FortiGate
ycho
Staff
Article Id 189567

Description

 

This article describes how to block attachments sent via KakaoTalk messenger when the Kakaotalk_file.transfer signature is added to the application control sensor with its action set to block.

Scope

 

FortiGate v6.0.8 or earlier, and for IPS Engine v3.420 and above.

Solution

 

Adding the 'Kakao_File.Transfer' signature automatically adds the 'KakaoTalk' signature.

The Kakao.File_Transfer signature has been added to entry number 2.

When the attachment blocking behavior is checked, the traffic is only logged against the KakaoTalk application entry and the attachment is not blocked.

The reason is that, for IPS engine 3.420 and above, the order in which signatures/categories are configured in the application control sensor affects signature detection, since the order lets the user choose which signatures have higher priority.

To change the order, use the CLI: whenever the application control sensor is changed from the web GUI, the order of the entries is reset to what it originally was, so the entries must be reordered through CLI commands as below.
 
config application list
    edit <entry_name>
        config entries
            move 2 before 1
        end
    next
end

 
This issue has already been mitigated in v6.2 and above, where users can rearrange the order of the entries directly in the web GUI by drag-and-drop.
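One way to check for the ordering problem described above after a GUI edit, as an added example that is not part of the original article: a Python script that reads `show application list` output and reports any block entry positioned after a non-block entry. The sensor name and application IDs are constructed placeholders, the input is assumed to contain only the application list section, and an entry with no `set action` line is assumed to use block.

```python
import re

# Constructed sample shaped like `show application list` output. The sensor
# name and application IDs 1001/1002 are placeholders, not real signature IDs.
GUI_ORDER = """\
config application list
    edit "kakao-sensor"
        config entries
            edit 1
                set application 1001
                set action pass
            next
            edit 2
                set application 1002
            next
        end
    next
end
"""

def parse_sensors(text):
    """Return {sensor: [[entry_id, action], ...]} in configured (positional) order."""
    sensors, sensor, entries, depth = {}, None, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if entries is None:
            m = re.fullmatch(r'edit "?([^"]+)"?', line)
            if m:
                sensor = m.group(1)
            elif line == "config entries" and sensor:
                entries = sensors.setdefault(sensor, [])
        elif depth or line.startswith("config "):  # skip a table nested in an entry
            depth += line.startswith("config ") - (line == "end")
        elif line.startswith("edit "):
            # Assumption: an entry without `set action` uses the default, block.
            entries.append([int(line.split()[1]), "block"])
        elif line.startswith("set action ") and entries:
            entries[-1][1] = line.split()[2]
        elif line == "end":
            entries = None
    return sensors

def late_block_entries(text):
    """Return (sensor, block_id, earlier_id) for block entries placed after a non-block entry."""
    return [(name, eid, next(e for e, a in ents[:i] if a != "block"))
            for name, ents in parse_sensors(text).items()
            for i, (eid, act) in enumerate(ents)
            if act == "block" and any(a != "block" for _, a in ents[:i])]
```

The check works on position, not entry ID: for the sample above it returns `[("kakao-sensor", 2, 1)]`, and for output captured after `move 2 before 1`, where `edit 2` is listed first, it returns an empty list.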
 

Note: 

Versions up to v6.4 are out of engineering and technical support. Therefore, these commands might be different in higher versions. Consider upgrading the firmware level on the device to a supported version (v7.0 up to v7.6). Check the firmware path and compatibility depending on the hardware: FortiGate's upgrade tool

 

Related article:

Technical Tip: Recommended Release for FortiOS