This article describes how FortiGate blocks a file when archive-block is set to mailbomb in the antivirus profile.
Scope
FortiGate.
Solution
Configuration.
Profile Options:
config firewall profile-protocol-options
    edit "TEST_OPTION"
        set comment "All default services."
        set oversize-log enable
        config HTTP
            set ports 80
            unset options
            unset post-lang
        end
    next
end
Antivirus Profile:
config antivirus profile
    edit "TEST_AV"
        set comment "Scan files and block viruses."
        config http
            set av-scan block
            set archive-block mailbomb
        end
        set extended-log enable
    next
end
Firewall Policy:
config firewall policy
    edit 1
        set name ""
        set uuid f868afee-07c6-51ef-d375-8260c0ef7aaa
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "x.x.x.x"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "TEST_OPTION"
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "TEST_AV"
        set logtraffic all
        set nat enable
    next
end
Result: the file cannot be downloaded.
The AntiVirus log shows that the file is blocked with the reason ‘File reached uncompressed size limit’.
The FortiGate blocked the file because it was detected as an archive bomb (zip bomb): it has a high compression ratio.
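To check offline whether a blocked archive really has the properties described above before considering an exception, the following added example (not Fortinet code) reports a ZIP's declared uncompressed size and compression ratio and inflates it in bounded chunks. The function names, the sample data and both limits are assumptions chosen for illustration and do not reflect FortiGate's internal thresholds.

```python
import io
import zipfile

# Assumed limits for illustration; these are not FortiGate's internal values.
SIZE_LIMIT = 10 * 1024 * 1024   # maximum total uncompressed bytes
RATIO_LIMIT = 100               # maximum uncompressed/compressed ratio
CHUNK = 64 * 1024

def build_zip(members):
    """Build a constructed sample ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def check_archive(data, size_limit=SIZE_LIMIT, ratio_limit=RATIO_LIMIT):
    """Return (verdict, details) for a ZIP held in memory; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
        read = 0
        # Inflate in chunks and stop once the limit is passed, so the check
        # never holds the fully expanded content in memory.
        for info in infos:
            with zf.open(info) as member:
                while read <= size_limit:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    read += len(chunk)
            if read > size_limit:
                break
    ratio = declared / max(compressed, 1)
    reasons = []
    if declared > size_limit or read > size_limit:
        reasons.append("uncompressed size limit reached")
    if ratio > ratio_limit:
        reasons.append("high compression ratio")
    details = {"declared": declared, "compressed": compressed,
               "ratio": round(ratio, 1), "read": read, "reasons": reasons}
    return ("block" if reasons else "pass"), details

if __name__ == "__main__":
    sample = build_zip({"zeros.bin": bytes(2 * 1024 * 1024)})  # constructed sample
    print(check_archive(sample, size_limit=1024 * 1024))
```

A legitimate file that trips both checks here (for example a sparse disk image or a log full of repeated lines) is a candidate for a scoped exception rather than for disabling archive-block.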