When using FortiProxy as an ICAP Client, response and request processing modes can be configured independently on the ICAP profile.

However, in the GUI, the methods to be scanned can only be selected when request processing is enabled.

• Request (REQMOD) and Response (RESPMOD) enabled:

• Response (RESPMOD) enabled:

As an example, let's use the EICAR virus file for testing.

The download of the file will use the GET method, but if only POST and PUT are selected on the GUI for the request, both methods (request, response) will bypass the scan for GET methods.

Here are some captures in the ICAP Server:

• Request (REQMOD) and Response (RESPMOD) enabled: POST, PUT only.

ICAP client (FortiProxy) only forwarded the ICAP encapsulated POST method to the ICAP Server. In this case, the EICAR virus file was downloaded successfully.

• Response (RESPMOD) enabled, All methods: ICAP client (FortiProxy) forwarded ICAP encapsulated GET method to ICAP Server.

ICAP Server responds with 403 Forbidden and encapsulates the HTML response body to the client.

From the client's perspective, this is what it is visible in the browser.

The method selection will affect both request and response, even if not visible on the GUI, which is the case when request processing is disabled (as seen before):

config icap profile
    edit "NEW"
        set request disable
        set response enable
        set request-server "DLP"
        set response-server "DLP"
        set request-path "Security"
        set response-path "Security"
        set methods post put
        set icap-block-log enable
    next
end