FortiGate
Ashika17
Staff
Article Id 240980
Description

This article describes how the 'File filter' is used to block files passing through a FortiGate based on file type.

The file filter profile matches on file type (the file's metadata) only, not on file size or file content.

Example: a file downloaded with the 'exe' extension that is not a real 'exe' file will not be detected as an '.exe' file by a file filter configured for the 'exe' file type.

To block files based on size or content (such as SSN numbers, credit card numbers, etc.), a DLP sensor must be configured.

Sometimes it is necessary to exempt a particular file that belongs to a file type blocked by a file filter.

For example, allow a specific .exe file to be downloaded while all other .exe files stay blocked.

However, the file filter profile has no configurable exception option.

Scope

All FortiOS versions.

Solution

A web filter profile can be used instead to achieve a file filter exception.

  1. Create a file filter that blocks the 'exe' file type:
    Select Security Profiles -> File Filter.
    (In FortiOS versions before 6.4.1, the File filter is configurable under the web filter profile.)
    To create a File filter in these instances, refer to Technical Tip: How to use file filtering.

  2. Add this file filter profile to the required firewall policy and set SSL inspection to 'deep-inspection'.

Note: Verify that the destination address is not in the exemption list of the deep inspection profile, so that the traffic is actually inspected by the FortiGate.

  3. Now, when a download of any 'exe' file type is attempted, the file filter blocks it.

On 'Download', the following block page is shown:

The file has been blocked due to its file type and/or properties

  4. Since an exception cannot be created in the same file filter profile, a web filter profile is used instead.

    Select Security Profiles -> Web Filter -> Static URL Filter, enable URL Filter, and create a wildcard entry as follows:

URL: *xxx.com <- The website from which the .exe file will be downloaded (in this example, the wildcard entry '*image-line.com' is required).

Type: Wildcard.

Action: Exempt.

Status: Enable.

  5. Add this web filter profile ('Test') to the firewall policy that uses the file filter.

  6. Now, when the download of the 'exe' file is attempted, it is allowed.