Fortinet black logo

New Features

Home FortiGate / FortiOS 6.4.0 New Features

Separate file filter into a standalone profile 6.4.1

6.4.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0
Copy Link
Copy Doc ID de1e129a-0283-11ea-8977-00505692583a:564293
Download PDF

Separate file filter into a standalone profile 6.4.1

The previously embedded file filter within web filter, email filter, SSH inspection, and CIFS has moved to a standalone profile. The file filter can be applied directly to firewall policies and supports various traffic protocols in proxy or flow mode.

When upgrading to FortiOS 6.4.1, existing embedded file filter rules (web filter, email filter, SSH inspection, and CIFS) that are not used in any policies or profile groups will have new file filter profiles created for them. Any firewall policies, proxy policies, or profile groups with existing embedded file filter rules will have new file filter profiles created for them.

To configure a file filter in the GUI:
  1. Configure the filter profile:
    1. Go to Security Profiles > File Filter and click Create New.
    2. Select a Feature set.
    3. In the Rules section, click Create New.
    4. Configure the settings as needed.
    5. Click OK to save the rule.

    6. Optionally, create more rules if needed.
    7. Click OK to save the filter profile.

  2. Apply the filter to a policy:
    1. Go to Policy & Objects > Firewall Policy, and edit an existing policy or create a new one.
    2. In the Security Profiles section, enable File Filter.
    3. Select the filter from the dropdown box.

    4. Configure the other settings as needed.
    5. Click OK.
To configure a file filter in the CLI:
  1. Configure the file filter profile:
    config file-filter profile
    edit "test"
        set comment ''
        set feature-set flow
        set replacemsg-group ''
        set log enable
        set scan-archive-contents enable
        config rules
            edit "r2"
                set comment ''
                set protocol http ftp smtp imap pop3 cifs
                set action block
                set direction outgoing
                set password-protected any
                set file-type "sis" "tar" "tiff" "torrent" "upx" "uue" "wav" "wma" "xar" "xz" "zip"
            next
            edit "r1"
                set comment ''
                set protocol http ftp smtp imap pop3 cifs
                set action log-only
                set direction any
                set password-protected any
                set file-type ".net" "7z" "activemime" "arj" "aspack" "avi" "base64" "bat" "binhex" "bmp" "bzip" "bzip2"
            next
            edit "r3"
                set comment ''
                set protocol http ftp smtp imap pop3
                set action block
                set direction any
                set password-protected any
                set file-type "binhex"
            next
        end
    next
end
  2. Apply the filter to a policy:
    config firewall policy
    edit 1
        set name "filefilter-policy"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set file-filter-profile "test"
        set auto-asic-offload disable
        set np-acceleration disable
        set nat enable
    next
end
Previous
Next

Separate file filter into a standalone profile 6.4.1

The previously embedded file filter within web filter, email filter, SSH inspection, and CIFS has moved to a standalone profile. The file filter can be applied directly to firewall policies and supports various traffic protocols in proxy or flow mode.

When upgrading to FortiOS 6.4.1, existing embedded file filter rules (web filter, email filter, SSH inspection, and CIFS) that are not used in any policies or profile groups will have new file filter profiles created for them. Any firewall policies, proxy policies, or profile groups with existing embedded file filter rules will have new file filter profiles created for them.

To configure a file filter in the GUI:
  1. Configure the filter profile:
    1. Go to Security Profiles > File Filter and click Create New.
    2. Select a Feature set.
    3. In the Rules section, click Create New.
    4. Configure the settings as needed.
    5. Click OK to save the rule.

    6. Optionally, create more rules if needed.
    7. Click OK to save the filter profile.

  2. Apply the filter to a policy:
    1. Go to Policy & Objects > Firewall Policy, and edit an existing policy or create a new one.
    2. In the Security Profiles section, enable File Filter.
    3. Select the filter from the dropdown box.

    4. Configure the other settings as needed.
    5. Click OK.
To configure a file filter in the CLI:
  1. Configure the file filter profile:
    config file-filter profile
    edit "test"
        set comment ''
        set feature-set flow
        set replacemsg-group ''
        set log enable
        set scan-archive-contents enable
        config rules
            edit "r2"
                set comment ''
                set protocol http ftp smtp imap pop3 cifs
                set action block
                set direction outgoing
                set password-protected any
                set file-type "sis" "tar" "tiff" "torrent" "upx" "uue" "wav" "wma" "xar" "xz" "zip"
            next
            edit "r1"
                set comment ''
                set protocol http ftp smtp imap pop3 cifs
                set action log-only
                set direction any
                set password-protected any
                set file-type ".net" "7z" "activemime" "arj" "aspack" "avi" "base64" "bat" "binhex" "bmp" "bzip" "bzip2"
            next
            edit "r3"
                set comment ''
                set protocol http ftp smtp imap pop3
                set action block
                set direction any
                set password-protected any
                set file-type "binhex"
            next
        end
    next
end
  2. Apply the filter to a policy:
    config firewall policy
    edit 1
        set name "filefilter-policy"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set file-filter-profile "test"
        set auto-asic-offload disable
        set np-acceleration disable
        set nat enable
    next
end
Previous
Next