Support Forum
Wayne11
Contributor

ZIP blocked without being in pattern list

Hi, after we updated from 4.3.14 to 5.0.4 some file types are blocked, even if those are not listed in the file pattern lists.
config dlp filepattern
    edit 1
        set comment "block in emails"
        config entries
            edit "*.bat"
            next
            edit "*.com"
            next
            edit "*.dll"
            next
            edit "*.exe"
            next
            edit "*.gz"
            next
            edit "*.hta"
            next
            edit "*.scr"
            next
            edit "*.tar"
            next
            edit "*.tgz"
            next
            edit "*.vb?"
            next
            edit "*.wps"
            next
            edit "*.pif"
            next
            edit "*.cpl"
            next
            edit "*.pif*"
            next
            edit "*.vb"
            next
            edit "*.msi"
            next
            edit "*.msp"
            next
            edit "*.sct"
            next
            edit "*.cmd"
            next
            edit "*.dbx"
            next
            edit "*.wab"
            next
            edit "*.js"
            next
            edit "*.lha"
            next
            edit "*.lzh"
            next
            edit "*.reg"
            next
            edit "*.swf"
            next
            edit "*.sys"
            next
            edit "*.asm"
            next
            edit "*.cgi"
            next
            edit "*.dcx"
            next
            edit "*.dtd"
            next
            edit "*.ocx"
            next
            edit "*.tmp"
            next
            edit "*.bin"
            next
            edit "*.css"
            next
            edit "*.drv"
            next
            edit "*.lib"
            next
            edit "*.vxd"
            next
            edit "*.bad"
            next
            edit "*.enc"
            next
            edit "*.mp?"
            next
            edit "*.shs"
            next
            edit "*.mht"
            next
        end
        set name "FileFilter-Mail"
    next
end
 
But the profile blocks those. Here is an example of the DLP log:
 Action: log-only
 DLP Extra Info.: FileFilter-Mail
 Date/Time: 16:44:52
 Destination Port: 25
 Epoch: 811809101
 Event ID: 0
 Event Type: dlp
 File: Case_74Z0EKUGDZ6HIA4.zip
 File Type: zip
 Filter Category: file
 Filter Index: 1
 Filter Type: file-type
 Identity Index: 0
 Log ID: 24577
 Policy ID: 43
 Profile: default
 Received: 50 B
 Sent: 13 KB
 Sequence No.: 237121
 Service: smtp
 Source IP: [United States] xx.201.104.xx
 Sub Type: dlp
 Subject: FW%3A%20IMPORTANT%20-%20Suspicious%20Activity%2074Z0EKUGDZ6HIA4
 Time Stamp: 2013-08-30 16:44:52
 To: info@domain.com
 Type: utm
 Virtual Domain: root
We have only 2 file pattern lists, one for email and one for web, and *.zip isn't listed in them. Not in the GUI and not in the CLI. Any suggestions?
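As an added example that is not from any post in this thread: a small Python check that parses a "config dlp filepattern" CLI dump and a DLP log entry of the shape shown above, then reports which of the list's name globs (if any) match the logged file, next to the log's Filter Type field. Both sample texts are constructed from the post, and the check assumes the CLI entries are shell-style wildcards as written.

```python
import fnmatch
import re
# Constructed sample: a shortened copy of the pattern list posted above.
FILEPATTERN_CLI = """
config dlp filepattern
    edit 1
        config entries
            edit "*.exe"
            next
            edit "*.vb?"
            next
        end
        set name "FileFilter-Mail"
    next
end
"""
# Constructed sample: the fields of the posted DLP log entry used by the check.
DLP_LOG = """
 DLP Extra Info.: FileFilter-Mail
 File: Case_74Z0EKUGDZ6HIA4.zip
 Filter Type: file-type
"""

def parse_filepattern(cli_text):
    """Map each list's 'set name' to the globs under its 'config entries'."""
    lists, name, entries, in_entries = {}, None, [], False
    for s in (ln.strip() for ln in cli_text.splitlines()):
        if s == "config entries":
            in_entries = True
        elif s == "end" and in_entries:
            in_entries = False
        elif in_entries and s.startswith("edit "):
            entries.append(s[5:].strip(' "'))  # also accepts the pasted '" *.bat"' form
        elif s.startswith("set name "):
            name = s[9:].strip(' "')
        elif s == "next" and not in_entries and name is not None:
            lists[name], name, entries = entries, None, []
    return lists

def parse_dlp_log(log_text):
    """Turn the 'Field: value' lines of one log entry into a dict."""
    pairs = (re.match(r"\s*([^:]+):\s*(.*)$", ln) for ln in log_text.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in pairs if m}

def check_hit(cli_text, log_text):
    """Return (list named in the log, file, log's Filter Type, matching name globs)."""
    lists, log = parse_filepattern(cli_text), parse_dlp_log(log_text)
    name, fname = log.get("DLP Extra Info.", ""), log["File"]
    hits = [p for p in lists.get(name, []) if fnmatch.fnmatchcase(fname.lower(), p.lower())]
    return name, fname, log.get("Filter Type", ""), hits
```

For the posted entry the glob list comes back empty, so the hit cannot be explained by a name pattern; the Filter Type field is what the log itself says matched.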
Dave_Hall
Honored Contributor

Action: log-only
This log event entry only states the event was logged -- no indication that the zip file attachment was blocked. Do you have any log events indicating zipped files were actually blocked? Do you have any size limit set on attachment size, say to block or allow them through?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Wayne11
Contributor

Hi Dave, sorry, but I changed the whole DLP profile from block to log-only after I realized it blocks each zip and xlsx file; that's why. But the fact that it detects zip files is the same, whether it blocks or logs those. No, we haven't set a file size limit on the FG. Before the upgrade to 5.0.4 we had the zip in this file pattern list, but I deleted it and it's not in the list anymore. But it still blocks zip files. I checked these 2 pattern lists with CLI and GUI and there isn't any other list. I have no idea where the DLP engine got this zip pattern from. Thx
Ralf_Lauerwald
New Contributor

Hi, I have the same problem! It blocks zip and cab files even if they are not listed in the DLP filter. Did you resolve it? OS = 5.0.6
AndreaSoliva
Contributor III

Hi, only to give here also my comment :) All that is below 5.0.5 is not usable, meaning "buggy", which means also not only one or two bugs. 5.0.5 is or can be used but has also some stuff which is not clean. What is usable is 5.0.6 and I recommend to go asap to 5.0.6. The reason is also the following: if you have a config based on 5.0.5 and you look at the memory, as you do after the upgrade to 5.0.6, you will recognize that you use 15 - 20% less memory, which fully indicates also that 5.0.6 is better and smoother. I also did not recognize any "heavy" bugs for 5.0.6. I really recommend to run any device not lower than 5.0.6. As of information, 5.0.7 is coming approx. beginning of June 2014. 5.2, which will not be GA usable, will come approx. mid to end April 2014. Hope this helps, have fun, Andrea
Ralf_Lauerwald
New Contributor

Hi Andrea, we have 5.0.6 installed and also with that version DLP blocks ZIP and CAB files although they are not listed in the file filter list.
nbctcp

I encountered the same thing in 6.2.3 (VM eval license).

It blocks zip even though zip is not listed in the filepattern.

config dlp filepattern
    edit 1
        set name "DLP-BLOCKFILE"
        config entries
            edit "bat"
                set filter-type type
                set file-type bat
            next
            edit "com"
                set filter-type type
            next
            edit "dll"
                set filter-type type
            next
            edit "exe"
                set filter-type type
            next
            edit "hta"
                set filter-type type
            next
            edit "scr"
                set filter-type type
            next
            edit "pif"
                set filter-type type
            next
            edit "cpl"
                set filter-type type
            next
        end
end

config dlp sensor
    edit "default"
        set comment "Default sensor."
        config filter
            edit 1
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by file-type
                set file-type 2
                set action block
            next
        end
    next
    edit "sniffer-profile"
        set comment "Log a summary of email and web traffic."
        set summary-proto smtp pop3 imap http-get http-post
    next
    edit "DLP-BLOCKSENSOR"
        config filter
            edit 1
                set proto smtp pop3 imap http-get http-post ftp mapi
                set filter-by file-type
                set file-type 1
                set archive enable
                set action block
            next
        end
        set extended-log enable
    next
end

config firewall policy
    edit 1
        set name "FGT1-SWtoWAN"
        set srcintf "FGT1-SW"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set dlp-sensor "DLP-BLOCKSENSOR"
        set logtraffic disable
        set nat enable
    next

http://goo.gl/lhQjmU http://nbctcp.wordpress.com