iskandar_lie
Staff
September 21, 2022

Technical Tip: Using file-filter to block unwanted file type from being downloaded

Description

This article describes how the FortiGate File filter blocks unwanted file types. A number of tests are presented for demonstration purposes.

Scope

Tested on: FortiGate v. 6.4.10

Solution

The following LAB tests involve FortiGate as a Firewall with a File-filter security profile applied. These were simulated on a Windows PC Client.

 

The following conditions were used:

 

1) A Firewall policy (flow and proxy-based, tested separately)

2) A file-filter security profile (flow and proxy-based, tested separately)

3) ssl-ssh-profile deep inspection (not covered in this KB, refer to related KB or document)

 

Test 1 with flow-based policies:  

 

This test used a flow-based firewall policy with a flow-based file-filter security profile:

 

iskandar_lie_1-1663760098221.png

 

The flow-based file-filter security profile was configured as follows (blocked file types are underlined):

 

iskandar_lie_2-1663760116635.png

 

FortiGate was configured to only log blocked files or monitored file types:

 

iskandar_lie_3-1663760141728.png

 

In the client simulation on Windows 8 with a flow-based rule, as seen here, .dat and .csv files could be downloaded successfully:

 

iskandar_lie_5-1663760215351.png

 

iskandar_lie_6-1663760225428.png

 

However, the .exe and .gzip files could not be downloaded due to the blocking rule:

 

iskandar_lie_7-1663760257819.png

 

The following was exported under GUI -> Log & Report -> File Filter:

 

iskandar_lie_9-1663760299462.png

 

Test 2 with proxy-based policies: 

 

This test used a proxy-based firewall policy with a proxy-based file-filter security profile:

 

iskandar_lie_10-1663760362157.png

 

The proxy-based file-filter security profile was configured as follows (blocked file types are underlined):

 

iskandar_lie_11-1663760377432.png

 

In the client simulation on Windows 8 with a proxy-based rule, as seen here, .dat and .csv files could be downloaded successfully:

 

iskandar_lie_5-1663760215351.png

 

iskandar_lie_6-1663760225428.png

 

The .exe and .zip files could not be downloaded due to the blocking rule:

 

iskandar_lie_12-1663760439878.png

 

iskandar_lie_13-1663760448046.png

 

The following was exported under GUI -> Log & Report -> File Filter:

 

iskandar_lie_14-1663760462848.png

 

Conclusion:

 

  • Both the flow-based and the proxy-based file filter work as expected. The file filter blocks only the file types listed in a rule whose action is set to block.
  • All other allowed file types will not be logged.
  • A proxy-based rule will redirect the user to a 'block page' by default, as it operates at the application layer to rebuild sessions and allow full SSL decryption and analysis. A flow-based rule, by contrast, will not show a block page because it prioritizes speed by scanning packets in transit without reassembly, resulting in limited visibility.

  

Related Fortinet Documentation 

File filter | Fortinet Document Library

SSL & SSH Inspection | Fortinet Document Library

Basic deep SSL inspection configuration