I know, I know, there are FortiGate posts on how easy this is to enable (https://kb.fortinet.com/kb/documentLink.do?externalID=FD48592). I'm following these instructions, but I can't get it working. I'm using 6.4.3 on a 600E.
When I do the following commands:
config firewall profile-protocol-options
edit default
I get a message "Cannot modify the read-only factory default profiles!".
So, I can presumably create a new entry here, and then change the SMTP Splice to the "oversize" value that the Fortinet page recommends.
But then what? How would I attach this new firewall profile-protocol-options to my AV policy?
I may be missing something easy here, but I had problems with this issue last year and didn't get the help I needed at that point: https://forum.fortinet.com/tm.aspx?m=173336. So I'm trying again.
If anyone has anything to offer on the subject, I'm certainly glad to listen!
FortiGate on 6.0.9 with deep SSL inspection. Since upgrading to 6.0.9 I have been seeing a lot of Content Disarm and Reconstruction on downloaded PDFs in email and from website download. Thing is, I don't have Content Disarm enabled for the AV profiles, as far as the GUI is concerned. I had thought this was more of a logging issue, since logs showed "detected-only", but then I noticed that the action was "content-disarmed", so I looked in the CLI. In the CLI, checking the actual content-disarm section of the AV profile I get:

config content-disarm
set original-file-destination discard
set office-macro enable
...everything else enabled...
set detect-only disable

So it looks like content-disarm has been enabled since our upgrade, even though the GUI says it isn't enabled. Trying to turn content disarm "On" in the GUI gives me the error "Value conflicts with system settings.". So I can't use the GUI to turn this on and off. I can set detect-only enable in the CLI though. Anybody else run into this?
After working through the problem with Tech Support, here is the process to enable:
1. System - Feature Visibility - Policy Advanced Options - Enable.
2. Policy & Objects - Protocol Options – Clone the default profile. (Don't need to enable Block Oversized File/Email.)
3. In the CLI:

config firewall profile-protocol-options
edit <cloned profile name>
config smtp
set options fragmail oversize
(was: set options fragmail splice)

4. Change firewall policies to use the new Protocol Option.
5. Security Profiles – AntiVirus - <policy> - APT Protection Options – Content Disarm and Reconstruction - Enable.

Note: Firewall policies need to be Proxy-Based.
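The same procedure as one CLI script, added here as an illustration and not the commands from the reply above; it also answers the original question of how the cloned protocol-options profile gets attached to the policy, and includes the detect-only switch from the 6.0.9 post. The profile names, the policy ID, and the 6.4 antivirus-profile keywords (feature-set, av-scan, content-disarm under config smtp) are assumptions taken from the 6.4 CLI conventions rather than from this page.

```fortios
# 1. "default" is read-only, so clone it and switch SMTP from splice
#    to oversize so the whole message is buffered before scanning.
config firewall profile-protocol-options
    clone default to cdr-proto-options
    edit cdr-proto-options
        config smtp
            set options fragmail oversize
        end
    next
end

# 2. Enable CDR in a proxy-mode AV profile. detect-only enable would
#    only log (the "detected-only" entries from the 6.0.9 post).
config antivirus profile
    edit av-cdr
        set feature-set proxy
        config smtp
            set av-scan enable
            set content-disarm enable
        end
        config content-disarm
            set original-file-destination discard
            set detect-only disable
        end
    next
end

# 3. Bind both profiles to the policy. CDR needs a proxy-based policy,
#    and a UTM policy must reference an SSL/SSH profile.
config firewall policy
    edit 1
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile certificate-inspection
        set av-profile av-cdr
        set profile-protocol-options cdr-proto-options
    next
end

# 4. Confirm what is actually stored; the GUI may not reflect it,
#    as the 6.0.9 post shows.
show firewall profile-protocol-options cdr-proto-options
show antivirus profile av-cdr
show firewall policy 1
```

Lines beginning with # are comments for the reader; drop them if pasting into a FortiOS script. Replace policy ID 1 with the ID of the policy that carries your SMTP traffic.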