This article describes how files that are inspected with an Antivirus profile and considered oversized are not sent to FortiSandbox. Flow-based mode already implements this behavior. Proxy-based mode implements it starting with v7.4.2.
v7.4.
Configuration:
config firewall profile-protocol-options
    edit "TEST_OPTIONS_FSA"
        set oversize-log enable
        config http
            set inspect-all enable
            unset options
            unset post-lang
        end
        config ftp
            set ports 21
            set oversize-limit 10
            unset options
        end
    next
end
config antivirus profile
    edit "TEST_AV_Proxy"
        set comment "Scan files and block viruses."
        set feature-set proxy
        config ftp
            set av-scan block
            set fortisandbox monitor
        end
        set scan-mode legacy
    next
end
config firewall policy
    edit 21
        set name "FSA FTP"
        set srcintf "port4"
        set dstintf "port2"
        set action accept
        set srcaddr "10.40.4.131"
        set dstaddr "all"
        set schedule "always"
        set service "FTP"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "TEST_OPTIONS_FSA"
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "TEST_AV_Proxy"
        set logtraffic all
    next
end
Upload a file greater than the oversize-limit - in this example, a 54 MB file:
Upload a file less than the oversize-limit - in this example, a 1.6 MB file.
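An added example, not part of the original article or of any Fortinet tooling: a Python check that reads a FortiOS configuration and lists the policies where a file of a given size exceeds the protocol's oversize-limit and so, per the behavior described above, is not sent to FortiSandbox. The function names and the trimmed sample configuration are constructed here; it assumes oversize-limit is set explicitly in the protocol options and is expressed in MB.

```python
import shlex
# Constructed sample: a trimmed copy of the configuration shown in this article.
SAMPLE = """config firewall profile-protocol-options
    edit "TEST_OPTIONS_FSA"
        config ftp
            set oversize-limit 10
        end
    next
end
config antivirus profile
    edit "TEST_AV_Proxy"
        config ftp
            set fortisandbox monitor
        end
    next
end
config firewall policy
    edit 21
        set profile-protocol-options "TEST_OPTIONS_FSA"
        set av-profile "TEST_AV_Proxy"
    next
end"""

def parse(text):
    """Turn FortiOS config/edit/set text into nested dicts (unset lines are ignored)."""
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("end", "next"):
            stack.pop()
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
    return stack[0]

def unsandboxed(cfg, size_mb):
    """(policy, protocol, limit MB) where FortiSandbox is on but size_mb exceeds oversize-limit."""
    hits = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        av = cfg.get("antivirus profile", {}).get(pol.get("av-profile"), {})
        po = cfg.get("firewall profile-protocol-options", {}).get(pol.get("profile-protocol-options"), {})
        for proto, sect in av.items():
            if isinstance(sect, dict) and sect.get("fortisandbox", "disable") != "disable":
                limit = po.get(proto, {}).get("oversize-limit")  # assumed MB, set explicitly
                if limit is not None and size_mb > int(limit):
                    hits.append((pid, proto, int(limit)))
    return hits
```

With the sample, `unsandboxed(parse(SAMPLE), 54)` reports policy 21 for FTP, while the 1.6 MB case returns an empty list.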