Description | This article describes how to block all .exe files while still allowing a specific URL to download an .exe file, without enabling multiple other UTM features on FortiGate. |
Scope | FortiGate 7.4 onwards |
Solution |
Requirement: Block all .exe files, but allow a specific URL to download an .exe file, without enabling multiple other UTM features on FortiGate.
Solution:
Step 1: Create a File Filter profile to block all .exe files. Go to Security Profiles -> File Filter -> Create. Provide a Name for the profile and select the protocols (HTTP, FTP, etc.) to be scanned. Set Direction -> Both and File type -> Exe file, and set the action to Block:
Step 2: All .exe files are now blocked as expected. Testing with a 7-Zip download, the download fails:
Step 3: To allow only a specific URL to download the .exe file, instead of creating other UTM profiles to bypass the scan, add the URL under SSL/SSH Inspection -> Exempt from SSL Inspection in the SSL/SSH Inspection profile that is already enabled in the policy. Traffic to an exempted address is not decrypted, so the File Filter profile cannot inspect HTTPS downloads from it; the exemption applies to everything served from that FQDN, not only the one file.
First, find the URL: under Log and Report -> Security Events, find the URL that is blocked. In the example, it is objects.githubusercontent.com.
Add an address object with the FQDN under:
Second, apply the address object to the SSL/SSH Inspection profile that is used in the policy:
Once the address object is applied and the profile is saved, test the download from the URL again:
The file can now be downloaded:
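CLI equivalent of the three steps above, given as an added example and not as configuration from the original article. The profile names `block-exe` and `custom-deep-inspection` are hypothetical; the SSL/SSH profile is assumed to be the deep-inspection profile already applied in the firewall policy.

```fortios
# Step 1: File Filter profile that blocks .exe in both directions.
# "block-exe" is a hypothetical profile/rule name.
config file-filter profile
    edit "block-exe"
        config rules
            edit "block-exe"
                set protocol http ftp
                set action block
                set direction any
                set file-type "exe"
            next
        end
    next
end

# Step 3a: FQDN address object for the host seen in the security event log.
config firewall address
    edit "objects.githubusercontent.com"
        set type fqdn
        set fqdn "objects.githubusercontent.com"
    next
end

# Step 3b: exempt that address in the SSL/SSH Inspection profile used by the policy.
# "custom-deep-inspection" is a hypothetical name; use the profile set on the policy.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "objects.githubusercontent.com"
            next
        end
    next
end
```

Reviewing `config ssl-exempt` in this profile periodically keeps the set of hosts that bypass decryption, and therefore the File Filter, limited to the ones still needed.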
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.