mbanica
Staff
Article Id 420583
Description This article describes how to configure an ICAP response scanning profile on FortiGate explicit proxy to reduce unexpected WAN-inbound utilization while preserving file download scanning.
Scope FortiGate v7.4.
Solution
  1. Symptoms:
  • Enabling ICAP response scanning on explicit proxy causes WAN-inbound to surge while WAN-outbound remains normal.
  • Large spikes occur during multi-user downloads, CDN redirect chains, and when downloads are cancelled mid-transfer.
  • Partial content traffic (HTTP 206) and ranged/streamed responses are scanned.

  2. Cause:
  • In response mode (RESPMOD), the proxy must obtain enough of the object to submit to the ICAP server and wait for a verdict.
  • Forwarding 3xx redirects, scanning partial/ranged content, and broad MIME matches increase upstream fetches.
  • Absence of preview and 204 early-allow increases the time upstream connections must remain open.

  3. When this profile should be used:
  • ICAP is required for file downloads, but WAN-inbound increases significantly when response scanning is enabled.
  • Environments with many simultaneous downloads, frequent redirects before the final 200, download resumes, and media seeking.
  • The ICAP server is internal, and optimization of upstream lifetime is desired without disabling scanning.

  4. Configuration goals:
    1. Scan only final HTTP 200 responses that indicate real downloads.
    2. Bypass 206 and range-based responses first.
    3. Keep the default action as bypass; only explicit matches are scanned.
    4. Enable ICAP preview with 204 early-allow.
    5. Avoid over-broad MIME patterns such as 'application/vnd.*'.

  5. User interface path:
  • Enable ICAP profile under System -> Feature Visibility -> Additional Features.
  • ICAP profile: Go to Security Profiles -> ICAP.
  • Explicit proxy: Go to Network -> Explicit Proxy.
  • Policy attachment: Go to Policy & Objects -> Proxy Policy.

  6. Recommended ICAP profile (FortiOS v7.4.x):
Process the following CLI commands as a single block. Replace the ICAP server name and path as required by the environment.

config icap profile
    edit "ICAP_Profile_Download_Optimized"
        set request disable
        set response enable
        set response-server "ICAP_Server_VIP"
        set response-path "ICAP_Response_Path"
        set response-failure bypass
        set methods get
        set respmod-default-action bypass
        set streaming-content-bypass enable
        set preview enable
        set 204-response enable
        set 204-size-limit 10
        set preview-data-length 1024
        set icap-block-log enable
        set chunk-encap enable
        set extension-feature scan-progress
        set scan-progress-interval 5
        set timeout 60
        config icap-headers
            edit 1
                set name "WorkflowHeader"
                set content "X-Workflow"
            next
        end
        config respmod-forward-rules
            edit "100"
                set host "all"
                set action bypass
                set http-resp-status-code 206
            next
            edit "101"
                set host "all"
                config header-group
                    edit 1
                        set header-name "Accept-Ranges"
                        set header "bytes"
                        set case-sensitivity disable
                    next
                end
                set action bypass
            next
            edit "102"
                set host "all"
                config header-group
                    edit 1
                        set header-name "Content-Range"
                        set header "bytes"
                        set case-sensitivity disable
                    next
                end
                set action bypass
            next
            edit "15"
                set host "all"
                config header-group
                    edit 1
                        set header-name "Content-Disposition"
                        set header "attachment"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "16"
                set host "all"
                config header-group
                    edit 1
                        set header-name "Content-Type"
                        set header "application/octet-stream"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "14"
                set host "all"
                config header-group
                    edit 1
                        set header-name "Content-Disposition"
                        set header ".+\\;filename=.+"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "1"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/octet-stream"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "10"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/zip"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "11"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/java-archive"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "12"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/x-dosexec"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "13"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/x-msdos-program"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "2"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/x-msdownload"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "3"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/vnd.microsoft.portable-executable"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "4"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "^application/vnd\\..+$"
                        set case-sensitivity disable
                    next
                end
                set action bypass
                set http-resp-status-code 200
            next
            edit "5"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/msword"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "6"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/pdf"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "7"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/x-gzip"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "8"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/x-compressed"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
            edit "9"
                set host "all"
                config header-group
                    edit 1
                        set header-name "content-type"
                        set header "application/x-tar"
                        set case-sensitivity disable
                    next
                end
                set action forward
                set http-resp-status-code 200
            next
        end
    next
end
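To check which responses the profile above will actually hand to the ICAP server before attaching it to a policy, here is an added model of its respmod-forward-rules (example code written for this article, not Fortinet's or the profile's own logic). It assumes FortiOS evaluates the rules top-down with first match wins, applies respmod-default-action to anything unmatched, and treats 'header' as a regex searched case-insensitively in the header value; the sample responses are constructed.

```python
import re
# Added example, not Fortinet code: a model of the respmod-forward-rules in the
# profile above. Assumed: rules evaluate top-down, first match wins, 'header' is a
# regex searched case-insensitively in the header value, unmatched responses get
# respmod-default-action. Fields: (name, status or None, header name, regex, action).
RULES = [
    ("100", 206, None, None, "bypass"),
    ("101", None, "Accept-Ranges", "bytes", "bypass"),
    ("102", None, "Content-Range", "bytes", "bypass"),
    ("15", 200, "Content-Disposition", "attachment", "forward"),
    ("16", 200, "Content-Type", "application/octet-stream", "forward"),
    ("14", 200, "Content-Disposition", r".+\;filename=.+", "forward"),
    ("1", 200, "Content-Type", "application/octet-stream", "forward"),
    ("10", 200, "Content-Type", "application/zip", "forward"),
    ("11", 200, "Content-Type", "application/java-archive", "forward"),
    ("12", 200, "Content-Type", "application/x-dosexec", "forward"),
    ("13", 200, "Content-Type", "application/x-msdos-program", "forward"),
    ("2", 200, "Content-Type", "application/x-msdownload", "forward"),
    ("3", 200, "Content-Type", "application/vnd.microsoft.portable-executable", "forward"),
    ("4", 200, "Content-Type", r"^application/vnd\..+$", "bypass"),
    ("5", 200, "Content-Type", "application/msword", "forward"),
    ("6", 200, "Content-Type", "application/pdf", "forward"),
    ("7", 200, "Content-Type", "application/x-gzip", "forward"),
    ("8", 200, "Content-Type", "application/x-compressed", "forward"),
    ("9", 200, "Content-Type", "application/x-tar", "forward"),
]
DEFAULT_ACTION = "bypass"  # set respmod-default-action bypass

def decide(status, headers):
    """Return (action, rule name) for one response; rule name is None when the default applies."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    for name, code, hname, pattern, action in RULES:
        if code is not None and status != code:
            continue
        if hname is not None:
            value = hdrs.get(hname.lower())
            if value is None or not re.search(pattern, value, re.IGNORECASE):
                continue
        return action, name  # first matching rule wins
    return DEFAULT_ACTION, None

# Constructed sample responses: (label, status, headers).
SAMPLES = [
    ("ranged zip chunk", 206, {"Content-Type": "application/zip", "Content-Range": "bytes 0-999/5000"}),
    ("resumable zip", 200, {"Content-Type": "application/zip", "Accept-Ranges": "bytes"}),
    ("PE via vnd type", 200, {"Content-Type": "application/vnd.microsoft.portable-executable"}),
    ("docx via vnd type", 200, {"Content-Type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}),
]
if __name__ == "__main__":
    for label, status, headers in SAMPLES:
        print(f"{label:18} -> {decide(status, headers)}")
```

Running it makes the trade-off in the profile visible: a 200 response for a zip that also carries Accept-Ranges: bytes is bypassed by rule 101 before rule 10 can forward it, so full downloads from servers that advertise range support are not scanned.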

  7. Validation steps:
    1. Confirm policy attachment:

show firewall proxy-policy | grep icap-profile

    2. Confirm ICAP sessions:

diagnose sniffer packet any 'port 1344' 4 0 a

    3. Inspect WAD counters during test downloads:

diagnose wad stats
diagnose wad worker list

    4. Basic reachability test to the ICAP service:

execute telnet <ICAP_Server_VIP_or_IP> 1344

    5. Verify that the ICAP headers in the ICAP profile are being applied, using this article: Technical Tip: How to check if ICAP headers in the ICAP profile are being applied.
    6. For HTTPS downloads, enable deep inspection on the explicit proxy policy so response bodies are available to ICAP.

  8. Rollback:
  • Switch the proxy policy back to the prior ICAP profile, or revert rule edits within the current profile.
  • No reboot is required.

  9. Additional recommendations:
  • Enable and size the explicit web cache to reduce repeated upstream fetches of popular large files.
  • Consider targeted domain-based ICAP bypass for trusted, very large update ecosystems.

Related articles:

Technical Note: FortiOS and ICAP protocol support
Technical Tip: How to troubleshoot ICAP