FortiGate
nathan_h
Staff
Article Id 313488
Description

 

This article describes how FortiGate blocks an archive file when archive-block is set to mailbomb in the antivirus profile, and how to verify the compression ratio that triggers the block.

 

Scope

 

FortiGate.

 

Solution

 

Configuration:

  • Profile Options:


config firewall profile-protocol-options
    edit "TEST_OPTION"
        set comment "All default services."
        set oversize-log enable
        config http
            set ports 80
            unset options
            unset post-lang
        end
    next
end

 

  • Antivirus Profile:


config antivirus profile
    edit "TEST_AV"
        set comment "Scan files and block viruses."
        config http
            set av-scan block
            set archive-block mailbomb
        end
        set extended-log enable
    next
end

 

  • Firewall Policy:


config firewall policy
    edit 1
        set name ""
        set uuid f868afee-07c6-51ef-d375-8260c0ef7aaa
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "x.x.x.x"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "TEST_OPTION"
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "TEST_AV"
        set logtraffic all
        set nat enable
    next
end

 

[Screenshot: firewallpolicy.png, the firewall policy in the GUI]


With this configuration the client is unable to download the file. The antivirus log shows that the file was blocked with the message 'File reached uncompressed size limit'.

[Screenshot: Unabltodownload.png, the blocked download in the browser]

[Screenshot: avlogs.png, the antivirus log entry]

 

The FortiGate blocked the file because it was detected as an archive bomb (mailbomb): its uncompressed size is more than 100 times its compressed size. The mailbomb check is a ratio test. The absolute decompression caps (uncompressed-oversize-limit and uncompressed-nest-limit under config firewall profile-protocol-options) are separate settings that also apply to archives, so check them as well if a legitimate archive is unexpectedly blocked.

 

 

Example:

145 KB (compressed file size) x 100 = 14500 KB

sample_bomb.txt is 54543 KB when uncompressed. 54543 KB is greater than 14500 KB (a ratio of roughly 376:1), so the archive is treated as an archive bomb (mailbomb) and is blocked.
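The same ratio test, implemented locally as an added example so the verdict can be reproduced on a file before it is sent through the firewall. This is not Fortinet's code and does not claim to mirror how FortiOS implements the check internally; it assumes a ZIP archive, a 100x threshold as stated above, and inflates in 64 KiB steps under a byte budget so a bomb is never fully expanded in memory. The two sample archives are constructed inside the script.

```python
import io
import os
import zipfile

# The article's rule: an archive whose uncompressed size is more than 100x
# its compressed size is an archive bomb (mailbomb).
RATIO_LIMIT = 100
CHUNK = 64 * 1024  # inflate in 64 KiB steps so the budget is checked often


def exceeds_ratio(compressed_kb, uncompressed_kb, ratio_limit=RATIO_LIMIT):
    """The article's arithmetic: block when uncompressed > compressed x ratio."""
    return uncompressed_kb > compressed_kb * ratio_limit


def archive_bomb_verdict(zip_bytes, ratio_limit=RATIO_LIMIT):
    """Inflate a ZIP member by member under a byte budget.

    The compressed size is the number of bytes actually received, not the
    sizes declared in the central directory (which an attacker controls).
    Inflation stops as soon as the budget is exceeded, so a bomb is never
    fully expanded.

    Returns (is_bomb, compressed_bytes, inflated_bytes_so_far).
    """
    compressed = len(zip_bytes)
    budget = compressed * ratio_limit
    inflated = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    inflated += len(chunk)
                    if inflated > budget:
                        return True, compressed, inflated
    return False, compressed, inflated


def build_zip(name, payload):
    """Constructed sample: a single-member ZIP archive using DEFLATE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (not from the article): 8 MiB of zeros deflates to a
# few KiB (ratio in the hundreds), while random data does not compress.
BOMB_ZIP = build_zip("sample_bomb.txt", b"\x00" * (8 * 1024 * 1024))
BENIGN_ZIP = build_zip("report.bin", os.urandom(256 * 1024))

if __name__ == "__main__":
    # The article's numbers: 145 KB compressed, 54543 KB uncompressed.
    print("article example blocked:", exceeds_ratio(145, 54543))
    for label, blob in (("bomb", BOMB_ZIP), ("benign", BENIGN_ZIP)):
        is_bomb, comp, infl = archive_bomb_verdict(blob)
        print(f"{label}: compressed={comp} B, inflated so far={infl} B, bomb={is_bomb}")
```

Nested archives are not unpacked here; on the FortiGate, nesting is governed by the separate nested option of archive-block and by uncompressed-nest-limit, not by the mailbomb ratio test.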

 

[Screenshot: filesize.png, compressed size of the archive]

[Screenshot: detailedfilesize.png, uncompressed size of sample_bomb.txt]