Hi all,
We have 2 X 100D Hardware Appliances running firmware version 6.0.1 (build 0131 GA) in NAT (Flow-based) Mode (HA: Active-Passive).
Recently I have noticed that in the GUI under Log & Report > AntiVirus, there has been an upsurge in files being blocked by the FortiGates. As they are mostly .cab files originating from Microsoft, I'm working on the assumption that they are related to client laptops on our wireless network attempting to update via Windows Update.
No explanation is given in the logs, other than the file was blocked as it was "infected". We are not running deep inspection on our Internet traffic and as these were HTTP requests I don't think SSL/SSH Inspection is interfering here.
Could someone please shine a light on what the issue may be here and how I can resolve it?
Many thanks for your kind assistance.
Best regards,
John P
Hi Heisenberg,
What IPS Engine Version are you running? Fortinet Support supplied me with v4.00022 (we were running v4.00021 when this issue first occurred) and the issue now seems resolved. Cab files are now being 'let' through the firewall. I don't think changing the uncompressed file size limit will make any difference if you are still on the old IPS Engine Version. We were still seeing files blocked that were in excess of 10MB.
John P
Hi,
I have opened a case and at the end I was given the IPS engine 4.00203 for manual update. (Previously I had the same IPS version you stated.)
They even said this issue will be fixed in the next "upcoming" 6.0.3GA.
Files (not only .cab) that were "blocked" previously are now "monitored" and flow correctly.
I am having the same issue - a cab update from Microsoft is being blocked for being too large, however I cannot find any option in my 6.02 FortiOS to change it or disable blocking by file size. Any ideas?
Are you saying that disabling IPS (but keeping AV) on a policy will solve this?
This issue started for me very recently, can't put my finger on exactly when but within the past few weeks.
On my end this issue was specific to patching Windows 7 workstations.
FortiAnalyzer flushed out the blocked traffic.
To get around this I added a web filter rule:
URL: *.windowsupdate.com/*
Type: Wildcard
Action: Exempt
Adding that rule fixed this issue in my environment.
I have to assume that Windows 7 updates are now failing AV inspection?
Specifying the action as "Allow" in the URL filter may not allow the URL access. This is because any attempt to access a URL that matches a URL pattern with an allow action is permitted. The traffic is passed to the remaining antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning, which may block the URL access. Hence, setting the action as exempt allows URL access. However, specifying the action as "Exempt" for a URL in a web site bypasses the following security services:
- activex-java-cookie - ActiveX, Java, and cookie filtering.
- av - Antivirus filtering.
- dlp - DLP scanning.
- filepattern - File pattern matching.
- fortiguard - FortiGuard web filtering.
- pass - Pass single connection from all.
- range-block - Exempt range block feature.
- web-content - Web filter content matching.
Hi,
Please check the post below.
https://forum.fortinet.com/tm.aspx?m=117948
You can find this option under Policy&Objects > Policy > Proxy Options, Common Options. Check 'Block Oversized File/Email' and enter a limit in MB.
Copyright 2024 Fortinet, Inc. All Rights Reserved.