config dlp filepattern
    edit 1
        set comment "block in emails"
        config entries
            edit "*.bat"
            next
            edit "*.com"
            next
            edit "*.dll"
            next
            edit "*.exe"
            next
            edit "*.gz"
            next
            edit "*.hta"
            next
            edit "*.scr"
            next
            edit "*.tar"
            next
            edit "*.tgz"
            next
            edit "*.vb?"
            next
            edit "*.wps"
            next
            edit "*.pif"
            next
            edit "*.cpl"
            next
            edit "*.pif*"
            next
            edit "*.vb"
            next
            edit "*.msi"
            next
            edit "*.msp"
            next
            edit "*.sct"
            next
            edit "*.cmd"
            next
            edit "*.dbx"
            next
            edit "*.wab"
            next
            edit "*.js"
            next
            edit "*.lha"
            next
            edit "*.lzh"
            next
            edit "*.reg"
            next
            edit "*.swf"
            next
            edit "*.sys"
            next
            edit "*.asm"
            next
            edit "*.cgi"
            next
            edit "*.dcx"
            next
            edit "*.dtd"
            next
            edit "*.ocx"
            next
            edit "*.tmp"
            next
            edit "*.bin"
            next
            edit "*.css"
            next
            edit "*.drv"
            next
            edit "*.lib"
            next
            edit "*.vxd"
            next
            edit "*.bad"
            next
            edit "*.enc"
            next
            edit "*.mp?"
            next
            edit "*.shs"
            next
            edit "*.mht"
            next
        end
        set name "FileFilter-Mail"
    next
end

But the profile blocks those. Here is an example of the DLP log:
Action: log-only
DLP Extra Info.: FileFilter-Mail
Date/Time: 16:44:52
Destination Port: 25
Epoch: 811809101
Event ID: 0
Event Type: dlp
File: Case_74Z0EKUGDZ6HIA4.zip
File Type: zip
Filter Category: file
Filter Index: 1
Filter Type: file-type
Identity Index: 0
Log ID: 24577
Policy ID: 43
Profile: default
Received: 50 B
Sent: 13 KB
Sequence No.: 237121
Service: smtp
Source IP: [United States] xx.201.104.xx
Sub Type: dlp
Subject: FW%3A%20IMPORTANT%20-%20Suspicious%20Activity%2074Z0EKUGDZ6HIA4
Time Stamp: 2013-08-30 16:44:52
To: info@domain.com
Type: utm
Virtual Domain: root

We have only 2 file pattern lists, one for email and one for web, and *.zip isn't listed in them. Not in the GUI and not in the CLI. Any suggestions?
Action: log-only

This log event info only states the event was logged -- no indication that the zip file attachment was blocked. Do you have any log events indicating zipped files were actually blocked? Do you have any size limit set on attachment size, say to block or allow them through?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I encountered the same thing in 6.2.3 VM eval license.
It blocks zip even though zip is not listed in filepattern.
config dlp filepattern
    edit 1
        set name "DLP-BLOCKFILE"
        config entries
            edit "bat"
                set filter-type type
                set file-type bat
            next
            edit "com"
                set filter-type type
            next
            edit "dll"
                set filter-type type
            next
            edit "exe"
                set filter-type type
            next
            edit "hta"
                set filter-type type
            next
            edit "scr"
                set filter-type type
            next
            edit "pif"
                set filter-type type
            next
            edit "cpl"
                set filter-type type
            next
        end
    next
end
config dlp sensor
    edit "default"
        set comment "Default sensor."
        config filter
            edit 1
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by file-type
                set file-type 2
                set action block
            next
        end
    next
    edit "sniffer-profile"
        set comment "Log a summary of email and web traffic."
        set summary-proto smtp pop3 imap http-get http-post
    next
    edit "DLP-BLOCKSENSOR"
        config filter
            edit 1
                set proto smtp pop3 imap http-get http-post ftp mapi
                set filter-by file-type
                set file-type 1
                set archive enable
                set action block
            next
        end
        set extended-log enable
    next
end
config firewall policy
    edit 1
        set name "FGT1-SWtoWAN"
        set srcintf "FGT1-SW"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set dlp-sensor "DLP-BLOCKSENSOR"
        set logtraffic disable
        set nat enable
    next
end
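Added example, not part of either poster's configuration: a small Python check of the first message's pattern list against the logged file name, plus the archive-member check that becomes relevant because the second configuration above sets `set archive enable` on its filter. `FILEPATTERN_CLI` is a trimmed copy of the posted list, the zip archive is constructed, and case-insensitive glob matching is an assumption.

```python
import fnmatch
import io
import re
import zipfile

# Constructed, trimmed copy of the filepattern list posted in the first message.
FILEPATTERN_CLI = '''
config dlp filepattern
    edit 1
        config entries
            edit "*.bat"
            next
            edit "*.exe"
            next
            edit "*.vb?"
            next
        end
        set name "FileFilter-Mail"
    next
end
'''

def parse_entries(cli_text):
    """Return the quoted names inside 'config entries' (the filename globs)."""
    block = re.search(r"config entries(.*?)\n\s*end", cli_text, re.S)
    return re.findall(r'edit\s+"([^"]+)"', block.group(1)) if block else []

def matching_patterns(filename, patterns):
    """Globs that match the file name (case-insensitive matching is assumed)."""
    name = filename.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(name, p.lower())]

def matching_archive_members(zip_bytes, patterns):
    """Members of a zip whose names match, mapped to the globs they hit.
    This is the check to run when archive scanning is enabled on the sensor."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            found = matching_patterns(member.rsplit("/", 1)[-1], patterns)
            if found:
                hits[member] = found
    return hits

def build_sample_zip():
    """Constructed archive named like the one in the log, with one .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Case_74Z0EKUGDZ6HIA4/report.txt", "plain text")
        zf.writestr("Case_74Z0EKUGDZ6HIA4/invoice.exe", b"MZ constructed stub")
    return buf.getvalue()
```

The logged name `Case_74Z0EKUGDZ6HIA4.zip` matches none of the globs on its own, while a member such as `invoice.exe` inside it does, which is the distinction to check in the logs when a sensor has archive scanning on.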