Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dbaddorf
New Contributor

Can't Enable Content Disarm and Reconstruction

I know, I know, there are FortiGate posts on how easy this is to enable (https://kb.fortinet.com/kb/documentLink.do?externalID=FD48592).  I'm following these instructions, but I can't get it working.  I'm using 6.4.3 on an 600E.

 

When I do the following commands:

config firewall profile-protocol-options

edit default

I get a message "Cannot modify the read-only factory default profiles!".

 

So, I can presumably create a new entry here, and then change the SMTP Splice to the "oversize" value that the FortiNet page recommends.  

 

But when what?  How would I attach this new firewall profile-protocol-options to my AV policy?  

 

I may be missing something easy here, but I had problems with this issue last year and didn't get the help I needed at that point: https://forum.fortinet.com/tm.aspx?m=173336.  So I'm trying again.

 

If anyone has anything to offer on the subject, I'm certainly glad to listen!

 

2 REPLIES 2
KoolM1
New Contributor

FortiGate on 6.0.9 with deep SSL inspection.Since upgrading to 6.0.9 I have been seeing a lot of Content Disarm and Reconstruction on downloaded PDFs in email and from website download. Thing is, I don't have Content Disarm enabled for the av profiles, as far as the GUI is concerned.I had thought this was more of a logging issue, since logs showed "detected-only", but then I noticed that the action was "content-disarmed" so I looked in the CLI https://vidmate.cool/.In the CLI, checking the actual content-disarm section of the av profile I get: https://showbox.bio/ config content-disarm set original-file-destination discard set office-macro enable ...everything else enabled... set detect-only disable So it looks like content-disarm has been enabled since our upgrade, even though the GUI says it isn't enabled https://tutuapp.uno/.Trying to turn content disarm "On" in the GUI gives me the error "Value conflicts with system settings.". So I can't use the GUI to turn this on and off. I can set detect-only enable in the CLI though.Anybody else run into this?

 

dbaddorf
New Contributor

After working through the problem with Tech Support, here is the process to enable:

System - Feature Visibility - Policy Advanced Options - Enable. 

Policy & Objects - Protocol Option – Clone the default policy.  (don't need to enable Block Oversized File/Email) 

config firewall profile-protocol-options 

[/ul] edit <cloned profile name> 

config smtp 

set options fragmail oversize   # was set options fragmail splice 

[/ul] Change firewall policies to use new Protocol Option. 

Security Profiles – AntiVirus - <policy> - APT Protection Options – Content Disarm and Reconstruction - Enable. 

Note: Firewall policies need to be Proxy-Based. 

[/ul]
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors