Description

This article describes how to use file filters for detecting or blocking files sent or received via https. The solution stated below can also apply for encrypted protocols such as MAPI, SSH, and IMAP over SSL/TLS.

Scope

FortiGate v6.4 and above.

Solution

The File Filter feature requires proxy-based inspection in order to detect and block files effectively.

1. By default, flow-based is set as inspection mode on firewall policy and also the default feature set in File-filter. Refer to this article for changing the inspection mode of the firewall. Change the feature set option on the File Filter profile on the GUI Security Profiles -> File Filter, edit the File Filter profile, and toggle Proxy based:

If the Feature set option is not visible in the GUI, enter the following in the CLI:

config system settings

set gui-proxy-inspection enable

end

2. Enabling deep-inspection requires importing a certificate (Fortinet_CA_SSL) in the user's machine, refer this link on how to enable deep inspection and import a certificate in the browser.
3. Ensure the firewall policy is configured in 'proxy-based' mode.
   
   

    

Note:

1. File Filter may not work on some applications that are using end-to-end cipher encryptions, solution for this is to use endpoint security software such as FortiClient or FortiEDR.
2. Another alternate method is to use DLP feature of the FortiGate, which requires an additional license.

Related article:

• File filter
• Technical Tip: Block audio or video file download by using DLP sensor