Error: "Misconfiguration Detected" when clicking download button in Document Isolation
Article ID: 396910
Updated On:
Products
Issue/Introduction
When document isolation is configured on the Web Isolation tenant, documents will be displayed in the Document Isolation Viewer like:
However, when clicking the download button you receive the error:
You may also encounter the same error screen in Cloud Secure Web Gateway(CloudSWG).
The workaround is provided at the bottom of the Additional info of "Case of CloudSWG" section.
Cause
The error is due to the document file types associated with View Action in the Download Profile. Even though "View Action" is configured, the download button is still present and clickable, causing this error when clicked. While Web Isolation enforces the "View Action" properly, it displays the warning.
Resolution
To mitigate the error, Web Isolation has the feature to disable the download button in the Document Isolation Viewer.
- Login to Web Isolation Console
- Go to Profiles - Download Profiles
- Edit the default download profile or the download profile tied to the Isolation rule you want to apply the profile to.
- Click "Edit" Advanced Settings and CHECK the following and click on "Update"
fileViewer.disableDownload
- Push Settings
Additional Information
If you want to allow users to download files from the Viewer, change Order 2 Document Isolation Download Rule in My Policy to Active.
[Note] By default, the Document Isolation Download Rule is inactive.
Click the Push Setting button when you set to Active the Document Isolation Download Rule.
Please exercise caution if you are configuring a Document Isolation Rule using the default Document Isolation Download Profile.
As noted in the Caution section of the Web Isolation manual, setting the policy to "View" under "File Types" in the default Document Isolation Download Profile will cause a loop.
This occurs because the Document Isolation Download Rule uses the default Document Isolation Download Profile by default, creating a recursive trigger.
If you are using Document Isolation and intend to allow users to download the viewed page content as a PDF file, we strongly recommend creating and using a dedicated, custom Download Profile specifically for Document Isolation, as demonstrated in the rule below.
Case of CloudSWG
In CloudSWG, when you click the download button in the Document Isolation Viewer, the file is downloaded from "https://doc-isolation-prod.prod.fire.glass/".
The downloaded file is then subjected to another AV (Anti-Virus) scan.
When you download a password-protected file as a PDF, it is downloaded as an unprotected file, such as clean_XXXXXXXXXXX.xlsx.pdf.
However, because the original source data (e.g., the .xlsx file) retains its password protection, the subsequent AV scan triggers the "Scanning Error Handling" process in CloudSWG. Consequently, the download is blocked, and the error screen is displayed.
As a workaround, you will need to configure the Policy>Content & Malware Analysis>Scanning Error Handling settings in CloudSWG.
By setting the URL to doc-isolation-prod.prod.fire.glass and adding an exclusion as shown below, the behavior will become equivalent to that of the Web Isolation Cloud.
Feedback
