Description The web filtering by MIME content header feature may be enabled on listed FortiOS firmware versions.
This
feature may prove useful in some scenarios, for example to exempt audio
streaming files from antivirus scanning (to avoid buffering on the
FortiGate unit), or to block video streaming files for end users.
Scanning
of these file types can be problematic, as those files often do not
have a pre-determined file size. This can cause the FortiGate unit to
buffer a large amount of data, without being able to perform any scan.
The content header list is configurable in the CLI only.
For other details, please refer to the FortiGate CLI reference guides at http://docs.fortinet.com .
SolutionThe
first step is to create a list of content headers. This can either be
configured to match any audio/video entry using regular expressions
(regex), or be entered one at a time, after having analyzed
the real traffic patterns.
In order to determine the Content-Type, a packet sniffer software, such as Wireshark, must be used.
Some examples when looking at video traffic from YouTube are given below:
Hypertext Transfer Protocol
HTTP/1.0 200 OK\r\n
Request Version: HTTP/1.0
Response Code: 200
Server: DCLK-AdSvr\r\n
Content-Type: video/x-ms-asf\r\n
X-Google-Inred-Content-Type: video/x-ms-asf\r\n
Content-Length: 410\r\n
Content-Encoding: gzip\r\n
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Request Version: HTTP/1.1
Response Code: 200
Last-Modified: Mon, 14 Sep 2009 00:40:51 GMT\r\n
Content-Type: video/x-flv\r\n
Content-Length: 200994\r\n
Connection: close\r\n
Content-Disposition: attachment; filename="video.flv"\r\n
Expires: Thu, 29 Oct 2009 09:06:24 GMT\r\n
Cache-Control: public,max-age=3600\r\n
Date: Thu, 29 Oct 2009 08:06:24 GMT\r\n
Server: gvs 1.0\r\n
The following example is a generic one to block any Content-Type with video and to exempt from AV scanning any Content-Type with audio.
Both are created with regular expressions (".*" matching multiple times any character).
CLI syntax:
config webfilter content-header
edit 1
set comment ''
config entries
edit "video\\/.*"
set action block
next
edit "audio\\/.*"
set action exempt
next
end
set name "weblist-01"
next
end
This second example is to exempt from AV scanning a specific Content-Type.
Important note:
The
"/" in the regex is a special character and has to be escaped. If you
write "application/vnd.rn-realmedia" without escaping the "/", every
Content-Type beginning with "application" will be matched
CLI syntax:
config webfilter content-header
edit 1
set comment ''
config entries
edit "application\\/vnd.rn-realmedia"
set action exempt
next
Once
the content-header list has been created, it must be selected from the
protection profile. In addition, the content-header check must be added
to http.
The following example shows the content-header number 1 added to the "web" protection profile.
CLI syntax for FortiOS v5.x:
config webfilter profile
edit "web"
set comment " "
config web
set content-header-list 1
end
next
end |
Related Articles
Technical Note : FortiGate configuration for HTTP chunked messages ( real time Live Trading, video /...
Technical Note: Using the 'web filtering by content header' feature to block or exempt audio / video...
