Support Forum
PatrykINTERNET
New Contributor II

Issue with Two-Way File Filter on FortiGate 40F (v7.6.3) – Only Blocks Uploads

I have configured a File Filter on a FortiGate 40F running FortiOS 7.6.3. The filter is applied to the LAN -> WAN policy and set to Both (two-way). However, the problem is that it only blocks files being uploaded from LAN to WAN, while downloads are not blocked.

Additionally, the antivirus on the same policy correctly blocks infected downloaded files, so the issue doesn’t seem to be with the policy or antivirus itself. I don’t want to create a WAN -> LAN policy because I don’t want external users to have access to the LAN network.

Also, I can’t find the PROXY feature in the configuration — it seems like it might have been removed or is unavailable in this version.

Does anyone know if this is expected behavior for the file filter in FortiOS 7.6.3? Am I missing some configuration to actually make it work two-way? Any advice would be much appreciated.

1 Solution
atakannatak
Contributor II

Hi @PatrykINTERNET ,

On a FortiGate 40F running FortiOS 7.6.3, the File Filter profile can block uploads but not downloads because two-way inspection works only when the policy runs in proxy mode. Proxy mode—and every proxy-based feature—was removed from models with ≤ 2 GB RAM (40F/60F series) starting in FortiOS 7.4.4, so those units operate exclusively in flow mode.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/519079/proxy-related-feature...

Flow mode sees the filename in an HTTP POST (upload) and can act on it, but it cannot pause an HTTP response (download) to examine the file. Antivirus still scans downloads because its flow engine looks at the payload, but File Filter rules that rely on filename, MIME type, or true file type are upload-only on 2 GB models.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/984084/file-filter

Work-arounds:

  • Accept upload-only filtering and rely on antivirus for malware downloads.
  • Move the traffic to a FortiGate with ≥ 4 GB RAM (proxy mode available).
  • Add a FortiProxy or a larger FortiGate used as an explicit proxy in front of the 40F.

BR.

If my answer provided a solution for you, please mark the reply as the solution so that others can find it easily when searching for similar scenarios.

CCIE #68781

Atakan Atak
