Created on 01-31-2024 04:45 AM
Edited on 05-22-2024 10:31 PM
By Jean-Philippe_P
Description
This article describes how to manually allow file downloads through the proxy mode filter.
Scope
FortiOS 7.0.8 and 7.2.1 for Antivirus profile.
FortiOS 7.2.4 for Protocol Options.
Solution
When proxy-based inspection is used with certificate inspection or deep inspection, a file download can be blocked because the server's response carries an unknown or unsupported Content-Encoding.
This is a protection mechanism against evasion attacks: if the proxy cannot decode the body, it cannot scan it, so the response is treated as an attempt to slip content past the antivirus engine. The same check also blocks legitimate files when the server labels the response with a value that is not a content coding the proxy can decode (in the example below, a character set name in Content-Encoding).
If it is suspected that legitimate files are being blocked because of the encoding, confirm it with the following WAD debug commands. The three filters are optional and narrow the output to one VDOM, one firewall policy or one host:
diag wad filter vd <VDOM name> <- If FortiGate has no VDOMs, use the option 'root' without quotes. Optional.
diag wad filter firewall-policy <ID> <- Optional.
diag wad filter src <IP of user OR server> <- Optional.
diag wad debug en category all
diag wad debug display pid enable
diag debug en
Reproduce the download, then stop the capture with 'diag debug disable'.
Example output of WAD debugs when the file is blocked. In this capture the server has put a character set name (windows-1250) in Content-Encoding, a header that should only carry a content coding such as gzip, deflate or br; WAD cannot decode the body, logs 'evading attack through content-encoding' and fails to set up the scan:
[I][p:267] wad_dump_http_resp :2599 hreq=0x7f88bf4780 Received response from server:
HTTP/1.1 200 OK
Date: Fri, 08 Dec 2022 13:53:56 GMT
Server: Apache
X-Powered-By: PHP
Content-Encoding: windows-1250
Content-Disposition: attachment; filename=testfile.csv
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/csv; charset=windows-1250
[I][p:267] wad_http_fwd_non_cacheable_resp :2595 resp(0x7f8ab67910) starts processing.
[I][p:267] wad_http_resp_setup_fwd_resp :2572 msg(0x7f8ab67910) build fwd resp!
[I][p:267] wad_resp_setup_scan_proc :1836 content type for req=0x7f88bf4780 is allowed
[I][p:267] wad_sres_entry_find :193 svr_addr=172.16.1.127, port=443, path=/files.php
[W][p:267] __wad_setup_scan_proc :1572 msg(0x7f8ab67910) evading attack through content-encoding=-ucsk!
[I][p:267] wad_http_def_proc_msg_plan :2141 msg(0x7f8ab67910) failed to setup scan!
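When the debug output is long, it is easier to pull out the blocked responses than to read it by hand. The following is an added example, not code from the article or from FortiOS: a small Python parser that pairs each WAD 'evading attack through content-encoding' warning with the response headers dumped for the same worker (p:<pid>) and reports the origin server, path and the Content-Encoding value the server actually sent, classifying it as a decodable content coding, a charset name placed in the wrong header, or something else. The embedded log sample is constructed and modelled on the snippet above, and the list of decodable codings is an assumption taken from the IANA HTTP Content Coding Registry, not from FortiOS documentation.

```python
"""Triage helper for WAD 'evading attack through content-encoding' blocks.

Added example, not code from the article or from FortiOS: it pairs each WAD
warning with the response headers dumped for the same worker (p:<pid>) and
reports the origin server, path and the Content-Encoding the server sent.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: content codings a scanning proxy can be expected to decode (IANA
# HTTP Content Coding Registry); anything else is "unknown" to the AV engine.
KNOWN_CONTENT_CODINGS = {"identity", "gzip", "x-gzip", "deflate", "compress",
                         "x-compress", "br", "zstd"}
# Charset names that servers sometimes put in Content-Encoding by mistake.
CHARSET_LIKE = re.compile(r"^(windows-\d+|iso-8859-\d+|utf-?(8|16|32)|us-ascii|cp\d+)$", re.I)

LOG_LINE = re.compile(r"^\[(?P<lvl>[IWE])\]\[p:(?P<pid>\d+)\] (?P<fn>\w+) :\d+ (?P<msg>.*)$")
SRES_RE = re.compile(r"svr_addr=(?P<addr>[\d.]+), port=(?P<port>\d+), path=(?P<path>\S+)")
EVADE_RE = re.compile(r"evading attack through content-encoding=(?P<val>.*)!$")


@dataclass
class Finding:
    pid: str
    server: str
    port: int
    path: str
    content_encoding: str
    content_type: str
    verdict: str  # known-coding | charset-in-content-encoding | unknown-coding


def classify_content_encoding(value: str) -> str:
    """Say whether WAD could decode this coding and, if not, why the value is odd."""
    token = value.strip().lower()
    if token in KNOWN_CONTENT_CODINGS:
        return "known-coding"
    if CHARSET_LIKE.match(token):
        return "charset-in-content-encoding"
    return "unknown-coding"


def parse_wad_debug(text: str) -> List[Finding]:
    """Return one Finding per response that WAD refused to set up a scan for."""
    findings: List[Finding] = []
    headers: Dict[str, Dict[str, str]] = {}       # pid -> last dumped response headers
    origin: Dict[str, Tuple[str, int, str]] = {}  # pid -> (server, port, path)
    capturing = ""                                # pid whose header dump is being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            # Not a WAD log line, so it belongs to the HTTP message being dumped.
            if capturing and ":" in line and not line.startswith("HTTP/"):
                name, _, val = line.partition(":")
                headers[capturing][name.strip().lower()] = val.strip()
            continue
        pid, fn, msg = m.group("pid"), m.group("fn"), m.group("msg")
        capturing = ""
        if fn == "wad_dump_http_resp":
            headers[pid] = {}  # the response headers follow on the next lines
            capturing = pid
        elif fn == "wad_sres_entry_find":
            s = SRES_RE.search(msg)
            if s:
                origin[pid] = (s.group("addr"), int(s.group("port")), s.group("path"))
        elif m.group("lvl") == "W" and EVADE_RE.search(msg):
            hdrs = headers.get(pid, {})
            # Prefer the header as dumped; fall back to the value WAD itself logged.
            enc = hdrs.get("content-encoding") or EVADE_RE.search(msg).group("val")
            server, port, path = origin.get(pid, ("?", 0, "?"))
            findings.append(Finding(pid, server, port, path, enc, hdrs.get("content-type", ""),
                                    classify_content_encoding(enc)))
    return findings


# Constructed sample modelled on the article's debug output, not a real capture.
SAMPLE_WAD_DEBUG = """\
[I][p:267] wad_dump_http_resp :2599 hreq=0x7f88bf4780 Received response from server:
HTTP/1.1 200 OK
Content-Encoding: windows-1250
Content-Disposition: attachment; filename=testfile.csv
Content-Type: text/csv; charset=windows-1250
[I][p:267] wad_sres_entry_find :193 svr_addr=172.16.1.127, port=443, path=/files.php
[W][p:267] __wad_setup_scan_proc :1572 msg(0x7f8ab67910) evading attack through content-encoding=-ucsk!
[I][p:268] wad_dump_http_resp :2599 hreq=0x7f88bf5000 Received response from server:
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: application/json
[I][p:268] wad_sres_entry_find :193 svr_addr=198.51.100.20, port=443, path=/api/v1/report
"""

if __name__ == "__main__":
    for f in parse_wad_debug(SAMPLE_WAD_DEBUG):
        print(f"p:{f.pid} {f.server}:{f.port}{f.path} Content-Encoding={f.content_encoding!r} -> {f.verdict}")
```

Feed it the saved debug output (for example from a console log) instead of the embedded sample. A 'charset-in-content-encoding' verdict points at a server that is mislabelling uncompressed text, which is the case the rest of this article deals with; an 'unknown-coding' verdict for a value that is not a charset deserves a closer look before any scan is relaxed.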
Starting from FortiOS 7.0.8 and 7.2.1, the action taken on an unknown content-encoding can be set in the Antivirus profile:
config antivirus profile
    edit <profile>
        set feature-set proxy <- The profile must be in proxy mode.
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end
Starting from FortiOS 7.2.4, this option has been moved to Protocol Options:
config firewall profile-protocol-options
    edit <profile>
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end
Explanation of actions:
- block: block HTTP session when unknown content-encoding is detected.
- inspect: scan HTTP traffic as plain-text when unknown content-encoding is detected.
- bypass: bypass scan when unknown content-encoding is detected.
In both cases this is a CLI-only setting; it is not exposed in the GUI.
In releases where the option is in the Antivirus profile (from 7.0.8 and 7.2.1), apply a dedicated, otherwise non-restrictive Antivirus profile with 'set unknown-content-encoding bypass' to the affected policy to allow the download; from 7.2.4, set the same option in a dedicated protocol options profile applied to that policy.
The default for 'unknown-content-encoding' is block. 'bypass' skips antivirus scanning for every response the proxy cannot decode, so change it only to allow the download of legitimate files, and apply the profile to a policy that matches only the affected server rather than to a general outbound policy. Where the body is really uncompressed text that the server has only mislabelled, as in the example above, 'inspect' is the safer choice: the file is still scanned as plain text.
Related article:
Technical Tip: Using a no default profile-protocol-options inside a firewall policy