
Administration Guide

Configuring a file filter profile with the warning action NEW


In this example, a proxy-based file filter profile is created that has one rule. The rule is applied to HTTP traffic to warn about any matched Office Binary File Format or Office Open XML files.

After the user acknowledges the warning, the content is allowed and access is logged. This behavior applies only to incoming HTTP traffic (for example, HTTP GET). When the same profile is applied to outgoing HTTP traffic (for example, HTTP POST) or to non-HTTP protocols, matches are log-only, with no warning or blocking.

To configure and use a file filter profile with the warning action in the GUI:
  1. Go to Security Profiles > File Filter and click Create New.

  2. Set Feature set to Proxy-based.

  3. In the Rules table, click Create New.

  4. Set Action to Warning.

  5. Configure the remaining settings as needed, then click OK.

  6. Configure the remaining filter profile settings as needed, then click OK.

  7. Go to Policy & Objects > Firewall Policy and create a new policy or edit an existing one.

  8. In the Security Profiles section, enable File filter and select the file filter profile.

  9. Configure the remaining settings as required, then click OK.

To configure and use a file filter profile with the warning action in the CLI:
  1. Configure a file filter profile with the warning action:

    config file-filter profile
        edit "filefilter"
            set feature-set proxy
            config rules
                edit "test"
                    set protocol http
                    set action warning
                    set file-type "msoffice" "msofficex"
                next
            end
        next
    end
  2. Apply the file filter profile to a firewall policy:

    config firewall policy
        edit 1
            set name "filefilter"
            set srcintf "port1"
            set dstintf "port3"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set file-filter-profile "filefilter"
            set logtraffic all
            set nat enable
        next
    end
To test the file filter:
  1. On a Windows client, access an absolute URL (http://<IP address>/sample/test.doc) to download the file test.doc.

    A replacement message is shown that asks the user to authorize or cancel the file download, and a blocking UTM file filter log is generated:

    2: date=2025-09-13 time=05:26:26 eventtime=1757697986602674439 tz="+1200" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" policyid=1 poluuid="61c636d2-5b59-51f0-b555-76579a0b21fa" policytype="policy" sessionid=1583 srcip=10.1.100.195 srcport=51426 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="1027adc4-5b59-51f0-7577-e6bcd1ba3541" dstip=172.16.200.55 dstport=80 dstcountry="Reserved" dstintf="port3" dstintfrole="undefined" dstuuid="1027adc4-5b59-51f0-7577-e6bcd1ba3541" proto=6 service="HTTP" profile="filefilter" direction="incoming" action="blocked" url="http://172.16.200.55/sample/test.doc" hostname="172.16.200.55" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" httpmethod="GET" rulename="test" filename="test.doc" filesize=19456 filetype="msoffice" msg="File was blocked by file filter."
  2. Click Continue Anyway to download the file. A log-only file filter log is generated:

    1: date=2025-09-13 time=05:26:42 eventtime=1757698001607832698 tz="+1200" logid="1900064001" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="vdom1" policyid=1 poluuid="61c636d2-5b59-51f0-b555-76579a0b21fa" policytype="policy" sessionid=1602 srcip=10.1.100.195 srcport=51432 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="1027adc4-5b59-51f0-7577-e6bcd1ba3541" dstip=172.16.200.55 dstport=80 dstcountry="Reserved" dstintf="port3" dstintfrole="undefined" dstuuid="1027adc4-5b59-51f0-7577-e6bcd1ba3541" proto=6 service="HTTP" profile="filefilter" direction="incoming" action="log-only" url="http://172.16.200.55/sample/test.doc" hostname="172.16.200.55" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" httpmethod="GET" referralurl="http://172.16.200.55/sample/test.doc" rulename="test" filename="test.doc" filesize=19456 filetype="msoffice" msg="File was detected by file filter."
  3. Go to Log & Report > Security Events and view the File Filter logs.
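
The two test logs above can be paired to find users who clicked through the warning. The following is an added example, not Fortinet code: it parses file filter log lines and reports each `blocked` warning that is followed by a `log-only` entry for the same client, URL and rule. The sample lines are shortened copies of the logs on this page, and the 300-second window is an assumption.

```python
import re

# Shortened copies of the two log lines shown above (fields trimmed for readability).
SAMPLE_LOGS = [
    '2: date=2025-09-13 time=05:26:26 eventtime=1757697986602674439 '
    'logid="1900064000" subtype="file-filter" level="warning" sessionid=1583 '
    'srcip=10.1.100.195 profile="filefilter" direction="incoming" action="blocked" '
    'url="http://172.16.200.55/sample/test.doc" rulename="test" '
    'filename="test.doc" filetype="msoffice" msg="File was blocked by file filter."',
    '1: date=2025-09-13 time=05:26:42 eventtime=1757698001607832698 '
    'logid="1900064001" subtype="file-filter" level="notice" sessionid=1602 '
    'srcip=10.1.100.195 profile="filefilter" direction="incoming" action="log-only" '
    'url="http://172.16.200.55/sample/test.doc" rulename="test" '
    'filename="test.doc" filetype="msoffice" msg="File was detected by file filter."',
]

# key=value or key="quoted value"; the leading "2: " index is ignored.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line):
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD_RE.findall(line)}

def find_overrides(lines, window_s=300):
    """Pair each warning (action=blocked) with a later log-only entry.

    The session ID differs between the two logs (1583 vs 1602 above), so the
    pairing key is client IP + URL + rule name, not sessionid.
    """
    events = [parse_log(l) for l in lines]
    events = sorted((e for e in events if "eventtime" in e),
                    key=lambda e: int(e["eventtime"]))
    pending, overrides = {}, []
    for e in events:
        if e.get("subtype") != "file-filter" or e.get("direction") != "incoming":
            continue
        key = (e.get("srcip"), e.get("url"), e.get("rulename"))
        if e.get("action") == "blocked":
            pending[key] = e
        elif e.get("action") == "log-only" and key in pending:
            warn = pending.pop(key)
            # eventtime is in nanoseconds since the epoch.
            delay = (int(e["eventtime"]) - int(warn["eventtime"])) / 1e9
            if delay <= window_s:
                overrides.append({"srcip": e["srcip"], "url": e["url"],
                                  "filename": e.get("filename"),
                                  "filetype": e.get("filetype"),
                                  "delay_s": round(delay, 1)})
    return overrides
```

A `blocked` entry with no matching `log-only` entry means the user cancelled the download or the rule uses a blocking action.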
