Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: FortiSandbox ICAP Connectivity Issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiSandbox ICAP Connectivity Issue
Dear community,
I'm trying to integrate an F5 WAF with FortiSandbox using ICAP on port 1344. The goal is to have the F5 WAF send PDF files to FortiSandbox for analysis.
I have configured both the F5 WAF and FortiSandbox accordingly, but ICAP connectivity is not working. I also attempted to telnet to the FortiSandbox IP (ICAP server) on port 1344, but the connection was refused (even though ping works fine).
My questions are:
- Are there any methods to test ICAP connectivity and troubleshoot the issue to determine whether the problem is on the F5 or FortiSandbox side?
- Is a FortiSandbox license required for integration with the F5 WAF?
Thank you in advance
Labels:
- Labels:
-
FortiSandbox
1009
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Salhi
Check this document.
https://docs.fortinet.com/document/fortisandbox/5.0.1/administration-guide/939729
Hope it helps.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi AEK
Thank you for your reply.
I already checked the Fortinet documentation but couldn't find the necessary information.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
:package: Prerequisites
On F5 (TMOS 17.x or later):
Advanced WAF module licensed
File Protection profile enabled
SSL interception if HTTPS is involved
On FortiSandbox:
FortiSandbox 4.0+ (with ICAP enabled)
Updated AV + sandbox engine
Network connectivity between F5 and FortiSandbox
:wrench: Step-by-Step Setup
:desktop_computer:️ On FortiSandbox
1. Enable ICAP
Login to FortiSandbox Web UI
Go to:
System > Settings > File ScanningEnable ICAP Server
Configure:
Port: 1344 (default)
Service Name: /icap/avscan (default or custom)
Allowed clients: Add F5 WAF IP
🟢 Note the service name (e.g. /icap/avscan) — you will use this on F5.
2. Test ICAP is Working
From another system:
bash
CopyEdit
curl -i -X OPTIONS icap://<fortisandbox-ip>:1344/icap/avscan
You should see:
makefile
CopyEdit
ICAP/1.0 200 OK Methods: RESPMOD
:globe_with_meridians: On F5 WAF
1. Create ICAP Server Profile
Navigate to:
Security > ICAP Services > ICAP ServersClick Create
Fill in:
Name: FortiSandbox_ICAP
Host: <FortiSandbox-IP>
Port: 1344
URI Path: /icap/avscan
Preview Length: 0
Timeout: 5 or 10 seconds
Save and Test Connection.
2. Create ICAP Service
Go to:
Security > ICAP Services > ICAP ServicesClick Create
Fill in:
Name: FortiScan_Service
Request Adaptation: No
Response Adaptation: Yes
ICAP Server: FortiSandbox_ICAP
Service URI: /icap/avscan
:locked: 3. Attach to Security Policy
Go to:
Security > Application Security > Security PoliciesChoose your policy
Navigate to File Protection
Enable:
File types to scan (e.g. .doc, .pdf, .exe)
ICAP Service: FortiScan_Service
Save and Apply Policy
🧪 4. Test with EICAR or Sample Malware
Upload EICAR test file through your app:
F5 will forward it to FortiSandbox
If malicious, F5 will block or return a modified response
FortiSandbox logs verdict in its UI
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
🧠 Best Practices
Task Recommendation
Enable SSL interception Needed if clients send over HTTPS
Set timeout on ICAP Avoid delay if sandbox is slow
Log FortiSandbox verdicts In FortiSandbox or via Syslog/SIEM
Monitor F5 logs For blocked uploads and ICAP errors
Keep AV/sandbox engine updated On FortiSandbox
:hammer_and_wrench: Optional: Advanced Tuning
Customize FortiSandbox to log, quarantine, or submit unknown files
Use F5 iRules to bypass ICAP for internal or trusted uploads
Use FortiSandbox APIs to fetch detailed reports for detected threats
:white_heavy_check_mark: Summary
Component Key Setting
FortiSandbox ICAP Enabled, URI /icap/avscan
F5 ICAP Server Host + Port + URI /icap/avscan
F5 Policy Enable File Protection
ICAP Mode Response Mode Only (for uploads)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
iRule Example: Bypass ICAP for Trusted IPs or URIs
when HTTP_REQUEST {
set skip_icap 0
# Bypass ICAP for internal IPs
if {[IP::client_addr] starts_with "10."} {
set skip_icap 1
}
# Bypass ICAP for specific trusted upload path
if {[HTTP::uri] starts_with "/upload/trusted"} {
set skip_icap 1
}
# Check file extension (only scan specific types)
set uri_path [string tolower [HTTP::uri]]
if {![regexp {(\.exe|\.pdf|\.docx)$} $uri_path]} {
set skip_icap 1
}
# Disable ICAP adaptation if skipping
if {$skip_icap} {
ICAP::disable
log local0. "ICAP bypassed for [IP::client_addr], URI: [HTTP::uri]"
} else {
log local0. "ICAP enabled for [IP::client_addr], URI: [HTTP::uri]"
}
}
Logs
tail -f /var/log/ltm | grep ICAP
Labels
-
FortiGate
10,510 -
FortiClient
2,135 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
674 -
5.4
638 -
FortiSwitch
578 -
FortiAP
558 -
FortiClient EMS
551 -
6.0
416 -
IPsec
411 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
277 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
126 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
FortiSandbox
53 -
fortilink
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2551 | |
| 1356 | |
| 795 | |
| 646 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.