Technical Tip: Enforcing Deny-by-Default file upload behavior using catch-all block rules in FortiWeb file security policies
Description
This article describes the evaluation model of File Security Policies in FortiWeb and explains how URL scoping impacts file upload enforcement.
In FortiWeb, File Security Policies control and inspect file upload traffic based on configured rules, such as allowed file types, antivirus scanning, and upload restrictions.
A common configuration scenario involves defining multiple File Security Rules of type 'Allow File Type', each associated with a specific request URL. In such deployments, unexpected behavior may be observed where file uploads are still permitted on URLs that are not explicitly defined within any File Security Rule.
This behavior occurs because File Security Rules are evaluated only when the incoming HTTP request matches the configured URL condition within the rule. Requests that do not match any configured File Security Rule are not processed by the File Security engine.
Scope
FortiWeb.
Solution
FortiWeb File Security Policies operate using a URL-scoped evaluation model. The File Security engine is invoked only when an HTTP request matches the configured criteria defined within a File Security Rule.
The evaluation flow is as follows:
1. The incoming HTTP request is processed by the applied Web Protection Profile.
2. FortiWeb evaluates the File Security Policy associated with that profile.
3. The individual File Security Rules in the policy are inspected sequentially.
4. A File Security Rule is evaluated only if the request URL matches the URL condition configured in that rule.
5. If no File Security Rule matches the request URL, File Security inspection is skipped entirely for that request.
As a result:
- File upload inspection is not globally enforced across all URLs.
- Requests to non-matching URLs bypass File Security processing.
- 'Allow File Type' rules do not create an implicit deny for uploads to URLs outside their configured scope.
This is the designed behavior and is consistent with the URL-scoped inspection logic used by the FortiWeb File Security engine.
Example scenario - Rule 1:
The CLI configuration below allows .pdf and .txt files on the /dvwa/ path of host fortilab.test.com:
config waf file-upload-restriction-rule
    edit "Allow_these_files"
        set host-status enable
        set host fortilab.test.com
        set request-type regular
        set request-file /dvwa/
        set file-size-limit 20000
        set file-uncompress enable
        set json-key-for-filename filename
        set json-key-field eicar
        config file-types
            edit 1
                set file-type-name PDF(.pdf)
                set file-type-id 00124
            next
            edit 2
                set file-type-name TXT(.txt)
                set file-type-id 00094
            next
        end
        config custom-file-types
        end
    next
end
Requests matching the configured URL are processed by the File Security engine and evaluated against the configured restrictions.
However, if a file upload request is sent to a different URL path, for example /upload-test/ or /api/document/upload, and no File Security Rule explicitly matches those URLs, the request is not processed by the File Security Policy at all.
This may create the impression that File Security Policies are being bypassed, while in reality the traffic simply falls outside the evaluation scope of the configured rules.
Additionally, configuring a second File Security Rule of type 'Block File Type' does not by itself create global upload enforcement. That rule is equally dependent on URL scope matching and is evaluated only when the incoming request satisfies its own configured URL condition.
Both the Allow File Type rule and the Block File Type rule should be combined in a single policy, as in the example below:
config waf file-upload-restriction-policy
    edit "file_policy"
        set av-scan enable
        set signature-check enable
        config rule
            edit 1
                set file-upload-restriction-rule Allow_these_files
            next
            edit 2
                set file-upload-restriction-rule Block_other_files
            next
        end
    next
end
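To make the URL-scoped evaluation concrete, the following is an added Python model of the flow described in this article; it is not FortiWeb code. It assumes a first-match-wins walk over the rules in policy order, models the catch-all rule as a regular expression that matches every path, and uses constructed file-type lists; the exact scope syntax of a FortiWeb catch-all rule is not shown in this article.

```python
# Added model of FortiWeb's URL-scoped File Security evaluation (not FortiWeb code).
# Assumptions: rules are walked in policy order and the first in-scope rule decides;
# a rule's scope is a host match plus an anchored regex over the request path.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FileRule:
    name: str
    url_pattern: str                  # anchored regex over the request path
    action: str                       # "allow" = allow-list, "block" = block-list
    file_types: frozenset = field(default_factory=frozenset)
    host: Optional[str] = None        # None models host-status disabled

    def in_scope(self, host: str, path: str) -> bool:
        """The rule is consulted only when host and path both match."""
        if self.host is not None and host != self.host:
            return False
        return re.fullmatch(self.url_pattern, path) is not None

    def verdict(self, ext: str) -> str:
        if self.action == "allow":
            return "ALLOW" if ext in self.file_types else "BLOCK"
        return "BLOCK" if ext in self.file_types else "ALLOW"


def evaluate(policy, host, path, ext):
    """Return (verdict, rule_name). 'SKIPPED' means no rule scoped the
    request, so the File Security engine never inspected the upload."""
    for rule in policy:
        if rule.in_scope(host, path):
            return rule.verdict(ext), rule.name
    return "SKIPPED", None


# Constructed rules: the article's /dvwa/ allow-list rule, plus an assumed
# catch-all block rule (".*" scope, constructed type list) placed after it.
ALLOW_DVWA = FileRule("Allow_these_files", r"/dvwa/.*", "allow",
                      frozenset({"pdf", "txt"}), host="fortilab.test.com")
BLOCK_OTHERS = FileRule("Block_other_files", r".*", "block",
                        frozenset({"pdf", "txt", "exe", "php"}))

SCOPED_ONLY = [ALLOW_DVWA]                  # allow rule alone
WITH_CATCH_ALL = [ALLOW_DVWA, BLOCK_OTHERS]  # the combined policy above

if __name__ == "__main__":
    for p, e in [("/dvwa/upload", "pdf"), ("/dvwa/upload", "exe"), ("/upload-test/", "exe")]:
        print(p, e, evaluate(SCOPED_ONLY, "fortilab.test.com", p, e),
              evaluate(WITH_CATCH_ALL, "fortilab.test.com", p, e))
```

Running it shows the /upload-test/ request as SKIPPED under the allow rule alone and BLOCK once the catch-all rule is present, while the /dvwa/ .pdf upload stays allowed because the allow rule is consulted first.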
Important notes:
- File Security enforcement is strictly tied to the URL-matching conditions defined in each rule.
- Allow File Type rules do not implicitly deny file uploads on non-configured URLs.
- A catch-all File Security Rule is only evaluated when its configured URL scope is matched.
- File upload inspection is not globally enforced across all application endpoints.
- Requests outside the defined rule scope are not processed by the File Security engine.
- The File Security Policy operates as a contextual inspection mechanism rather than a global interception control.