Description
The web filtering by MIME content header feature may be enabled on the FortiOS firmware versions listed in the Solution section below.
This feature may prove useful in some scenarios, for example to exempt audio streaming files from antivirus scanning (to avoid buffering on the FortiGate unit), or to block video streaming files for end users.
Scanning these file types can be problematic, as they often do not have a pre-determined file size. This can cause the FortiGate unit to buffer a large amount of data without being able to perform any scan.
The content header list is configurable in the CLI only.
For other details, please refer to the FortiGate CLI reference guides at http://docs.fortinet.com .
Scope
FortiGate unit, or VDOM, in NAT or Transparent mode.
Solution
The first step is to create a list of content headers. Entries can either match any audio/video Content-Type using regular expressions (regex), or be entered one at a time after analyzing the real traffic patterns.
To determine the Content-Type value a server sends, use a packet sniffer such as Wireshark.
Two examples captured while looking at video traffic from YouTube are given below:
Hypertext Transfer Protocol
HTTP/1.0 200 OK\r\n
Request Version: HTTP/1.0
Response Code: 200
Server: DCLK-AdSvr\r\n
Content-Type: video/x-ms-asf\r\n
X-Google-Inred-Content-Type: video/x-ms-asf\r\n
Content-Length: 410\r\n
Content-Encoding: gzip\r\n

Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Request Version: HTTP/1.1
Response Code: 200
Last-Modified: Mon, 14 Sep 2009 00:40:51 GMT\r\n
Content-Type: video/x-flv\r\n
Content-Length: 200994\r\n
Connection: close\r\n
Content-Disposition: attachment; filename="video.flv"\r\n
Expires: Thu, 29 Oct 2009 09:06:24 GMT\r\n
Cache-Control: public,max-age=3600\r\n
Date: Thu, 29 Oct 2009 08:06:24 GMT\r\n
Server: gvs 1.0\r\n
The following generic example blocks any Content-Type of the form video/<subtype> and exempts from AV scanning any Content-Type of the form audio/<subtype>.
Both entries are regular expressions (".*" matches any sequence of characters).
CLI syntax:
config webfilter content-header
    edit 1
        set comment ''
        config entries
            edit "video\\/.*"
                set action block
            next
            edit "audio\\/.*"
                set action exempt
            next
        end
        set name "weblist-01"
    next
end
This second example exempts one specific Content-Type from AV scanning.
Important note:
The "/" in the regex is a special character and has to be escaped. If "application/vnd.rn-realmedia" is written without escaping the "/", every Content-Type beginning with "application" will be matched.
CLI syntax:
config webfilter content-header
    edit 1
        set comment ''
        config entries
            edit "application\\/vnd.rn-realmedia"
                set action exempt
            next
        end
    next
end
Once the content-header list has been created, it must be selected in the protection profile. In addition, the content-header check must be enabled for HTTP.
The following example shows the content-header number 1 added to the "web" protection profile.
CLI syntax for FortiOS firmware versions 5.x:
config webfilter profile
    edit "web"
        set comment " "
        config web
            set content-header-list 1
        end
    next
end
CLI syntax for FortiOS firmware version 4.0 MR1 (the "contenttype-check" option used here has been discontinued and is no longer used in FortiOS firmware version 5.x):
config firewall profile
    edit web
        set content-header-list 1
        set http scan contenttype-check
    next
end
CLI syntax for FortiOS firmware versions 4.0 MR2 and 4.0 MR3:
config webfilter profile
    edit "web"
        set comment " "
        config http
            set options contenttype-check
        end
        config web
            set content-header-list 1
        end
    next
end