File filter
File Filter allows the Web Filter profile to block files passing through a FortiGate based on file type.
HTTP and FTP File Filtering is configurable in Web Filter profile.
File Filtering in Web Filter profile is based on file type (file's meta data) only, and not on file size or file content. You need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers, or regexp.
File filtering only works on proxy mode policies.
Supported file types
The following file types are supported in File Filter and DLP profiles:
|
File Type Name |
Description |
|---|---|
|
.net |
Match .NET files |
|
7z |
Match 7-zip files |
|
activemime |
Match activemime files |
|
arj |
Match arj compressed files |
|
aspack |
Match aspack files |
|
avi |
Match avi files |
|
base64 |
Match base64 files |
|
bat |
Match Windows batch files |
|
bin |
Match bin files |
|
binhex |
Match binhex files |
|
bmp |
Match bmp files |
|
bzip |
Match bzip files |
|
bzip2 |
Match bzip2 files |
|
cab |
Match Windows cab files |
|
chm |
Match Windows compiled HTML help files |
|
class |
Match class files |
|
cod |
Match cod files |
|
crx |
Match Chrome extension files |
|
dmg |
Match Apple disk image files |
|
elf |
Match elf files |
|
exe |
Match Windows executable files |
|
flac |
Match FLAC files |
|
fsg |
Match fsg files |
|
gif |
Match gif files |
|
gzip |
Match gzip files |
|
hlp |
Match Windows help files |
|
hta |
Match hta files |
|
html |
Match html files |
|
iso |
Match ISO archive files |
|
jad |
Match jad files |
|
javascript |
Match javascript files |
|
jpeg |
Match jpeg files |
|
lzh |
Match lzh compressed files |
|
mach-o |
Match Mach object files |
|
mime |
Match mime files |
|
mov |
Match mov files |
|
mp3 |
Match mp3 files |
|
mpeg |
Match mpeg files |
|
msc |
Match msc files |
|
msi |
Match Windows Installer msi bzip files |
|
msoffice |
Match MS-Office files. For example, doc, xls, ppt, and so on. |
|
msofficex |
Match MS-Office XML files. For example, docx, xlsx, pptx, and so on. |
|
|
Match pdf files |
|
petite |
Match petite files |
|
png |
Match png files |
|
prc |
Match prc files |
|
rar |
Match rar archives |
|
rm |
Match rm files |
|
sis |
Match sis files |
|
tar |
Match tar files |
|
tiff |
Match tiff files |
|
torrent |
Match torrent files |
|
unknown* |
Match unknown files |
|
upx |
Match upx files |
|
uue |
Match uue files |
|
wav |
Match wav files |
|
wma |
Match wma files |
|
xar |
Match xar archive files |
|
xz |
Match xz files |
|
zip |
Match zip files |
* This file type is only available in DLP profiles.
Example
In the following example, three file filters are used in the Web Filter profile:
- Block PDFs from entering our leaving the network (filter1).
- Log the download of some graphics file-types via HTTP (filter2).
- Block executable files from leaving to the network over FTP (filter3).
To configure a file-type based web filter in the CLI:
config webfilter profile
edit "webfilter-file-filter"
config file-filter
set status enable
set log enable
set scan-archive-contents enable
config entries
edit "filter1"
set comment "Block PDF files"
set protocol http ftp
set action block
set direction any
set encryption any
set file-type "pdf"
next
edit "filter2"
set comment "Log graphics files"
set protocol http
set action log
set direction incoming
set encryption any
set file-type "jpeg" "png" "gif"
next
edit "filter3"
set comment "Block upload of EXE files"
set protocol ftp
set action block
set direction outgoing
set encryption any
set file-type "exe"
next
end
end
next
end
After configuring file filters in Web Filter profile, apply it to a firewall policy:
config firewall policy
edit 1
set name "client-to-internet"
set srcintf "dmz"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set utm-inspection-mode proxy
set logtraffic all
set webfilter profile "webfilter-filefilter"
set profile-protocol-options "protocol"
set ssl-ssh-profile "protocols"
set nat enable
next
end
To view the file filter logs:
# execute log filter category utm-file-filter # execute log display
File filter block action:
1: date=2020-06-25 time=10:10:38 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" eventtime=1593047438715790048 tz="+0900" policyid=1 sessionid=206159 srcip=10.0.0.20 srcport=46172 srcintf="port1" srcintfrole="lan" dstip=10.0.10.20 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" profile="default" direction="incoming" action="blocked" url="http://www.fortitest.jp/download/test.pdf" hostname="www.fortitest.jp" agent="curl/7.58.0" filtername="test" filename="test.pdf" filesize=17556 filetype="pdf" msg="File was blocked by file filter."
File filter log action:
2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="vd1" eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."
To configure a file-type based web filter in the GUI:
- Go to Security Profiles > Web Filter.
- Click Create New or select an existing profile and click Edit.
- Enable File Filter.
- Enable Log and Scan Archived Contents.
- In the File Filter table, click Create New.
- Configure the filters:
- filter1 blocks PDFs from entering our leaving the network .
- filter2 logs the download of some graphics file-types via HTTP .
- filter3 blocks EXE files from leaving to the network over FTP .
- filter1 blocks PDFs from entering our leaving the network .
- Click OK.
- Add the new web filter profile to a firewall policy.
- To see if there are file filter logs, go to VDOM > Log & Report > Forward Traffic. Select an entry and view the Log Details. The number of file filter logs for that entry is listed in the Other category.
File filter logs can only be viewed in the CLI.
