Description
This article describes how to use file filtering in web filter and email filter profiles to block or log specific file types.
Scope
FortiGate v6.4.1 and below.
Solution
To add a file filter to a web filter profile in the GUI.
- Go to Security Profiles -> Web Filter.
- Edit an existing profile or create a new one.
- Enable 'File Filter', if not already enabled, then select 'Create New' in the filter table. The 'Create New Filter Rule' pane opens.
- Configure the filter as required, then select 'OK'.
Using the CLI.
config webfilter profile
    edit "webfilter-file-filter"
        config file-filter
            set status {enable | disable}
            set log {enable | disable}
            set scan-archive-contents {enable | disable}
            config entries
                edit "filter1"
                    set comment "Block files"
                    set protocol [http | ftp]
                    set action {block | log}
                    set direction {any | incoming | outgoing}
                    set encryption {any | yes}
                    set file-type "pdf" "msofficex"
                next
            end
        end
    next
end
To add a file filter to an email filter profile in the GUI.
- Go to Security Profiles -> Email Filter.
- Edit an existing profile or create a new one.
- Enable 'Enable Spam Detection and Filtering', if not already enabled.
- Enable File Filter, if not already enabled, then select 'Create New' in the filter table. The 'Create New File Filter Rule' pane opens.
To add a file filter to an email filter profile with the CLI.
config emailfilter profile
    edit "emailfilter-file-filter"
        config file-filter
            set status {enable | disable}
            set log {enable | disable}
            set scan-archive-contents {enable | disable}
            config entries
                edit "filter1"
                    set comment "Block files"
                    set protocol [smtp | imap | pop3]
                    set action {block | log}
                    set encryption {any | yes}
                    set file-type "exe"
                next
            end
        end
    next
end
Web Filter File Filter action as Block:
1: date=2019-03-19 time=09:42:15 logid="0346012673" type="utm" subtype="webfilter" eventtype="file_filter" level="warning" vd="vd1" eventtime=1548438135 policyid=1 sessionid=29449 srcip=10.1.100.22 srcport=52816 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="blocked" reqtype="direct" url="/app_data/test1.pdf" sentbyte=0 rcvdbyte=0 direction="incoming" filename="test1.pdf" filtername="filter1" filetype="pdf" msg="File was blocked by file filter."
Web Filter File Filter action as Passthrough:
2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="webfilter" eventtype="file_filter" level="notice" vd="vd1" eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."
Email Filter File Filter action as Block:
1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"
Email Filter File Filter action as Log:
1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
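The following is an added example, not Fortinet code: it parses file_filter log lines like the four samples above and lists the files that matched a rule in log mode (action "passthrough" or "detected") and so were not blocked. The names parse_kv and summarize are hypothetical, and the sample lines are trimmed copies of the logs on this page.

```python
import re
from collections import Counter

# Trimmed copies of the four sample log lines on this page (some fields dropped).
SAMPLE_LOGS = [
    '1: date=2019-03-19 time=09:42:15 logid="0346012673" type="utm" subtype="webfilter" '
    'eventtype="file_filter" srcip=10.1.100.22 service="HTTP" action="blocked" '
    'filename="test1.pdf" filtername="filter1" filetype="pdf" '
    'msg="File was blocked by file filter."',
    '2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="webfilter" '
    'eventtype="file_filter" srcip=10.1.100.22 service="HTTP" action="passthrough" '
    'filename="park.jpg" filtername="filter2" filetype="jpeg" '
    'msg="File was detected by file filter."',
    '1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" srcip=10.1.100.12 service="IMAP" action="blocked" '
    'subject="EXE file block" filename="putty.exe" filtername="filter1" filetype="exe"',
    '1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" srcip=10.1.100.12 service="SMTP" action="detected" '
    'subject="PDF file log" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_kv(line):
    """Parse one log line into a dict; a leading 'N:' viewer index is ignored."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD_RE.finditer(line)}

def summarize(lines):
    """Return (counts by subtype/action, log-only hits) for file_filter events."""
    counts, log_only = Counter(), []
    for rec in map(parse_kv, lines):
        if rec.get("eventtype") != "file_filter":
            continue  # skip other event types
        counts[(rec.get("subtype"), rec.get("action"))] += 1
        # 'passthrough' (web filter) and 'detected' (email filter) are the actions
        # shown in the non-blocking samples: the rule matched but did not block.
        if rec.get("action") in ("passthrough", "detected"):
            log_only.append((rec.get("srcip"), rec.get("filtername"),
                             rec.get("filetype"), rec.get("filename")))
    return counts, log_only

if __name__ == "__main__":
    counts, log_only = summarize(SAMPLE_LOGS)
    for key, n in sorted(counts.items()):
        print(key, n)
    for hit in log_only:
        print("matched but not blocked:", hit)
```
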
New replacement messages.
Web Filter File Filter blocking upload:
You are not permitted to upload the file "%%FILE%%".
Web Filter File Filter blocking download:
Your attempt to access the file "%%FILE%%" has been blocked by your system administrator.
Email Filter File Filter blocking emails:
This email has been blocked. The file %%FILE%% was blocked due to its file type or properties
Note: FortiOS v6.4.1 and above have a separate file filter security profile; file filtering is no longer embedded in the web filter feature.