Description
This article describes an alternative to using DLP to block files larger than a given size. The first approach usually tried is DLP, for example a DLP rule configured to block files greater than 100MB. However, this approach runs into the following difficulties:
- The file may pass without being blocked.
- The file may need to buffer completely before being blocked or passed, using system resources and causing users to wait to find out if the file will be downloaded.
Reference: Technical Tip: How to block the 3mb file or larger file using DLP on the FortiGate
Scope
FortiGate.
Solution
An alternative method that avoids these pitfalls is to use the Proxy Options profile to block larger files instead. The Proxy Options profile has an oversize limit above which a file is not scanned at all. Because of this, large files may not be scanned for antivirus, DLP, or any other inspection, and are therefore allowed through even when DLP is configured to block them. To overcome this, set the Proxy Options profile to block oversized files instead of passing them unscanned.
The Proxy Options profile can be configured in the GUI, but the oversize settings are available in the CLI only. They can be configured as follows:
config firewall profile-protocol-options
    edit default
        set oversize-log enable
        config <protocol>
            set options oversize
            set uncompressed-oversize-limit {integer} <--- File size (in MB) above which a decompressed file is treated as oversized.
            set oversize-limit {integer} <--- File size (in MB) above which a file is treated as oversized.
        end
    end
Note: Repeat the config <protocol> block above for each of <protocol> = http, ftp, imap, mapi, pop3, smtp, nntp. With 'set options oversize' enabled, a file exceeding the limit is blocked instead of being passed unscanned; 'set options' replaces the protocol's whole option list, so any options already enabled on that protocol are dropped, and 'append options oversize' can be used instead to add oversize while keeping them.
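As an added check (example code, not from Fortinet or this article), the following Python script parses the output of 'show full-configuration firewall profile-protocol-options', assumed to have been copied from the device, and reports which protocols in the profile would still let files above the chosen size through: a missing protocol block, an option list without oversize, or a limit above the target. The sample output embedded in it is constructed for the example.

```python
from collections import defaultdict
PROTOCOLS = ("http", "ftp", "imap", "mapi", "pop3", "smtp", "nntp")  # each needs the oversize settings
# Constructed (not captured) output of 'show full-configuration firewall
# profile-protocol-options': http is set correctly, ftp is not, the rest are absent.
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "default"
        config http
            set options clientcomfort oversize
            set oversize-limit 100
            set uncompressed-oversize-limit 100
        end
        config ftp
            set options clientcomfort
            set oversize-limit 500
            set uncompressed-oversize-limit 100
        end
    next
end
"""

def parse_protocol_blocks(cli_text, profile="default"):
    # Stack walk of the config/edit/set/next/end nesting; keeps the 'set' lines of the profile's protocol sub-blocks.
    stack, blocks = [], defaultdict(dict)
    for tokens in filter(None, (line.split() for line in cli_text.splitlines())):
        if tokens[0] in ("config", "edit"):
            stack.append(" ".join(tokens[1:]).strip('"'))
        elif tokens[0] in ("end", "next") and stack:
            stack.pop()
        elif tokens[0] == "set" and stack[-2:-1] == [profile] and stack[-1] in PROTOCOLS:
            blocks[stack[-1]][tokens[1]] = tokens[2:]
    return blocks

def audit_oversize(cli_text, limit_mb, profile="default"):
    # Returns {protocol: [problems]}; an empty dict means every protocol blocks files larger than limit_mb MB.
    problems, blocks = {}, parse_protocol_blocks(cli_text, profile)
    for proto in PROTOCOLS:
        settings, found = blocks.get(proto), []
        if settings is None:
            found.append("protocol block missing")
        else:
            if "oversize" not in settings.get("options", []):
                found.append("options lacks 'oversize' (oversized files pass unscanned)")
            for key in ("oversize-limit", "uncompressed-oversize-limit"):
                value = settings.get(key, ["absent"])[0]
                if not value.isdigit() or int(value) > limit_mb:
                    found.append(f"{key}={value} is not a limit of at most {limit_mb}MB")
        if found:
            problems[proto] = found
    return problems
```

Run it against the real output with the target size in MB; every protocol listed in the result still needs the block above applied or corrected.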