Administration Guide

Limiting file uploads

You can configure FortiWeb to perform the following tasks:

  • Restrict file uploads based upon file type and size.
  • Scan uploaded files for viruses.
  • Submit uploaded files to FortiSandbox for evaluation and generate attack log messages for files that FortiSandbox has identified as threats.

Set restrictions according to file type and size in file security rules. Group multiple file security rules into a file security policy. Also use a file security policy to specify how FortiWeb scans for viruses in files.

Restricting uploads by file type and size

To detect and restrict files by type and size, FortiWeb inspects requests whose Content-Type: header is multipart/form-data; boundary=... or application/octet-stream, and parses the files submitted to your web server(s).

For example, if you want to allow only specific types of files (MP3 audio files, PDF text files, and GIF and JPG picture files) to be uploaded to:

HTTP://www.example.com/upload.php

create file security rules that define only those specific file types for that URL. When FortiWeb receives an HTTP PUT or POST request for the /upload.php URL with Host: www.example.com, it scans the HTTP request and allows or blocks the upload according to the specified file types. FortiWeb blocks file uploads for any HTTP request that contains non-specified file types. When you create file security rules that define acceptable file types, you can also specify size limits for those file types.

Restrict uploads by file type and size in file security rules. For details, see Configuring a file security rule.

Note:
  • FortiWeb applies file upload limits based on file type and size only to files that use multipart/form-data and application/octet-stream.
  • For a multipart/form-data upload whose file name is empty, FortiWeb cannot apply file upload rules.
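
The rule logic this section describes, as an added example that is not FortiWeb's code: a small model of an Allow File Types rule with a File Upload Limit applied to a multipart/form-data request, covering the empty-file-name case from the note above and a check that the uploaded bytes match the declared type (the Content-Type spoofing the Antivirus Scan setting addresses below). The signatures table, the rule values and the sample request are constructed for illustration.

```python
"""Added example, not FortiWeb's code: a model of an Allow File Types rule with a
File Upload Limit applied to a multipart/form-data request, as this page describes.
The signature table, rule values and sample request are constructed here."""
import re
from typing import Optional

# Constructed rule for HTTP://www.example.com/upload.php, mirroring the page's example:
# allow only MP3, PDF, GIF and JPG, with a per-file limit in KB (File Upload Limit).
ALLOW_RULE = {"type": "Allow File Types",
              "file_types": {"mp3", "pdf", "gif", "jpg"},
              "upload_limit_kb": 4}  # small constructed limit so the sample stays short

# Minimal magic-byte table used to check the body against the declared type, since the
# file name and Content-Type are attacker-controlled (see Antivirus Scan on this page).
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "zip": (b"PK\x03\x04",),  # MSOOX (.docx/.xlsx/.pptx/.vsdx) is ZIP-compressed XML
}

def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for ftype, magics in SIGNATURES.items():
        if data.startswith(magics):
            return ftype
    return None

def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts (framing only, CRLF line ends)."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")  # drop CRLF after boundary
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        parts.append({"filename": match.group(1) if match is not None else None,
                      "content_type": headers.get("content-type", ""),
                      "data": data[:-2] if data.endswith(b"\r\n") else data})
    return parts

def apply_rule(part: dict, rule: dict) -> tuple:
    """Return (verdict, reason) for one part: ALLOW, BLOCK or SKIP (rule not applicable)."""
    filename = part["filename"]
    if filename is None:
        return "SKIP", "not a file part"
    if filename == "":
        # Page note: with an empty file name FortiWeb cannot apply file upload rules.
        return "SKIP", "empty file name, rule cannot be applied"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff_type(part["data"])
    if sniffed is not None and sniffed != ext:
        # Declared type disagrees with the bytes: the header-spoofing case the page
        # describes, so the upload is blocked rather than trusted.
        return "BLOCK", f"declared {ext!r} but content looks like {sniffed!r}"
    actual = sniffed or ext
    listed = actual in rule["file_types"]
    permitted = listed if rule["type"] == "Allow File Types" else not listed
    if not permitted:
        return "BLOCK", f"file type {actual!r} not permitted by rule"
    size_kb = len(part["data"]) / 1024
    if size_kb > rule["upload_limit_kb"]:
        return "BLOCK", f"{size_kb:.1f} KB exceeds limit of {rule['upload_limit_kb']} KB"
    return "ALLOW", f"{actual} within limit"

def check_upload(body: bytes, boundary: str, rule: dict) -> dict:
    """Map each part's file name to its verdict; a request is blocked if any part is."""
    return {p["filename"]: apply_rule(p, rule)[0] for p in parse_multipart(body, boundary)}

def build_multipart(boundary: str, fields: list) -> bytes:
    """Construct a multipart/form-data body from (name, filename, content_type, data)."""
    out = b""
    for name, filename, ctype, data in fields:
        out += b"--" + boundary.encode() + b"\r\n"
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out += disp.encode() + b"\r\n"
        if ctype:
            out += f"Content-Type: {ctype}".encode() + b"\r\n"
        out += b"\r\n" + data + b"\r\n"
    return out + b"--" + boundary.encode() + b"--\r\n"

# Constructed sample POST to /upload.php with Host: www.example.com.
BOUNDARY = "----FortiWebExample"
SAMPLE_BODY = build_multipart(BOUNDARY, [
    ("title", None, "", b"quarterly report"),                          # plain field
    ("doc", "report.pdf", "application/pdf", b"%PDF-1.7\n%constructed"),
    ("pic", "photo.jpg", "image/jpeg", b"PK\x03\x04" + b"\x00" * 40),  # ZIP named .jpg
    ("song", "track.mp3", "audio/mpeg", b"ID3" + b"\x00" * 5000),      # 4.9 KB > 4 KB
    ("bin", "tool.exe", "application/octet-stream", b"MZ\x90\x00"),
    ("blank", "", "application/octet-stream", b"%PDF-1.4"),            # empty file name
])

if __name__ == "__main__":
    for part in parse_multipart(SAMPLE_BODY, BOUNDARY):
        print(repr(part["filename"]), *apply_rule(part, ALLOW_RULE))
```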

Using FortiSandbox to evaluate uploaded files

You can configure FortiWeb to submit all files that match your upload restriction rules to FortiSandbox. FortiWeb packs each of the files in TAR format and sends the TAR archives to FortiSandbox.

FortiSandbox evaluates whether files pose a threat and returns the results to FortiWeb. If FortiSandbox determines that the file is malicious, FortiWeb performs the following tasks:

  • Generate an attack log message that contains the result (for example, messages with the Alert action in the illustration).
  • Take the action specified in the file security policy. During this time, FortiWeb does not resubmit the file to FortiSandbox (for example, messages with the Alert_Deny action in the illustration).

By default, FortiWeb does not log a file transfer to FortiSandbox. You can manually enable it through the CLI command set elog enable in system fortisandbox. For details, see the FortiWeb CLI Reference:

https://docs.fortinet.com/product/fortiweb/

When elog is enabled, FortiWeb generates a log only if a file is successfully transferred to FortiSandbox. No logs are generated for failed transfers. You can see the logs in Log&Report > Log Access > Event.

Example attack log with FortiSandbox file scan results

To configure a FortiSandbox connection
  1. Go to System > Config > FortiSandbox.
  2. Complete the settings according to the below table:
    FortiSandbox Type
      • FortiSandbox Appliance—Submit files that match the upload restriction rules to a FortiSandbox physical appliance or FortiSandbox-VM.
      • FortiWeb Cloud Sandbox—Submit files to FortiWeb Cloud Sandbox. You need to register your FortiWeb and a FortiWeb FortiGuard Sandbox Cloud Service subscription.
    Server IP/Domain
      Enter the IP address or domain name of the FortiSandbox.
      Available only when FortiSandbox Appliance is selected.
    FortiSandbox Status
      The connectivity status of FortiSandbox is displayed here.
    Cache Timeout
      After it receives the FortiSandbox results, FortiWeb takes the action specified by the file security policy. During this time, it does not re-submit the file to FortiSandbox. The valid range is 1-168 hours. The default value is 72.
    Admin Email
      Enter the email address that FortiSandbox sends weekly reports and notifications to.
    Statistics Interval
      Specifies how often FortiWeb retrieves statistics from FortiSandbox, in minutes. The valid range is 1-60 minutes. The default value is 5.
  3. Click Apply.

Refer to Configuring a file security rule and Creating a file security policy for how to configure the rule and policy for handling threats detected by FortiSandbox.

Using ICAP server to detect threats

The Internet Content Adaptation Protocol (ICAP) is a lightweight HTTP-based protocol, which is generally used to implement virus scanning and content filters in transparent HTTP proxy caches.

You can configure FortiWeb to send all files that match your upload restriction rules to an ICAP server.

The ICAP server evaluates whether files pose a threat and returns the results to FortiWeb. If the ICAP server determines that a file is malicious, FortiWeb performs the following tasks:

  • Generate an attack log message that contains the result.
  • Take the action specified in the file security policy. During this time, FortiWeb does not resubmit the file to the ICAP server.

By default, FortiWeb does not log a file transfer to the ICAP server. You can manually enable it through the CLI command set elog enable in system icapserver. For details, see the FortiWeb CLI Reference:

https://docs.fortinet.com/product/fortiweb/

When elog is enabled, FortiWeb generates a log only if a file is successfully transferred to the ICAP server. No logs are generated for failed transfers. You can see the logs in Log&Report > Log Access > Event.

To enable ICAP server

Before you can begin configuring an ICAP server connection, you have to enable it first.

  1. Go to System > Config > Feature Visibility.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. Locate Additional Features.
  3. Enable ICAP Server.
  4. Click Apply.
To configure an ICAP server connection
  1. Go to System > Config > ICAP Server.
  2. Complete the settings according to the below table:
    Server IP / Domain
      Enter the IP address or domain name of the ICAP server.
    Port
      Enter the port on which the ICAP server is listening.
      When Transmission Encryption is disabled, the default port is 1344; when Transmission Encryption is enabled, the default port is 11344.
    Cache Timeout
      After it receives the ICAP results, FortiWeb takes the action specified by the file security policy. During this time, it does not re-submit the file to the ICAP server. The valid range is 1-168 hours. The default value is 72.
    Service Name
      The name of the ICAP service, which appears in the URL configured in the ICAP client. For example, icap://<ip_address>/<name>.
    Transmission Encryption
      Enable to encrypt the transmission. The default port depends on whether this option is enabled.
  3. Click Test ICAP to test whether the SSL connection to the ICAP server can be established.
  4. Click Apply.

Refer to Configuring a file security rule and Creating a file security policy for how to configure the rule and policy for handling threats detected by ICAP server.

Configuring a file security rule

  1. Go to Web Protection > Input Validation > File Security and select the File Security Rule tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permissions to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. In Name, enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  4. In Type, select one of the following:
    • Allow File Types—the file security rule will allow the specified file type(s).
    • Block File Types—the file security rule will block the specified file type(s).
    The file types you then add to the rule (see below) are allowed or blocked, depending on the Type you selected.
  5. If you want to apply this file security rule to requests for a specific web host:
    • Enable Host Status.
    • From Host, select the IP address or FQDN of a protected host.
    Disable Host Status to match the file security rule based upon the other criteria, such as the URL, regardless of the Host: field.
  6. If you want to apply this file security rule to a specific URL, in Request URL, type the URL to which the file security rule will apply, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ). Do not include the name of the host, such as www.example.com, which is configured separately in the Host drop-down list above.
  7. In File Upload Limit, enter a number to represent the maximum size in kilobytes for any individual file. The file security rule rejects allowed files larger than this number. The maximum values are:
    • 102400 KB: FortiWeb 100D, 100E, 400C, 400D, 400E, 600D, 600E, 1000C, 3000CFsx, 4000C
    • 204800 KB: FortiWeb 1000D, 2000D, 3000D, 3000DFsx, 4000D, 1000E, 2000E, 3010E, 2000F
    • 358400 KB: FortiWeb 3000E, 4000E, 3000F, 4000F
    Note: FortiWeb applies file upload limits only to files that use multipart/form-data and application/octet-stream.
  8. Enable File Uncompress if you want FortiWeb to check the file size and file type of compressed files.
    FortiWeb by default supports up to 12 levels of compression, and the decompressed file size must be smaller than 5000 KB. Use the CLI commands uncompress-nest-limit and uncompress-oversize-limit in config waf file-upload-restriction-rule to change the default settings. For more information, see the FortiWeb CLI Reference.
  9. Enable JSON File Support if you want FortiWeb to further parse a file contained in a JSON file.
    • File Name JSON Key Field: FortiWeb parses the JSON file to find the value of the filename parameter, and compares it against the value you set for File Name JSON Key Field. This is optional.
    • File Upload JSON Key Field: FortiWeb parses the JSON file to find the value of the content parameter, and compares it against the value you set for File Upload JSON Key Field.
    Both File Name JSON Key Field and File Upload JSON Key Field require an exact match and are case sensitive.
    If both of them match, FortiWeb applies the file security policy to the file contained in the JSON file.
    If only File Upload JSON Key Field matches, FortiWeb applies the file security policy to the file contained in the JSON file, and in the attack log the name of the file is shown as "JSON File".
    If only File Name JSON Key Field matches, this counts as no match. FortiWeb does not scan the file contained in the JSON file any further.
  10. Click OK.
  11. In the Predefined File Types section, click Create New to select the predefined file type(s) to which you want the file security rule to apply, then click the right arrow to include the file type(s). Or you can define custom file types in the Custom File Types section.
    Microsoft Office Open XML file types such as .docx, .xlsx, .pptx, and .vsdx are a type of ZIP-compressed XML. If you specify restrictions for them, those signatures take priority. However, if you do not select an MSOOX restriction but do have an XML or ZIP restriction, the XML and ZIP restrictions still apply, and the files are still restricted.
  12. Click OK.
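
The JSON File Support outcomes described in the rule procedure above, as an added example that is not FortiWeb's code: a decision function that applies the exact, case-sensitive key matching and returns whether the embedded file is handed to the file security policy and under which name it would be logged. The key names, the JSON bodies, and the assumption that keys are matched at any nesting depth are constructed here; the page does not state how deep FortiWeb searches.

```python
"""Added example, not FortiWeb's code: the JSON File Support decision described in
the file security rule procedure. Key names and JSON bodies are constructed."""
import json
from typing import Any, Optional

def find_key(node: Any, key: str) -> Optional[str]:
    """Return the string value of the first exact, case-sensitive match for `key`.
    Assumption (not stated on the page): keys are searched at any nesting depth."""
    if isinstance(node, dict):
        value = node.get(key)
        if isinstance(value, str):
            return value
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None

def json_file_support(body: bytes, name_key: str, upload_key: str) -> dict:
    """Decide whether the file embedded in a JSON upload is handed to the file
    security policy, and under which name it would appear in the attack log."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {"scan": False, "log_name": None, "content": None}
    content = find_key(doc, upload_key)
    if content is None:
        # Upload key absent: even a matching name key counts as no match, so no
        # further scan of the embedded file.
        return {"scan": False, "log_name": None, "content": None}
    name = find_key(doc, name_key) if name_key else None   # name key is optional
    # Both keys match: policy applied under the real file name.
    # Only the upload key matches: policy applied, attack log shows "JSON File".
    return {"scan": True,
            "log_name": name if name is not None else "JSON File",
            "content": content}

# Constructed requests, each posted as application/json to the protected URL.
# The content values are base64 of a PDF header and a JPEG header respectively.
BOTH_MATCH = b'{"filename": "invoice.pdf", "content": "JVBERi0xLjcK"}'
ONLY_UPLOAD = b'{"name": "invoice.pdf", "content": "JVBERi0xLjcK"}'
ONLY_NAME = b'{"filename": "invoice.pdf", "data": "JVBERi0xLjcK"}'
WRONG_CASE = b'{"Filename": "invoice.pdf", "Content": "JVBERi0xLjcK"}'  # case differs
NESTED = b'{"attachments": [{"filename": "photo.jpg", "content": "/9j/4AAQ"}]}'

if __name__ == "__main__":
    samples = [("both keys", BOTH_MATCH), ("only upload key", ONLY_UPLOAD),
               ("only name key", ONLY_NAME), ("wrong case", WRONG_CASE),
               ("nested", NESTED)]
    for label, body in samples:
        print(f"{label:16} -> {json_file_support(body, 'filename', 'content')}")
```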
Creating a file security policy

  1. Go to Web Protection > Input Validation > File Security and select the File Security Policy tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permissions to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:
    Name
      Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Action
      Select which action FortiWeb will take when it detects a violation of a rule in the policy:
      • Alert—Accept the connection and generate an alert email and/or log message.
      • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).
      • Deny (no log)—Block the request (or reset the connection).
      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).
        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client's IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.
      The default value is Alert & Deny.
      Caution: This setting will be ignored if Monitor Mode is enabled.
      Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.
    Block Period
      Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated a rule in the policy.
      This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 seconds. For details, see Monitoring currently blocked IPs.
    Severity
      When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:
      • Informative
      • Low
      • Medium
      • High
      The default value is Low.
    Trigger Action
      Select which trigger action, if any, FortiWeb will carry out when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
    Antivirus Scan
      Enable to scan for viruses, malware, and greyware.
      Attackers often modify the HTTP header so that Content-Type: indicates an allowed file type even though the bytes contained in the body are actually a virus. This scan ensures that the request actually contains the file type specified by Content-Type: and is not infected.
      Attack log messages contain the file name and signature ID (for example, filename [eicar.com] virus name [EICAR_TEST_FILE]: Waf anti-virus) when this feature detects a possible virus.
      To configure which database of signatures to use, select either Regular Virus Database, Extended Virus Database or Use FortiSandbox Malware Signature Database. For details, see Choosing the virus signature database & decompression buffer.
      Caution: Files greater than the scan buffer configured in Maximum Antivirus Buffer Size are too large for FortiWeb to decompress, and will pass through without being scanned. This could allow malware to reach your web servers. To block oversized files, you must configure Body Length.
      Caution: To remain effective as new malware emerges, it is vital that your FortiWeb can connect to FortiGuard services to regularly update its engine and signatures. Failure to do so will cause this feature to become less effective over time, and may allow viruses to pass through your FortiWeb. For instructions on how to verify connectivity and enable automatic updates, see Connecting to FortiGuard services.
    Send files to FortiSandbox
      Enable to send matching files to FortiSandbox for evaluation.
      Also specify the FortiSandbox settings for your FortiWeb. For details, see To configure a FortiSandbox connection.
      FortiSandbox evaluates the file and returns the results to FortiWeb.
      If Antivirus Scan is enabled and FortiWeb detects a virus, it does not send the file to FortiSandbox.
    Send Files to ICAP Server
      Enable so that FortiWeb sends matching files to the ICAP server.
      Also specify the ICAP server settings for your FortiWeb. For details, see To configure an ICAP server connection.
      The ICAP server evaluates the file and returns the results to FortiWeb.
      If Antivirus Scan is enabled and FortiWeb detects a virus, it does not send the file to the ICAP server.
    Hold Session While Scanning File
      This option is available only when you enable Send files to FortiSandbox or Send Files to ICAP Server.
      When enabled, FortiWeb holds the session for up to 30 minutes while FortiSandbox or the ICAP server scans the file in the request. If the result has not arrived after 30 minutes, FortiWeb forwards the session without taking any other action.
    Scan attachments in Email
      Enable to scan attachments in email using the OWA and/or ActiveSync exchange protocols. If enabled, FortiWeb will perform an antivirus scan, and will send the attachments to FortiSandbox.
      Note: To perform an antivirus scan and send attachments to FortiSandbox, you must enable Antivirus Scan, and Send files to FortiSandbox or Send Files to ICAP Server, respectively, in the file security policy.
    Protocol
      Available only when Scan attachments in Email is enabled. Select one or all of the following options:
      • OWA—FortiWeb will scan attachments in email sent and received via a web browser login.
      • ActiveSync—FortiWeb will scan attachments in email sent and received via a mobile phone login.
      • MAPI—FortiWeb will scan attachments in email sent and received via the Messaging Application Programming Interface (MAPI), a transport protocol introduced in Microsoft Exchange Server 2013 Service Pack 1 (SP1).
  4. Click OK.
  5. To include a rule in the file security policy, click Create New.
  6. From the File Security Rule drop-down list, select an existing file security rule that you want to use in the policy.
  7. To view or change the information associated with the item, select the Detail icon. The File Security Rule appears. Use your browser's back button to return.
  8. Click OK.
  9. Repeat steps 5 through 8 for each rule that you want to add to the file security policy.
  10. To apply the file security policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    See also

    Limiting file uploads

    You can configure FortiWeb to perform the following tasks:

    • Restrict file uploads based upon file type and size.
    • Scan uploaded files for viruses.
    • Submit uploaded files to FortiSandbox for evaluation and generate attack log messages for files that FortiSandbox has identified as threats.

    Set restrictions according to file type and size in file security rules. Group multiple file security rules into a file security policy. Also use a file security policy to specify how FortiWeb scans for viruses in files.

    Restricting uploads by file type and size

    To perform file detection and restriction by file type and size, FortiWeb scans multipart/form-data; boundary=..., and application/octet-stream in the Content-Type: request header and parses files submitted to your web server(s).

    For example, if you want to allow only specific types of files (MP3 audio files, PDF text files, and GIF and JPG picture files) to be uploaded to:

    HTTP://www.example.com/upload.php

    create file security rules that define only those specific file types for that URL. When FortiWeb receives an HTTP PUT or POST request for the /upload.php URL with Host: www.example.com, it scans the HTTP request and allows or blocks the specified file types to be uploaded. FortiWeb blocks file uploads for any HTTP request that contains non-specified file types. When you create file security rules that define acceptable file types, you can also specify size limits for those file types.

    Restrict uploads by file type and size in file security rules. For details, see Configuring a file security rule.

    tooltip icon
    • FortiWeb applies file upload limits based on file type and size to only files that use multipart/form-data and application/octet-stream.
    • For the multipart/form-data file, if the file name is empty, FortiWeb can't apply file upload rules to it.

    Using FortiSandbox to evaluate uploaded files

    You can configure FortiWeb to submit all files that match your upload restriction rules to FortiSandbox. FortiWeb packs each of the files in TAR format and sends the TAR archives to FortiSandbox.

    FortiSandbox evaluates whether files pose a threat and returns the results to FortiWeb. If FortiSandbox determines that the file is malicious, FortiWeb performs the following tasks:

    • Generate an attack log message that contains the result (for example, messages with the Alert action in the illustration).
    • Take the action specified in the file security policy. During this time, FortiWeb does not resubmit the file to FortiSandbox (for example, messages with the Alert_Deny action in the illustration).

    By default, FortiWeb does not log a file transfer to FortiSandbox. You can manually enable it through the CLI command set elog enable in system fortisandbox. For details, see the FortiWeb CLI Reference:

    HTTPs://docs.fortinet.com/product/fortiweb/

    When elog is enabled, FortiWeb generates a log only if a file is successfully transferred to FortiSandbox. No logs are generated for failed transfers. You can see the logs in Log&Report > Log Access > Event.

    Example attack log with FortiSandbox file scan results

    To configure a FortiSandbox connection
    1. Go to System > Config > FortiSandbox.
    2. Complete the settings according to the below table:
    3. FortiSandbox Type
      • FortiSandbox Appliance—Submit files that match the upload restriction rules to a FortiSandbox physical appliance or FortiSandbox-VM.
      • FortiWeb Cloud Sandbox—Submit files to FortiWeb Cloud Sandbox. You need to register your FortiWeb and a FortiWeb FortiGuard Sandbox Cloud Service subscription.
      Server IP/Domain

      Enter the IP address or domain name of the FortiSandbox.

      Available only when FortiSandbox Appliance is selected.

      FortiSandbox Status

      The connectivity status of FortiSandbox is displayed here.

      Cache Timeout After it receives the FortiSandbox results, FortiWeb takes the action specified by the file security policy. During this time, it does not re-submit the file to FortiSandbox. The valid range is 1-168 hours. The default value is 72.
      Admin Email Enter the email address that FortiSandbox sends weekly reports and notifications to.
      Statistics Interval Specifies how often FortiWeb retrieves statistics from FortiSandbox, in minutes. The valid range is 1-60 minutes. The default value is 5.
    4. Click Apply.

    Refer to Configuring a file security rule and Creating a file security policy for how to configure the rule and policy for handling threats detected by FortiSandbox.

    Using ICAP server to detect threats

    The Internet Content Adaptation Protocol (ICAP) is a lightweight HTTP-based protocol, which is generally used to implement virus scanning and content filters in transparent HTTP proxy caches.

    You can configure FortiWeb to send all files that match your upload restriction rules to ICAP server.

    ICAP server evaluates whether files pose a threat and returns the results to FortiWeb. If ICAP determines that the file is malicious, FortiWeb performs the following tasks:

    • Generate an attack log message that contains the result .
    • Take the action specified in the file security policy. During this time, FortiWeb does not resubmit the file to ICAP server.

    By default, FortiWeb does not log a file transfer to ICAP server. You can manually enable it through the CLI command set elog enable in system icapserver. For details, see the FortiWeb CLI Reference:

    HTTPs://docs.fortinet.com/product/fortiweb/

    When elog is enabled, FortiWeb generates a log only if a file is successfully transferred to ICAP server. No logs are generated for failed transfers. You can see the logs in Log&Report > Log Access > Event.

    To enable ICAP server

    Before you can begin configuring an ICAP server connection, you have to enable it first.

    1. Go to System > Config > Feature Visibility.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see "Permissions" on page 1.
    2. Locate Additional Features.
    3. Enable ICAP Server.
    4. Click Apply.
    To configure an ICAP server connection
    1. Go to System > Config > ICAP Server.
    2. Complete the settings according to the below table:
    3. Server IP / Domain

      Enter the IP address or domain name of the ICAP server.

      Port

      Enter the port on which the ICAP server is listening.

      When Transmission Encryption is disabled, the default port is 1344; while when Transmission Encryption is enabled, the default port is 11344.

      Cache Timeout

      After it receives the ICAP results, FortiWeb takes the action specified by the file security policy. During this time, it does not re-submit the file to ICAP server. The valid range is 1-168 hours. The default value is 72.

      Service Name

      The name of the ICAP service, which appears in the URL configured in the ICAP client. For example, icap://<ip_address>/<name>.

      Transmission Encryption

      Enable to encrypt the transmission. The port varies depending on whether this option is enabled or not.

    4. Click Test ICAP to test whether the SSL connection is established to the ICAP server.
    5. Click Apply.

    Refer to Configuring a file security rule and Creating a file security policy for how to configure the rule and policy for handling threats detected by ICAP server.

    Configuring a file security rule

    1. Go to Web Protection > Input Validation > File Security and select the File Security Rule tab.
    2. To access this part of the web UI, your administrator’s account access profile must have Read and Write permissions to items in the Web Protection Configuration category. For details, see Permissions.

    3. Click Create New.
    4. In Name, enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    5. In Type, select one of the following:
    6. Allow File Types—the file security rule will allow the specified file type(s).

      Block File Types—the file security rule will block the specified file type(s).

      Limiting file uploads allows you to determine which file types to allow or block, depending on the Type you selected.

    7. If you want to apply this file security rule to requests for a specific web host:
    • Enable Host Status.
    • From Host, select the IP address or FQDN of a protected host.
  • Disable Host Status to match the file security rule based upon the other criteria, such as the URL, regardless of the Host: field.
  • If you want to apply this file security rule to a specific URL:

    In Request URL, type the URL, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. to which the file security rule will apply. The URL must begin with a slash ( / ). Do not include the name of the host, such as www.example.com, which is configured separately in the Host drop-down list above.

  • In File Upload Limit, enter a number to represent the maximum size in kilobytes for any individual file. The file security rule rejects allowed files larger than this number. The maximum values are:
  • 102400 KB: FortiWeb 100D, 100E, 400C, 400D, 400E, 600D, 600E, 1000C, 3000CFsx, 4000C

    204800 KB: FortiWeb 1000D, 2000D, 3000D, 3000DFsx, 4000D, 1000E, 2000E, 3010E, 2000F

    358400 KB: FortiWeb 3000E, 4000E, 3000F, 4000F

    Note: FortiWeb applies file upload limits to only files that use multipart/form-data and application/octet-stream.

  • Enable File Uncompress if you want to do file size and file type check for compressed files.
    FortiWeb by default supports up to 12 levels of compression, and the decompressed file size should be smaller than 5000 KB. User CLI command uncompress-nest-limit and uncompress-oversize-limit in config waf file-upload-restriction-rule to change the default settings. For more information, see FortiWeb CLI Reference.
  • Enable JSON File Support if you want FortiWeb to further parse the file contained in JSON file.
    1. File Name JSON Key Field: FortiWeb will parse the JSON file to find the value of the filename parameter, and compare it against the value you set for File Name JSON Key Field. This is optional.
    2. File Upload JSON Key Field: FortiWeb will parse the JSON file to find the value of the content parameter, and compare it against the value you set for File Name JSON Key Field.

    Both File Name JSON Key Field and File Upload JSON Key Field require exact match and are case sensitive.

    If both of them matches, FortiWeb will apply File Security policy to the file contained in JSON file.

    If only File Upload JSON Key Field matches, FortiWeb will apply File Security policy to the file contained in JSON file, and in the attack log the name of the file will be shown as "JSON File".

    If only File Name JSON Key Field matches, it equals to no match. FortiWeb will not execute further scan to the file contained in JSON file.

  • Click OK.
  • In the Predefined File Types section , click Create New to select from the predefined file type(s) to which you want to file security rule to apply, then click the right arrow to include the file type(s) . Or you can define custom file types in the Custom File Types section.
  • Microsoft Office Open XML file types such as .docx, xlsx, .pptx, and .vsdx are a type of ZIP-compressed XML. If you specify restrictions for them, those signatures will take priority. However, if you do not select a MSOOX restriction but do have an XML or ZIP restriction, the XML and ZIP restrictions will still apply, and the files will still be restricted.
  • Click OK.
  • Creating a file security policy

    1. Go to Web Protection > Input Validation > File Security and select the File Security Policy tab.
    2. To access this part of the web UI, your administrator’s account access profile must have Read and Write permissions to items in the Web Protection Configuration category. For details, see Permissions.

    3. Click Create New.
    4. Configure these settings:
    5. Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
      Action

      Select which action FortiWeb will take when it detects a violation of a rule in the policy:

      • Alert—Accept the connection and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Deny (no log)—Block the request (or reset the connection).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

      The default value is Alert & Deny.

      Caution: This setting will be ignored if Monitor Mode is enabled.

      Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

      Block Period

      Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated a rule in the policy.

      This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 seconds. For details, see Monitoring currently blocked IPs.

      Severity

      When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

      • Informative
      • Low
      • Medium
      • High

      The default value is Low.

      Trigger Action

      Select which trigger action, if any, FortiWeb will carry out when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
      Antivirus Scan

      Enable to scan for viruses, malware, and greyware.

      Attackers often modify the HTTP header so that Content-Type: indicates an allowed file type even though the bytes contained in the body are actually a virus. This scan ensures that the request actually contains the file type specified by Content-Type: and is not infected.

      Attack log messages contain the file name and signature ID (for example, filename [eicar.com] virus name [EICAR_TEST_FILE]: Waf anti-virus) when this feature detects a possible virus.

      To configure which database of signatures to use, select either Regular Virus Database, Extended Virus Database or Use FortiSandbox Malware Signature Database. For details, see Choosing the virus signature database & decompression buffer.

      Caution: Files greater than the scan buffer configured in Maximum Antivirus Buffer Size are too large for FortiWeb to decompress, and will pass through without being scanned. This could allow malware to reach your web servers. To block oversized files, you must configure Body Length.

      Caution: To remain effective as new malware emerges, it is vital that your FortiWeb can connect to FortiGuard services to regularly update its engine and signatures. Failure to do so will cause this feature to become less effective over time, and may allow viruses to pass through your FortiWeb. For instructions on how to verify connectivity and enable automatic updates, see Connecting to FortiGuard services.

      Send files to FortiSandbox

      Enable to send matching files to FortiSandbox for evaluation.

      Also specify the FortiSandbox settings for your FortiWeb. For details, see To configure a FortiSandbox connection.

      FortiSandbox evaluates the file and returns the results to FortiWeb.

      If Antivirus Scan is enabled and FortiWeb detects a virus, it does not send the file to FortiSandbox.

      Send Files to ICAP Server

      Enable so that FortiWeb sends matching files to an ICAP server.

      Also specify the ICAP server settings for your FortiWeb. For details, see Limiting file uploads.

      The ICAP server scans the file and returns the results to FortiWeb.

      If Antivirus Scan is enabled and FortiWeb detects a virus, it does not send the file to the ICAP server.

      Hold Session While Scanning File

      This option is available only when you enable Send files to FortiSandbox or Send Files to ICAP Server.

      Enable this option to have FortiWeb hold the session while FortiSandbox or the ICAP server scans the file in the request, for up to 30 minutes. If the scan has not completed after 30 minutes, FortiWeb forwards the session without taking any other action.

      Scan attachments in Email

      Enable to scan attachments in email that uses the OWA and/or ActiveSync Exchange protocols. If enabled, FortiWeb performs an antivirus scan and sends the attachments to FortiSandbox.

      Note: To perform the antivirus scan and send attachments to FortiSandbox, you must enable Antivirus Scan and Send files to FortiSandbox (or Send Files to ICAP Server), respectively, in the file security policy.

      Protocol

      Available only when Scan attachments in Email is enabled. Select one or all of the following options:

      • OWA—FortiWeb will scan attachments in Email sent and received via a web browser login.

      • ActiveSync—FortiWeb will scan attachments in Email sent and received via a mobile phone login.

      • MAPI—FortiWeb will scan attachments in Email sent and received via the Messaging Application Programming Interface (MAPI), a new transport protocol implemented in Microsoft Exchange Server 2013 Service Pack 1 (SP1).
    6. Click OK.
    7. To include a rule in the file security policy, click Create New.
    8. From the File Security Rule drop-down list, select an existing file security rule that you want to use in the policy.
    9. To view or change the information associated with the item, click the Detail icon. The file security rule appears. Use your browser's back button to return.

    10. Click OK.
    11. Repeat steps 7 through 10 for each rule that you want to add to the file security policy.
    12. To apply the file security policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
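The Action, Block Period and Monitor Mode settings above interact in ways that are easy to get wrong, especially the NAT caveat under Period Block. The following added example in Python models them; it is not FortiWeb code, and the action identifiers, the `X-Forwarded-For` header name and the sample addresses are constructed for the example. A clean request from a client inside its block period is still blocked, Monitor Mode logs the violation but ignores the configured action, and without an X-header every client behind the same load balancer shares the balancer's address and is blocked together.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Actions named on the page, as constructed identifiers (assumption).
ACTIONS = ("alert", "alert_deny", "deny_no_log", "period_block")


@dataclass
class FileSecurityPolicy:
    action: str = "alert_deny"                # page default: Alert & Deny
    block_period: int = 60                    # seconds; valid range 1..3,600
    severity: str = "Low"                     # page default
    monitor_mode: bool = False                # when enabled, Action is ignored
    client_ip_header: Optional[str] = None    # X-header carrying the original client IP
    blocked_until: Dict[str, float] = field(default_factory=dict)
    attack_log: List[tuple] = field(default_factory=list)

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if not 1 <= self.block_period <= 3600:
            raise ValueError("block period must be 1..3600 seconds")

    def client_ip(self, headers: dict, peer_ip: str) -> str:
        """Behind a NAT load balancer the TCP peer is the balancer; prefer the X-header if configured."""
        if self.client_ip_header:
            value = headers.get(self.client_ip_header)
            if value:
                return value.split(",")[0].strip()  # first hop is the original client (assumption)
        return peer_ip

    def handle(self, now: float, peer_ip: str, headers: dict, violation: Optional[str]) -> str:
        """Decide one request: 'accept' or 'block'. violation is None for a clean request."""
        ip = self.client_ip(headers, peer_ip)
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return "block"  # still inside an earlier Period Block
        if violation is None:
            return "accept"
        if self.monitor_mode:
            self.attack_log.append((self.severity, ip, violation))
            return "accept"  # logged, but the configured action is not carried out
        if self.action == "deny_no_log":
            return "block"
        self.attack_log.append((self.severity, ip, violation))
        if self.action == "alert":
            return "accept"
        if self.action == "period_block":
            self.blocked_until[ip] = now + self.block_period
        return "block"


def nat_demo(with_header: bool) -> str:
    """A second, clean client behind the same balancer after another client's violation."""
    policy = FileSecurityPolicy(action="period_block", block_period=30,
                                client_ip_header="X-Forwarded-For" if with_header else None)
    policy.handle(100, "10.0.0.1", {"X-Forwarded-For": "203.0.113.5"}, "file type exe not allowed")
    return policy.handle(101, "10.0.0.1", {"X-Forwarded-For": "203.0.113.6"}, None)


if __name__ == "__main__":
    print("with X-header, innocent client:", nat_demo(True))      # accept
    print("without X-header, innocent client:", nat_demo(False))  # block
```

The `nat_demo` helper is the caveat from the Period Block description in miniature: the same two requests produce `accept` only when the policy knows which header carries the real client address.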
    See also