page opens.
  3. Complete the configuration according to the following guidelines:
    Table 1: Create ICAP Redirect Profile Settings

    Setting

    Guideline

    Name

    Enter a unique ICAP redirect profile name. The string must contain alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

    Timeout

    Enter the server response timeout in milliseconds.

    Range: 100 through 50000.

    HTTP redirection option

    Select one of the following:

    • None—No action is taken.

    • Response—Select to forward HTTP responses to an ICAP server while returning a response to the client system.

    • Request—Select to forward HTTP requests to an ICAP server before sending a request to a Web server.

    ICAP Redirect Server

    Do the following:

    1. Click the plus icon.

      The Create ICAP Redirect Server page opens.

    2. Enter the following details:

      1. Name—Enter an ICAP redirect server name.

        The string must contain alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

      2. Host—Select either Hostname or Host IP.

        • Hostname—Enter a hostname of the remote ICAP host.

        • Host IP—Enter an IP address of the remote ICAP host.

      3. Password—Enter the authorization key (ASCII or Base64) for authentication to the ICAP server.

      4. Port—Specifies the port on the server. This is the server's listening port, and the default port is reached according to the protocol defined.

        Enter the port number. The range is 1025 through 65534.

      5. No. of sessions—Specifies the number of sessions to be created.

        Enter the number of sessions. The range is 1 through 64.

      6. Request MOD service path—Enter the reqmod URI that can be configured for the ICAP server only.

      7. Response MOD service path—Enter the respmod URI that can be configured for the ICAP server only.

      8. Routing instance—Specifies the virtual router that is used for launching. Select a routing instance from the list.

      9. SSL initiation profile—Select an SSL initiation profile from the list.

    3. Click OK.

    Fallback Option

    Timeout action

    Select a timeout action from the list:

    • None—No logs are logged or requests are permitted.

    • Permit—Permit the requests.

    • Log Permit—Log the error and permit the requests.

    • Block—Log the error and deny the requests.

    Connectivity failure action

    Select from the list the action to take when the request cannot be sent out due to connection issues:

    • None—No logs are logged or requests are permitted.

    • Permit—Permit the requests.

    • Log Permit—Log the error and permit the requests.

    • Block—Log the error and deny the requests.

    Default failure action

    Select from the list the default failure action to take in scenarios other than the two mentioned above.

    • None—No logs are logged or requests are permitted.

    • Permit—Permit the requests.

    • Log Permit—Log the error and permit the requests.

    • Block—Log the error and deny the requests.

  4. Click OK.

    The ICAP Redirect Profile page opens with a confirmation message indicating that the ICAP redirect profile is created.

    After you create an ICAP redirect profile, you can use this profile as an application service in a security policy.
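
A pre-flight check of planned profile values against the limits in Table 1, as an added example that is not Juniper code; the dict field names and the sample values are hypothetical. It also flags every fallback action other than Block, because Block is the only action the table describes as denying requests.

```python
import re

# Limits copied from Table 1 on this page; the dict field names are hypothetical.
NAME_RE = re.compile(r"[A-Za-z0-9:._-]{1,63}")
RANGES = {"timeout_ms": (100, 50000), "port": (1025, 65534), "sessions": (1, 64)}
REDIRECT_OPTIONS = {"none", "request", "response"}
ACTIONS = {"none", "permit", "log-permit", "block"}
FALLBACK_KEYS = ("timeout_action", "connectivity_failure_action", "default_failure_action")


def _check(obj, where, range_keys, errors):
    """Validate the name and the numeric fields of a profile or server dict."""
    name = obj.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append(f"{where}: name {name!r} breaks the character or length rule")
    for key in range_keys:
        lo, hi = RANGES[key]
        value = obj.get(key)
        if type(value) is not int or not lo <= value <= hi:
            errors.append(f"{where}: {key}={value!r} outside {lo}..{hi}")


def check_profile(profile):
    """Return (errors, warnings) for one profile dict."""
    errors, warnings = [], []
    _check(profile, "profile", ["timeout_ms"], errors)
    for i, server in enumerate(profile.get("servers", [])):
        _check(server, f"server[{i}]", ["port", "sessions"], errors)
    redirect = profile.get("http_redirect")
    if redirect not in REDIRECT_OPTIONS:
        errors.append(f"profile: unknown HTTP redirection option {redirect!r}")
    elif redirect == "none":
        warnings.append("profile: redirection is None, so no action is taken")
    for key in FALLBACK_KEYS:
        action = profile.get(key)
        if action not in ACTIONS:
            errors.append(f"profile: unknown {key} {action!r}")
        elif action != "block":
            # Table 1 describes only Block as denying requests on failure.
            warnings.append(f"profile: {key}={action} does not deny on failure")
    return errors, warnings


# Constructed sample input, not taken from a real device.
SAMPLE = {
    "name": "dlp profile", "timeout_ms": 50, "http_redirect": "request",
    "servers": [{"name": "dlp-srv_1", "port": 1344, "sessions": 8}],
    "timeout_action": "permit", "connectivity_failure_action": "block",
    "default_failure_action": "log-permit",
}
```

Calling `check_profile(SAMPLE)` reports the space in the profile name and the out-of-range timeout as errors, and the two non-Block fallback actions as warnings.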

Manage ICAP Redirect Profiles

You can only edit or delete an ICAP redirect profile if it is not associated with a security policy or its rules.

  • Edit—Select the profile, and then click the pencil icon.

  • Delete—Select the profile, and then click the trash can icon.