Fortinet white logo
Fortinet white logo

Cookbook

File filter

File filter

File Filter allows the Web Filter profile to block files passing through a FortiGate based on file type.

HTTP and FTP File Filtering is configurable in Web Filter profile.

File Filtering in Web Filter profile is based on file type (file's meta data) only, and not on file size or file content. You need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers, or regexp.

File filtering only works on proxy mode policies.

Supported file types

The following file types are supported in File Filter and DLP profiles:

File Type Name

Description

.net

Match .NET files

7z

Match 7-zip files

activemime

Match activemime files

arj

Match arj compressed files

aspack

Match aspack files

avi

Match avi files

base64

Match base64 files

bat

Match Windows batch files

bin

Match bin files

binhex

Match binhex files

bmp

Match bmp files

bzip

Match bzip files

bzip2

Match bzip2 files

cab

Match Windows cab files

chm

Match Windows compiled HTML help files

class

Match class files

cod

Match cod files

crx

Match Chrome extension files

dmg

Match Apple disk image files

elf

Match elf files

exe

Match Windows executable files

flac

Match FLAC files

fsg

Match fsg files

gif

Match gif files

gzip

Match gzip files

hlp

Match Windows help files

hta

Match hta files

html

Match html files

iso

Match ISO archive files

jad

Match jad files

javascript

Match javascript files

jpeg

Match jpeg files

lzh

Match lzh compressed files

mach-o

Match Mach object files

mime

Match mime files

mov

Match mov files

mp3

Match mp3 files

mpeg

Match mpeg files

msc

Match msc files

msi

Match Windows Installer msi bzip files

msoffice

Match MS-Office files. For example, doc, xls, ppt, and so on.

msofficex

Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.

pdf

Match pdf files

petite

Match petite files

png

Match png files

prc

Match prc files

rar

Match rar archives

rm

Match rm files

sis

Match sis files

tar

Match tar files

tiff

Match tiff files

torrent

Match torrent files

unknown*

Match unknown files

upx

Match upx files

uue

Match uue files

wav

Match wav files

wma

Match wma files

xar

Match xar archive files

xz

Match xz files

zip

Match zip files

* This file type is only available in DLP profiles.

Example

In the following example, three file filters are used in the Web Filter profile:

  1. Block PDFs from entering our leaving the network (filter1).
  2. Log the download of some graphics file-types via HTTP (filter2).
  3. Block executable files from leaving to the network over FTP (filter3).
To configure a file-type based web filter in the CLI:
config webfilter profile
    edit "webfilter-file-filter"
        config file-filter 
            set status enable
            set log enable
            set scan-archive-contents enable
            config entries 
                edit "filter1"
                    set comment "Block PDF files"
                    set protocol http ftp
                    set action block
                    set direction any
                    set encryption any
                    set file-type "pdf"
                next
                edit "filter2"
                    set comment "Log graphics files"
                    set protocol http
                    set action log
                    set direction incoming
                    set encryption any
                    set file-type "jpeg" "png" "gif"
                next
                edit "filter3"
                    set comment "Block upload of EXE files"
                    set protocol ftp
                    set action block
                    set direction outgoing
                    set encryption any
                    set file-type "exe"
                next
            end
        end
    next
end

After configuring file filters in Web Filter profile, apply it to a firewall policy:

config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set webfilter profile "webfilter-filefilter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end
To view the file filter logs:
# execute log filter category utm-file-filter
# execute log display 

File filter block action:

1: date=2020-06-25 time=10:10:38 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" eventtime=1593047438715790048 tz="+0900" policyid=1 sessionid=206159 srcip=10.0.0.20 srcport=46172 srcintf="port1" srcintfrole="lan" dstip=10.0.10.20 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" profile="default" direction="incoming" action="blocked" url="http://www.fortitest.jp/download/test.pdf" hostname="www.fortitest.jp" agent="curl/7.58.0" filtername="test" filename="test.pdf" filesize=17556 filetype="pdf" msg="File was blocked by file filter."

File filter log action:

2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="vd1" eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."
To configure a file-type based web filter in the GUI:
  1. Go to Security Profiles > Web Filter.
  2. Click Create New or select an existing profile and click Edit.

  3. Enable File Filter.
  4. Enable Log and Scan Archived Contents.
  5. In the File Filter table, click Create New.
  6. Configure the filters:
    1. filter1 blocks PDFs from entering our leaving the network .

    2. filter2 logs the download of some graphics file-types via HTTP .

    3. filter3 blocks EXE files from leaving to the network over FTP .

  7. Click OK.
  8. Add the new web filter profile to a firewall policy.
  9. To see if there are file filter logs, go to VDOM > Log & Report > Forward Traffic. Select an entry and view the Log Details. The number of file filter logs for that entry is listed in the Other category.

    Note

    File filter logs can only be viewed in the CLI.

