File filter for webfilter
Introduction
File Filter is a new feature introduced in FortiOS 6.2 that gives the Web filter profile the capability to block files passing through a FortiGate based on file type. The configuration for file type filtering has also been greatly simplified: in previous FortiOS versions, file filtering could only be achieved by configuring a DLP (Data Leak Prevention) sensor.
In FortiOS 6.2, HTTP and FTP file filtering is configurable in the Web filter profile, and SMTP, POP3 and IMAP file filtering is configurable in the Email filter profile. Currently, file filtering in the Web filter profile is based on file type (the file's metadata) only, not on file size or file content. Users still need to configure a DLP sensor to block files based on size or on content such as SSNs, credit card numbers or regular expressions.
FTP inspection and GUI configuration have yet to be implemented. In addition, Web filter file filtering only works on proxy mode policies.
File Types Supported
File Filter in Web filter profile supports the following file types:
File Type Name | Description |
all | Match any file |
7z | Match 7-zip files |
arj | Match arj compressed files |
cab | Match Windows cab files |
lzh | Match lzh compressed files |
rar | Match rar archives |
tar | Match tar files |
zip | Match zip files |
bzip | Match bzip files |
gzip | Match gzip files |
bzip2 | Match bzip2 files |
xz | Match xz files |
bat | Match Windows batch files |
msc | Match msc files |
uue | Match uue files |
mime | Match mime files |
base64 | Match base64 files |
binhex | Match binhex files |
bin | Match bin files |
elf | Match elf files |
exe | Match Windows executable files |
hta | Match hta files |
html | Match html files |
jad | Match jad files |
class | Match class files |
cod | Match cod files |
javascript | Match javascript files |
msoffice | Match MS-Office files. For example, doc, xls, ppt, and so on. |
msofficex | Match MS-Office XML files. For example, docx, xlsx, pptx, and so on. |
fsg | Match fsg files |
upx | Match upx files |
petite | Match petite files |
aspack | Match aspack files |
prc | Match prc files |
sis | Match sis files |
hlp | Match Windows help files |
activemime | Match activemime files |
jpeg | Match jpeg files |
gif | Match gif files |
tiff | Match tiff files |
png | Match png files |
bmp | Match bmp files |
ignored | Match ignored files |
unknown | Match unknown files |
mpeg | Match mpeg files |
mov | Match mov files |
mp3 | Match mp3 files |
wma | Match wma files |
wav | Match wav files |
pdf | Match pdf files |
avi | Match avi files |
rm | Match rm files |
torrent | Match torrent files |
msi | Match Windows Installer msi bzip files |
mach-o | Match Mach object files |
dmg | Match Apple disk image files |
.net | Match .NET files |
xar | Match xar archive files |
chm | Match Windows compiled HTML help files |
iso | Match ISO archive files |
crx | Match Chrome extension files |
Configure File Filter from CLI
In the CLI, the File Filter configuration is nested inside the Web filter profile's configuration.
Within the file-filter configuration, file filtering and its logging are enabled independently of the rest of the Web filter profile.
To block or log a file type, configure file filter entries. Within each entry, specify the file type, the action (log|block), the protocol to inspect (http|ftp), the direction of the traffic to inspect (incoming|outgoing|any), and whether to match only encrypted files. A single file filter entry can specify multiple file types. File filter entries are evaluated in order; however, a block action takes precedence over a log action.
In the CLI example below, we want to file filter the following using the Web filter profile:
- Block PDFs from entering or leaving our network (filter1).
- Log the download of some graphics file types via HTTP (filter2).
- Block EXE files from leaving our network via FTP (filter3).
config webfilter profile
    edit "webfilter-file-filter"
        config file-filter
            set status enable                  <-- Allow user to enable/disable file filtering
            set log enable                     <-- Allow user to enable/disable logging for file filtering
            set scan-archive-contents enable   <-- Allow scanning of files inside archives such as ZIP, RAR etc.
            config entries
                edit "filter1"
                    set comment "Block PDF files"
                    set protocol http ftp      <-- Inspect HTTP and FTP traffic
                    set action block           <-- Block file once file type is matched
                    set direction any          <-- Inspect both incoming and outgoing traffic
                    set encryption any         <-- Inspect both encrypted and un-encrypted files
                    set file-type "pdf"        <-- Choosing the file type to match
                next
                edit "filter2"
                    set comment "Log graphics files"
                    set protocol http          <-- Inspect only HTTP traffic
                    set action log             <-- Log file once file type is matched
                    set direction incoming     <-- Only inspect incoming traffic
                    set encryption any
                    set file-type "jpeg" "png" "gif"   <-- Multiple file types can be configured in a single entry
                next
                edit "filter3"
                    set comment "Block upload of EXE files"
                    set protocol ftp           <-- Inspect only FTP traffic
                    set action block           <-- Block file once file type is matched
                    set direction outgoing     <-- Inspect only outgoing traffic
                    set encryption any
                    set file-type "exe"
                next
            end
        end
    next
end
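To reason about how the entry semantics described above combine (ordered entries, multiple file types per entry, block taking precedence over log, the encryption match option), here is an added Python model of the three example entries; it is a constructed illustration, not FortiGate code, and the boolean `encrypted_only` stands in for the CLI `encryption` option whose values beyond `any` this page does not list.

```python
# Model of the FortiOS 6.2 Web filter File Filter entry semantics described on this page
# (constructed illustration, not FortiGate code): an entry matches when protocol, direction,
# encryption state and detected file type all match; block beats log whatever the order.
from dataclasses import dataclass
from typing import List

# Subset of the supported file-type names from the table on this page.
SUPPORTED_TYPES = {"all", "pdf", "exe", "jpeg", "png", "gif", "zip", "msoffice", "msofficex", "unknown"}


@dataclass
class FileFilterEntry:
    name: str
    action: str                   # "block" or "log"
    protocols: List[str]          # subset of {"http", "ftp"}
    direction: str                # "incoming", "outgoing" or "any"
    file_types: List[str]         # one or more names from SUPPORTED_TYPES
    encrypted_only: bool = False  # models the 'encryption' option: True = match encrypted files only

    def __post_init__(self):
        if self.action not in ("block", "log"):
            raise ValueError(f"{self.name}: action must be block or log")
        bad = set(self.file_types) - SUPPORTED_TYPES
        if bad:
            raise ValueError(f"{self.name}: unsupported file type(s) {sorted(bad)}")

    def matches(self, file_type, protocol, direction, encrypted):
        return (protocol in self.protocols
                and self.direction in ("any", direction)
                and (encrypted or not self.encrypted_only)
                and ("all" in self.file_types or file_type in self.file_types))


def evaluate(entries, file_type, protocol, direction, encrypted=False):
    """Return 'block', 'log' or 'pass'; scanning continues past a log match since a later block still wins."""
    result = "pass"
    for entry in entries:
        if entry.matches(file_type, protocol, direction, encrypted):
            if entry.action == "block":
                return "block"
            result = "log"
    return result


# The three entries from the CLI example above (filter3 blocks EXE uploads over FTP).
EXAMPLE_ENTRIES = [
    FileFilterEntry("filter1", "block", ["http", "ftp"], "any", ["pdf"]),
    FileFilterEntry("filter2", "log", ["http"], "incoming", ["jpeg", "png", "gif"]),
    FileFilterEntry("filter3", "block", ["ftp"], "outgoing", ["exe"]),
]
```

Calling `evaluate(EXAMPLE_ENTRIES, "exe", "http", "outgoing")` returns `"pass"`, which makes the caveat visible: filter3 only inspects FTP, so an EXE upload over HTTP is untouched by this profile.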
After configuring the File Filter in the Web filter profile, we must apply the profile to a firewall policy using the following commands:
config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter-file-filter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end
Log Example
GUI > VDOM > Log & Report > Web Filter: