Fortinet 460 FortiWeb 5.0 Patch 6 Administration Guide
See also
Sequence of scans
Configuring decompression to enable scanning & rewriting
If the HTTP body is compressed, FortiWeb cannot parse it for rewriting, nor scan it for potential
problems such as a data leak or virus. Traffic that is encrypted and/or compressed is not a
normalized stream. Bodies of compressed responses effectively have low-grade encryption:
they are not in clear text, and therefore do not match signatures and cannot be rewritten.
How, then, can you scan or rewrite compressed traffic?
If your protected web servers compress files themselves (i.e. compression has not been
offloaded), configure a FortiWeb decompression policy.
You can configure FortiWeb to temporarily decompress the body of a response based on its file
type, which is specified by the HTTP Content-Type: header. Afterwards, if there is no
policy-violating content and no rewriting is required, the FortiWeb appliance will allow the
compressed version of the response to pass. Otherwise, if modification is required, FortiWeb
will modify the response before re-compressing it and passing it to the client.
To configure a decompression policy
1. Configure your web servers to compress their responses.
2. Before you configure the decompression policy, configure the exceptions, if any, that you
want it to include. See “Configuring compression/decompression exemptions” on page 456.
3. Go to Application Delivery > Compression > File Uncompress Policy.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
The maximum compressed file size that FortiWeb can decompress is configured in Maximum
Antivirus Buffer Size. By default, files larger than that limit are passed along without scanning
or modification. This could allow malware to reach your web servers, and cause HTTP
body rewriting to fail. If you prefer to block requests greater than this buffer size, configure
Body Length. To be sure that it will not disrupt normal traffic, first configure Action to be Alert.
If no problems occur, switch it to Alert & Deny.
The response headers must include Content-Encoding: gzip in order to match the
decompression policy. Other compression algorithms are not currently supported.
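
The decision flow this section describes, modeled in Python as an added example (not Fortinet code and not how FortiWeb is implemented): it shows a signature missing a compressed body, matching once the body is inflated, and an oversized body passing unscanned. The content types, the signature, the buffer sizes, the inflated-size cap, the function names and the verdict strings are all assumptions made for the illustration.

```python
import re
import zlib

# Constructed values for illustration; not FortiWeb defaults or internals.
POLICY_TYPES = {"text/html", "text/plain"}         # Content-Types the policy covers
SIGNATURE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # sample data-leak pattern
MAX_CLEAR = 1 << 20                                # assumed cap on inflated size


def inspect_response(headers, body, max_buffer=4096, block_oversize=False):
    """Return (verdict, bytes_to_forward) for one HTTP response body."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    clear = body
    if h.get("content-encoding") == "gzip" and ctype in POLICY_TYPES:
        if len(body) > max_buffer:
            # Over the buffer limit: skipped by default, blocked only on request.
            return ("deny-oversize", None) if block_oversize else ("pass-unscanned", body)
        try:
            inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
            clear = inflater.decompress(body, MAX_CLEAR)
        except zlib.error:
            return "pass-unscanned", body  # malformed gzip cannot be inspected
        if inflater.unconsumed_tail:
            return "pass-unscanned", body  # inflated size exceeds MAX_CLEAR
    # Any other encoding (deflate, br, ...) is scanned as opaque bytes.
    if SIGNATURE.search(clear):
        return "block", None
    return "pass", body  # clean: the original compressed bytes go through


def sample_bodies():
    """Constructed response body in clear, gzip and zlib-deflate form."""
    page = b"<html>" + b"<p>id 123-45-6789</p>" * 20 + b"</html>"
    gz = zlib.compressobj(wbits=16 + zlib.MAX_WBITS)
    return page, gz.compress(page) + gz.flush(), zlib.compress(page)
```

Every "pass-unscanned" verdict marks a response that reaches the client without inspection, which is the gap the Body Length constraint above is meant to close.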