Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

ICAP Service Redirect

You can prevent data loss from your network by employing Internet Content Adaptation Protocol (ICAP) redirect services. SRX Series Firewalls support ICAP redirect functionality to redirect HTTP or HTTPS traffic to any third-party server. For more information, read this topic.

Data Loss Prevention (DLP) Using ICAP Service Redirect

You can prevent data loss from your network by employing Internet Content Adaptation Protocol (ICAP) redirect services. ICAP is a lightweight HTTP-based remote procedure call protocol. ICAP allows its clients to pass HTTP-based content (HTML) to the ICAP servers for performing services such as virus scanning, content translation, or content filtering and so on for the associated client requests.

Junos OS ICAP Support for SRX Series Device

SRX Series Firewalls support ICAP redirect functionality to redirect HTTP or HTTPS traffic to any third-party server. The SRX Series Firewall acts as an SSL proxy server and decrypts the pass-through traffic with the proper SSL profile under a security policy. SRX Series Firewall decrypts HTTPS traffic and redirects HTTP message to a third-party, on-premise server using an ICAP channel. After DLP processing, the traffic is redirected back to the SRX Series Firewall and action is taken according to the results from the ICAP server. If any sensitive data is detected per the policies, the SRX Series Firewall logs, redirects, or blocks the data traffic as configured in the profile.

The following sequences are involved in a typical ICAP redirect scenario:

  1. The user opens a connection to a Website on the internet.

  2. The request goes through the SRX Series Firewall that is acting as a proxy server.

  3. The SRX Series Firewall receives information from the end-host, encapsulates the message and forwards the encapsulated ICAP message to the third-party on-premise ICAP server.

  4. The ICAP server receives the ICAP request and analyzes it.

  5. If the request does not contain any confidential information, the ICAP server sends it back to the proxy server, and directs the proxy server to send the HTTP to the internet.

  6. If the request contains confidential information, you can choose to take action (block, permit, log) as per your requirement.

Note:

The HTTP throughput depends on the connections between the SRX Series Firewall and the ICAP channel.

Starting in Junos OS Release 19.3R1, ICAP redirect adds X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.

ICAP Profile

When you configure ICAP redirect service on SRX Series Firewalls, you must configure the ICAP server information. This profile is applied to a security policy as application services for the permitted traffic. The ICAP profile defines the settings that allow the ICAP server to process request messages, response messages, fallback options (in case of a timeout), connectivity issues, too many requests, or any other conditions.

Service Redirect for Layer 7 Dynamic Applications with Unified Policies

Starting from Junos OS Release 18.2R1, SRX Series Firewalls support ICAP service redirect feature when the device is configured with unified policies.

Unified policies are the security policies that enable you to use dynamic applications as match conditions as part of the existing 5-tuple or 6-tuple (5-tuple with user firewall) match conditions to detect application changes over time.

In a unified policy with dynamic applications as a match condition, you configure an ICAP redirect profile and SSL proxy profile and apply these profiles as application services in the security policy for the permitted traffic. When the traffic matches the policy, the ICAP redirect service profile that is configured as application services is applied. The ICAP server profile defines the behavior of redirection and server specifications. The ICAP server performs the policy scan and the traffic is redirected to the SRX Series Firewall, and the specified action is taken as per the ICAP redirect profile.

Note the following behavior while using ICAP redirect service with unified policy:

  • When ICAP redirect is configured in a unified policy and the data that needs to be redirected has arrived and the final policy is not determined, the request is ignored by the ICAP redirect service.

  • Because ICAP redirect is one of services located in the service chain, the data received by the ICAP redirect service might be different from the original data. The data sent by the ICAP redirect might affect downstream services.

Benefits of ICAP Redirect Service Support

  • Keeps the sensitive data from leaving the network.

  • Supports common on-premise server pool for redirection thereby improving management, security, and control of the content.

Note:

The HTTP throughput depends on the connections between the SRX Series Firewall and SRX ICAP .

Example: Configuring ICAP Redirect Service on SRX Series Firewalls

This example shows how to define an ICAP redirect profile for an SRX Series Firewall.

Requirements

This example uses the following hardware and software components:

  • SRX Series Firewall with Junos OS Release 18.1R1 or later. This configuration example is tested for Junos OS Release 18.1R1.

    ICAP redirect profile for an SRX Series Firewall with unified policies example is tested for Junos OS Release 18.2R1.

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you configure an ICAP redirect profile and an SSL proxy profile and apply these profiles as application services in the security policy for the permitted traffic.

Figure 1 shows the topology used in this example.

Figure 1: ICAP Redirect TopologyICAP Redirect Topology

To enable the service redirect using ICAP, you must configure an SSL profile to secure the connection to the ICAP server. Next, you configure a security policy to process the traffic, and specify the action for the permitted traffic.

Table 1 lists the details of the parameters used in this example.

Table 1: ICAP Redirect Configuration Parameters

Parameters

Names

Description

Profile

icap-pf1

The ICAP server profile allows the ICAP server to process request messages, response messages, fallback options and so on, for the permitted traffic. This profile is applied as an application service in the security policy.

Server name

icap-svr1

icap-svr2

The machine name of the remote ICAP host. Client’s request is redirected to this ICAP server.

Server IP address

5.0.0.2

5.0.0.179

The IP address of the remote ICAP host. Client’s request is redirected to this ICAP server.

SSL proxy profile

ssl-inspect-profile

An SSL proxy profile defines SSL behavior for the SRX Series Firewall. The SSL proxy profile is applied to the security policy as an application service.

SSL profile

dlp_ssl

The SRX Series Firewall that is acting as an SSL proxy client, initiates and maintains SSL sessions with an SSL server. This configuration enables you to secure the connection to the ICAP server.

Security policy

sp1

In a security policy, apply the SSL proxy profile and ICAP redirect profile. to the permitted traffic.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the ICAP redirect service:

  1. Configure the SSL profile for a secured connection with the ICAP server.

  2. Configure the ICAP redirect profile for the first server (icap-svr1).

  3. Configure the ICAP redirect profile for the second server (icap-svr2).

  4. Configure the redirect request and the redirect response for the HTTP traffic.

  5. Configure a security policy to apply application services for the ICAP redirect to the permitted traffic.

  6. Configure interfaces and zones.

Results

From configuration mode, confirm your configuration by entering the show services ssl, show services icap-redirect, show security policies, show security zones, and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring ICAP Service Redirect for Unified Policy

Step-by-Step Procedure

You can follow the procedure below if you have configured a unified policy (supported from Junos OS Release 18.2R1).

The following example requires you to navigate to various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the ICAP redirect service:

  1. Configure the SSL profile for secured connection with the ICAP server.

  2. Configure the ICAP redirect profile for the first server (icap-svr1).

  3. Configure the ICAP redirect profile for the second server (icap-svr2).

  4. Configure the redirect request for HTTP traffic.

  5. Configure a security policy to apply application services for the ICAP redirect to the permitted traffic.

Verification

Verifying ICAP Redirect Configuration

Purpose

Verify that the ICAP redirect service is configured on the device.

Action

From operational mode, enter the show services icap-redirect status and show services icap-redirect statistic commands.

Meaning

The status Up indicates that the ICAP redirect service is enabled. The Message Redirected and the Message Received fields show the number of HTTP requests that have passed through the ICAP channel.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
19.3R1
Starting in Junos OS Release 19.3R1, ICAP redirect adds X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.
18.2R1
Starting from Junos OS Release 18.2R1, SRX Series Firewalls support ICAP service redirect feature when the device is configured with unified policies