Skip to main content
dbaddorf
dbaddorf
New Member
November 19, 2020
Question

Can't Enable Content Disarm and Reconstruction

  • November 19, 2020
  • 2 replies
  • 7017 views

I know, I know, there are FortiGate posts on how easy this is to enable (https://kb.fortinet.com/kb/documentLink.do?externalID=FD48592).  I'm following these instructions, but I can't get it working.  I'm using 6.4.3 on an 600E.

 

When I do the following commands:

config firewall profile-protocol-options

edit default

I get a message "Cannot modify the read-only factory default profiles!".

 

So, I can presumably create a new entry here, and then change the SMTP Splice to the "oversize" value that the FortiNet page recommends.  

 

But when what?  How would I attach this new firewall profile-protocol-options to my AV policy?  

 

I may be missing something easy here, but I had problems with this issue last year and didn't get the help I needed at that point: https://forum.fortinet.com/tm.aspx?m=173336.  So I'm trying again.

 

If anyone has anything to offer on the subject, I'm certainly glad to listen!

 

    2 replies

    KoolM1
    KoolM1
    New Member
    December 9, 2020

    FortiGate on 6.0.9 with deep SSL inspection.Since upgrading to 6.0.9 I have been seeing a lot of Content Disarm and Reconstruction on downloaded PDFs in email and from website download. Thing is, I don't have Content Disarm enabled for the av profiles, as far as the GUI is concerned.I had thought this was more of a logging issue, since logs showed "detected-only", but then I noticed that the action was "content-disarmed" so I looked in the CLI https://vidmate.cool/.In the CLI, checking the actual content-disarm section of the av profile I get: https://showbox.bio/ config content-disarm set original-file-destination discard set office-macro enable ...everything else enabled... set detect-only disable So it looks like content-disarm has been enabled since our upgrade, even though the GUI says it isn't enabled https://tutuapp.uno/.Trying to turn content disarm "On" in the GUI gives me the error "Value conflicts with system settings.". So I can't use the GUI to turn this on and off. I can set detect-only enable in the CLI though.Anybody else run into this?

     

    dbaddorf
    dbaddorfAuthor
    New Member
    December 30, 2020

    After working through the problem with Tech Support, here is the process to enable:

    System - Feature Visibility - Policy Advanced Options - Enable. 

    Policy & Objects - Protocol Option – Clone the default policy.  (don't need to enable Block Oversized File/Email) 

    config firewall profile-protocol-options 

    [/ul] edit <cloned profile name> 

    config smtp 

    set options fragmail oversize   # was set options fragmail splice 

    [/ul] Change firewall policies to use new Protocol Option. 

    Security Profiles – AntiVirus - <policy> - APT Protection Options – Content Disarm and Reconstruction - Enable. 

    Note: Firewall policies need to be Proxy-Based. 

    [/ul]
    Terms & ConditionsAccessibility statement