ICAP integration

Kaspersky NGFW supports integration with external DLP systems (data leak protection tools) via the ICAP protocol. In this architecture, NGFW acts as an ICAP client that extracts objects from HTTP/HTTPS traffic and sends them to an external ICAP server implemented by the third-party DLP system.

Special considerations:

Kaspersky NGFW can send the following types of objects:

Configuring ICAP using OSMP

You can use the Open Single Management Platform to configure the sending of objects extracted from HTTP/HTTPS traffic to an external system via ICAP. This allows passing objects to DLP systems.

To enable the sending of objects via ICAP:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
  2. Select the Objects tab, then select Security profiles → Anti-Virus.
  3. In the upper part of the workspace, click the Create button.

    This opens the Anti-Virus profile creation window. By default, the General tab is selected.

  4. In the Name field, enter a name for the new profile.

    The name of the profile must be unique among all profiles. The maximum length is 128 characters.

  5. If necessary, in the Description field, enter an arbitrary description of the profile.

    The maximum length is 256 characters.

  6. If necessary, enable security event logging using the Logging toggle switch.

    If logging is enabled, then when an attempt is made to visit a malicious web resource, an event is logged in the Anti-Virus security event log in the SIEM system. If logging is disabled, no events are generated or saved.

  7. On the File Anti-Virus tab, set the Object Anti-Virus toggle switch to On.
  8. Set the Send objects to ICAP toggle switch to On.
  9. Click Create.

    The new item is added to the table.

  10. Apply the OSMP policy changes by clicking the Commit and push button.

The ability to send objects via ICAP is applied to the Anti-Virus profile.

Configuring ICAP on the command line

You can use the command line to configure the sending of objects extracted from HTTP/HTTPS traffic to an external system via ICAP. This allows passing objects to DLP systems.

To enable the sending of objects via ICAP:

  1. Enable the Anti-Virus by running the following command on the command line:

    security antivirus> enable

  2. Specify the IP address of the ICAP server and port (default port: 1344) by running the following commands on the command line:

    security antivirus> icap-client> server <IP address>

    security antivirus> icap-client> port <port>

  3. Configure the services for modifying the request and response (by default: echo) by running the following commands on the command line:

    security antivirus> icap-client> reqmod-service <service name>

    security antivirus> icap-client> respmod-service <service name>

  4. If monitoring mode is disabled, enable it by running the following command on the command line:

    security antivirus> icap-client> monitoring-mode

  5. Set the maximum number of connections to the ICAP server (by default 10) by running the following command on the command line:

    security antivirus> icap-client> max-connections <number from 1 to 100>

  6. Enable the sending of objects via ICAP by running the following command on the command line:

    security antivirus> profile <Anti-Virus profile name> > use-icap-client

The ability to send objects via ICAP is applied to the Anti-Virus profile.
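To make the REQMOD/RESPMOD services and port configured above concrete, here is an added example (not Kaspersky NGFW code or configuration) of what the ICAP client side of that exchange looks like on the wire per RFC 3507: building a REQMOD message around an intercepted HTTP request, and mapping the DLP server's 204/200 reply to a pass/modified verdict. The server address, service name, HTTP request and DLP replies are constructed for illustration.

```python
"""ICAP REQMOD exchange between an NGFW ICAP client and a DLP server (RFC 3507).
Constructed example, not Kaspersky NGFW code; addresses and names are made up."""

ICAP_PORT = 1344  # ICAP default port, as in the CLI steps above


def build_reqmod(server: str, service: str, http_head: bytes,
                 body: bytes = b"", port: int = ICAP_PORT) -> bytes:
    """Wrap an outbound HTTP request (head + optional body) in an ICAP REQMOD.
    Encapsulated holds byte offsets into the encapsulated section so the
    DLP server can locate the HTTP head and the object to inspect."""
    if body:
        # Body travels HTTP-chunked: one chunk, then the zero-length terminator.
        encapsulated = f"req-hdr=0, req-body={len(http_head)}"
        payload = http_head + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_head)}"
        payload = http_head
    head = (f"REQMOD icap://{server}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {server}:{port}\r\n"
            f"Encapsulated: {encapsulated}\r\n\r\n")
    return head.encode() + payload


def parse_icap_response(raw: bytes) -> tuple[int, str]:
    """Map the DLP server's reply to a client verdict: 204 = no modification,
    object may pass; 200 = server returned a replacement (how a DLP blocks or
    rewrites); anything else is an error the client must fail open or closed on."""
    head, _, _rest = raw.partition(b"\r\n\r\n")
    status_line, *_headers = head.decode("latin-1").split("\r\n")
    version, status, _reason = status_line.split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP response: {status_line!r}")
    code = int(status)
    return code, {204: "allow", 200: "modified"}.get(code, "error")


# Constructed samples: an upload of a marked document, and two DLP replies.
SAMPLE_HEAD = b"POST /upload HTTP/1.1\r\nHost: files.example\r\nContent-Length: 20\r\n\r\n"
SAMPLE_BODY = b"CONFIDENTIAL-Q3-PLAN"
SAMPLE_204 = b"ICAP/1.0 204 No Content\r\nISTag: \"dlp-1\"\r\n\r\n"
SAMPLE_200 = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=52\r\n\r\n"
              b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
              b"b\r\nDLP blocked\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod("10.0.0.5", "reqmod", SAMPLE_HEAD, SAMPLE_BODY).decode())
    print(parse_icap_response(SAMPLE_204), parse_icap_response(SAMPLE_200))
```

The same framing applies to RESPMOD, where the encapsulated part is the server's HTTP response (res-hdr/res-body) and the DLP inspects downloads instead of uploads.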
