After upgrade 1.14 there are issues with incorrect policy match rule on the "inspect" action and some requests blocked
Having investigated the reported blocked download, with the fail-open state, the understanding is that the request was blocked because of some scanning failures. please refer to the below.
In case of some failure in scanning the file (e.g. file size is bigger than max file size limit), then the file will be blocked/bypassed according to the ‘Fail Open Policy’ configuration in the upload/download policy. See the fail-open policy in the snippet below.
Upload/Download inspection max file size is 30MB and can be configured via proxy.post_request_forwarding.max_bytes/proxy.inspect.max_response_payload_buffer_allowed_in_bytes under System configuration ->Advanced Configuration. If the file is bigger, then the behavior will be according to the fail-open configuration.
Note: The upload/download policy ‘max file size’ doesn’t control inspection max file size.
So, we recommend having the max. size limit configured to the designed limit, to have the inspect rule apply. Also, please ensure to disable authentication for the affected request/transaction, to take of the issue with incorrect rule match.