I have configured a File Filter on a FortiGate 40F running FortiOS 7.6.3. The filter is applied to the LAN -> WAN policy and set to Both (two-way). However, the problem is that it only blocks files being uploaded from LAN to WAN, while downloads are not blocked.
Additionally, the antivirus on the same policy correctly blocks infected downloaded files, so the issue doesn’t seem to be with the policy or antivirus itself. I don’t want to create a WAN -> LAN policy because I don’t want external users to have access to the LAN network.
Also, I can’t find the PROXY feature in the configuration — it seems like it might have been removed or is unavailable in this version.
Does anyone know if this is expected behavior for the file filter in FortiOS 7.6.3? Am I missing some configuration to actually make it work two-way? Any advice would be much appreciated.
Hi @PatrykINTERNET ,
On a FortiGate 40F running FortiOS 7.6.3, the File Filter profile can block uploads but not downloads because two-way inspection works only when the policy runs in proxy mode. Proxy mode—and every proxy-based feature—was removed from models with ≤ 2 GB RAM (40F/60F series) starting in FortiOS 7.4.4, so those units operate exclusively in flow mode.
Flow mode sees the filename in an HTTP POST (upload) and can act on it, but it cannot pause an HTTP response (download) to examine the file. Antivirus still scans downloads because its flow engine looks at the payload, but File Filter rules that rely on filename, MIME type, or true file type are upload-only on 2 GB models.
https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/984084/file-filter
Work-arounds:
BR.
If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.
CCIE #68781
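To check a configuration backup for the two settings this thread turns on (the policy's inspection mode and the direction each file-filter rule covers), a small audit script helps. This is an added example, not part of the original posts or Fortinet's tooling; the sample config is constructed, and the keyword names (`inspection-mode`, `file-filter-profile`, `direction`) and the defaults used for omitted settings are assumptions to verify against your own backup.

```python
import shlex
# Constructed sample config; keyword names assumed from the FortiOS CLI.
SAMPLE = """
config file-filter profile
    edit "block-exe"
        config rules
            edit "exe-out"
                set action block
                set direction outgoing
            next
        end
    next
end
config firewall policy
    edit 1
        set inspection-mode flow
        set file-filter-profile "block-exe"
    next
end
"""

def parse(text):
    """Map each config/edit path (as a tuple) to its 'set' key/value pairs."""
    tree, path = {}, []
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            path.append(tok[1])
        elif tok[0] in ("next", "end"):
            path.pop()
        elif tok[0] == "set":
            tree.setdefault(tuple(path), {})[tok[1]] = tok[2:]
    return tree

def audit(text):
    """Per policy: mode and rule directions (assumes 'incoming' = reply/download)."""
    tree, out = parse(text), []
    for path, kv in tree.items():
        if len(path) != 2 or path[0] != "firewall policy" or "file-filter-profile" not in kv:
            continue
        prof = kv["file-filter-profile"][0]
        dirs = {v.get("direction", ["any"])[0] for p, v in tree.items()
                if p[:3] == ("file-filter profile", prof, "rules")}
        out.append({"policy": path[1], "profile": prof, "directions": sorted(dirs),
                    "mode": kv.get("inspection-mode", ["flow"])[0],
                    "covers_replies": bool(dirs & {"incoming", "any"})})
    return out
```

Run `audit()` on the text of a full-configuration backup; a policy reported with `covers_replies` false has no file-filter rule written for the download direction, independent of the flow or proxy question.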