ISOffice
Contributor

Windows Update - Files Blocked

Hi all,

We have 2 X 100D Hardware Appliances running firmware version 6.0.1 (build 0131 GA) in NAT (Flow-based) Mode (HA: Active-Passive).

Recently I have noticed that in the GUI under Log & Report > AntiVirus, there has been an upsurge in files being blocked by the FortiGates. As they are mostly .cab files originating from Microsoft I'm working on the assumption that they are related to clients laptops on our wireless network attempting to update via Windows Update.

No explanation is given in the logs, other than the file was blocked as it was "infected". We are not running deep inspection on our Internet traffic and as these were HTTP requests I don't think SSL/SSH Inspection is interfering here.

Could someone please shine a light on what the issue may be here and how I can resolve it?

Many thanks for your kind assistance.

Best regards,

John P

19 REPLIES
ISOffice

Hi Heisenberg,

What IPS Engine Version are you running? Fortinet Support supplied me with v4.00022 (we were running v4.00021 when this issue first occurred) and the issue now seems resolved. Cab files are now being 'let' through the firewall. I don't think changing the uncompressed file size limit will make any difference if you are still on the old IPS Engine Version. We were still seeing files blocked that were in excess of 10MB.

John P

heisenberg
New Contributor III

Hi,

I have opened a case and at the end I was given the IPS engine 4.00203 for manual update (previously I had the same IPS version you stated).

They even said this issue will be fixed in the next "upcoming" 6.0.3GA

Files (not only .cab) that were "blocked" previously are now "monitored" and flow correctly.


mlines
New Contributor II

I am having the same issue - a cab update from Microsoft is being blocked for being too large, however I cannot find any option in my 6.02 FortiOS to change it or disable blocking by file size. Any ideas?

heisenberg
New Contributor III

You need the upgraded IPS engine from support, or wait until October, or disable antivirus. There is no other way to solve it.

mlines
New Contributor II

Are you saying that disabling IPS (but keeping AV) on a policy will solve this?

syscom
New Contributor

This issue started for me very recently, can't put my finger on exactly when but within the past few weeks.

On my end this issue was specific to patching Windows 7 workstations.

FortiAnalyzer flushed out the blocked traffic.

To get around this I added a web filter rule:

URL: *.windowsupdate.com/*

Type: Wildcard

Action: Exempt


Adding that rule fixed this issue in my environment.

I have to assume that Windows 7 updates are now failing AV inspection?
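The same exemption expressed in the FortiOS CLI, as an added example that is not syscom's own configuration: the `set exempt` line limits the bypass to antivirus scanning, so FortiGuard web filtering, DLP and the other services that a blanket Exempt would skip still apply to windowsupdate.com. Assumptions: URL filter table id 1, the web filter profile named "default", and that exempting `av` alone is enough to clear the oversize block; confirm against Log & Report > AntiVirus after applying.

```text
# Added example: scoped URL filter exemption for Windows Update traffic.
# Table id 1 and the entry name below are assumptions, not values from the thread.
config webfilter urlfilter
    edit 1
        set name "windowsupdate-exempt"
        config entries
            edit 1
                set url "*.windowsupdate.com/*"
                set type wildcard
                set action exempt
                # Bypass antivirus scanning only; web-content, fortiguard, dlp
                # and the other exempt options keep inspecting this traffic.
                set exempt av
                set status enable
            next
        end
    next
end
# Attach the table to the web filter profile used by the Internet policy
# (profile name "default" is an assumption).
config webfilter profile
    edit "default"
        config web
            set urlfilter-table 1
        end
    next
end
```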

Ashik_Sheik

Specifying action as "Allow" in the URL filter may not allow the URL access. This is because any attempt to access a URL that matches a URL pattern with an allow action is permitted, but the traffic is passed to the remaining antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning, which may block the URL access. Hence, setting the action as exempt allows URL access. However, specifying action as "Exempt" for a URL in web site bypasses the following security services:

- activex-java-cookie - ActiveX, Java, and cookie filtering.
- av - Antivirus filtering.
- dlp - DLP scanning.
- filepattern - File pattern matching.
- fortiguard - FortiGuard web filtering.
- pass - Pass single connection from all.
- range-block - Exempt range block feature.
- web-content - Web filter content matching.

Ashu

syscom

Fresh eyes this morning.

Looking more closely at the FortiAnalyzer details it is obvious that the issue is with the file size.


Ashik_Sheik

Hi,

Please check the post below.

https://forum.fortinet.com/tm.aspx?m=117948

You can find this option under Policy&Objects > Policy > Proxy Options, Common Options. Check 'Block Oversized File/Email' and enter a limit in MB.

Ashu

syscom

Final resolution for me was upgrading the IPS engine to v4.00022

Under System > FortiGuard > Intrusion Prevention (screenshot attached)
