FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 272094

This article describes that in some situations, it is necessary to block file types such as .pdf , .png , .jpeg ,or etc via SFTP protocol, but it would not be possible to find the setting via GUI by default in FortiGate.

SFTP is also known as Secure File Transfer Protocol.


FortiGate v7.2.x.

  • To block file types such as .pdf via SFTP  protocol, go under Security Profiles -> File Filter -> Create New -> Rules and select 'Create New'.It may not be possible to see the SFTP protocol under Protocols. Correct the setting via CLI commands as below:


Correct the setting with file filter:


From CLI:


FGT # config file-filter profile

FGT # edit SFTPtest1
FGT # set feature-set proxy

FGT # config rules

FGT # edit SFTPtestRule1

FGT # set protocol ssh

FGT # set action block

FGT # set file-type pdf png jpeg
FGT # next

FGT # end

FGT # next

FGT # end


Then, it will be possible to see the SSH feature under the Protocol of 'File Filter Rule'.


  1. Go to Security Profiles -> SSL/SSH Inspection and select 'Create New'.

Name : deep-inspectionTestSFTP1

Inspection method : Full SSL Inspection

>SSH Inspection Options >SSH deep scan : enable >

SSH port : Specify : 22








Inspection all ports: Enable it if not sure about the SFTP port.

SSH port: Choose to be 'Any'  not sure about the SFTP port.



  1. Correct the setting at Firewall Policy
  • Go to Policy&Objects -> Firewall Policy and select 'Create New'.

Put the Interface, Address, Service, and etc.


From CLI:


FGT # config firewall policy

FGT # edit <XX> <----- XX is the firewall policy ID that focuses on.
FGT # set inspection-mode proxy

FGT # end



  • Go to Policy&Object -> Firewall Policy -> Security Profiles.

> File Filter : SFTPtest1

'SFTPtest1' created when 'Inspection Mode' is 'Proxy-based'.

Choose 'SFTPtest'” created under1.

-SSL Inspection :  deep-inspectionTestSFTP1  ( Choose the one that you create on step 2)  )




  1. Test to upload .pdf file or file type following the configuration via SFTP protocol as wished.

FortiGate should be able to block those files via SFTP protocol after that.