FortiGate
ksolovjova
Staff
Article Id 296896
Description

This article describes how to allow a file download that proxy-based inspection blocks because the server response carries an unknown or unsupported Content-Encoding.

Scope

FortiOS 7.0.8 and later 7.0.x, and FortiOS 7.2.1 up to 7.2.3: the setting is in the Antivirus profile.

FortiOS 7.2.4 and later: the setting is in Protocol Options.

 

Solution

When proxy inspection mode is used together with an SSL/SSH inspection profile set to certificate inspection or deep inspection, a file download can be blocked because the server response carries a Content-Encoding value that the WAD proxy does not recognize.

This is a protection mechanism against evasion attacks: a body the proxy cannot decode is a body it cannot scan, so the session is blocked instead of forwarded unscanned. The same check also catches legitimate files from misconfigured servers. A common case is a server that places a character set such as windows-1250 in Content-Encoding. That is not a valid HTTP content-coding (valid values are the registered codings such as gzip, deflate, br, compress, zstd and identity, plus their legacy x- aliases); the body in that case is plain, uncompressed text that was never encoded at all.

 

If legitimate files are suspected of being blocked because of their encoding, confirm it with the following WAD debug commands. The three filter commands are optional but keep the output readable on a busy unit; reproduce the download while the debug is running, and disable it afterwards with 'diag debug disable' and clear the filters with 'diag wad debug clear'.

diag wad filter vd <VDOM name> <- Optional. If FortiGate has no VDOMs, use root (without quotes).
diag wad filter firewall-policy <ID> <- Optional.
diag wad filter src <IP of user OR server> <- Optional.
diag wad debug en category all
diag wad debug display pid enable
diag debug en

 

Example output of WAD debugs when the file is blocked. The lines to look for are the [W] warning from __wad_setup_scan_proc ('evading attack through content-encoding') and the 'failed to setup scan' line that follows it; the dumped response headers above them show the offending Content-Encoding value (here a charset, windows-1250, rather than a real content-coding):

 

[I][p:267] wad_dump_http_resp :2599 hreq=0x7f88bf4780 Received response from server:
HTTP/1.1 200 OK
Date: Fri, 08 Dec 2022 13:53:56 GMT
Server: Apache
X-Powered-By: PHP
Content-Encoding: windows-1250
Content-Disposition: attachment; filename=testfile.csv
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/csv; charset=windows-1250
[I][p:267] wad_http_fwd_non_cacheable_resp :2595 resp(0x7f8ab67910) starts processing.
[I][p:267] wad_http_resp_setup_fwd_resp :2572 msg(0x7f8ab67910) build fwd resp!
[I][p:267] wad_resp_setup_scan_proc :1836 content type for req=0x7f88bf4780 is allowed
[I][p:267] wad_sres_entry_find :193 svr_addr=172.16.1.127, port=443, path=/files.php
[W][p:267] __wad_setup_scan_proc :1572 msg(0x7f8ab67910) evading attack through content-encoding=-ucsk!
[I][p:267] wad_http_def_proc_msg_plan :2141 msg(0x7f8ab67910) failed to setup scan!
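The following script is an added example, not part of the Fortinet article and not FortiOS code. It reads saved WAD debug output, pairs each dumped server response with the verdict that follows it, checks the Content-Encoding value against the registered HTTP content-codings, and, when the value is really the charset repeated from Content-Type (as in the output above), points out that 'inspect' will still scan the body. It only matches the message formats shown above; the embedded sample log is constructed for the example, and its addresses, paths and file names are made up.

```python
"""Triage saved FortiGate WAD debug output for unknown Content-Encoding blocks.

Added example, not part of the Fortinet article or of FortiOS. It only matches
the message formats shown in the article; other WAD builds may word them
differently. The sample log at the bottom is constructed for this example.
"""
import re

# Registered HTTP content-codings (IANA HTTP Content Coding Registry) plus the
# legacy x- aliases that browsers still send. A value outside this set cannot
# be decoded by a scanning proxy, so the body cannot be inspected.
KNOWN_CONTENT_CODINGS = {
    "gzip", "x-gzip", "deflate", "compress", "x-compress", "br", "zstd",
    "identity",
}

RESP_START = re.compile(r"wad_dump_http_resp .*hreq=(0x[0-9a-f]+) Received response from server:")
SERVER = re.compile(r"svr_addr=([\d.]+), port=(\d+), path=(\S+)")
EVASION = re.compile(r"evading attack through content-encoding")
SCAN_FAIL = re.compile(r"failed to setup scan")


def unknown_codings(content_encoding):
    """Return the tokens of a Content-Encoding header that are not known codings."""
    if not content_encoding:
        return []
    tokens = [t.strip().lower() for t in content_encoding.split(",") if t.strip()]
    return [t for t in tokens if t not in KNOWN_CONTENT_CODINGS]


def parse_wad_debug(text):
    """Split WAD debug text into one record per dumped server response."""
    records, current = [], None
    for line in text.splitlines():
        m = RESP_START.search(line)
        if m:
            current = {"hreq": m.group(1), "headers": {}, "server": None,
                       "flagged": False, "scan_failed": False}
            records.append(current)
            continue
        if current is None:
            continue
        if not line.startswith("[") and ":" in line:
            # Dumped response header, e.g. "Content-Encoding: windows-1250".
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
            continue
        m = SERVER.search(line)
        if m:
            current["server"] = f"{m.group(1)}:{m.group(2)}{m.group(3)}"
        if EVASION.search(line):
            current["flagged"] = True
        if SCAN_FAIL.search(line):
            current["scan_failed"] = True
    return records


def triage(text):
    """Per response: did the unknown-encoding check block it, and which action fits."""
    findings = []
    for rec in parse_wad_debug(text):
        enc = rec["headers"].get("content-encoding")
        ctype = rec["headers"].get("content-type", "")
        charset = re.search(r"charset=([^;\s]+)", ctype, re.IGNORECASE)
        unknown = unknown_codings(enc)
        if rec["flagged"] and charset and charset.group(1).lower() in unknown:
            verdict = "blocked by unknown-content-encoding check"
            advice = ("Content-Encoding repeats the Content-Type charset, so the body is "
                      "uncompressed text: 'set unknown-content-encoding inspect' scans it "
                      "and allows the download")
        elif rec["flagged"]:
            verdict = "blocked by unknown-content-encoding check"
            advice = ("the proxy cannot decode this coding: try 'inspect'; 'bypass' "
                      "allows the download but skips scanning")
        else:
            verdict = "not blocked by this check"
            advice = "look elsewhere in the debug for the block reason"
        findings.append({"server": rec["server"], "content_encoding": enc,
                         "unknown_codings": unknown, "verdict": verdict, "advice": advice})
    return findings


# Constructed sample modelled on the article's output; hosts and paths are made up.
SAMPLE_WAD_DEBUG = """\
[I][p:267] wad_dump_http_resp :2599 hreq=0x7f88bf4780 Received response from server:
HTTP/1.1 200 OK
Server: Apache
Content-Encoding: windows-1250
Content-Disposition: attachment; filename=report.csv
Content-Type: text/csv; charset=windows-1250
[I][p:267] wad_sres_entry_find :193 svr_addr=192.0.2.10, port=443, path=/export.php
[W][p:267] __wad_setup_scan_proc :1572 msg(0x7f8ab67910) evading attack through content-encoding=-ucsk!
[I][p:267] wad_http_def_proc_msg_plan :2141 msg(0x7f8ab67910) failed to setup scan!
[I][p:268] wad_dump_http_resp :2599 hreq=0x7f88bf5000 Received response from server:
HTTP/1.1 200 OK
Server: nginx
Content-Encoding: gzip
Content-Type: application/json
[I][p:268] wad_sres_entry_find :193 svr_addr=192.0.2.20, port=443, path=/api/items
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_WAD_DEBUG):
        print(f"{f['server']}: {f['verdict']} (Content-Encoding={f['content_encoding']}) -> {f['advice']}")
```

Save the debug output to a file and pass its contents to triage(); the second response in the sample (gzip, never flagged) is there to show that a download blocked for any other reason does not trip this check and needs a different fix.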

 

Starting from FortiOS 7.0.8 and 7.2.1, the action taken on an unknown content-encoding can be set in the Antivirus profile:

config antivirus profile
    edit <profile>
        set feature-set proxy    <- The profile must be in proxy mode.
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end


Starting from FortiOS 7.2.4, this option has been moved to Protocol Options:

config firewall profile-protocol-options
    edit <profile>
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end


Explanation of actions:

  • block: block the HTTP session when an unknown content-encoding is detected (the default).
  • inspect: do not try to decode the body; scan the HTTP body as plain text when an unknown content-encoding is detected. The body is still scanned by Antivirus.
  • bypass: skip scanning when an unknown content-encoding is detected. The body is forwarded unscanned.

In both cases, this is a CLI-only setting; it is not shown in the GUI.


In FortiOS 7.0.8 up to 7.2.3, the download can be allowed by applying a non-restrictive Antivirus profile that has 'set unknown-content-encoding bypass' to the affected firewall policy. In FortiOS 7.2.4 and later, the same is done with a Protocol Options profile that has the setting, applied to that policy.

The default for unknown-content-encoding is block. Change it only to allow the download of files that have been verified as legitimate, and do it in a dedicated profile on the policy that matches the affected server rather than in the default profile, so that the protection stays in place for everything else. Where the file is really uncompressed text, as in the windows-1250 example above, 'inspect' is preferable to 'bypass': it allows the download and still scans the body.

 

Related article:
Technical Tip: Using a no default profile-protocol-options inside a firewall policy