GigaSMART Internet Content Adaptation Protocol (ICAP)

The GigaSMART ICAP Client app integrates inline SSL (iSSL) with the DLP ICAP server. The ICAP Client app is deployed as an inline tool in the GigaSMART engine. Decrypted traffic from inline SSL is sent to the ICAP client through the configured inline network, and the ICAP client then sends it to the ICAP server for inspection.

The following is a configuration example of the ICAP Client.

For details on the CLI commands used in the following examples, refer to the following commands in the reference section:

■   inline-network
■   ip interface
■   gsgroup
■   gsop
■   port
■   map

1. Configure inline network.

(config) # port 1/1/x5..x6 type inline-network
(config) # port 1/1/x3..x4 type inline-network
(config) #
(config) # inline-network alias in1
(config inline-network alias in1) # pair net-a 1/1/x5 and net-b 1/1/x6
(config inline-network alias in1) # exit
(config) #
(config) # inline-network alias in2
(config inline-network alias in2) # pair net-a 1/1/x3 and net-b 1/1/x4
(config inline-network alias in2) # exit
(config) #
(config) # inline-network-group alias ing1
(config inline-network-group alias ing1) # network-list in2,in1
(config inline-network-group alias ing1) # exit
(config) #
(config) # inline-network alias in1 traffic-path to-inline-tool
(config) # inline-network alias in2 traffic-path to-inline-tool
(config) #

2. Configure the IP interface.

(config) # ip interface alias ip1
(config ip interface alias ip1) # attach 1/1/x9
(config ip interface alias ip1) # gsgroup add gsg3e1
(config ip interface alias ip1) # ip ad 1.1.1.1 /24
(config ip interface alias ip1) # gw 1.1.1.2
(config ip interface alias ip1) # mtu 1500
(config ip interface alias ip1) # exit

3. Configure the ICAP server.

(config) # apps icap server alias server1
(config apps icap server alias server1) # l3 address 1.1.1.2
(config apps icap server alias server1) # l4 port 1344
(config apps icap server alias server1) # service-url reqmod icap://1.1.1.2/reqmod
(config apps icap server alias server1) # service-url respmod icap://1.1.1.2/respmod
(config apps icap server alias server1) # service-url options icap://1.1.1.2/options
(config apps icap server alias server1) # exit

4. Configure the ICAP server group.

(config) # apps icap server-group alias server_group
(config apps icap server-group alias server_group) # server-list server1
(config apps icap server-group alias server_group) # exit
(config) #

5. Configure a GigaSMART group and associate it with a GigaSMART engine port.

(config) # gsgroup alias gsg3e1 port-list 1/3/e1

6. Configure the ICAP profile.

(config) # apps icap profile alias icap1
(config apps icap profile alias icap1) # http-request-buffer 10000 exceed bypass
(config apps icap profile alias icap1) # preview 4
(config apps icap profile alias icap1) # reqmod enable
(config apps icap profile alias icap1) # respmod disable
(config apps icap profile alias icap1) # server-group server_group
(config apps icap profile alias icap1) # src-l4port 10000 to 60000
(config apps icap profile alias icap1) # exit
(config) #

7. Configure Gsop.

(config) # gsop alias icap_1 icap icap1 port-list gsg3e1

8. Configure the map.

(config) # map alias map1
(config map alias map1) # from ing1
(config map alias map1) # to 1/1/x9
(config map alias map1) # use gsop icap_1
(config map alias map1) # rule add pass macdst 00:00:00:00:00:00 00:00:00:00:00:00 bidir
(config map alias map1) # type regular inlinePair
(config map alias map1) # exit
(config) #
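
To show what the DLP server receives once this configuration is active, the Python code below builds an ICAP REQMOD message as framed by RFC 3507 for the `icap://1.1.1.2/reqmod` service URL from step 3. It is an added example, not Gigamon code or part of the original page; it assumes that `preview 4` in the ICAP profile corresponds to an ICAP `Preview: 4` header, and the `build_reqmod` and `chunk` helpers and the sample HTTP request are constructed for illustration.

```python
from urllib.parse import urlsplit

CRLF = b"\r\n"

def chunk(data: bytes) -> bytes:
    """One HTTP/1.1 chunk: hex length, CRLF, data, CRLF."""
    return b"%x" % len(data) + CRLF + data + CRLF

def build_reqmod(service_url: str, http_head: bytes, body: bytes, preview: int):
    """Return (first_message, remainder) for one decrypted HTTP request.

    first_message carries the encapsulated HTTP request header and at most
    `preview` bytes of body. remainder is sent only if the ICAP server
    answers "100 Continue"; it is empty when the preview held the whole body
    or the request has no body.
    """
    if not http_head.endswith(CRLF + CRLF):
        raise ValueError("HTTP header block must end with an empty line")
    host = urlsplit(service_url).hostname
    lines = [f"REQMOD {service_url} ICAP/1.0", f"Host: {host}"]
    if body:
        lines.append(f"Preview: {preview}")
        # Offsets are relative to the start of the encapsulated section.
        lines.append(f"Encapsulated: req-hdr=0, req-body={len(http_head)}")
    else:
        lines.append(f"Encapsulated: req-hdr=0, null-body={len(http_head)}")
    icap_head = CRLF.join(l.encode("ascii") for l in lines) + CRLF + CRLF
    if not body:
        return icap_head + http_head, b""
    head, rest = body[:preview], body[preview:]
    first = icap_head + http_head + (chunk(head) if head else b"")
    if rest:
        # More body exists: a plain zero chunk ends the preview only.
        return first + b"0" + CRLF + CRLF, chunk(rest) + b"0" + CRLF + CRLF
    # Whole body fit in the preview: "ieof" tells the server nothing follows.
    return first + b"0; ieof" + CRLF + CRLF, b""

# Constructed sample: an HTTP POST as it looks after inline SSL decryption.
SAMPLE_HEAD = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 16\r\n\r\n")
SAMPLE_BODY = b"name=alice&id=42"

if __name__ == "__main__":
    first, remainder = build_reqmod("icap://1.1.1.2/reqmod", SAMPLE_HEAD, SAMPLE_BODY, 4)
    print(first.decode(), remainder.decode(), sep="\n--- after 100 Continue ---\n")
```

With a 4-byte preview the server sees only `name` before deciding, so a DLP policy that needs body content must answer `100 Continue` to receive the remainder.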