A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
Article Id 241147

This article describes how to configure FortiWeb to perform the following tasks:

- Restrict file uploads based on file type and size.

- Scan uploaded files for viruses.

Scope FortiWeb 6.3.20, 6.3.21, 7.0.4, 7.2.0.

Limiting uploads by file type and size:
To perform file detection and restriction by file type and size, FortiWeb scans the files and parses files submitted to the web server(s) when the Content-Type: request header value is one of the following:

- multipart/form-data; boundary=...

- application/octet-stream 


1) Navigate to Web protection->Input Validation->File security

2) Select the 'File security Rule' tab and complete the configuration:

a) Select Create New.

b) Under Name, enter a unique name that can be referenced by other parts of the configuration.

c) Enable Host Status.

d) Under Host, select the IP address or a protected host. For example,

e) Keep Host Status disabled to match the file security rule only with the request URL, regardless of the Host header value (Optional setting).

f) Under Request URL, The URL must begin with a slash ( / ). Do not include the name of the host (in this case,
Type the URL, such as /upload.php. To match multiple URLs, use wild card patterns such as /folder1/* or /folder1/*/index.htm.

g) Under File Upload Limit, enter a number to represent the maximum size in kilobytes for any individual file. The file security rule will reject files larger than this number.
Reminder: FortiWeb applies file upload limits to only files that use multipart/form-data and application/octet-stream.


Please note that FortiWeb only accepts HTTP PUT or POST requests for the /upload.php URL with Host: It then scans the HTTP request and allows or blocks the specified file types from being uploaded, depending on the file type configuration.



3) In the Predefined File Types section, select Create New to select the file types from the predefined file type(s) list, which are filtered by the file security rule.

4) Select the right arrow to include the file type(s) to be blocked.

Use the 'Custom File Types' section to add the missing file types manually in the Predefined File Types section.





Creating a file security policy:

1) Navigate to Web Protection -> Input Validation -> File Security and select the File Security Policy tab.

2) Select Create New.

3) Enable Antivirus Scan to scan for viruses.

This scan ensures that the request actually contains the file type specified by Content-Type and that it is not infected, because Content-Type: indicates an allowed file type.

4) Enable Scan Attachments in Email. This will apply differently depending on protocol:

a) OWA:

FortiWeb will scan attachments in Email sent and received via a web browser login. 

b) ActiveSync:

FortiWeb will scan attachments in Email sent and received via a mobile phone login.

c) MAPI:

FortiWeb will scan attachments in Email sent and received via the Messaging Application Programming Interface (MAPI), the transport protocol implemented in Microsoft Exchange Server 2013 Service Pack 1 (SP1).



5) Navigate to the Policy -> Web Protection Profile -> Input Validation section and select the file security policy:



6) Check the results in the browser and the Attack Logs: