Configuring temporary decompression for scanning & rewriting

Similar to SSL/TLS inspection, in order for some features to function, you must configure the appliance for compression inspection, or to decompress and then re-compress traffic.

If the HTTP body is compressed, FortiWeb cannot parse it for rewriting, nor scan for potential problems such as a data leak or virus. Traffic that is encrypted and/or compressed is not a normalized stream. Bodies of compressed responses effectively have low-grade encryption: they are not in clear text, and therefore do not match signatures, and cannot be rewritten.

If your protected web servers compress files themselves (i.e. compression has not been offloaded to FortiWeb), configure a FortiWeb decompression policy.

You can configure FortiWeb to temporarily decompress the body of a response based on its file type, which is specified by the HTTP Content‑Type: header. The appliance can then inspect the traffic. After, if there is no policy-violating content nor rewriting required, the FortiWeb appliance will allow the compressed version of the response to pass. Otherwise, if modification is required, FortiWeb will modify the response before re-compressing it and passing it to the client.


	The maximum compressed file size that FortiWeb can decompress is configured in Maximum Antivirus Buffer Size. By default, files larger than that limit are passed along without scanning or modification. This could allow malware to reach your web servers, and cause HTTP body rewriting to fail. If you prefer to block requests greater than this buffer size, configure Body Length. To be sure that it will not disrupt normal traffic, first configure Action to be Alert. If no problems occur, switch it to Alert & Deny.


	The response headers must include Content-Encoding: gzip in order to match the decompression policy. Other compression algorithms are not currently supported.

2. Before you configure the decompression policy, configure the exceptions, if any, that you want it to include. See “Configuring compression/decompression exemptions”.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.

5. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

7. From Exclusion URL, you can select an existing exclusion. (See“Configuring compression/decompression exemptions”.)

Optionally, select an exclusion and click the Detail link. The exclusion dialog appears. You can view and edit the exclusion. Use the browser Back button to return.

9. In the Content Types list, select the content types that you want to decompress, then click the right arrow (->) to move them to the Allow Types list.

For external JavaScripts, content type strings vary. If you are unsure of the content type string, for maximum coverage, select all JavaScript content type strings. However, due to wide browser compatibility, despite its current deprecated status, many web servers use text/javascript.


	These decompress only JavaScripts that are external to a web page — that is, not directly embedded in a <script> tag or inline in the HTML document itself, but instead included via reference to a JavaScript file, such as <script src="/nav/menu.js">, and therefore are contained in a separate HTTP response from the HTML document. Likewise, selecting the text/css content type for compression will only compress external CSS. It will not decompress CSS embedded directly within the HTML file. (Embedded CSS or JavaScript are governed by Content-Type: text/html instead.)