Technical Tip: 'Hold Session While Scanning File' in FortiWeb

Abin_FTNT · ‎09-27-2023

Description

This article describes how the 'Hold Session While Scanning File' feature in FortiWeb makes it possible to customize how FortiWeb manages sessions when sending files to FortiSandbox or an ICAP server for scanning. It provides control over the behavior of FortiWeb when it encounters files that require scanning before being allowed to pass through the system.

This article covers the following aspects of the 'Hold Session While Scanning File' feature in FortiWeb:

Enabling the 'Hold Session While Scanning File' Option: Step-by-step instructions on enabling this option within the FortiWeb management interface.
How It Works: An explanation of the functionality of this feature, including what happens when it's enabled and how FortiWeb handles file scanning.
Behavior without 'Hold Session While Scanning File': A description of how FortiWeb behaves when this option is not enabled, emphasising how files are processed and what actions are taken.
Timeout Interval: Details on the timeout interval for holding sessions sent to FortiSandbox.

Scope

Any supported version of FortiWeb.

Solution

Enabling the 'Hold Session While Scanning File' option.

To enable 'Hold Session While Scanning File,' follow these steps (assuming a File Security Policy is already in place):

Access the FortiWeb Management Interface: Log in to the FortiWeb management interface.
Navigate to Security Policy Configuration: Go to Web Protection -> Input Validation -> File Security.
Note: To access this part of the web UI, the administrator’s account access profile must have Read and Write permissions to items in the Web Protection Configuration category.
Edit the File Security Policy: Select the File Security Policy tab, select the desired File Security Policy, and select the 'Edit' button.
Configure 'Hold Session While Scanning File':

Within the new policy, find the 'Hold Session While Scanning File' setting.
Toggle the option to enable it.

How it works.

When the 'Hold Session While Scanning File' option is enabled, FortiWeb behaves as follows:

File Submission: FortiWeb receives a file from the client for which verdict from the FortiSandbox or the ICAP server has not yet been learned.
Scanning Process: The file is forwarded to FortiSandbox or the ICAP server for scanning.
Waiting Period: FortiWeb waits for the scanning process to complete within the 30-minute window.
Forwarding: If scanning takes longer than 30 minutes, FortiWeb forwards the session without taking any other actions. This ensures that legitimate traffic is not unnecessarily delayed due to prolonged scanning.
File Verdict: After scanning is completed, FortiWeb receives the verdict from FortiSandbox or the ICAP server and takes appropriate actions based on the verdict.
Attack Log: FortiWeb generates an attack log with the action set as the one configured in the File Security policy.

FortiWeb behavior without 'Hold Session While Scanning File'.

FortiWeb behaves differently when it receives an HTTP request containing a file in the payload for which verdict from the FortiSandbox or the ICAP server has not yet been learned and the 'Hold Session While Scanning File' option is not enabled.

File Submission: FortiWeb receives a file from the client for which verdict from the FortiSandbox or the ICAP server has not yet been learned.
Parallel Processing: It simultaneously forwards the file to FortiSandbox (FSA) and the Real server.
Verdict Handling: FortiWeb caches the file's hash and the verdict after receiving the verdict from FSA.
Attack Log: FortiWeb generates an attack log with the action set as 'Alert' for this instance since it didn't block the request.
Subsequent Requests: When FortiWeb receives the same file in subsequent requests, it verifies the file against its cache. Suppose the file's hash matches the one stored in its cache, and it is marked as a suspicious/malware file, FortiWeb takes the action configured in the File Security policy. For example, if the action is 'Alert_Deny' in the File Security Policy, File security blocks the request immediately and generates an attack log with the action defined as 'Action_Deny.'
Understanding the Delay: Note that when this option is enabled, FortiWeb will send files to the FortiSandbox/ICAP server for which a verdict has not yet been obtained, and it waits for scan results before sending the file to the server. This process may take some time, depending on how busy the FortiSandbox/ICAP server currently is.

Conclusion.

The 'Hold Session While Scanning File' feature enables Fortiweb to wait (for a maximum 30 minutes) for the submitted files' verdict from the FortiSandbox or ICAP server, preventing malicious files from reaching the protected web servers. Additionally, this makes it easier for the FortiWeb administrator to analyze the attack logs generated for the files marked as malicious by the FortiSandbox/ICAP server since the action recorded in all the attack logs is the same as defined in the File Security Profile.

Despite this, note that Fortiweb can still forward the request carrying a malicious file to the protected web server without taking action if it does not receive the verdict from the FortiSandbox/ICAP server within 30 minutes (in this case, the troubleshooting needs to be performed on the FortiSandbox/ICAP server rather than Fortiweb)