01-28-2022 11:18 AM
I am wondering if anyone else is running into this issue where Firepower is blocking archive files. It seems there is a bug that has been around for 10 versions of the software.
Symptom: When transmitting an archive (GZ, ZIP, etc.) through a Firepower sensor that contains clear text files, the archive may be blocked with the 'Archive Block (Failed to Inspect)' action if the traffic is sent via clear text (such as HTTP). This is due to a known limitation in software used for the inspection.

Conditions: This issue may be seen if the FMC File policy rule is configured to "Inspect Archives" along with the "Block Uninspectable Archives" option being enabled. This does NOT affect HTTPS traffic unless decryption is also being performed on the Firepower appliance.

Workaround: Disable "Block Uninspectable Archive" from File policy rule Advanced setting. Alternatively, this issue has also been observed when a web server compresses files on-the-fly (such as compressed AXD files from Microsoft IIS). In those scenarios, it may be possible to disable compression on the web server to avoid this scenario.
I am wondering what everyone is doing with this. I find that disabling a security feature on the firewall as a solution is not acceptable, especially if this bug has been around for 10 versions as indicated in the bug report.
01-29-2022 01:40 PM
I agree. Typically I wouldn't want to turn off a security feature on a security device to accommodate some software bugs; however, in this specific case, I think if your endpoints have a solid endpoint protection system, it would be a forced acceptable solution.
04-11-2023 02:11 PM
Are there any software versions for FMC that this issue is not happening on?