FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 242592
Description This article describes why the '.dll'(Dynamic Link Library) file is blocked in the archive file when execute file (.exe) is configured as block in the file-filter.
Scope FortiGate.

The file filter is set to block '.exe' file only.


# config file-filter profile
    edit "block_exe"
        set scan-archive-contents enable
        config rules
            edit "block_file"
            set protocol http ftp smtp imap pop3 cifs
            set action block
            set file-type "bat" "exe"


However,  some archive-file types like cabinet (.cab) are blocked.

The security event log shows the followings:


date=2023-01-06 time=03:36:55 eventtime=1672947415497679921 tz="+0800" logid="1900064000" type="utm" subtype="file-filter"
eventtype="file-filter" level="warning" vd="root" policyid=4 sessionid=250425 srcip= srcport=59636 srcintf="port2"
srcintfrole="undefined" dstip= dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" profile="block_exe"
direction="incoming" action="blocked" url="" hostname=""
agent="Chrome/91.0.4472.124" filtername="block_file" filename="" filesize=1058212 filetype="cab" matchfilename="DolbyAccessAddin.dll" matchfiletype="exe" msg="File was blocked by file filter."


The cab file is blocked is due to '' containing multiple files and one of the files is 'DolbyAccessAddin.dll', which is an executable file.
Also ' set scan-archive-contents enable' is set in file filter profile by default. So the matched file type is detected as 'exe' for this cab file and the blocking behavior is expected.


To avoid the FortiGate to scan the archive, or prevent this file to block, it is possible to use 'set scan-archive-contents disable'.