|
In some situations, an AntiVirus engine may detect PDF files as BAT. If the AntiVirus is configured to block BAT, the PDF file will then be blocked.
The issue occurs, and on the File Filter logs, the user can see the following information:
date=[REDACTED] time=[REDACTED] id=[REDACTED] itime=[REDACTED] euid=3 epid=[REDACTED] dsteuid=[REDACTED] dstepid=[REDACTED] logver=704032573 sfsid=[REDACTED] logid=1900064000 type="utm" subtype="file-filter" service="SMTP" proto=6 srcip=[REDACTED] dstip=[REDACTED] eventtime=[REDACTED] srcport=[REDACTED] dstport=[REDACTED] policyid=[REDACTED] sessionid=[REDACTED] filesize=[REDACTED] srcintfrole="wan" dstintfrole="lan" direction="outgoing" action="blocked" level="warning" msg="File was blocked by file filter." srcintf=[REDACTED] dstintf=[REDACTED] from=[REDACTED] to=[REDACTED] eventtype="file-filter" sender="[REDACTED] recipient=[REDACTED] subject=[REDACTED] profile="File Blocked" filename=[REDACTED].pdf" filetype="pdf" matchfiletype="javascript" tz="+0800" attachment="yes" srcuuid=[REDACTED] dstuuid=[REDACTED] policytype="policy" srccountry="Malaysia" dstcountry="Reserved" poluuid=[REDACTED] devid=[REDACTED] vd=[REDACTED] csf=[REDACTED] dtime=[REDACTED] itime_t=[REDACTED] devname=[REDACTED] srcuuid_name=all dstuuid_name="Email Server"
This is due to signature matching on the AntiVirus engine. Check Technical Tip: How to manually update the Virus Definition database or AntiVirus Engine
An update on the signature can be done manually by running the following commands on the CLI:
diagnose debug application update -1
diagnose debug enable
execute update-now
The update is done once 'UPDATE successful' is seen on the debug. To stop the debug, run 'diagnose debug disable'.
To check the current signature version, run 'diagnose autoupdate versions ':
Virus Definitions
---------
Version: 92.18344 signed
Contract Expiry Date: Sun Oct 5 2025
Last Updated using manual update on Mon Oct 28 10:03:50 2024
Last Update Attempt: Mon Oct 28 10:03:50 2024
Result: Updates Installed
AV Engine
---------
Version: 7.00031 signed
Contract Expiry Date: Tue Mar 10 2026
Last Updated using manual update on Fri Jul 12 05:01:00 2024
Last Update Attempt: Mon Nov 25 13:27:42 2024
Result: Updates Installed
If the issue persists, create a ticket with Fortinet TAC, share the PDF file for further troubleshooting. If the corresponding firewall policy is configured with proxy-mode inspection, collect the WAD and scanunitd debugs.
diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose wad debug enable level verbose
diagnose wad debug enable category all
diagnose sys scanunit debug all
diagnose wad filter src <source_IP> <--one of the PCs that user is facing the issue
diagnose debug enable
After enabling the debug, wait for the issue to occur and provide here the <Source IP> to filter the results of the logs, disable the debug with the following commands:
diagnose debug disable
diagnose debug reset
diagnose wad debug clear
When firewall policy is configured with flow-based inspection, then ipsengine will inspect the traffic. In this case, collect debugs for ipsengine and scanunitd.
diagnose ips filter set "host 1.1.1.1 and port 443" <---change the source IP and the destination port
diagnose ips debug enable all
diagnose sys scanunit debug all
diagnose debug console timestamp enable
diagnose debug enable
Note: The filter variable can be adjusted to refine ipsengine debug outputs for more targeted analysis. For more detail on available filters, refer to Troubleshooting Tip: IPS engine new debug commands.
Replicate the issue multiple times while running the debugs. After replication, stop the debugs with commands below.
diagnose debug disable
diagnose debug reset
diagnose ips debug disable all
Related articles:
|
