Fortinet Document Library

Version:


Table of Contents

New Features

6.4.0
Download PDF
Copy Link

Separate file filter into a standalone profile 6.4.1

The previously embedded file filter within web filter, email filter, SSH inspection, and CIFS has moved to a standalone profile. The file filter can be applied directly to firewall policies and supports various traffic protocols in proxy or flow mode.

When upgrading to FortiOS 6.4.1, existing embedded file filter rules (web filter, email filter, SSH inspection, and CIFS) that are not used in any policies or profile groups will have new file filter profiles created for them. Any firewall policies, proxy policies, or profile groups with existing embedded file filter rules will have new file filter profiles created for them.

To configure a file filter in the GUI:
  1. Configure the filter profile:
    1. Go to Security Profiles > File Filter and click Create New.
    2. Select a Feature set.
    3. In the Rules section, click Create New.
    4. Configure the settings as needed.
    5. Click OK to save the rule.

    6. Optionally, create more rules if needed.
    7. Click OK to save the filter profile.

  2. Apply the filter to a policy:
    1. Go to Policy & Objects > Firewall Policy, and edit an existing policy or create a new one.
    2. In the Security Profiles section, enable File Filter.
    3. Select the filter from the dropdown box.

    4. Configure the other settings as needed.
    5. Click OK.
To configure a file filter in the CLI:
  1. Configure the file filter profile:
    config file-filter profile
        edit "test"
            set comment ''
            set feature-set flow
            set replacemsg-group ''
            set log enable
            set scan-archive-contents enable
            config rules
                edit "r2"
                    set comment ''
                    set protocol http ftp smtp imap pop3 cifs
                    set action block
                    set direction outgoing
                    set password-protected any
                    set file-type "sis" "tar" "tiff" "torrent" "upx" "uue" "wav" "wma" "xar" "xz" "zip"
                next
                edit "r1"
                    set comment ''
                    set protocol http ftp smtp imap pop3 cifs
                    set action log-only
                    set direction any
                    set password-protected any
                    set file-type ".net" "7z" "activemime" "arj" "aspack" "avi" "base64" "bat" "binhex" "bmp" "bzip" "bzip2"
                next
                edit "r3"
                    set comment ''
                    set protocol http ftp smtp imap pop3
                    set action block
                    set direction any
                    set password-protected any
                    set file-type "binhex"
                next
            end
        next
    end
  2. Apply the filter to a policy:
    config firewall policy
        edit 1
            set name "filefilter-policy"
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set file-filter-profile "test"
            set auto-asic-offload disable
            set np-acceleration disable
            set nat enable
        next
    end

Separate file filter into a standalone profile 6.4.1

The previously embedded file filter within web filter, email filter, SSH inspection, and CIFS has moved to a standalone profile. The file filter can be applied directly to firewall policies and supports various traffic protocols in proxy or flow mode.

When upgrading to FortiOS 6.4.1, existing embedded file filter rules (web filter, email filter, SSH inspection, and CIFS) that are not used in any policies or profile groups will have new file filter profiles created for them. Any firewall policies, proxy policies, or profile groups with existing embedded file filter rules will have new file filter profiles created for them.

To configure a file filter in the GUI:
  1. Configure the filter profile:
    1. Go to Security Profiles > File Filter and click Create New.
    2. Select a Feature set.
    3. In the Rules section, click Create New.
    4. Configure the settings as needed.
    5. Click OK to save the rule.

    6. Optionally, create more rules if needed.
    7. Click OK to save the filter profile.

  2. Apply the filter to a policy:
    1. Go to Policy & Objects > Firewall Policy, and edit an existing policy or create a new one.
    2. In the Security Profiles section, enable File Filter.
    3. Select the filter from the dropdown box.

    4. Configure the other settings as needed.
    5. Click OK.
To configure a file filter in the CLI:
  1. Configure the file filter profile:
    config file-filter profile
        edit "test"
            set comment ''
            set feature-set flow
            set replacemsg-group ''
            set log enable
            set scan-archive-contents enable
            config rules
                edit "r2"
                    set comment ''
                    set protocol http ftp smtp imap pop3 cifs
                    set action block
                    set direction outgoing
                    set password-protected any
                    set file-type "sis" "tar" "tiff" "torrent" "upx" "uue" "wav" "wma" "xar" "xz" "zip"
                next
                edit "r1"
                    set comment ''
                    set protocol http ftp smtp imap pop3 cifs
                    set action log-only
                    set direction any
                    set password-protected any
                    set file-type ".net" "7z" "activemime" "arj" "aspack" "avi" "base64" "bat" "binhex" "bmp" "bzip" "bzip2"
                next
                edit "r3"
                    set comment ''
                    set protocol http ftp smtp imap pop3
                    set action block
                    set direction any
                    set password-protected any
                    set file-type "binhex"
                next
            end
        next
    end
  2. Apply the filter to a policy:
    config firewall policy
        edit 1
            set name "filefilter-policy"
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set file-filter-profile "test"
            set auto-asic-offload disable
            set np-acceleration disable
            set nat enable
        next
    end