gregs
New Contributor

Wanted: Easier File Blocking

Hi all, I am looking for a way to deny all file transfers except for the ones I want to allow. It would be much easier to maintain a list of allowed files as opposed to blocked files. I have looked through the docs and can't find a reference to what I want to do. If the file block list was treated like a policy list you could put your allowed files first, then a deny *.*

Greg

PS. There is a 55 file limit that I just hit on my 3600 File Block List.
Not applicable

File blocking is not a strong feature of FGTs. They only look at the first extension. If you block only .exe it will not be blocked if it is inside a zip file. Also it does not use file signatures, so if you rename a .mp3 to .txt it will pass. In your case use some * and ? etc. to reduce size. For example, instead of blocking *.mp4, *.mp4, *.mpeg, *.mpg just block *.mp* or even *.m* (to get also *.mov). That will save you some entries.

Personally I block only executables .exe .bat .scr .com .pif and .vb* .cpl (.cpl are executables by the way) and big multimedia files (.avi, .mp* .mov etc...)

PS. I agree it would be good to have deny all unless permit, but this is tricky for web (many sites would stop working) and then you would need more than 55 file types to allow.
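To make the two ideas in this thread concrete, here is an added illustration that is not code from the original posts and not how the FortiGate implements its File Block List. It models the file list as a first-match policy list, the way Greg proposed (allowed globs first, then a catch-all deny), shows how one wildcard entry like `*.m*` collapses several entries, and adds the two checks Matt says the appliance does not do: sniffing the leading bytes against the claimed extension (so a renamed .mp3 is caught) and recursing into ZIP archives (so an .exe inside a zip is caught). The magic-byte table, rule lists and sample files are all constructed for the example.

```python
import fnmatch
import io
import zipfile

# Constructed magic-byte table (assumption: a handful of well-known leading
# bytes, enough to show the idea; not a complete signature database).
MAGIC_BYTES = {
    b"MZ": "exe",          # PE/DOS executable
    b"PK\x03\x04": "zip",  # ZIP local file header
    b"ID3": "mp3",         # MP3 carrying an ID3v2 tag
    b"%PDF": "pdf",
}

def sniff_type(data):
    """Return the content type implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC_BYTES.items():
        if data.startswith(magic):
            return kind
    return None

def extension(name):
    """Lower-cased final extension of a file name ('' if it has none)."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def decide(name, rules):
    """First-match policy list: rules is an ordered list of (glob, 'allow'|'deny').
    A name matching no rule is allowed, so a block list needs no catch-all and
    an allow list ends with a ('*', 'deny') entry."""
    for pattern, action in rules:
        if fnmatch.fnmatch(name.lower(), pattern.lower()):
            return action
    return "allow"

# Greg's wish: list what is allowed, then deny everything else. '*' rather than
# '*.*' so that names without any extension fall through to the deny as well.
ALLOW_LIST = [("*.pdf", "allow"), ("*.txt", "allow"), ("*", "deny")]

# Matt's consolidated block list: one wildcard entry covers mp3/mp4/mpeg/mpg/mov.
BLOCK_LIST = [("*.exe", "deny"), ("*.scr", "deny"), ("*.m*", "deny")]

def inspect(name, data, rules, depth=0, max_depth=3):
    """Return [(name, verdict, reason), ...] for the file and any ZIP members.
    Adds the two checks the post says the appliance lacks: content sniffing
    against the claimed extension, and recursion into ZIP archives."""
    sniffed = sniff_type(data)
    ext = extension(name)
    if sniffed is not None and sniffed != ext:
        findings = [(name, "deny", f"content looks like {sniffed}, extension is .{ext or '(none)'}")]
    elif decide(name, rules) == "deny":
        findings = [(name, "deny", "matched a deny rule")]
    else:
        findings = [(name, "allow", "no deny rule matched")]
    if sniffed == "zip":
        if depth >= max_depth:  # bound the recursion so nested archives cannot exhaust us
            findings.append((name, "deny", "archive nesting too deep to inspect"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.extend(inspect(member, zf.read(member), rules, depth + 1, max_depth))
        except zipfile.BadZipFile:
            findings.append((name, "deny", "unreadable archive"))
    return findings

def is_clean(name, data, rules):
    """True only if the file and everything inside it passes."""
    return all(verdict == "allow" for _, verdict, _ in inspect(name, data, rules))

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()

# Constructed samples, not real files.
SAMPLES = {
    "notes.txt": b"plain text, nothing special",
    "song.txt": b"ID3\x03\x00 renamed mp3, the extension lies",
    "tool.exe": b"MZ\x90\x00 stub executable header",
    "bundle.zip": build_zip({"tool.exe": b"MZ\x90\x00 executable hidden in an archive"}),
}

if __name__ == "__main__":
    for rules_name, rules in (("allow-list", ALLOW_LIST), ("block-list", BLOCK_LIST)):
        print(f"== {rules_name} ==")
        for fname, payload in SAMPLES.items():
            for item, verdict, reason in inspect(fname, payload, rules):
                print(f"{fname:12} {item:12} {verdict:5} {reason}")
```

Running it shows `bundle.zip` passing the name check under the block list while its `tool.exe` member is denied, and `song.txt` being denied by the content check under both lists even though `*.txt` is on the allow list. The allow list also denies an extensionless name such as `README`, which a literal `*.*` catch-all would let through.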
gregs
New Contributor

Matt, thanks for your input. We have a Mirapoint mail system that strips a large number of file extensions. We wanted to have the FG do it to all data streams, but it appears to be too unwieldy and undoable with a 55 file limit. I will take your suggestion and strip out just executables and some of the others at the FG.

Thanks again

Greg
Oberon
New Contributor

Might it be possible to set the file extensions limit higher with the console?

kr Oberon
Private Use: Fortigate-50B, 4.00-MR3, NAT/IPsec-VPN/SSL-VPN
gregs
New Contributor

Oberon, good suggestion but I don't see any reference to that. I think I'll let my mail server do the bulk of the work, and use the FG to strip the ones in the default list.

Greg