Use file filter rules in sniffer policy
File filter rules can be used in one-arm sniffer policies in the GUI and CLI.
The following example shows how to configure a file filter profile that blocks PDF and RAR files, and how to apply that profile in a one-arm sniffer policy.
To configure a one-arm sniffer policy in the GUI:
- Go to Network > Interfaces and double-click a physical interface to edit it.
- For Role, select either LAN, DMZ, or Undefined.
- For Addressing Mode, select One-Arm Sniffer.
- In the Security Profiles section, enable File Filter and click Edit. The Edit File Filter Profile pane opens.
- In the Rules table, click Create New.
- Configure the rule:
    - For File types, click the + and select pdf and rar.
    - For Action, select Block.
    - Click OK to save the rule.
- Click OK to save the file filter profile.
- Click OK to save the interface settings.
- Go to Log & Report > File Filter to view the logs.
To configure a one-arm sniffer policy in the CLI:
- Configure the interface:
    config system interface
        edit "s1"
            set vdom "root"
            set ips-sniffer-mode enable
            set type physical
            set role undefined
            set snmp-index 31
        next
    end
- Configure the file filter profile:
    config file-filter profile
        edit "sniffer-profile"
            set comment "File type inspection."
            config rules
                edit "1"
                    set protocol http ftp smtp imap pop3 cifs
                    set action block
                    set file-type "pdf" "rar"
                next
            end
        next
    end
- Configure the firewall sniffer policy:
    config firewall sniffer
        edit 1
            set interface "s1"
            set file-filter-profile-status enable
            set file-filter-profile "sniffer-profile"
        next
    end
- View the log:
    # execute log filter category 19
    # execute log display
    1 logs found.
    1 logs returned.

    1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" direction="outgoing" action="blocked" filtername="1" filename="hello.pdf" filesize=9539 filetype="pdf" msg="File was blocked by file filter."
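Saved output of the log display command above can be triaged offline. The following is an added example, not part of the original documentation and not Fortinet code: it parses the key=value records and counts blocked files per source address, service and file type. Record 1 in the sample is the log line shown on this page; records 2 and 3 and all function names are constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The log display output prefixes each record with its index, e.g. "1: date=...".
RECORD = re.compile(r'^\s*\d+:\s+(?=date=)')

def parse_record(line):
    """Parse one record into a dict; return None for headers and blank lines."""
    m = RECORD.match(line)
    if m is None:
        return None
    return {p.group(1): p.group(2) if p.group(2) is not None else p.group(3)
            for p in PAIR.finditer(line, m.end())}

def blocked_files(display_output):
    """Return the file-filter records whose action is "blocked"."""
    records = (parse_record(line) for line in display_output.splitlines())
    return [r for r in records
            if r and r.get("subtype") == "file-filter" and r.get("action") == "blocked"]

def blocks_by_source(display_output):
    """Count blocked files per (srcip, service, filetype)."""
    return Counter((r.get("srcip"), r.get("service"), r.get("filetype"))
                   for r in blocked_files(display_output))

# Record 1 is the log line from this page; records 2 and 3 are constructed samples.
SAMPLE = "\n".join([
    "3 logs found.", "3 logs returned.", "",
    '1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" '
    'logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" '
    'level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 '
    'srcport=20 srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 '
    'dstport=56745 dstintf="s1" dstintfrole="undefined" proto=6 service="FTP" '
    'profile="sniffer-profile" direction="outgoing" action="blocked" filtername="1" '
    'filename="hello.pdf" filesize=9539 filetype="pdf" '
    'msg="File was blocked by file filter."',
    '2: date=2020-12-29 time=09:20:02 type="utm" subtype="file-filter" '
    'srcip=172.16.200.55 service="HTTP" profile="sniffer-profile" '
    'action="blocked" filename="archive.rar" filetype="rar"',
    '3: date=2020-12-29 time=09:21:10 type="utm" subtype="file-filter" '
    'srcip=172.16.200.55 service="HTTP" profile="sniffer-profile" '
    'action="passthrough" filename="notes.zip" filetype="zip"',
])

if __name__ == "__main__":
    for key, count in blocks_by_source(SAMPLE).items():
        print(count, *key)
```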