File filter for webfilter

File filter for webfilter

Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Web filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. Currently, File Filtering in Web filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

FTP inspection and GUI configuration have yet to be implemented. In addition, Web filter File Filtering will only work on proxy mode policies.

File Types Supported

File Filter in Web filter profile supports the following file types:

File Type Name Description
all Match any file
7z Match 7-zip files
arj Match arj compressed files
cab Match Windows cab files
lzh Match lzh compressed files
rar Match rar archives
tar Match tar files
zip Match zip files
bzip Match bzip files
gzip Match gzip files
bzip2 Match bzip2 files
xz Match xz files
bat Match Windows batch files
msc Match msc files
uue Match uue files
mime Match mime files
base64 Match base64 files
binhex Match binhex files

 

File Type Name Description
bin Match bin files
elf Match elf files
exe Match Windows executable files
hta Match hta files
html Match html files
jad Match jad files
class Match class files
cod Match cod files
javascript Match javascript files
msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg Match fsg files
upx Match upx files
petite Match petite files
aspack Match aspack files
prc Match prc files
sis Match sis files
hlp Match Windows help files
activemime Match activemime files
jpeg Match jpeg files
gif Match gif files
tiff Match tiff files
png Match png files
bmp Match bmp files
ignored Match ignored files
unknown Match unknown files
mpeg Match mpeg files
mov Match mov files
mp3 Match mp3 files
wma Match wma files
File Type Name Description
wav Match wav files
pdf Match pdf files
avi Match avi files
rm Match rm files
torrent Match torrent files
msi Match Windows Installer msi bzip files
mach-o Match Mach object files
dmg Match Apple disk image files
.net Match .NET files
xar Match xar archive files
chm Match Windows compiled HTML help files
iso Match ISO archive files
crx Match Chrome extension files

Configure File Filter from CLI

Using CLI, configuration for File Filtering is nested inside Web filter profile’s configuration.

In File filtering configuration, file filtering functionality and logging is independent of the Web filter profile.

To block or log a file type, configure file filter entries. Within each entry, specify a file-type, action (log|block), protocol to inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and match only encrypted files. In addition, in each file filter entry we can specify multiple file types. File filter entries are ordered, however, blocked will take precedence over log.

In the CLI example below, we want to file filter the following using Web filter profile:

  1. Block PDFs from entering our leaving our network (filter1).
  2. Log the download of some graphics file-types via HTTP (filter2).
  3. Block EXE files from leaving to our network via FTP (filter3).
config webfilter profile edit “webfilter-file-filter” config file-filter  
set status enable filtering <– Allow user to disable/enable file
set log enable file filtering <– Allow user to disable/enable logging for
set scan-archive-contents enable such as ZIP, RAR etc. config entries edit “filter1” <– Allow scanning of files inside archives
set comment “Block PDF files”

set protocol http ftp     <– Inspect HTTP and FTP traffic set action block <– Block file once file type is matched

set direction any <– Inspect both incoming and outgoing traffic set encryption any    <– Inspect both encrypted and un-encrypted

files set file-type “pdf” <– Choosing the file type to match next edit “filter2” set comment “Log graphics files”

set protocol http <– Inspect only HTTP traffic set action log   <– Log file once file type is matched set direction incoming <– Only inspect incoming traffic set encryption any

set file-type “jpeg” “png” “gif” <– Multiple file types can be configured

in a single entry

next edit “filter3” set comment “Block upload of EXE files”

set protocol ftp  <– Inspect only FTP traffic set action log

set direction outgoing   <– Inspect only outgoing traffic set encryption any set file-type “exe”

next

end

end

end

After configuring File Filter in Webfilter profile we must apply it to a firewall policy using the following command:

config firewall policy edit 1 set name “client-to-internet” set srcintf “dmz” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set utm-inspection-mode proxy set logtraffic all set webfilter profile “webfilter-filefilter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Log Example

GUI > VDOM > Log & Report > Web Filter:

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.