Administration Guide

Creating an FTP file check rule

You can create FTP file check rules so that FortiWeb places restrictions on uploading or downloading files and scans files that clients attempt to upload to or download from your server(s). When configured, FortiWeb can also send files to FortiSandbox for analysis and perform an antivirus scan.

For details about applying an FTP file check rule to an FTP server policy, see Configuring an FTP security inline profile.

To create an FTP file check rule

If FTP security isn't enabled in Feature Visibility, you must enable it before you can create an FTP file check rule. To enable FTP security, go to System > Config > Feature Visibility and enable FTP Security.

  1. Go to FTP Security > FTP File Security.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
  4. Configure these settings:

    Name

    Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    The default value is Alert & Deny.

    Note: This setting will be ignored if Monitor Mode is enabled in a server policy.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

    Block Period

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds (1 hour). See also Monitoring currently blocked IPs.

    This setting is available only if Action is set to Period Block.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is Medium.

    Trigger Action

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.

    File Check Direction

    Select one of the following:

    • Uploading—FortiWeb applies the rule to files being uploaded to your server(s).
    • Downloading—FortiWeb applies the rule to files being downloaded from your server(s).
    • Both—FortiWeb applies the rule to files being either downloaded from or uploaded to your server(s).

    AntiVirus Scan

    Enable so that FortiWeb performs an antivirus scan on files that match the File Check Direction.

    Send Files to FortiSandbox

    Enable so that FortiWeb sends files to FortiSandbox that match the File Check Direction.

    Also specify the FortiSandbox settings for your FortiWeb. For details, see To configure a FortiSandbox connection.

    FortiSandbox evaluates the file and returns the results to FortiWeb.

    If AntiVirus Scan is enabled and FortiWeb detects a virus, it does not send the file to FortiSandbox.

    Send Files to ICAP Server

    Enable so that FortiWeb sends files that match the File Check Direction to the ICAP server.

    Also specify the ICAP server settings for your FortiWeb. For details, see Limiting file uploads.

    The ICAP server scans the file and returns the result to FortiWeb.

    If AntiVirus Scan is enabled and FortiWeb detects a virus, it does not send the file to the ICAP server.

  5. Click OK.
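The settings above interact in ways that are easy to misread when they are listed one at a time: File Check Direction decides whether a transfer is inspected at all, an antivirus detection stops the file from being forwarded to FortiSandbox or the ICAP server, Monitor Mode overrides the Action, and Period Block keeps per-client state that expires after Block Period seconds. The following Python model is an added example written for this page, not FortiWeb code or a FortiWeb API: the class names, the scanner stubs (which use the harmless EICAR test string and two constructed markers) and the injected clock are all assumptions made for illustration, and the Monitor Mode branch assumes "ignored" means the violation is logged but the file is accepted.

```python
"""Toy model of how an FTP file check rule's settings interact (added example, not FortiWeb code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ACTIONS = ("Alert", "Alert & Deny", "Deny (no log)", "Period Block")
SEVERITIES = ("Informative", "Low", "Medium", "High")
DIRECTIONS = ("Uploading", "Downloading", "Both")
# EICAR anti-malware test string: the industry-standard harmless detection test.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class FtpFileCheckRule:
    name: str
    action: str = "Alert & Deny"   # page default
    block_period: int = 60         # seconds; only meaningful for Period Block
    severity: str = "Medium"       # page default
    direction: str = "Both"
    antivirus_scan: bool = False
    send_to_fortisandbox: bool = False
    send_to_icap: bool = False

    def __post_init__(self) -> None:
        # Name: at most 63 characters, no spaces or special characters (underscore/hyphen allowed here).
        if not 0 < len(self.name) <= 63 or not self.name.replace("_", "").replace("-", "").isalnum():
            raise ValueError("name must be 1-63 characters without spaces or special characters")
        if self.action not in ACTIONS or self.severity not in SEVERITIES or self.direction not in DIRECTIONS:
            raise ValueError("invalid action, severity or direction")
        # Block Period is only valid in the range 1-3600 seconds and only applies to Period Block.
        if self.action == "Period Block" and not 1 <= self.block_period <= 3600:
            raise ValueError("block_period must be between 1 and 3600 seconds")


@dataclass
class Verdict:
    allowed: bool
    logged: bool                    # whether a log message / alert email would be generated
    severity: Optional[str]
    scanners: List[str]             # which engines saw the file, in order
    blocked_until: Optional[int] = None


class FtpFileCheckEngine:
    """Evaluates one rule per transfer and tracks Period Block state per client IP (hypothetical engine)."""

    def __init__(self, rule: FtpFileCheckRule, av: Callable[[bytes], bool], sandbox: Callable[[bytes], bool],
                 icap: Callable[[bytes], bool], monitor_mode: bool = False, clock: Callable[[], int] = lambda: 0):
        self.rule, self.av, self.sandbox, self.icap = rule, av, sandbox, icap
        self.monitor_mode, self.clock = monitor_mode, clock
        self.blocked: Dict[str, int] = {}   # client IP -> time at which its block expires

    def is_blocked(self, client_ip: str) -> bool:
        expiry = self.blocked.get(client_ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:          # block has lapsed; forget the client
            del self.blocked[client_ip]
            return False
        return True

    def evaluate(self, client_ip: str, direction: str, data: bytes) -> Verdict:
        rule = self.rule
        if self.is_blocked(client_ip):       # Period Block: subsequent requests are dropped without rescanning
            return Verdict(False, False, None, [], self.blocked[client_ip])
        if rule.direction != "Both" and rule.direction != direction:
            return Verdict(True, False, None, [])   # File Check Direction does not match: rule not applied
        scanners: List[str] = []
        av_hit = False
        if rule.antivirus_scan:
            scanners.append("antivirus")
            av_hit = self.av(data)
        detected = av_hit
        if not av_hit:   # page: a file the antivirus scan flagged is never sent to FortiSandbox or ICAP
            if rule.send_to_fortisandbox:
                scanners.append("fortisandbox")
                detected = self.sandbox(data) or detected
            if rule.send_to_icap:
                scanners.append("icap")
                detected = self.icap(data) or detected
        if not detected:
            return Verdict(True, False, None, scanners)
        if self.monitor_mode:   # Action is ignored in Monitor Mode; assumed to behave like Alert (log only)
            return Verdict(True, True, rule.severity, scanners)
        if rule.action == "Alert":
            return Verdict(True, True, rule.severity, scanners)
        if rule.action == "Alert & Deny":
            return Verdict(False, True, rule.severity, scanners)
        if rule.action == "Deny (no log)":
            return Verdict(False, False, None, scanners)
        expiry = self.clock() + rule.block_period      # Period Block
        self.blocked[client_ip] = expiry
        return Verdict(False, True, rule.severity, scanners, expiry)


# Constructed scanner stubs standing in for the real engines.
def av_stub(data: bytes) -> bool:
    return EICAR in data

def sandbox_stub(data: bytes) -> bool:
    return b"evil-macro" in data        # pretend FortiSandbox verdict

def icap_stub(data: bytes) -> bool:
    return b"blocked-by-dlp" in data    # pretend ICAP server verdict


def demo() -> Dict[str, Verdict]:
    """Runs a Period Block rule over a constructed sequence of transfers with a fake clock."""
    rule = FtpFileCheckRule("ftp_upload_check", action="Period Block", block_period=300, direction="Uploading",
                            antivirus_scan=True, send_to_fortisandbox=True, send_to_icap=True)
    clock = {"t": 1000}
    engine = FtpFileCheckEngine(rule, av_stub, sandbox_stub, icap_stub, clock=lambda: clock["t"])
    results = {}
    results["download_ignored"] = engine.evaluate("10.0.0.5", "Downloading", EICAR)   # direction mismatch
    results["av_hit"] = engine.evaluate("10.0.0.5", "Uploading", EICAR)               # AV only, then blocked
    results["still_blocked"] = engine.evaluate("10.0.0.5", "Uploading", b"clean")     # within the 300 s block
    clock["t"] += 300
    results["clean_after_expiry"] = engine.evaluate("10.0.0.5", "Uploading", b"clean")  # all three engines run
    results["sandbox_hit"] = engine.evaluate("10.0.0.6", "Uploading", b"evil-macro")
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} {verdict}")
```

The fake clock and stub scanners exist so the sequence is reproducible offline; in the product the same ordering means a Period Block client is never rescanned until the block lapses, which is worth remembering when reading the attack log for a client you expect to see repeatedly.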
