Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gregs
New Contributor

Created on ‎11-02-2004 08:23 AM

Wanted:Easier File Blocking

Hi all, I am looking for a way to deny all file transfers except for the ones I want to allow. It would be much easier to maintain a list of allowed files as opposed to blocked files. I have looked thru the docs and and can' t find a reference to what I want to do. If the file block list was treated like a policy list you could put your allowed files first then, a deny *.* Greg PS. There is a 55 file limit that I just hit on my 3600 File Block List.
983
0 Kudos
4 REPLIES 4
Not applicable

Created on ‎11-04-2004 01:36 AM

File blocking is not a strong feature of FGTs. They only look the first extension. If you block only .exe it will not be blocked if it is inside a zip file. Also it does not use file signatures so if you rename a .mp3 to .txt it will pass.. In your case use some * and ? etc to reduce size F.E. Instead of blocking *.mp4, *.mp4, *.mpeg, *.mpg just block *.mp* or even *.m* (to get also *.mov). That will save you some entries. Personaly I block only exetubles .exe .bat .scr .com .pif and .vb* .cpl (.cpl are exetubles by the way) and big mutimedia files (.avi, .mp* .mov etc...) PS. I agree it would be good to have deny all unless permit but this is tricky for web (many sites would stop working) and then you would need more than 55 file type to allow
569
0 Kudos
gregs
New Contributor

Created on ‎11-04-2004 07:05 AM

Matt, thanks for your input. We have a Mirapoint mail system that strips a large number of file extensions. We wanted to have the FG do it to all data streams, but it appears to be too unwieldy and undoable with a 55 file limit. I will take your suggestion and strip out just executables and some of the others at the FG. Thanks again Greg
569
0 Kudos
Oberon
New Contributor

Created on ‎11-08-2004 01:11 AM

Would it be might possible to set the file extensions limit higher with the console? kr Oberon
Private Use: Fortigate-50B, 4.00-MR3, NAT/IPsec-VPN/SSL-VPN
569
0 Kudos
gregs
New Contributor

Created on ‎11-08-2004 08:58 AM

Oberon, good suggestion but I don' t see any reference to that. I think I' ll let my mail server do the bulk of the work, and use the FG to strip the ones in the default list. Greg
569
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.