
Administration Guide

Configuring a File Restriction rule

Configure the File Restriction Rule for Input Validation to enforce restrictions on file uploads based on file type and size. The rule performs the following checks:

  • Matches the HOST using either simple string or regular expression patterns.

  • Matches the URL using either simple string or regular expression patterns.

  • Analyzes the uploaded file type and size based on HTTP MIME (Multipurpose Internet Mail Extensions), magic numbers (file signatures), and file extension.

When the defined conditions are met, the system enforces the specified action. Additionally, if multiple files of different types are uploaded in a single HTTP transaction, and one file type violates the rule, the entire transaction will be rejected, resulting in all files being blocked.

File Type Identification in FortiADC

FortiADC employs two methods for file type identification: file type signatures and suffix matching.

File Type Signatures:

FortiADC examines specific attributes of a file to determine its content type by detecting unique signatures, or magic codes, associated with predefined file types based on MIME types and magic numbers (file signatures). If the detected file type matches one specified in the file restriction rule, the system enforces the corresponding action. Supported file type categories include Audio Files, Compressed Files, Picture Files, Text Files, and Video Files.

Suffix Matching:

FortiADC can also identify files based on their suffix (extension). If the file suffix matches an entry under the Whole Suffix Files category in the file restriction rule, the associated action is triggered.

When both file type signature and suffix matching are configured, suffix matching takes precedence. If the file suffix matches, the file restriction rule is applied immediately. If the suffix does not match but the file signature does, the file restriction rule will still be enforced.

For the full list of the supported file types, see Supported File Types.

To configure a File Restriction rule:
  1. Go to Web Application Firewall > Input Validation.
  2. Click the File Restriction tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following File Restriction settings:

    Setting

    Description

    Name

    Enter a unique File Restriction policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

    Note: Once saved, the name of a File Restriction policy cannot be changed.

    Host Status

    Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host.

    Host

    The Host option is available if Host Status is enabled.

    Select the protected host name entry (either a web host name or IP address) that the Host: field of the HTTP request must match in order to match the URL access rule.

    Request URL

    The HTTP request URL must start with /, for example /login. This item must be set when configuring the rule. FortiADC evaluates the other items of the rule only after the request URL matches; if the URL match fails, FortiADC does not attempt to match the others.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects.

    The default value is Alert.

    Severity

    When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select the severity level FortiADC uses for Input Validation violations:

    • Low
    • Medium
    • High

    The default value is Low.

    Upload File Status

    Allow: Only allow the selected file type to upload.

    Block: Block any upload of the selected file type.

    Upload File Size

    The maximum size of the uploaded file, in KB. The default value is 0, and the range is 0-102400 KB.

  5. Click Save.
    Once the File Restriction configuration is saved, the Upload File Type section can be configured.
  6. Under the Upload File Type section, click Create New to display the configuration editor.
  7. In the File Type field, select the supported file types for the uploaded file.
  8. Click Save to update the File Restriction configuration.

After the File Restriction rule has been saved, you can include it in an Input Validation Policy.
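The following is an added example, not FortiADC code, modelling the evaluation order described above (suffix match first, signature only on a suffix miss, one violating part rejecting the whole transaction) together with the Upload File Status and Upload File Size settings. The signature and suffix tables are constructed from a few entries of the Supported File Types list, and treating a size of 0 as "no limit" is an assumption.

```python
"""Model of the File Restriction evaluation (added example, not FortiADC code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed signature table: magic numbers for a few types on the page.
SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPG",
    b"GIF8": "GIF",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP",
    b"MZ": "EXE",
}

# Constructed suffix table, standing in for the "Whole Suffix Files" category.
SUFFIXES: Dict[str, str] = {
    ".png": "PNG", ".jpg": "JPG", ".pdf": "PDF",
    ".zip": "ZIP", ".exe": "EXE", ".php": "PHP",
}


@dataclass(frozen=True)
class Rule:
    status: str               # "allow" or "block" (Upload File Status)
    file_types: frozenset     # file types selected under Upload File Type
    max_size_kb: int = 0      # Upload File Size; 0 treated as unlimited (assumption)


def identify(filename: str, data: bytes) -> Optional[str]:
    """Suffix matching takes precedence; the signature is consulted only on a suffix miss."""
    dot = filename.rfind(".")
    if dot != -1:
        by_suffix = SUFFIXES.get(filename[dot:].lower())
        if by_suffix is not None:
            return by_suffix
    for magic, file_type in SIGNATURES.items():
        if data.startswith(magic):
            return file_type
    return None


def check_part(rule: Rule, filename: str, data: bytes) -> Optional[str]:
    """Return a violation reason for one uploaded part, or None if it passes."""
    if rule.max_size_kb and len(data) > rule.max_size_kb * 1024:
        return f"{filename}: exceeds {rule.max_size_kb} KB"
    file_type = identify(filename, data)
    if rule.status == "allow" and file_type not in rule.file_types:
        return f"{filename}: type {file_type} is not in the allowed set"
    if rule.status == "block" and file_type in rule.file_types:
        return f"{filename}: type {file_type} is blocked"
    return None


def evaluate_transaction(rule: Rule, parts: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """One violating part rejects the whole HTTP transaction, so every part is blocked."""
    violations: List[str] = []
    for filename, data in parts.items():
        reason = check_part(rule, filename, data)
        if reason is not None:
            violations.append(reason)
    return (not violations, violations)
```

Because a suffix hit ends identification, a rule that should catch a given type regardless of the name needs that type selected in both the signature category and the Whole Suffix Files category.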

Supported File Types

Audio Files
  • MP3
  • MIDI
  • WAVE
  • AVI
  • Apple CoreAudio (.caf)
  • Microsoft Advanced Streaming (.asf)
  • Real Audio File (.ra)
  • Apple Lossless Audio (.m4a)
  • Digital Speech Standard (.dss)
  • Advanced Audio Coding (.aac)

Compressed Files
  • RAR
  • ZIP
  • TAR
  • 7-ZIP
  • Debian Package
  • Microsoft Cabinet File
  • Unix Archiver File (.ar)
  • InstallShield Cabinet Archive Data
  • AIN Archive Data (.ain)
  • BZIP2 Archive (.bz2)
  • WinZIP ZIPX Archive (ZIPx)
  • Gzipped Tape Archive (TGZ)
  • Extensible Archive (XAR)

Picture Files
  • GIF
  • JPG
  • BMP
  • PNG
  • TIFF/TIF
  • Windows Metafile Format (.wmf)
  • CorelDRAW Picture
  • Windows Icon
  • Microsoft Document Image (.mdi)
  • Windows Enhanced Metafile (.emf)
  • Photoshop Image File (.psd)
  • JPEG-2000 Image File Format (.jp2)
  • Multipage PCX Bitmap File (.dcx)

Text Files
  • PDF
  • XML
  • CHM
  • EXE
  • RTF
  • Windows Help File (.hlp)
  • Windows Mobile Note (.pwi)
  • Windows Registry Text (.reg)
  • SQL Server 2000 Database (.mdf)
  • Java Archive (.jar)
  • Windows Printer Spool File (.shd)
  • Windows Shortcut File (.lnk)
  • QuarkXPress Document (.qxd)
  • Windows MS Info File (.mof)
  • Microsoft Access Database (.mdb)
  • SPSS Data (.sav)
  • XPS
  • Word (.docx)
  • Word Macro-Enabled (.docm)
  • Word Template (.dotx)
  • Word Macro-Enabled Template (.dotm)
  • Excel (.xlsx)
  • Excel Macro-Enabled (.xlsm)
  • Excel Template (.xltx)
  • Excel Macro-Enabled Template (.xltm)
  • Excel Add-In (.xlam)
  • PPT (.pptx)
  • PPT Macro-Enabled (.pptm)
  • PPT Template (.potx)
  • PPT Macro-Enabled Template (.potm)
  • PPT Add-In (.ppam)
  • PPT Show (.ppsx)
  • PPT Macro-Enabled Show (.ppsm)
  • Visio Drawing (.vsdx)
  • Visio Macro-Enabled Drawing (.vsdm)
  • Visio Stencil (.vssx)
  • Visio Macro-Enabled Stencil (.vssm)
  • Visio Template (.vstx)
  • Visio Macro-Enabled Template (.vstm)
  • VMware Virtual Disk File (.vmdk)
  • Red Hat Package Manager File (.rpm)
  • Lotus WordPro Document (.lwp)
  • Adobe Encapsulated PostScript File (.eps)
  • Lotus 1-2-3 Spreadsheet (.wk)
  • SkinCrafter Skin File (.skf)
  • Nero CD Compilation (.nri)
  • TXT
  • Microsoft Office Word (.doc)
  • Microsoft Office Excel (.xls)
  • Microsoft Office PowerPoint (.ppt)
  • Hancom Office Hanword (.hwp)
  • Electronic Publication (.epub)
  • Dynamic Link Library (.dll)
  • SYS File (.sys)
  • COM File (.com)
  • CMD File (.cmd)
  • Binary File (.bin)
  • Scalable Vector Graphics (.svg)
  • PHP (.php)
  • Perl (.pl)
  • Python (.py)
  • Ruby (.rb)
  • Microsoft Software Installer (.msi)
  • Batch File (.bat)
  • Privacy-Enhanced Mail (.pem)
  • X.509 Certificate (.cer)
  • X.509 Certificate (.crt)

Video Files
  • Real Media File (.rm)
  • MPEG v4
  • 3GPP
  • Macromedia Flash
  • Windows Animated Cursor
  • DVD Video Movie File (.vob)
  • MKV

Whole Suffix Files
  • TXT (.txt)
  • ZIP (.zip)
  • 7-ZIP (.7z)
  • Debian Package (.pkg)
  • Unix Archiver File (.ar)
  • AIN Archive Data (.ain)
  • BZIP2 Archive (.bz2)
  • Gzipped Tape Archive (.tgz)
  • Word (.docx)
  • Word Macro-Enabled (.docm)
  • Word Template (.dotx)
  • Word Macro-Enabled Template (.dotm)
  • Excel (.xlsx)
  • Excel Macro-Enabled (.xlsm)
  • Excel Template (.xltx)
  • Excel Macro-Enabled Template (.xltm)
  • Excel Add-In (.xlam)
  • PPT (.pptx)
  • PPT Macro-Enabled (.pptm)
  • PPT Template (.potx)
  • PPT Macro-Enabled Template (.potm)
  • PPT Add-In (.ppam)
  • PPT Show (.ppsx)
  • PPT Macro-Enabled Show (.ppsm)
  • Visio Drawing (.vsdx)
  • Visio Macro-Enabled Drawing (.vsdm)
  • Visio Stencil (.vssx)
  • Visio Macro-Enabled Stencil (.vssm)
  • Visio Template (.vstx)
  • Visio Macro-Enabled Template (.vstm)
  • PDF (.pdf)
  • XML (.xml)
  • EXE (.exe)
  • Rich Text Format (.rtf)
  • Windows Help File (.hlp)
  • Windows Mobile Note (.pwi)
  • Windows Registry Text (.reg)
  • SQL Server 2000 Database (.mdf)
  • Java Archive (.jar)
  • Windows Printer Spool File (.shd)
  • Windows Shortcut File (.lnk)
  • QuarkXPress Document (.qxd)
  • Windows MS Info File (.mof)
  • Microsoft Access Database (.mdb)
  • SPSS Data (.sav)
  • Red Hat Package Manager File (.rpm)
  • VMware Virtual Disk File (.vmdk)
  • Lotus WordPro Document (.lwp)
  • Adobe Encapsulated PostScript File (.eps)
  • Lotus 1-2-3 Spreadsheet (.wk)
  • SkinCrafter Skin File (.skf)
  • Nero CD Compilation (.nri)
  • Microsoft Office Word (.doc)
  • Microsoft Office Excel (.xls)
  • Microsoft Office PowerPoint (.ppt)
  • Hancom Office Hanword (.hwp)
  • PHP (.php)
  • JSP (.jsp)
  • ASPX (.aspx)
  • GIF (.gif)
  • JPG (.jpg)
  • BMP (.bmp)
  • PNG (.png)
  • Microsoft Metafile Format (.wmf)
  • Windows Icon (.icon)
  • Microsoft Document Image (.mdi)
  • Windows Enhanced Metafile (.emf)
  • Photoshop Image File (.psd)
  • JPEG-2000 Image File Format (.jp2)
  • Multipage PCX Bitmap File (.dcx)
  • SQL (.sql)
  • Cascading Style Sheets (.css)
  • ASP (.asp)
  • CSV (.csv)
  • PHP3 (.php3)
  • PHTML (.phtml)
  • Workflow File (.workflow)
  • Scalable Vector Graphics (.svg)
  • MSG (.msg)
  • OpenDocument Spreadsheet (.ods)
  • OpenDocument Text (.odt)
  • Privacy-Enhanced Mail (.pem)
  • Electronic Publication (.epub)
  • Advanced Audio Coding (.aac)
  • Personal Information Exchange (.pfx)
  • Personal Information Exchange (.p12)
  • Microsoft Software Installer (.msi)
  • Batch File (.bat)
  • Dynamic Link Library (.dll)
  • SYS File (.sys)
  • COM File (.com)
  • CMD File (.cmd)
  • Binary File (.bin)
  • Tab-Separated Values (.tsv)
  • Android Package Kit (.apk)
  • Compressed Package File (.xapk)
  • APK Set Archive (.apks)
  • APKMirror Bundle File (.apkm)
  • Distinguished Encoding Rules (.der)