FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
FortiKoala
Staff
Staff
Description
The web filtering by MIME content header feature may be enabled on listed FortiOS firmware versions. 
 
This feature may prove useful in some scenarios, for example to exempt audio streaming files from antivirus scanning (to avoid buffering on the FortiGate unit), or to block video streaming files for end users.

Scanning of these file types can be problematic, as those files often do not have a pre-determined file size. This can cause the FortiGate unit to buffer a large amount of data, without being able to perform any scan.

The content header list is configurable in the CLI only.

For other details, please refer to the FortiGate CLI reference guides at http://docs.fortinet.com .
 

Solution
The first step is to create a list of content headers. This can either be configured to match any audio/video entry using regular expressions (regex), or be entered one at a time, after having analyzed the real traffic patterns.
 
In order to determine the Content-Type, a packet sniffer software, such as Wireshark, must be used.

Some examples when looking at video traffic from YouTube are given below:
Hypertext Transfer Protocol
HTTP/1.0 200 OK\r\n
Request Version: HTTP/1.0
Response Code: 200
Server: DCLK-AdSvr\r\n
Content-Type: video/x-ms-asf\r\n
X-Google-Inred-Content-Type: video/x-ms-asf\r\n
Content-Length: 410\r\n
Content-Encoding: gzip\r\n

Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Request Version: HTTP/1.1
Response Code: 200
Last-Modified: Mon, 14 Sep 2009 00:40:51 GMT\r\n
Content-Type: video/x-flv\r\n
Content-Length: 200994\r\n
Connection: close\r\n
Content-Disposition: attachment; filename="video.flv"\r\n
Expires: Thu, 29 Oct 2009 09:06:24 GMT\r\n
Cache-Control: public,max-age=3600\r\n
Date: Thu, 29 Oct 2009 08:06:24 GMT\r\n
Server: gvs 1.0\r\n
The following example is a generic one to block any Content-Type with video and to exempt from AV scanning any Content-Type with audio.

Both are created with regular expressions (".*" matching multiple times any character).

CLI syntax:
config webfilter content-header
edit 1
set comment ''
config entries
edit "video\\/.*"
set action block
next
edit "audio\\/.*"
set action exempt
next
end
set name "weblist-01"
next
end

This second example is to exempt from AV scanning a specific Content-Type.

Important note:

The "/" in the regex is a special character and has to be escaped. If you write "application/vnd.rn-realmedia" without escaping the "/", every Content-Type beginning with "application" will be matched

CLI syntax:


     config webfilter content-header
     edit 1
     set comment ''
     config entries
     edit "application\\/vnd.rn-realmedia"
     set action exempt
     next


Once the content-header list has been created, it must be selected from the protection profile. In addition, the content-header check must be added to http.


The following example shows the content-header number 1 added to the "web" protection profile.
  

CLI syntax for FortiOS v5.x:
config webfilter profile
  edit "web"
    set comment " "
  config web
    set content-header-list 1
  end
  next
end

Related Articles

Technical Note : FortiGate configuration for HTTP chunked messages ( real time Live Trading, video /...

Technical Note: Using the 'web filtering by content header' feature to block or exempt audio / video...

Contributors