New Features

6.2.0
File Filtering for Web and Email Filter Profiles

This feature adds file filtering capabilities to web and email filter profiles. Web filter profiles detect files carried over HTTP and FTP, while email filter profiles cover SMTP, POP3, and IMAP. New logs and replacement messages are also added.

To add a file filter to a web filter profile in the GUI:
  1. On the FortiGate, go to Security Profiles > Web Filter.
  2. Edit an existing profile, or create a new one.
  3. Enable File Filter, if not already enabled, then click Create New in the filter table. The Create New File Filter Rule pane opens.
  4. Configure the filter as required, then click OK.

To add a file filter to a web filter profile using the CLI:
config webfilter profile
  edit "webfilter-file-filter"
    config file-filter
      set status {enable | disable}
      set log {enable | disable}
      set scan-archive-contents {enable | disable}
      config entries
        edit "filter1"
          set comment "Block files"
          set protocol [http | ftp]
          set action {block | log}
          set direction {any | incoming | outgoing}
          set encryption {any | yes}
          set file-type "pdf" "msofficex"
        next
      end
    end
  next
end

Note: Web filter profiles handle HTTP and FTP protocols, and can configure the traffic direction.

Variable
    Description

status {enable | disable}
    Enable/disable file filtering (default = enable).

log {enable | disable}
    Enable/disable file filter logging (default = enable).

scan-archive-contents {enable | disable}
    Enable/disable file filter archive contents scan (default = enable).

comment <string>
    Optional comments.

protocol [http | ftp]
    Protocols to use (default = http ftp).

action {block | log}
    The action taken for a matched file (default = log).

direction {any | incoming | outgoing}
    Match files transmitted in the session's originating direction (incoming), reply direction (outgoing), or either (any) (default = any).

encryption {any | yes}
    Match encrypted files or not:
      • any - match any file (default).
      • yes - match only encrypted files.

file-type <string>
    Select the file types to match.

To add a file filter to an email filter profile in the GUI:
  1. On the FortiGate, go to Security Profiles > Email Filter.
  2. Edit an existing profile, or create a new one.
  3. Enable Enable Spam Detection and Filtering, if not already enabled.
  4. Enable File Filter, if not already enabled, then click Create New in the filter table. The Create New File Filter Rule pane opens.
  5. Configure the filter as required, then click OK.

To add a file filter to an email filter profile with the CLI:
config emailfilter profile
  edit "emailfilter-file-filter"
    config file-filter
      set status {enable | disable}
      set log {enable | disable}
      set scan-archive-contents {enable | disable}
      config entries
        edit "filter1"
          set comment "Block files"
          set protocol [smtp | imap | pop3]
          set action {block | log}
          set encryption {any | yes}
          set file-type "exe"
        next
      end
    end
  next
end

Note: Email filter profiles handle SMTP, IMAP, and POP3 protocols. The traffic direction cannot be configured, as it is implied by the protocol.

Variable
    Description

status {enable | disable}
    Enable/disable file filtering (default = enable).

log {enable | disable}
    Enable/disable file filter logging (default = enable).

scan-archive-contents {enable | disable}
    Enable/disable file filter archive contents scan (default = enable).

comment <string>
    Optional comments.

protocol [smtp | imap | pop3]
    Protocols to use (default = smtp imap pop3).

action {block | log}
    The action taken for a matched file (default = log).

encryption {any | yes}
    Match encrypted files or not:
      • any - match any file (default).
      • yes - match only encrypted files.

file-type <string>
    Select the file types to match.
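
Because action defaults to log in both the web and email filter variable tables above, a rule saved without an explicit "set action block" only records matches. The following audit is an added example, not Fortinet code; it assumes its input is a configuration backup or show output in which default-valued settings are omitted, and the profile name "wf-example" is made up.

```python
import shlex

DEFAULT_ACTION = "log"  # from the page's variable table: action default = log
PROFILE_TABLES = ("webfilter profile", "emailfilter profile")

# Constructed sample in the page's CLI syntax; "wf-example" is a made-up name.
SAMPLE = '''
config webfilter profile
  edit "wf-example"
    config file-filter
      config entries
        edit "filter1"
          set action block
          set file-type "pdf" "msofficex"
        next
        edit "filter2"
          set file-type "exe"
        next
      end
    end
  next
end
'''

def audit(text):
    """Return (table, profile, rule, action) for rules that match but do not block."""
    stack, found, fields = [], [], {}
    for line in text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:   # multi-line quoted value elsewhere in a backup
            continue
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
            fields = {}
        elif tok[0] == "set" and len(tok) > 2:
            fields[tok[1]] = tok[2]
        elif tok[0] in ("next", "end") and stack:
            # A rule sits at: <table> / <profile> / file-filter / entries / <rule>
            is_rule = (tok[0] == "next" and len(stack) == 5 and stack[0] in PROFILE_TABLES
                       and stack[2:4] == ["file-filter", "entries"])
            action = fields.get("action", DEFAULT_ACTION)
            if is_rule and action != "block":
                found.append((stack[0], stack[1], stack[4], action))
            stack.pop()
    return found
```

Each tuple returned names a rule whose matches are logged and passed, so every one should be either an intentional monitoring rule or a candidate for "set action block".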

New logs

A new file_filter event type is added to both web and email filter log categories.

Log samples

Web Filter File Filter action as Block:

1: date=2019-03-19 time=09:42:15 logid="0346012673" type="utm" subtype="webfilter" eventtype="file_filter" level="warning" vd="vd1" eventtime=1548438135 policyid=1 sessionid=29449 srcip=10.1.100.22 srcport=52816 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="blocked" reqtype="direct" url="/app_data/test1.pdf" sentbyte=0 rcvdbyte=0 direction="incoming" filename="test1.pdf" filtername="filter1" filetype="pdf" msg="File was blocked by file filter."

Web Filter File Filter action as Log:

2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="webfilter" eventtype="file_filter" level="notice" vd="vd1" eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."

Email Filter File Filter action as Block:

1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"

Email Filter File Filter action as Log:

1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
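
The four samples above can be triaged programmatically. The following parser is an added example, not part of the Fortinet documentation; it uses the page's samples shortened to the fields it reads, plus one constructed non-file_filter line with a placeholder eventtype, and separates blocked files from files that matched a log-only rule and were let through.

```python
import re
from collections import Counter

# key=value pairs; a value is double-quoted (may hold spaces or '=') or bare.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# The page's four samples, shortened, plus one constructed placeholder line.
SAMPLE_LOGS = '''\
1: date=2019-03-19 time=09:42:15 logid="0346012673" subtype="webfilter" eventtype="file_filter" srcip=10.1.100.22 service="HTTP" action="blocked" direction="incoming" filename="test1.pdf" filtername="filter1" filetype="pdf" msg="File was blocked by file filter."
2: date=2019-03-19 time=10:48:23 logid="0346012672" subtype="webfilter" eventtype="file_filter" srcip=10.1.100.22 service="HTTP" action="passthrough" direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."
1: date=2019-01-25 time=15:20:16 logid="0554020511" subtype="emailfilter" eventtype="file_filter" srcip=10.1.100.12 service="IMAP" action="blocked" direction="incoming" subject="EXE file block" filename="putty.exe" filtername="filter1" filetype="exe"
1: date=2019-01-25 time=15:23:16 logid="0554020510" subtype="emailfilter" eventtype="file_filter" srcip=10.1.100.12 service="SMTP" action="detected" direction="outgoing" subject="PDF file log" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
1: date=2019-01-25 time=15:24:00 subtype="webfilter" eventtype="placeholder_other" action="blocked" filename="x.bin"
'''

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def file_filter_events(text):
    """Parse every non-empty line and keep only eventtype=file_filter records."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e.get("eventtype") == "file_filter"]

def summarize(events):
    """Count events per (subtype, action, filetype)."""
    return Counter((e.get("subtype"), e.get("action"), e.get("filetype"))
                   for e in events)

def allowed_matches(events):
    """Files that matched a rule but were not blocked (rule action = log)."""
    return [(e.get("filtername"), e.get("filename"), e.get("direction"))
            for e in events if e.get("action") != "blocked"]

if __name__ == "__main__":
    evts = file_filter_events(SAMPLE_LOGS)
    for key, count in sorted(summarize(evts).items()):
        print(count, *key)
    print("matched but allowed:", allowed_matches(evts))
```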

New replacement messages

Web Filter File Filter blocking upload:

You are not permitted to upload the file "%%FILE%%".

Web Filter File Filter blocking download:

Your attempt to access the file "%%FILE%%" has been blocked by your system administrator.

Email Filter File Filter blocking emails:

This email has been blocked. The file %%FILE%% was blocked due to its file type or properties.
