Separate file filter into a standalone profile 6.4.1
The previously embedded file filter within web filter, email filter, SSH inspection, and CIFS has moved to a standalone profile. The file filter can be applied directly to firewall policies and supports various traffic protocols in proxy or flow mode.
When upgrading to FortiOS 6.4.1, existing embedded file filter rules (web filter, email filter, SSH inspection, and CIFS) that are not used in any policies or profile groups will have new file filter profiles created for them. Any firewall policies, proxy policies, or profile groups with existing embedded file filter rules will have new file filter profiles created for them.
To configure a file filter in the GUI:
- Configure the filter profile:
- Go to Security Profiles > File Filter and click Create New.
- Select a Feature set.
- In the Rules section, click Create New.
- Configure the settings as needed.
- Click OK to save the rule.
- Optionally, create more rules if needed.
- Click OK to save the filter profile.
- Apply the filter to a policy:
- Go to Policy & Objects > Firewall Policy, and edit an existing policy or create a new one.
- In the Security Profiles section, enable File Filter.
- Select the filter from the dropdown box.
- Configure the other settings as needed.
- Click OK.
To configure a file filter in the CLI:
- Configure the file filter profile:
config file-filter profile edit "test" set comment '' set feature-set flow set replacemsg-group '' set log enable set scan-archive-contents enable config rules edit "r2" set comment '' set protocol http ftp smtp imap pop3 cifs set action block set direction outgoing set password-protected any set file-type "sis" "tar" "tiff" "torrent" "upx" "uue" "wav" "wma" "xar" "xz" "zip" next edit "r1" set comment '' set protocol http ftp smtp imap pop3 cifs set action log-only set direction any set password-protected any set file-type ".net" "7z" "activemime" "arj" "aspack" "avi" "base64" "bat" "binhex" "bmp" "bzip" "bzip2" next edit "r3" set comment '' set protocol http ftp smtp imap pop3 set action block set direction any set password-protected any set file-type "binhex" next end next end
- Apply the filter to a policy:
config firewall policy edit 1 set name "filefilter-policy" set srcintf "port10" set dstintf "port9" set srcaddr "all" set dstaddr "all" set srcaddr6 "all" set dstaddr6 "all" set action accept set schedule "always" set service "ALL" set utm-status enable set profile-protocol-options "protocol" set ssl-ssh-profile "protocols" set file-filter-profile "test" set auto-asic-offload disable set np-acceleration disable set nat enable next end