New Member

Question

Unable to block WhatsApp Web file uploads despite SSL Deep Inspection and Application Control

Forum|Forum|7 months ago
October 27, 2025
3 replies
2255 views

Subject: Unable to block WhatsApp Web file uploads despite SSL Deep Inspection and Application Control

Description:
We are trying to block certain file types (PDF, EXE, BIN, ZIP, RAR, DOC, DOCX) uploaded via WhatsApp Web using FortiGate. We have applied the following configurations:

SSL Deep Inspection is enabled on the relevant firewall policy.

Custom Application Signatures for file types have been created and added to the Application Control profile.

All relevant ports (TCP/80, TCP/443, UDP/443) are included.

Logging is enabled.

@whatsapp

Issue:

Despite the above configurations, WhatsApp Web file uploads are still allowed; blocked actions are not enforced.

Packet captures with diagnose sniffer fail to detect WhatsApp Web traffic by hostname, only by IP.

Attempts to create custom signatures for multiple file types (PDF, EXE, ZIP, etc.) either fail due to CLI errors or do not block files as expected.

QUIC protocol (UDP/443) seems to bypass Application Control unless disabled.

Objective / Request:

Guidance on the correct method to block or monitor specific file types uploaded via WhatsApp Web.

Verification if additional FortiGate settings (Deep Inspection, DLP, Antivirus) are required.

Advice on proper Application Signatures and configuration to effectively block the target file types while allowing images and videos to pass.

FortiGate

Shyy

New Member

I believe QUIC is only inspected from versions 7.4.1 in deep-inspection.
I used to have that issue, Only disabling QUIC solved the matter.

Salem_AlhindwanAuthor

New Member

QUIC was disabled from the browser and from FortiGate, but the files in WhatsApp Web are still not blocked; FortiGate cannot block a specific file even though deep-inspection is enabled.

Shyy

New Member

I'd say to try and block QUIC using a firewall policy to check that it is indeed not the issue.

rp1996

Staff

@Salem_Alhindwan You may refer to the following article to block QUIC , it lists multiple options that you may use, from policy to app ctrl, as suggested earlier I would recommend that you go with the policy, which in the article is Method 3 and let me know.

Also, may I know if this upload that is being done is from the web mode or the application.

Salem_AlhindwanAuthor

New Member

Uploading files via WhatsApp Web
In Application Control
We have
WhatsApp_Web.Upload
WhatsApp_Web.Download
This works for me, but only for uploading and downloading files.
It doesn't work for specific file types. For example, I want to block PDF files from uploading, and I also want to block image files from uploading in WhatsApp Web.

rp1996

Staff

@Salem_Alhindwan Pls give me time until tomorrow I will check and update you, pls share more information such as browser in which is being used ? version and if incognito is enabled ?

Just letting you know, the signature as such would block all file uploads, is your requirement such that you would like to block just few file types and allow the rest? can you confirm?

Salem_AlhindwanAuthor

New Member

The problem hasn't been solved yet. Does anyone have any idea what the problem is?

rp1996

Staff

@Salem_Alhindwan Apologies for the delay, the requirement to have certain specific file type might not work cause based on my research on this, WhatsApp encrypts the payload (files) prior to them being uploaded on to their servers, so even though you may have deep inspection enabled, the details of the file itself would not be visible since it has been encrypted locally and then being uploaded.

As such the option available would be to use application control signature, to block file uploads, but again this will block all file uploads and not specific file types, like what you are looking for.

Hope this helps!!!

Technical Tip: How to block/disable QUIC

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded