Description
This article describes how to use file filtering to block or log certain file types in the web filter and email filter.
Scope
FortiGate v6.4.1 and below.
Solution
To add a file filter to a web filter profile in the GUI.
- Go to Security Profiles -> Web Filter.
- Edit an existing profile, or create a new one.


To add a file filter to a web filter profile using the CLI.
config webfilter profile
    edit "webfilter-file-filter"
        config file-filter
            set status {enable | disable}
            set log {enable | disable}
            set scan-archive-contents {enable | disable}
            config entries
                edit "filter1"
                    set comment "Block files"
                    set protocol [http | ftp]
                    set action {block | log}
                    set direction {any | incoming | outgoing}
                    set encryption {any | yes}
                    set file-type "pdf" "msofficex"
                next
            end
        end
    next
end
To add a file filter to an email filter profile in the GUI.
- Go to Security Profiles -> Email Filter.
- Edit an existing profile, or create a new one.

- Enable 'Enable Spam Detection and Filtering', if not already enabled.
- Enable File Filter, if not already enabled, then select 'Create New' in the filter table. The 'Create New File Filter Rule' pane opens.

To add a file filter to an email filter profile using the CLI.
config emailfilter profile
    edit "emailfilter-file-filter"
        config file-filter
            set status {enable | disable}
            set log {enable | disable}
            set scan-archive-contents {enable | disable}
            config entries
                edit "filter1"
                    set comment "Block files"
                    set protocol [smtp | imap | pop3]
                    set action {block | log}
                    set encryption {any | yes}
                    set file-type "exe"
                next
            end
        end
    next
end
Web Filter File Filter action as Block:
1: date=2019-03-19 time=09:42:15 logid="0346012673" type="utm" subtype="webfilter" eventtype="file_filter" level="warning" vd="vd1" eventtime=1548438135 policyid=1 sessionid=29449 srcip=10.1.100.22 srcport=52816 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="blocked" reqtype="direct" url="/app_data/test1.pdf" sentbyte=0 rcvdbyte=0 direction="incoming" filename="test1.pdf" filtername="filter1" filetype="pdf" msg="File was blocked by file filter."
Web Filter File Filter action as Log:
2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="webfilter" eventtype="file_filter" level="notice" vd="vd1" eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."
Email Filter File Filter action as Block:
1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"
Email Filter File Filter action as Log:
1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
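The log samples above can be triaged with a short parser. The following is an added example, not part of the original article or any Fortinet code: it parses the key=value log format and separates files that were blocked from files that were only logged and allowed through. SAMPLE_LOGS is abridged from the samples above plus one constructed non-file-filter line, and the function names are hypothetical.

```python
import re
from collections import Counter

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Abridged from the four sample log lines on this page, plus one constructed
# non-file-filter line (the last) to show that unrelated UTM events are skipped.
SAMPLE_LOGS = [
    '1: date=2019-03-19 time=09:42:15 subtype="webfilter" eventtype="file_filter" '
    'srcip=10.1.100.22 dstip=172.16.200.55 service="HTTP" action="blocked" '
    'filename="test1.pdf" filtername="filter1" filetype="pdf"',
    '2: date=2019-03-19 time=10:48:23 subtype="webfilter" eventtype="file_filter" '
    'srcip=10.1.100.22 dstip=172.16.200.55 service="HTTP" action="passthrough" '
    'filename="park.jpg" filtername="filter2" filetype="jpeg"',
    '1: date=2019-01-25 time=15:20:16 subtype="emailfilter" eventtype="file_filter" '
    'srcip=10.1.100.12 dstip=172.16.200.56 service="IMAP" action="blocked" '
    'subject="EXE file block" filename="putty.exe" filtername="filter1" filetype="exe"',
    '1: date=2019-01-25 time=15:23:16 subtype="emailfilter" eventtype="file_filter" '
    'srcip=10.1.100.12 dstip=172.16.200.56 service="SMTP" action="detected" '
    'subject="PDF file log" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"',
    'date=2019-03-19 time=09:50:00 subtype="webfilter" eventtype="urlfilter" '
    'action="blocked"',
]

def parse_line(line):
    """Turn one log line into a dict; the leading 'N:' display index is ignored."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarize(lines):
    """Count file_filter events per (subtype, action); list files logged but not blocked."""
    counts, passed = Counter(), []
    for line in lines:
        ev = parse_line(line)
        if ev.get("eventtype") != "file_filter":
            continue
        counts[(ev["subtype"], ev["action"])] += 1
        if ev["action"] != "blocked":  # "passthrough" (web) or "detected" (email)
            passed.append((ev["srcip"], ev["dstip"], ev["service"],
                           ev["filename"], ev["filetype"]))
    return counts, passed

if __name__ == "__main__":
    counts, passed = summarize(SAMPLE_LOGS)
    for (subtype, action), n in sorted(counts.items()):
        print(f"{subtype:12} {action:12} {n}")
    for item in passed:
        print("logged only:", *item)
```

Entries in the "logged only" list are transfers that matched a filter whose action is log, so the file reached its destination; they are the ones to review when deciding whether a filter should be switched to block.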
New replacement messages.
Web Filter File Filter blocking upload:
You are not permitted to upload the file "%%FILE%%".
Web Filter File Filter blocking download:
Your attempt to access the file "%%FILE%%" has been blocked by your system administrator.
Email Filter File Filter blocking emails:
This email has been blocked. The file %%FILE%% was blocked due to its file type or properties
Note:
FortiOS 6.4.1 and above has a separate file filter security profile; file filtering is no longer embedded in the web filter feature.
File filter | FortiGate / FortiOS 7.0.0 | Fortinet Document Library