CSCva10734

gcook0001 — Fri, 28 Jan 2022 19:18:35 GMT

I am wondering if anyone else is running into this issue where Firepower is blocking archive files. It seems there is a bug that has been around for 10 versions of the software.

Symptom: When transmitting an archive (GZ, ZIP, etc.) through a Firepower sensor that contains clear text files, the archive may be blocked with the 'Archive Block (Failed to Inspect) action if the traffic is sent via clear text (such as HTTP). This is due to a known limitation in software used for the inspection. Conditions: This issue may be seen if the FMC File policy rule is configured to "Inspect Archives" along with the "Block Uninspectable Archives" option being enabled. This does NOT affect HTTPS traffic unless decryption is also being performed on the Firepower appliance. Workaround: Disable "Block Uninspectable Archive" from File policy rule Advanced setting. Alternatively, this issue has also been observed when a web server compresses files on-the-fly (such as compressed AXD files from Microsoft IIS). In those scenarios, it may be possible to disable compression on the web server to avoid this scenario.

I am wondering what everyone is doing with this. I find that disabling a security feature on the firewall as a solution is not acceptable. Especially if this bug has been around for 10 versions as indicated in the bug report.

Re: CSCva10734

Aref Alsouqi — Sat, 29 Jan 2022 21:40:27 GMT

I agree, typically I wouldn't want to turn off a security feature on a security device to accommodate some software bugs, however, in this specific case, I think if your endpoints have a solid endpoint protection system, it would be a forced acceptable solution.

Re: CSCva10734

c_s1 — Tue, 11 Apr 2023 21:11:47 GMT

Are there any software versions for FMC that this issue is not happening on?

topic Re: CSCva10734 in Network Security

CSCva10734

Re: CSCva10734

Re: CSCva10734