Use file filter rules in sniffer policy

File filter profiles can be applied to one-arm sniffer policies from both the GUI and the CLI. Because a one-arm sniffer interface only receives a mirrored copy of the traffic, the FortiGate does not drop the file; the file filter log records the verdict the rule would have applied (action="blocked") so that the rule set can be validated before it is deployed on an inline policy.

The following example shows how to configure a file filter profile that blocks PDF and RAR files and apply it to a one-arm sniffer policy.

To configure a one-arm sniffer policy in the GUI:
  1. Go to Network > Interfaces and double-click a physical interface to edit it.
  2. For Role, select either LAN, DMZ, or Undefined.
  3. For Addressing Mode, select One-Arm Sniffer.
  4. In the Security Profiles section, enable File Filter and click Edit. The Edit File Filter Profile pane opens.
  5. In the Rules table, click Create New.
  6. Configure the rule:
    1. For File types, click the + and select pdf and rar.
    2. For Action, select Block.
    3. Click OK to save the rule.
  7. Click OK to save the file filter profile.
  8. Click OK to save the interface settings.
  9. Go to Log & Report > File Filter to view the logs.

To configure a one-arm sniffer policy in the CLI:
  1. Configure the interface:
    config system interface
        edit "s1"
            set vdom "root"
            set ips-sniffer-mode enable
            set type physical
            set role undefined
            set snmp-index 31
        next
    end
  2. Configure the file filter profile:
    config file-filter profile
        edit "sniffer-profile"
            set comment "File type inspection."
            config rules
                edit "1"
                    set protocol http ftp smtp imap pop3 cifs
                    set action block
                    set file-type "pdf" "rar"
                next
            end
        next
    end
  3. Configure the firewall sniffer policy:
    config firewall sniffer
        edit 1
            set interface "s1"
            set file-filter-profile-status enable
            set file-filter-profile "sniffer-profile"
        next
    end
  4. View the log:
    # execute log filter category 19
    # execute log display
    1 logs found.
    1 logs returned.
    
    1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" direction="outgoing" action="blocked" filtername="1" filename="hello.pdf" filesize=9539 filetype="pdf" msg="File was blocked by file filter."
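The log entry above is the evidence that the sniffer profile recognised the file type; when validating a rule set, the useful check is whether every file type in the rule produced such an entry. The following Python script is an added example and is not Fortinet code: it parses FortiOS key=value log lines (quoted values may contain spaces, as in the msg field), keeps only type="utm" subtype="file-filter" records, counts verdicts per profile and file type, and reports which of the rule's file types have not yet been observed. PAGE_LOG is the line from the CLI output above; the lines in CONSTRUCTED_LOGS, and the function names, are constructed for this example.

```python
"""Parse FortiOS file-filter UTM log lines and summarize sniffer-policy verdicts."""
import re
from collections import Counter

# One FortiOS log field: key=value, where value is either a double-quoted
# string (which may contain spaces) or a run of non-space characters.
FIELD_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')

# Log line copied from the "execute log display" output on this page.
PAGE_LOG = (
    'date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" '
    'logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" '
    'level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 '
    'srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" '
    'dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" '
    'direction="outgoing" action="blocked" filtername="1" filename="hello.pdf" '
    'filesize=9539 filetype="pdf" msg="File was blocked by file filter."'
)

# Constructed sample lines (not from the page): a second file-filter verdict for
# a RAR file over HTTP, and a non-UTM record that the parser must ignore.
CONSTRUCTED_LOGS = [
    'date=2020-12-29 time=09:15:02 type="utm" subtype="file-filter" vd="root" '
    'policyid=1 sessionid=801 srcip=172.16.200.55 dstip=10.1.100.11 service="HTTP" '
    'profile="sniffer-profile" action="blocked" filtername="1" filename="archive.rar" '
    'filesize=120334 filetype="rar" msg="File was blocked by file filter."',
    'date=2020-12-29 time=09:15:10 type="traffic" subtype="sniffer" vd="root" '
    'policyid=1 sessionid=802 srcip=172.16.200.55 dstip=10.1.100.11 service="HTTP" '
    'action="accept"',
]


def parse_log_line(line: str) -> dict:
    """Turn one key=value FortiOS log line into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def file_filter_events(lines):
    """Yield only the utm/file-filter records, skipping traffic and other log types."""
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") == "utm" and rec.get("subtype") == "file-filter":
            yield rec


def summarize_verdicts(lines) -> Counter:
    """Count file-filter events per (profile, action, filetype).

    In a one-arm sniffer policy action="blocked" is the verdict the rule would
    have applied; the mirrored traffic itself is not dropped.
    """
    counts = Counter()
    for rec in file_filter_events(lines):
        counts[(rec.get("profile"), rec.get("action"), rec.get("filetype"))] += 1
    return counts


def unobserved_file_types(lines, profile: str, rule_types) -> set:
    """Return the rule's file types that produced no event for this profile.

    Run it after sending test files past the sniffer interface: a type still
    listed was either not exercised or not recognised by the profile.
    """
    seen = {rec.get("filetype") for rec in file_filter_events(lines)
            if rec.get("profile") == profile}
    return set(rule_types) - seen


if __name__ == "__main__":
    logs = [PAGE_LOG] + CONSTRUCTED_LOGS
    for (profile, action, ftype), n in summarize_verdicts(logs).items():
        print(f"{profile}: {action} {ftype} x{n}")
    print("not yet observed:",
          unobserved_file_types(logs, "sniffer-profile", {"pdf", "rar"}))
```

Feed the script the output of "execute log filter category 19" followed by "execute log display", one record per line; an empty set from unobserved_file_types means every file type in the rule was seen and logged by the sniffer profile.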