lmuir
New Member
June 3, 2008
Question

Blocking MIME or " content types" in HTTP

  • June 3, 2008
  • 6 replies
  • 5903 views
Hi, I am currently evaluating a Fortigate 100A and, if successful, acquiring a 1000A. I have come from the Watchguard space and am looking for features in the Fortigate device. I am trying to block content types in HTTP, for example video/x-flv, rather than use category-based web filtering. As most of you are aware, category-based web filtering does not filter content if it doesn't fall into the category, meaning content which you have a policy on can get allowed. On the Watchguards you can set the allowed content types for the HTTP proxy. I am unable to find this option on the Fortigate. I have had a couple of ideas while trialling the unit:
- Adding the string to Web Filter > Content Block; however, this yields unwanted results. For example, if you add video/x-flv, it will block the entire page rather than the video object. Also, if the page contains the string, obviously it is blocked regardless of whether it contains video or not, e.g. http://en.wikipedia.org/wiki/Flash_Video
- Creating a custom IPS signature. This method I believe should work; however, I see this as being an overly complex way of blocking content. The next issue is I don't quite understand how one writes IPS signatures. I have read all the related documentation, yet fail to grasp the process.
Should creating custom IPS signatures be the best method, it would be greatly appreciated if someone could post a custom signature to block video/x-flv as an example on which I can base the rest of my filters. Thank you, Lachlan.

    6 replies

    lmuir
    lmuirAuthor
    New Member
    July 2, 2008
    Sorted - IPS rule: F-SBID( --name "Insert.Rule.Name"; --default_action drop_session; --protocol tcp; --service HTTP; --pattern "Insert MIME Type here"; --context header; --flow to_client; ) That rule simply scans the header for the MIME type. Put your MIME type in "Insert MIME Type here", e.g. "video/x-flv".
    Contributor
    July 4, 2008
    How can I do this in a Fortigate 60? Thanks
    lmuir
    lmuirAuthor
    New Member
    July 5, 2008
    Hi, Yes, they all run FortiOS. Remember that IPS is a FortiGuard service, you may need to license it if you have not done so already. Cheers, Lachlan.
    laf
    New Member
    July 7, 2008
    F-SBID( --name "Insert.Rule.Name"; --default_action drop_session; --protocol tcp; --service HTTP; --pattern "Insert MIME Type here"; --context header; --flow to_client; )
    Hi, I am using a FG60 MR6patch1. IPS -> Signature -> Custom -> Create New. I entered Signature_custom for the name and F-SBID( --name "Insert.Rule.Name"; --default_action drop_session; --protocol tcp; --service HTTP; --pattern "Ferrar"; --context header; --flow to_client; ) for the signature. I received the following error: "Rules file format error". Can anyone tell me what was wrong?
    Contributor
    July 7, 2008
    I have it, I bought the license but I don't know how to do it.
    lmuir
    lmuirAuthor
    New Member
    July 7, 2008
    Hi, The following example will block the content type video/x-flv: F-SBID( --name "Block.Adobe.FLV"; --attack_id 8598; --default_action drop_session; --protocol tcp; --service HTTP; --pattern "video/x-flv"; --context header; ) If you're using the GUI, remember to either leave the name field blank or make it exactly the same as what is used for "--name". The "--attack_id" isn't strictly required; it will generate one for you.
    MIME Media Types - http://www.iana.org/assignments/media-types/
    Recently published articles on custom IPS rules - http://kc.forticare.com/default.asp?id=3739
    Cheers, Lachlan.
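The reason the thread moves from Web Filter > Content Block to a custom IPS signature with --context header is the difference between matching a MIME string anywhere in the page and matching it only in the HTTP response header. The following added example (not FortiOS code and not from any poster) models both verdicts in Python over two constructed responses: an article that merely mentions video/x-flv in its text, and an actual FLV object.

```python
# Added example: compares "match anywhere in the response" (the Content Block
# behaviour described in the thread) with "match only the Content-Type header"
# (what --context header on the custom IPS signature targets). Both sample
# responses below are constructed for illustration.

BLOCKED_TYPES = {"video/x-flv"}  # MIME types the policy drops, as in the thread


def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def content_block_verdict(raw: bytes) -> str:
    """Content Block style: the string anywhere in the response blocks the page."""
    text = raw.decode("latin-1").lower()
    return "drop" if any(t in text for t in BLOCKED_TYPES) else "allow"


def header_context_verdict(raw: bytes) -> str:
    """Header-context style: only the Content-Type header decides.
    Parameters such as '; charset=utf-8' are stripped before comparison."""
    _, headers, _ = split_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return "drop" if ctype in BLOCKED_TYPES else "allow"


# Constructed sample 1: an HTML article that mentions the MIME type in its body.
ARTICLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body>Flash Video is usually served as video/x-flv.</body></html>"
)
# Constructed sample 2: a real FLV object (FLV magic bytes in the body).
FLV_FILE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: video/x-flv\r\n\r\n"
    b"FLV\x01\x05\x00\x00\x00\x09"
)

if __name__ == "__main__":
    for name, resp in (("article", ARTICLE), ("flv", FLV_FILE)):
        print(f"{name}: content-block={content_block_verdict(resp)} "
              f"header-context={header_context_verdict(resp)}")
```

The article is dropped by the content-block check but allowed by the header check, while the FLV object is dropped by both, which is the behaviour the thread is after.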