Related Videos

sidebar video

File Filtering for Web and Email Filter Profiles

  • 3,903 views
  • 5 years ago

More Links

File filter

File filter

File Filter allows the Web Filter profile to block files passing through a FortiGate based on file type.

HTTP and FTP File Filtering is configurable in Web Filter profile.

File Filtering in Web Filter profile is based on file type (file's meta data) only, and not on file size or file content. You need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers, or regexp.

File filtering only works on proxy mode policies.

Supported file types

The following file types are supported in File Filter and DLP profiles:

File Type Name

Description

.net

Match .NET files

7z

Match 7-zip files

activemime

Match activemime files

arj

Match arj compressed files

aspack

Match aspack files

avi

Match avi files

base64

Match base64 files

bat

Match Windows batch files

bin

Match bin files

binhex

Match binhex files

bmp

Match bmp files

bzip

Match bzip files

bzip2

Match bzip2 files

cab

Match Windows cab files

chm

Match Windows compiled HTML help files

class

Match class files

cod

Match cod files

crx

Match Chrome extension files

dmg

Match Apple disk image files

elf

Match elf files

exe

Match Windows executable files

flac

Match FLAC files

fsg

Match fsg files

gif

Match gif files

gzip

Match gzip files

hlp

Match Windows help files

hta

Match hta files

html

Match html files

iso

Match ISO archive files

jad

Match jad files

javascript

Match javascript files

jpeg

Match jpeg files

lzh

Match lzh compressed files

mach-o

Match Mach object files

mime

Match mime files

mov

Match mov files

mp3

Match mp3 files

mpeg

Match mpeg files

msc

Match msc files

msi

Match Windows Installer msi bzip files

msoffice

Match MS-Office files. For example, doc, xls, ppt, and so on.

msofficex

Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.

pdf

Match pdf files

petite

Match petite files

png

Match png files

prc

Match prc files

rar

Match rar archives

rm

Match rm files

sis

Match sis files

tar

Match tar files

tiff

Match tiff files

torrent

Match torrent files

unknown*

Match unknown files

upx

Match upx files

uue

Match uue files

wav

Match wav files

wma

Match wma files

xar

Match xar archive files

xz

Match xz files

zip

Match zip files

* This file type is only available in DLP profiles.

Example

In the following example, three file filters are used in the Web Filter profile:

  1. Block PDFs from entering our leaving the network (filter1).
  2. Log the download of some graphics file-types via HTTP (filter2).
  3. Block executable files from leaving to the network over FTP (filter3).
To configure a file-type based web filter in the CLI:
config webfilter profile
    edit "webfilter-file-filter"
        config file-filter 
            set status enable
            set log enable
            set scan-archive-contents enable
            config entries 
                edit "filter1"
                    set comment "Block PDF files"
                    set protocol http ftp
                    set action block
                    set direction any
                    set encryption any
                    set file-type "pdf"
                next
                edit "filter2"
                    set comment "Log graphics files"
                    set protocol http
                    set action log
                    set direction incoming
                    set encryption any
                    set file-type "jpeg" "png" "gif"
                next
                edit "filter3"
                    set comment "Block upload of EXE files"
                    set protocol ftp
                    set action block
                    set direction outgoing
                    set encryption any
                    set file-type "exe"
                next
            end
        end
    next
end

After configuring file filters in Web Filter profile, apply it to a firewall policy:

config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set webfilter profile "webfilter-filefilter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end
To view the file filter logs:
# execute log filter category utm-file-filter
# execute log display 

File filter block action:

1: date=2020-06-25 time=10:10:38 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" eventtime=1593047438715790048 tz="+0900" policyid=1 sessionid=206159 srcip=10.0.0.20 srcport=46172 srcintf="port1" srcintfrole="lan" dstip=10.0.10.20 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" profile="default" direction="incoming" action="blocked" url="http://www.fortitest.jp/download/test.pdf" hostname="www.fortitest.jp" agent="curl/7.58.0" filtername="test" filename="test.pdf" filesize=17556 filetype="pdf" msg="File was blocked by file filter."

File filter log action:

2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="vd1" eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."
To configure a file-type based web filter in the GUI:
  1. Go to Security Profiles > Web Filter.
  2. Click Create New or select an existing profile and click Edit.

  3. Enable File Filter.
  4. Enable Log and Scan Archived Contents.
  5. In the File Filter table, click Create New.
  6. Configure the filters:
    1. filter1 blocks PDFs from entering our leaving the network .

    2. filter2 logs the download of some graphics file-types via HTTP .

    3. filter3 blocks EXE files from leaving to the network over FTP .

  7. Click OK.
  8. Add the new web filter profile to a firewall policy.
  9. To see if there are file filter logs, go to VDOM > Log & Report > Forward Traffic. Select an entry and view the Log Details. The number of file filter logs for that entry is listed in the Other category.

    Note

    File filter logs can only be viewed in the CLI.