rmetzger
Staff

Description

This article describes a situation encountered with, for example, real-time trading servers that push price updates to a browser applet as a stream of HTTP chunked messages. The server answers one request with a single, long-lived response: the TCP connection stays open and every update is delivered as one more chunk of the same chunked body.

Example:

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Fri, day-month-year   time GMT
Content-Type: text/html;charset=ISO-8859-1


If this flow passes through the FortiGate Anti-Virus proxy, a problem can arise: the AV proxy must buffer the complete response body before it can scan it and release it to the client, and it recognises the end of a chunked body only from the terminating zero-length chunk. A streaming server never sends that final chunk, so the proxy keeps waiting for the end of the stream, holds the buffered data, and the client receives nothing, which looks as if the flow were being blocked.

A similar situation arises with sites that send streaming responses without a "Content-Length" header: with neither a declared length nor a last chunk, the only end-of-body signal left is the server closing the connection, which a streaming server does not do.
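To make the behaviour concrete, here is an added diagnostic (my own code, not part of this article and not FortiOS or Fortinet code): a streaming decoder for HTTP chunked bodies, a client that fetches a URL and reports how long the first chunk takes to arrive and whether the body was ever terminated, and a constructed localhost stand-in for a quote server that, like the real thing, may never send the last chunk. The sample quote lines, the request path /quotes and the local server are my inventions. Pointing fetch_chunks() at the real server, once directly and once through the FortiGate, shows the issue: the direct run returns the first chunk almost immediately with finished False, while the run through a buffering AV proxy times out with no chunks at all.

```python
"""Streaming HTTP chunked-body decoder plus a probe showing why a proxy that
waits for the end of a never-ending chunked stream stalls the client.
Added example; not FortiOS or Fortinet code."""
import socket
import threading
import time


class ChunkedDecoder:
    """Incrementally decodes a chunked transfer-encoded body.
    feed() takes whatever bytes have arrived (even part of a chunk) and
    returns the payloads of chunks completed by that data. `finished`
    turns True only after the zero-length last-chunk, which a long-lived
    quote feed never sends."""

    def __init__(self):
        self._buf = b""
        self.finished = False

    def feed(self, data):
        self._buf += data
        out = []
        while not self.finished:
            nl = self._buf.find(b"\r\n")
            if nl < 0:
                break                                   # size line incomplete
            size = int(self._buf[:nl].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
            if size == 0:                               # last-chunk, optional trailers, blank line
                end = self._buf.find(b"\r\n\r\n", nl)
                if end < 0:
                    break
                self._buf = self._buf[end + 4:]
                self.finished = True
                break
            start, stop = nl + 2, nl + 2 + size
            if len(self._buf) < stop + 2:
                break                                   # chunk data not fully here yet
            out.append(self._buf[start:stop])
            self._buf = self._buf[stop + 2:]
        return out


def fetch_chunks(host, port, path="/quotes", timeout=1.0):
    """GET path and decode the chunked body as it arrives. Returns the seconds
    until the first chunk, the chunk payloads and whether the last-chunk was
    ever seen. A recv timeout means 'stream still open', which is exactly the
    state a buffering AV proxy sits in for this kind of server."""
    dec = ChunkedDecoder()
    chunks, first, raw, in_body = [], None, b"", False
    with socket.create_connection((host, port), timeout=timeout) as c:
        start = time.monotonic()
        c.sendall(b"GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path.encode(), host.encode()))
        try:
            while not dec.finished:
                data = c.recv(4096)
                if not data:
                    break                               # server closed the connection
                if not in_body:                         # skip status line and headers
                    raw += data
                    sep = raw.find(b"\r\n\r\n")
                    if sep < 0:
                        continue
                    data, in_body = raw[sep + 4:], True
                for payload in dec.feed(data):
                    if first is None:
                        first = time.monotonic() - start
                    chunks.append(payload)
        except socket.timeout:
            pass
    return {"first_chunk_delay": first, "chunks": chunks, "finished": dec.finished}


def _quote_server(srv, chunks, gap, terminate, hold):
    """Constructed stand-in for a quote server: streams the given chunks with a
    pause between them; with terminate=False it holds the connection open and,
    like a real feed, never sends the last-chunk."""
    conn, _ = srv.accept()
    with conn:
        conn.recv(4096)                                  # consume the request
        conn.sendall(b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
                     b"Content-Type: text/html;charset=ISO-8859-1\r\n\r\n")
        for i, payload in enumerate(chunks):
            if i:
                time.sleep(gap)
            conn.sendall(b"%x\r\n%s\r\n" % (len(payload), payload))
        if terminate:
            conn.sendall(b"0\r\n\r\n")
        else:
            time.sleep(hold)                             # keep the stream open
    srv.close()


def probe(chunks, gap=0.2, terminate=True, timeout=1.0):
    """Run the constructed server on a free localhost port and fetch from it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=_quote_server, args=(srv, chunks, gap, terminate, 2 * timeout),
                     daemon=True).start()
    return fetch_chunks("127.0.0.1", port, timeout=timeout)


if __name__ == "__main__":
    quotes = [b"<p>AAPL 101.2</p>", b"<p>AAPL 101.4</p>"]   # constructed sample data
    print(probe(quotes))                                   # finished True
    print(probe(quotes, terminate=False))                  # finished False, like a live feed
</test>
The decoder deliberately does not wait for the whole body: each completed chunk is handed to the caller at once, which is what a client expects from a streaming server and what an AV proxy cannot do while it still has to scan the complete response.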


Scope
FortiOS v3.0 and v4.0
Solution

The protection profile has an option, "chunkedbypass" in the "http" option list, that lets chunked responses bypass AV scanning (*). Note that "set http" replaces the whole list of HTTP options, so every other option you want to keep must be repeated on the same line:


config firewall profile
   edit <protection_profile>
       set http chunkedbypass ...<+ add all other desired options>
   next
end


Once the option is applied, proxy buffering still introduces a delay of a few seconds between requesting the URL and receiving the first data. To reduce this delay, tune the client comforting feature of the same protection profile ("clientcomfort" in the "http" option list, together with the profile's comfort amount and interval settings), which lets the proxy trickle a little data to the client at regular intervals while it is still buffering the rest.
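An added configuration example (mine, not from the article) of combining the bypass with client comforting in a FortiOS 4.0 protection profile. The profile name "trading_stream" and the values are illustrative; the option names shown ("scan", "chunkedbypass" and "clientcomfort" in the http list, "comfortamount" and "comfortinterval" in the profile) are as I recall them for the 3.0/4.0 CLI, so confirm them with the CLI's "?" help in your build, and re-list every http option you need because "set http" overwrites the whole list.

```text
config firewall profile
    edit "trading_stream"
        set http scan chunkedbypass clientcomfort
        set comfortamount 1
        set comfortinterval 5
    next
end
```

With this profile, chunked responses pass through unscanned, other HTTP responses are still scanned, and while the proxy buffers a scanned response it sends the client 1 byte every 5 seconds so the browser does not give up on the connection.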

(*) Bypassing scanning carries the risk inherent to any HTTP flow that is not inspected: content delivered in chunked responses is no longer checked for malware, so limit the profile to the policies that actually need it.

Alternatively, the affected sites can be added to a URL exempt list; traffic matching an exempt entry is not submitted to AV scanning at all, with the same risk as above.


Related Articles

Technical Note: Using the 'web filtering by content header' feature to block or exempt audio / video...
