|
The file filter is set to block '.exe' file only.
# config file-filter profile
edit "block_exe"
set scan-archive-contents enable
config rules
edit "block_file"
set protocol http ftp smtp imap pop3 cifs
set action block
set file-type "bat" "exe"
next
end
next
end
However, some archive-file types like cabinet (.cab) are blocked.
The security event log shows the followings:
date=2023-01-06 time=03:36:55 eventtime=1672947415497679921 tz="+0800" logid="1900064000" type="utm" subtype="file-filter"
eventtype="file-filter" level="warning" vd="root" policyid=4 sessionid=250425 srcip=10.139.2.108 srcport=59636 srcintf="port2"
srcintfrole="undefined" dstip=99.86.178.96 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" profile="block_exe"
direction="incoming" action="blocked" url="https://filedownload.csw.lenovo.com/enm/vantage30/packages/Addins/DolbyAccessAddin/1.0.0.13/DolbyAcc..." hostname="filedownload.csw.lenovo.com"
agent="Chrome/91.0.4472.124" filtername="block_file" filename="DolbyAccessAddin.1.0.0.13.cab" filesize=1058212 filetype="cab" matchfilename="DolbyAccessAddin.dll" matchfiletype="exe" msg="File was blocked by file filter."
The cab file is blocked is due to 'DolbyAccessAddin.1.0.0.13.cab' containing multiple files and one of the files is 'DolbyAccessAddin.dll', which is an executable file.
Also ' set scan-archive-contents enable' is set in file filter profile by default. So the matched file type is detected as 'exe' for this cab file and the blocking behavior is expected.
To avoid the FortiGate to scan the archive, or prevent this file to block, it is possible to use 'set scan-archive-contents disable'.
|
