I am looking for a way to deny all file transfers except for the ones I want to allow. It would be much easier to maintain a list of allowed files as opposed to blocked files. I have looked through the docs and can't find a reference to what I want to do.
If the file block list were treated like a policy list, you could put your allowed files first and then a deny *.*
PS. There is a 55-file limit that I just hit on my 3600 File Block List.
File blocking is not a strong feature of FGTs. They only look at the first extension. If you block only .exe, it will not be blocked if it is inside a zip file. Also, it does not use file signatures, so if you rename a .mp3 to .txt it will pass.
In your case, use some * and ? etc. to reduce the size.
Instead of blocking *.mp4, *.mp4, *.mpeg, *.mpg, just block *.mp* or even *.m* (to also get *.mov). That will save you some entries.
Personally I block only executables (.exe, .bat, .scr, .com, .pif, .vb*, .cpl; .cpl files are executables, by the way) and big multimedia files (.avi, .mp*, .mov, etc.).
PS. I agree it would be good to have deny-all-unless-permitted, but this is tricky for web (many sites would stop working), and then you would need more than 55 file types to allow.
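The three weaknesses described in the reply above (name-only matching, no magic-number check, no look inside archives) are easy to see side by side. The following is an added example, not code from the thread or from Fortinet: a small Python script that applies a glob-style block list like the one suggested (`*.exe`, `*.vb*`, `*.mp*`, ...) to file names only, then runs a content check next to it. The block list, the tiny magic-number table and the sample transfers are all constructed for illustration.

```python
import fnmatch
import io
import zipfile

# Constructed block list in the spirit of the advice above: executables plus
# wildcard entries that collapse several multimedia extensions into one pattern.
BLOCK_PATTERNS = [
    "*.exe", "*.bat", "*.scr", "*.com", "*.pif", "*.vb*", "*.cpl",
    "*.mp*", "*.mov", "*.avi",
]

# Assumed, deliberately tiny set of magic numbers; real content inspection uses
# a far larger table (e.g. libmagic). Keys are leading bytes, values a type label.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
    b"ID3": "mp3",
}


def blocked_by_extension(filename, patterns=BLOCK_PATTERNS):
    """Name-only check: case-insensitive glob against the whole file name.

    This mimics an extension filter that never looks at content. A name like
    'tool.exe.txt' ends in '.txt' and so slips past '*.exe'.
    """
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def sniff_type(data):
    """Return a type label from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def type_is_blocked(kind, patterns=BLOCK_PATTERNS):
    """Would a file honestly named with this type's extension be blocked?"""
    return kind != "unknown" and blocked_by_extension("file." + kind, patterns)


def inspect(filename, data, patterns=BLOCK_PATTERNS):
    """Combine the name-only verdict with content-based findings.

    Findings list what the extension filter alone would miss: a blocked type
    hiding under a harmless name, or a blocked file inside a zip archive.
    """
    kind = sniff_type(data)
    findings = []
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner_kind = sniff_type(zf.read(member))
                if blocked_by_extension(member, patterns) or type_is_blocked(inner_kind, patterns):
                    findings.append(f"archive member {member!r} is {inner_kind}")
    elif type_is_blocked(kind, patterns) and not blocked_by_extension(filename, patterns):
        findings.append(f"content is {kind} but name {filename!r} is not matched")
    return {
        "name": filename,
        "type": kind,
        "extension_blocked": blocked_by_extension(filename, patterns),
        "findings": findings,
    }


def make_samples():
    """Constructed in-memory transfers (not real files from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.exe", b"MZ\x90\x00fake PE header")
        zf.writestr("readme.txt", b"plain text")
    return [
        ("setup.exe", b"MZ\x90\x00fake PE header"),      # caught by *.exe
        ("tool.exe.txt", b"MZ\x90\x00fake PE header"),   # double extension
        ("song.txt", b"ID3\x03\x00fake mp3 tag"),        # renamed .mp3
        ("bundle.zip", buf.getvalue()),                  # .exe inside a zip
        ("notes.txt", b"just notes"),                    # genuinely harmless
    ]


def scan_all(samples=None):
    """Run inspect() over the samples; returns {name: result}."""
    return {name: inspect(name, data) for name, data in (samples or make_samples())}


if __name__ == "__main__":
    for name, r in scan_all().items():
        verdict = "BLOCK" if r["extension_blocked"] else "pass "
        missed = "; ".join(r["findings"]) or "-"
        print(f"{verdict} {name:14} type={r['type']:8} missed by name check: {missed}")
```

Running it shows only `setup.exe` blocked by the name check, while the double-extension executable, the renamed MP3 and the zipped executable all pass and are surfaced only by the content and archive checks; that is the gap a mail gateway or antivirus scan has to cover when the firewall's list is pattern-based.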
Matt, thanks for your input. We have a Mirapoint mail system that strips a large number of file extensions. We wanted to have the FG do it to all data streams, but it appears to be too unwieldy and undoable with a 55-file limit. I will take your suggestion and strip out just executables and some of the others at the FG.