FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nathan_h
Staff & Editor
Article Id 313488
Description

This article describes how FortiGate blocks a file when archive-block is set to mailbomb in the antivirus profile.

 

Scope

FortiGate.

 

Solution

Configuration:

  • Profile Options:

config firewall profile-protocol-options
    edit "TEST_OPTION"
        set comment "All default services."
        set oversize-log enable
        config http
            set ports 80
            unset options
            unset post-lang
        end
    next
end

 

  • Antivirus Profile:

config antivirus profile
    edit "TEST_AV"
        set comment "Scan files and block viruses."
        config http
            set av-scan block
            set archive-log mailbomb
            set archive-block mailbomb
        end
        set extended-log enable
    next
end

 

  • Firewall Policy:

config firewall policy
    edit 1
        set name ""
        set uuid f868afee-07c6-51ef-d375-8260c0ef7aaa
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "x.x.x.x"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "TEST_OPTION"
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "TEST_AV"
        set logtraffic all
        set nat enable
    next
end

 

[Screenshot: firewallpolicy.png]


The download fails. The AntiVirus event shows that the file was blocked with the reason 'File reached uncompressed size limit'.

[Screenshot: Unabltodownload.png]

 

[Screenshot: 2024-08-15 16 27 26.png]

 

FortiGate blocked the file because it was detected as an archive bomb (mailbomb): its uncompressed size is more than 100 times its compressed size.

 

 

Example:

A compressed file of 145 KB x 100 = 14500 KB.

sample_bomb.txt is 54543 KB when uncompressed. 54543 KB is greater than 14500 KB, so the archive is treated as an archive bomb (mailbomb) and blocked.
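The ratio rule above, as an added Python example that is not from this article or from Fortinet: it reads only the size fields in the zip central directory, applies the 100x threshold to the figures quoted on this page and to two constructed archives, and never inflates the data. The archive and member names are constructed for the example.

```python
import io
import os
import zipfile

# Ratio stated on this page for FortiGate's mailbomb (archive bomb) verdict:
# block when the uncompressed size exceeds 100x the compressed size.
MAILBOMB_RATIO = 100


def is_mailbomb(compressed_bytes: int, uncompressed_bytes: int,
                ratio: int = MAILBOMB_RATIO) -> bool:
    """True when the uncompressed size is greater than ratio x the compressed size."""
    return uncompressed_bytes > compressed_bytes * ratio


def zip_sizes(zip_bytes: bytes) -> tuple:
    """Sum compressed and uncompressed member sizes from the zip central directory.
    Only metadata is read; nothing is inflated, so the check itself is cheap."""
    compressed = uncompressed = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            compressed += info.compress_size
            uncompressed += info.file_size
    return compressed, uncompressed


def classify_zip(zip_bytes: bytes) -> dict:
    """Apply the mailbomb ratio to a whole archive."""
    c, u = zip_sizes(zip_bytes)
    return {"compressed": c, "uncompressed": u,
            "ratio": (u / c) if c else float("inf"),
            "mailbomb": is_mailbomb(c, u)}


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample archive with one DEFLATE-compressed member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: 4 MiB of zeros deflates to a few KB (ratio far above 100),
# while 64 KiB of random bytes barely compresses at all (ratio about 1).
BOMB_ZIP = build_zip("sample_bomb.txt", b"\x00" * (4 * 1024 * 1024))
NORMAL_ZIP = build_zip("report.bin", os.urandom(64 * 1024))

if __name__ == "__main__":
    # The figures quoted on this page: 145 KB compressed vs 54543 KB uncompressed.
    print("page example is mailbomb:", is_mailbomb(145 * 1024, 54543 * 1024))
    for label, data in (("bomb", BOMB_ZIP), ("normal", NORMAL_ZIP)):
        print(label, classify_zip(data))
```

The same size comparison can be applied to the member sizes individually when a single nested file, rather than the whole archive, should trigger the block.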

 

[Screenshot: filesize.png]

 

[Screenshot: detailedfilesize.png]