Description
This article describes that 'File filter' is used to block files passing through a FortiGate based on file type.
File filtering profile is based on file type (file's meta data) only, and not on file size or file content. It is necessary to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers, etc.
Sometimes, it is necessary to exempt a particular file that is already a part of a file type that is blocked by a File filter.
For example, allow a specific .exe file while all other .exe files should be blocked.
However, File filter exception option is not configurable.
Scope
All FortiOS versions.
Solution
Web filter can be used instead to achieve file filter exception.
1) Create a file filter that blocks 'exe' file type:
- Select Security Profiles -> File Filter.
(In FortiOS versions before 6.4.1, File filter is configurable under the web filter profile.
To create File filter in such instances, refer to: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-file-filtering/ta-p/197098 )
2) Add this file filter profile to the required firewall policy. Enable SSL inspection as 'deep-inspection':
3) Now, when any 'exe 'file type is attempted to be downloaded, the file filter will block it as follows:
On 'Download', the following block page will be shown:
'The file has been blocked due to its file type and/or properties'.
4) Since an exception is not possible to be created in the same file filter profile, a web filter can be utilized.
Select Security Profiles -> Web Filter -> Static URL Filter, enable URL Filter, and create a wildcard entry as follows:
URL: *xxx.com <----- Website from which the exe file will be downloaded. (In this example, a wildcard entry as '*image-line.com' is necessary).
Type: Wildcard.
Action: Exempt.
Status: Enable.
5) Add this web filter profile ('Test') to the firewall policy making use of the file filter as follows:
6) Now. while attempting to download the 'exe' file, it will be allowed:
