Created on 01-31-2024 04:45 AM. Edited on 09-18-2025 08:38 AM by Stephen_G.
This article describes how to manually allow file downloads through the proxy mode filter.
Scope: FortiOS 7.0.8 and 7.2.1 for the Antivirus profile; FortiOS 7.2.4 for Protocol Options.
Background:
In some cases, servers may return invalid headers such as 'Content-Encoding: utf8'. This is not a valid encoding directive, since utf-8 should be specified as a charset within the Content-Type header, not under Content-Encoding. Because attackers can abuse malformed or unsupported encodings to evade inspection engines, FortiGate treats this behavior as suspicious and blocks the file transfer by default.
Deciding whether the Administrator should change this behavior:
Changing the action from block to inspect or bypass may allow legitimate downloads, but it also lowers security. When set to inspect, FortiGate will try to parse the traffic as plain text, potentially letting crafted payloads through. When set to bypass, FortiGate skips scanning entirely, which creates an even higher risk. Therefore, adjustments should only be made for specific trusted sources, weighing the operational need against the risk of enabling an attack vector.
How to confirm why FortiGate blocked it:
If legitimate files are suspected of being blocked because of the encoding, confirm it with the following WAD debug commands (the three 'filter' lines are optional and only narrow the output to the relevant VDOM, policy, or host):
diag wad filter vd <VDOM name> <- If FortiGate has no VDOMs, use root.
diag wad filter firewall-policy <ID>
diag wad filter src <IP of user OR server>
diag wad debug en category all
diag wad debug display pid enable
diag debug en
Example output of WAD debugs when the file is blocked:
[I][p:267] wad_dump_http_resp :2599 hreq=0x7f88bf4780 Received response from server:
HTTP/1.1 200 OK
Date: Fri, 08 Dec 2022 13:53:56 GMT
Server: Apache
X-Powered-By: PHP
Content-Encoding: windows-1250
Content-Disposition: attachment; filename=testfile.csv
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/csv; charset=windows-1250
[I][p:267] wad_http_fwd_non_cacheable_resp :2595 resp(0x7f8ab67910) starts processing.
[I][p:267] wad_http_resp_setup_fwd_resp :2572 msg(0x7f8ab67910) build fwd resp!
[I][p:267] wad_resp_setup_scan_proc :1836 content type for req=0x7f88bf4780 is allowed
[I][p:267] wad_sres_entry_find :193 svr_addr=172.16.1.127, port=443, path=/files.php
[W][p:267] __wad_setup_scan_proc :1572 msg(0x7f8ab67910) evading attack through content-encoding=-ucsk!
[I][p:267] wad_http_def_proc_msg_plan :2141 msg(0x7f8ab67910) failed to setup scan!
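As an added check (example script written for this article, not Fortinet code), the following Python parses a server response like the one above and the WAD debug lines, so the root cause can be confirmed before the profile is relaxed: it reports whether Content-Encoding carries a registered coding, a misplaced charset name such as utf8 or windows-1250, or something else entirely. It assumes the IANA content-coding registry as the set of legitimate tokens; the exact set FortiGate accepts is not stated in the article.

```python
import codecs
import re

# IANA-registered HTTP content-coding tokens (assumption: whatever FortiGate
# accepts lies within this set; anything else is reported as unknown).
KNOWN_CODINGS = {"gzip", "x-gzip", "compress", "x-compress", "deflate", "br",
                 "identity", "zstd", "exi", "aes128gcm", "pack200-gzip"}
# Only pass names of this shape to codecs.lookup(), which can import modules.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")
# WAD warning line that reports the block (see the debug output above).
WAD_EVASION = re.compile(r"\[W\]\[p:(\d+)\] __wad_setup_scan_proc .*content-encoding=(\S+?)!")

def parse_headers(raw):
    """Parse a raw response (status line + headers) into a lower-cased name->value dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def is_charset(name):
    # True if Python knows the token as a charset (utf8, windows-1250, ...).
    try:
        codecs.lookup(name)
        return True
    except LookupError:
        return False

def classify_content_encoding(headers):
    """Verdict and tokens: none, known, charset-in-content-encoding or unknown."""
    value = headers.get("content-encoding")
    if value is None:
        return "none", []
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    unknown = [t for t in tokens if t not in KNOWN_CODINGS]
    if not unknown:
        return "known", tokens
    # A charset belongs in Content-Type's charset parameter, not in Content-Encoding.
    misplaced = [t for t in unknown if SAFE_TOKEN.fullmatch(t) and is_charset(t)]
    return ("charset-in-content-encoding", misplaced) if misplaced else ("unknown", unknown)

def find_wad_evasion_warnings(log):
    """Return (pid, content-encoding) for every WAD line reporting the block."""
    return [(int(pid), enc) for pid, enc in WAD_EVASION.findall(log)]

# Constructed sample, modelled on the response in the article.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Encoding: windows-1250
Content-Type: text/csv; charset=windows-1250
"""
```

A verdict of charset-in-content-encoding means the server is at fault and fixing it there removes the need to change the FortiGate setting at all.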
Starting from FortiOS 7.0.8 and 7.2.1, the action for an unknown content encoding can be set in the Antivirus profile:
config antivirus profile
    edit <profile>
        set feature-set proxy <- The profile must be in proxy mode.
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end
Starting from FortiOS 7.2.4, this option has been moved to Protocol Options:
config firewall profile-protocol-options
    edit <profile>
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end
Explanation of actions:
block (default): the response is not forwarded and the download fails, as in the debug output above.
inspect: FortiGate attempts to parse the body as plain text and scans it; crafted payloads may still get through.
bypass: FortiGate skips scanning of the response entirely, which is the highest-risk option.
In both cases (Antivirus profile or Protocol Options), this is a CLI-only setting.
In FortiOS 7.0.8 and up, it is possible to apply a non-restrictive Antivirus profile containing 'set unknown-content-encoding bypass' to the affected policy to allow the file download; from 7.2.4 the equivalent setting is made in the Protocol Options profile applied to that policy.
Related article:
Technical Tip: Using a no default profile-protocol-options inside a firewall policy
Copyright 2025 Fortinet, Inc. All Rights Reserved.