Created on 01-31-2024 04:45 AM Edited on 05-22-2024 10:31 PM By Jean-Philippe_P
This article describes how to manually allow file downloads through the proxy mode filter.
FortiOS 7.0.8 and 7.2.1 for the Antivirus profile.
FortiOS 7.2.4 for Protocol Options.
A file download can be blocked due to unknown/unsupported encoding when proxy inspection mode is used with certificate inspection or deep inspection.
This is a protection mechanism against evasion attacks. However, it can also block legitimate files that are using a specific encoding.
If it is suspected that legitimate files are getting blocked due to the encoding, check with the following WAD debug commands:
diag wad filter vd <VDOM name> <- If FortiGate has no VDOMs, use the option 'root' without quotes. Optional.
diag wad filter firewall-policy <ID> <- Optional.
diag wad filter src <IP of user OR server> <- Optional.
diag wad debug en category all
diag wad debug display pid enable
diag debug en
Example output of WAD debugs when the file is blocked:
[I][p:267] wad_dump_http_resp :2599 hreq=0x7f88bf4780 Received response from server:
HTTP/1.1 200 OK
Date: Fri, 08 Dec 2022 13:53:56 GMT
Server: Apache
X-Powered-By: PHP
Content-Encoding: windows-1250
Content-Disposition: attachment; filename=testfile.csv
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/csv; charset=windows-1250
[I][p:267] wad_http_fwd_non_cacheable_resp :2595 resp(0x7f8ab67910) starts processing.
[I][p:267] wad_http_resp_setup_fwd_resp :2572 msg(0x7f8ab67910) build fwd resp!
[I][p:267] wad_resp_setup_scan_proc :1836 content type for req=0x7f88bf4780 is allowed
[I][p:267] wad_sres_entry_find :193 svr_addr=172.16.1.127, port=443, path=/files.php
[W][p:267] __wad_setup_scan_proc :1572 msg(0x7f8ab67910) evading attack through content-encoding=-ucsk!
[I][p:267] wad_http_def_proc_msg_plan :2141 msg(0x7f8ab67910) failed to setup scan!
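The capture above is quicker to triage when a script pulls the offending Content-Encoding value out of the WAD debug text and checks it against the registered HTTP content codings; in this case the server put a charset name where a content coding belongs, which is what the proxy's evasion protection reacts to. This is an added example, not Fortinet code, and the sample capture is a constructed excerpt modelled on the output above.

```python
"""Triage a WAD debug capture: was the response blocked for unknown
Content-Encoding, and is the value a real HTTP content coding at all?"""
import re

# Content codings from the IANA HTTP Content Coding Registry.
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "compress",
                 "x-compress", "identity", "zstd"}

EVASION_RE = re.compile(
    r"\[W\]\[p:\d+\] __wad_setup_scan_proc .* evading attack through content-encoding")
ENCODING_RE = re.compile(r"^Content-Encoding:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
CHARSET_RE = re.compile(r"charset=([\w-]+)", re.IGNORECASE)

# Constructed excerpt modelled on the WAD debug output in the article.
SAMPLE = """[I][p:267] wad_dump_http_resp :2599 hreq=0x7f88bf4780 Received response from server:
HTTP/1.1 200 OK
Server: Apache
Content-Encoding: windows-1250
Content-Disposition: attachment; filename=testfile.csv
Content-Type: text/csv; charset=windows-1250
[W][p:267] __wad_setup_scan_proc :1572 msg(0x7f8ab67910) evading attack through content-encoding=-ucsk!
[I][p:267] wad_http_def_proc_msg_plan :2141 msg(0x7f8ab67910) failed to setup scan!
"""


def triage(debug_text: str) -> dict:
    """Summarise what the capture says about the blocked response."""
    m = ENCODING_RE.search(debug_text)
    encoding = m.group(1).strip().lower() if m else None
    # Content-Encoding may list several codings, e.g. "gzip, br".
    codings = [c.strip() for c in encoding.split(",")] if encoding else []
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    cs = CHARSET_RE.search(debug_text)
    return {
        "blocked_by_wad": bool(EVASION_RE.search(debug_text)),
        "content_encoding": encoding,
        "unknown_codings": unknown,
        # Typical server misconfiguration: the charset repeated as the encoding.
        "charset_in_encoding": bool(cs and cs.group(1).lower() in unknown),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

If `unknown_codings` is non-empty and `charset_in_encoding` is true, the fix belongs on the web server (send only a real content coding, or none); the FortiOS `unknown-content-encoding` setting described below is the workaround while that is arranged.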
Starting from FortiOS 7.0.8 and 7.2.1, it is possible to specify the action for the unknown encoding in the Antivirus profile:
config antivirus profile
edit <profile>
set feature-set proxy <- The profile should be in proxy mode.
config http
set unknown-content-encoding {block | inspect | bypass}
end
next
end
Starting from FortiOS 7.2.4, this option has been moved to Protocol Options:
config firewall profile-protocol-options
edit <profile>
config http
set unknown-content-encoding {block | inspect | bypass}
end
next
end
Explanation of actions:
In both cases, this is a CLI-only setting.
In FortiOS 7.0.8 and up, it is possible to apply a non-restrictive Antivirus profile with 'set unknown-content-encoding bypass' to the affected policy to allow the file download.
The default action for 'unknown-content-encoding' is block. Changing it to 'bypass' should be done only to allow the download of legitimate files.
Related article:
Technical Tip: Using a no default profile-protocol-options inside a firewall policy