FortiGate
emalayan
Article Id 363407
Description

 

This article describes how to use file filters to detect or block files sent or received over HTTPS. The solution described below also applies to other encrypted protocols such as MAPI, SSH, and IMAP over SSL/TLS.

 

Scope

 

FortiGate v6.4 and above.

 

Solution

 

To use a file filter to detect files sent or received via HTTPS, a proxy mode file filter is required, along with a deep-inspection SSL/SSH profile.

 

  1. By default, the inspection mode on a firewall policy is flow-based, and the default feature set of a File Filter profile is also flow-based. Refer to this article for changing the inspection mode of the firewall policy. Change the feature set option on the File Filter profile in the GUI: go to Security Profiles -> File Filter, edit the File Filter profile, and toggle Proxy based:

 


 

If the Feature set option is not visible in the GUI, enter the following in the CLI:

 

config system settings
    set gui-proxy-inspection enable
end

 

  2. Enabling deep inspection requires importing the FortiGate CA certificate (Fortinet_CA_SSL) on the user's machine. Refer to this link on how to enable deep inspection and import the certificate in the browser.
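The two steps above can be done entirely from the CLI. The following is an added example, not part of the original article, showing the CLI equivalent: a File Filter profile with the proxy feature set, and a firewall policy in proxy inspection mode that references that profile together with the built-in deep-inspection SSL/SSH profile. The profile name (block-exe-https), rule name, policy ID (10), interface names (port2 as LAN, port1 as WAN) and the blocked file type (exe) are assumed values for illustration and must be adapted to the local configuration.

```fortios
# Added example (not from the original article). All names and IDs below are assumptions.

# 1. File Filter profile with the proxy feature set (required for HTTPS inspection).
config file-filter profile
    edit "block-exe-https"
        set comment "Block executables over HTTP/HTTPS and mail protocols"
        set feature-set proxy
        set log enable
        set scan-archive-contents enable
        config rules
            edit "block-exe"
                set protocol http ftp smtp imap pop3 mapi
                set action block
                set direction any
                set file-type "exe"
            next
        end
    next
end

# 2. Firewall policy in proxy inspection mode, using the built-in deep-inspection
#    SSL/SSH profile so that HTTPS payloads are decrypted before file filtering.
config firewall policy
    edit 10
        set name "lan-to-wan-file-filter"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set file-filter-profile "block-exe-https"
        set logtraffic all
        set nat enable
    next
end
```

With logging enabled on the profile, a blocked download appears in the file-filter UTM log with the file name and the policy ID, which is the quickest way to confirm that deep inspection and the proxy feature set are both in effect. If clients have not imported Fortinet_CA_SSL, they will see certificate warnings before any file is ever inspected.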

 

Note:

  1. File Filter may not work on some applications that use end-to-end encryption; the solution for this is to use endpoint security software such as FortiClient or FortiEDR.
  2. An alternative method is to use the DLP feature of the FortiGate, which requires an additional license.

 

Related article: