File Filter for email filter
Introduction
File Filter is a new feature introduced in FortiOS 6.2 that gives the Email filter profile the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified: in previous FortiOS versions, file filtering could only be achieved by configuring a DLP (Data Leak Prevention) sensor.
In FortiOS 6.2, HTTP and FTP file filtering is configured in the Web filter profile, while SMTP, POP3 and IMAP file filtering is configured in the Email filter profile. In this article we discuss Email filter File Filtering.
Currently, File Filtering in the Email filter profile is based on file type (the file's metadata) only, not on file size or file content. Users still need to configure a DLP sensor to block files based on size, or on content such as SSNs, credit card numbers or regular expressions.
GUI configuration has yet to be implemented. In addition, Email filter File Filtering only works on proxy-mode policies.
File Types Supported
File Filter in Email filter profile supports the following file types:
File Type Name | Description |
all | Match any file |
7z | Match 7-zip files |
arj | Match arj compressed files |
cab | Match Windows cab files |
lzh | Match lzh compressed files |
rar | Match rar archives |
tar | Match tar files |
zip | Match zip files |
bzip | Match bzip files |
gzip | Match gzip files |
bzip2 | Match bzip2 files |
xz | Match xz files |
bat | Match Windows batch files |
msc | Match msc files |
uue | Match uue files |
mime | Match mime files |
base64 | Match base64 files |
binhex | Match binhex files |
bin | Match bin files |
elf | Match elf files |
exe | Match Windows executable files |
hta | Match hta files |
html | Match html files |
jad | Match jad files |
class | Match class files |
cod | Match cod files |
javascript | Match javascript files |
msoffice | Match MS-Office files. For example, doc, xls, ppt, and so on. |
msofficex | Match MS-Office XML files. For example, docx, xlsx, pptx, and so on. |
fsg | Match fsg files |
upx | Match upx files |
petite | Match petite files |
aspack | Match aspack files |
prc | Match prc files |
sis | Match sis files |
hlp | Match Windows help files |
activemime | Match activemime files |
jpeg | Match jpeg files |
gif | Match gif files |
tiff | Match tiff files |
png | Match png files |
bmp | Match bmp files |
ignored | Match ignored files |
unknown | Match unknown files |
mpeg | Match mpeg files |
mov | Match mov files |
mp3 | Match mp3 files |
wma | Match wma files |
wav | Match wav files |
pdf | Match pdf files |
avi | Match avi files |
rm | Match rm files |
torrent | Match torrent files |
msi | Match Windows Installer msi files |
mach-o | Match Mach object files |
dmg | Match Apple disk image files |
.net | Match .NET files |
xar | Match xar archive files |
chm | Match Windows compiled HTML help files |
iso | Match ISO archive files |
crx | Match Chrome extension files |
Configure File Filter from CLI
In the CLI, the File Filtering configuration is nested inside the Email filter profile's configuration.
Within the file filtering configuration, the file filtering status and its logging are enabled independently of the Email filter profile's other settings.
To block or log a file type, we must configure file filter entries. Within each entry we can specify the file types to match (a single entry may list several), the action (log or block), the protocols to inspect (smtp, pop3, imap), the direction of traffic to inspect (incoming, outgoing or any), and whether to match only encrypted files. File filter entries are evaluated in order; however, a block action takes precedence over log.
In the CLI example below we want to file filter the following using the Email filter profile:
- Block EXE files from being received or sent out (filter1).
- Log the sending of document files (filter2).
```text
config emailfilter profile
    edit "emailfilter-file-filter"
        config file-filter
            set status enable                  <-- Allow user to disable/enable file filtering
            set log enable                     <-- Allow user to disable/enable logging for file filtering
            set scan-archive-contents enable   <-- Allow scanning of files inside archives such as ZIP, RAR
            config entries
                edit "filter1"
                    set comment "Block executable files"
                    set protocol smtp imap pop3    <-- Inspect all email traffic
                    set action block               <-- Block file once file type is matched
                    set encryption any             <-- Inspect both encrypted and un-encrypted files
                    set file-type "exe"            <-- Choosing the file type to match
                next
                edit "filter2"
                    set comment "Log document files"
                    set protocol smtp              <-- Inspect only SMTP traffic
                    set action log                 <-- Log file once file type is matched
                    set encryption any
                    set file-type "pdf" "msoffice" "msofficex"   <-- Multiple file types can be configured in a single entry
                next
            end
        end
    next
end
```
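As an added illustration (not FortiOS code and not part of this article), the following Python model evaluates attachments against the two entries configured above. It demonstrates two points made earlier: the file type is taken from the file's own metadata rather than its name, and a block match wins over a log match regardless of entry order. The `Entry` and `Attachment` classes and the magic-byte table are simplifications chosen for this example.

```python
from dataclasses import dataclass
# Constructed magic-number table covering a few of the file types listed above.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"\x7fELF": "elf",
         b"\xd0\xcf\x11\xe0": "msoffice", b"PK\x03\x04": "zip"}

def detect_type(data: bytes) -> str:
    """Classify by leading bytes only; the filename is deliberately ignored."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"

@dataclass
class Entry:                 # hypothetical model of one "config entries" item
    name: str
    protocols: set           # e.g. {"smtp", "imap", "pop3"}
    action: str              # "block" or "log"
    file_types: set          # may contain "all"
    encryption: str = "any"  # "any" or "yes" (match encrypted files only)

@dataclass
class Attachment:            # hypothetical model of one scanned attachment
    filename: str
    data: bytes
    protocol: str            # "smtp", "imap" or "pop3"
    encrypted: bool = False

def evaluate(entries, att):
    """Return (verdict, entry name); verdict is 'block', 'log' or 'pass'."""
    ftype = detect_type(att.data)
    verdict, hit = "pass", None
    for e in entries:
        if att.protocol not in e.protocols:
            continue
        if ftype not in e.file_types and "all" not in e.file_types:
            continue
        if e.encryption == "yes" and not att.encrypted:
            continue
        if e.action == "block":
            return "block", e.name     # block wins over any earlier log match
        if verdict == "pass":
            verdict, hit = "log", e.name  # first matching log entry is reported
    return verdict, hit

# The two entries configured in the CLI example above.
ENTRIES = [
    Entry("filter1", {"smtp", "imap", "pop3"}, "block", {"exe"}),
    Entry("filter2", {"smtp"}, "log", {"pdf", "msoffice", "msofficex"}),
]
```

An executable renamed to `invoice.pdf` is still classified as `exe` and blocked by filter1, while a genuine PDF over IMAP passes because filter2 inspects SMTP only.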
After configuring File Filter in the Email filter profile, we must apply the profile to a firewall policy.
```text
config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set emailfilter-profile "emailfilter-file-filter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end
```
Log Examples:
File Filter action as "Block":
```text
1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"
```
File Filter action as "Log":
```text
1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
```
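For anyone forwarding these events to a SIEM, the following added Python example (not from this article or from Fortinet) parses FortiGate key=value log lines like the two above and summarises, per filter entry, which attachments were blocked and which were only detected. The sample lines are the page's two log examples, abridged to the fields the code uses.

```python
import re
from typing import Dict, List

# Constructed sample: the two log lines shown above, abridged to the fields used here.
SAMPLE_LOGS = [
    'date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="warning" policyid=1 srcip=10.1.100.12 dstport=143 '
    'service="IMAP" action="blocked" direction="incoming" subject="EXE file block" '
    'size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"',
    'date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="notice" policyid=1 srcip=10.1.100.12 dstport=25 '
    'service="SMTP" profile="emailfilter-file-filter" action="detected" direction="outgoing" '
    'subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" '
    'filtername="filter2" filetype="pdf"',
]

# key=value pairs: quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn one FortiGate key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def file_filter_events(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only Email filter file_filter events from a batch of raw lines."""
    events = (parse_fortigate_log(line) for line in lines)
    return [e for e in events
            if e.get("subtype") == "emailfilter" and e.get("eventtype") == "file_filter"]

def verdict_summary(events: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Map each filtername to counts of blocked vs. detected (log-only) attachments."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in events:
        counts = summary.setdefault(e["filtername"], {"blocked": 0, "detected": 0})
        if e["action"] in counts:
            counts[e["action"]] += 1
    return summary

def detected_only(events: List[Dict[str, str]]) -> List[str]:
    """Filenames that matched a log entry only and were therefore delivered."""
    return [e["filename"] for e in events if e["action"] == "detected"]
```

Reviewing `detected_only` output against the entries configured earlier is a quick way to confirm that document types you intended to block are not merely being logged.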