File type-based filters

With File Filter, you can define undesired file types within the email filter profile and associate an action to be taken for each file type, such as block or log.

For each entry, you can also specify the protocol to inspect (SMTP, POP3, or IMAP) and whether only encrypted files should be matched. Although file filter entries are ordered, the block action takes precedence over the log action: an attachment that matches both a block entry and a log entry is blocked.

File filtering in email filter profiles is based only on the file type (file metadata), not on file size or content. To block files based on size or content, such as Social Security numbers, credit card numbers, or a regular expression match, configure a DLP sensor instead.

File filtering only works in proxy mode policies. The traffic direction cannot be configured because it is implied by the protocol.

The following file types are supported:

File Type Name   Description
---------------  --------------------------------------------------------------------
7z               Match 7-zip files
arj              Match arj compressed files
cab              Match Windows cab files
lzh              Match lzh compressed files
rar              Match rar archives
tar              Match tar files
zip              Match zip files
bzip             Match bzip files
gzip             Match gzip files
bzip2            Match bzip2 files
xz               Match xz files
bat              Match Windows batch files
msc              Match msc files
uue              Match uue files
mime             Match mime files
base64           Match base64 files
binhex           Match binhex files
bin              Match bin files
elf              Match elf files
exe              Match Windows executable files
hta              Match hta files
html             Match html files
jad              Match jad files
class            Match class files
cod              Match cod files
javascript       Match javascript files
msoffice         Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex        Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg              Match fsg files
upx              Match upx files
petite           Match petite files
aspack           Match aspack files
prc              Match prc files
sis              Match sis files
hlp              Match Windows help files
activemime       Match activemime files
jpeg             Match jpeg files
gif              Match gif files
tiff             Match tiff files
png              Match png files
bmp              Match bmp files
unknown          Match unknown files
mpeg             Match mpeg files
mov              Match mov files
mp3              Match mp3 files
wma              Match wma files
wav              Match wav files
pdf              Match pdf files
avi              Match avi files
rm               Match rm files
torrent          Match torrent files
msi              Match Windows Installer msi bzip files
mach-o           Match Mach object files
dmg              Match Apple disk image files
.net             Match .NET files
xar              Match xar archive files
chm              Match Windows compiled HTML help files
iso              Match ISO archive files
crx              Match Chrome extension files

Example

In the following example, one file filter entry is created to block executable (exe) files from being sent or received, and a second entry logs any documents that are sent.

To configure a file type-based email filter in the CLI:
  1. Configure an email filter profile:
    config emailfilter profile
        edit "file-type-filter"
            config file-filter 
                set status enable
                set log enable
                set scan-archive-contents enable
                config entries 
                    edit "filter1"
                        set comment "Block executable files"
                        set protocol smtp imap pop3
                        set action block
                        set encryption any
                        set file-type "exe"
                    next
                    edit "filter2"
                        set comment "Log document files"
                        set protocol smtp
                        set action log
                        set encryption any
                        set file-type "pdf" "msoffice" "msofficex"
                    next
                end
            end
            set spam-filtering enable
        next
    end
  2. Use the profile in a firewall policy:
    config firewall policy
        edit 1
            set name "client-to-internet"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set utm-inspection-mode proxy
            set logtraffic all
            set emailfilter profile "file-type-filter"
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set nat enable
        next
    end
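The following Python model is an added example, not Fortinet code: it encodes the evaluation rules this page describes (protocol, detected file type and encryption must all match; block wins over log regardless of entry order) for the two entries "filter1" and "filter2" configured above, so you can check what a given attachment would get before committing a profile. The `filetype` argument stands for the type FortiGate derives from file metadata, and the `encryption` values "any"/"yes" are assumed from the CLI example.

```python
"""Model of the file filter entry evaluation described on this page.

Added example, not Fortinet code. It encodes the documented rules (protocol,
file type and encryption must all match; block wins over log regardless of
entry order) for the two CLI entries above. The `filetype` passed in stands
for the type FortiGate detects from file metadata, not the file name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    protocols: frozenset   # any subset of {"smtp", "imap", "pop3"}
    action: str            # "block" or "log"
    encryption: str        # "any", or "yes" to match only encrypted files (assumed CLI values)
    file_types: frozenset  # file type names from the table above


# The two entries from the CLI example, in their configured order.
ENTRIES = [
    Entry("filter1", frozenset({"smtp", "imap", "pop3"}), "block", "any", frozenset({"exe"})),
    Entry("filter2", frozenset({"smtp"}), "log", "any", frozenset({"pdf", "msoffice", "msofficex"})),
]


def matches(entry, protocol, filetype, encrypted):
    """An entry matches only when protocol, detected file type and encryption all agree."""
    if protocol not in entry.protocols or filetype not in entry.file_types:
        return False
    return entry.encryption == "any" or encrypted


def evaluate(entries, protocol, filetype, encrypted=False):
    """Return (action, entry name) for one attachment, or ("pass", None) if nothing matches.

    All matching entries are collected first; a block verdict is then preferred
    over a log verdict, so entry order never lets a log entry shadow a block entry.
    """
    hits = [e for e in entries if matches(e, protocol, filetype, encrypted)]
    for action in ("block", "log"):
        for entry in hits:
            if entry.action == action:
                return action, entry.name
    return "pass", None


if __name__ == "__main__":
    print(evaluate(ENTRIES, "imap", "exe"))   # ('block', 'filter1')
    print(evaluate(ENTRIES, "smtp", "pdf"))   # ('log', 'filter2')
    print(evaluate(ENTRIES, "pop3", "pdf"))   # ('pass', None): filter2 is SMTP-only
```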
To view the file filter logs:
# execute log filter category utm-file-filter
# execute log display 

File filter block action:

1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"

File filter log action:

1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
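Because these logs are only available from the CLI, a small parser for the key=value record format shown above is useful when reviewing them offline. The following is an added example, not Fortinet code; the sample lines are constructed and shortened from the two records above, plus one unrelated traffic record to show the filtering.

```python
"""Parse FortiOS utm/file-filter log records and summarize the verdicts.

Added example, not Fortinet code. Field names follow the records shown above:
action="blocked" (logid 0554020511) for the block action and action="detected"
(logid 0554020510) for the log action. Sample lines are constructed.
"""
import re
from collections import Counter

# key=value pairs; quoted values may contain spaces, e.g. subject="EXE file block"
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [
    # constructed, shortened from the block record above
    '1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="file-filter" '
    'level="warning" service="IMAP" action="blocked" direction="incoming" '
    'subject="EXE file block" filename="putty.exe" filtername="filter1" filetype="exe"',
    # constructed, shortened from the log record above
    '2: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="file-filter" '
    'level="notice" service="SMTP" action="detected" direction="outgoing" '
    'subject="PDF file log" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"',
    # constructed traffic record that must be ignored by the file-filter summary
    '3: date=2019-01-25 time=15:25:00 type="traffic" subtype="forward" action="accept"',
]


def parse_line(line):
    """Return the fields of one record as a dict; the leading 'N:' index is not a field."""
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(line)}


def file_filter_events(lines):
    """Keep only utm/file-filter records from a mixed log feed."""
    events = [parse_line(line) for line in lines]
    return [e for e in events if e.get("type") == "utm" and e.get("subtype") == "file-filter"]


def summarize(events):
    """Count verdicts per (action, direction, filetype) and list what was blocked."""
    counts = Counter((e["action"], e["direction"], e["filetype"]) for e in events)
    blocked = [(e["filename"], e["filtername"], e["service"])
               for e in events if e["action"] == "blocked"]
    return counts, blocked


if __name__ == "__main__":
    counts, blocked = summarize(file_filter_events(SAMPLE_LOGS))
    for key, n in sorted(counts.items()):
        print(key, n)
    print("blocked:", blocked)   # [('putty.exe', 'filter1', 'IMAP')]
```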
To configure a file type-based email filter in the GUI:
  1. Go to Security Profiles > Email Filter.
  2. Click Create New, or select an existing profile and click Edit.
  3. Enable the Enable Spam Detection and Filtering option.
  4. Enable File Filter.
  5. Enable Log and Scan Archived Contents.
  6. In the File Filter table, click Create New.

  7. Configure the filters:
    1. filter1 blocks all sent or received executable files.

    2. filter2 logs all sent documents.

  8. Click OK.
  9. Add the new email filter profile to a firewall policy.
  10. To see if there are file filter logs, go to VDOM > Log & Report > Forward Traffic. Select an entry and view the Log Details. The number of file filter logs for that entry is listed in the Other category.

    Note: File filter logs can only be viewed in the CLI.
