Email Filter – File Filter for email filter


Introduction

File Filter is a new feature introduced in FortiOS 6.2 that gives the Email filter profile the capability to block files passing through a FortiGate based on file type. The configuration for file type filtering has also been greatly simplified: in previous FortiOS versions, file filtering could only be achieved by configuring a DLP (Data Leak Prevention) sensor.

In FortiOS 6.2, HTTP and FTP file filtering is configured in the Web filter profile, and SMTP, POP3 and IMAP file filtering is configured in the Email filter profile. This article covers Email filter File Filtering.

Currently, File Filtering in the Email filter profile is based on file type (identified from the file's metadata) only, not on file size or file content. To block files by size, or by content such as Social Security numbers, credit card numbers or a regular expression match, you still need to configure a DLP sensor.

GUI configuration has yet to be implemented, so File Filter is configured from the CLI only. In addition, Email filter File Filtering only works on policies in proxy inspection mode; a flow-mode policy will not apply it.

File Types Supported

File Filter in Email filter profile supports the following file types:

File Type Name   Description
all              Match any file
7z               Match 7-zip files
arj              Match arj compressed files
cab              Match Windows cab files
lzh              Match lzh compressed files
rar              Match rar archives
tar              Match tar files
zip              Match zip files
bzip             Match bzip files
gzip             Match gzip files
bzip2            Match bzip2 files
xz               Match xz files
bat              Match Windows batch files
msc              Match msc files
uue              Match uue files
mime             Match mime files
base64           Match base64 files
binhex           Match binhex files
bin              Match bin files
elf              Match elf files
exe              Match Windows executable files
hta              Match hta files
html             Match html files
jad              Match jad files
class            Match class files
cod              Match cod files
javascript       Match javascript files
msoffice         Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex        Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg              Match fsg files
upx              Match upx files
petite           Match petite files
aspack           Match aspack files
prc              Match prc files
sis              Match sis files
hlp              Match Windows help files
activemime       Match activemime files
jpeg             Match jpeg files
gif              Match gif files
tiff             Match tiff files
png              Match png files
bmp              Match bmp files
ignored          Match ignored files
unknown          Match unknown files
mpeg             Match mpeg files
mov              Match mov files
mp3              Match mp3 files
wma              Match wma files
wav              Match wav files
pdf              Match pdf files
avi              Match avi files
rm               Match rm files
torrent          Match torrent files
msi              Match Windows Installer (msi) files
mach-o           Match Mach object files
dmg              Match Apple disk image files
.net             Match .NET files
xar              Match xar archive files
chm              Match Windows compiled HTML help files
iso              Match ISO archive files
crx              Match Chrome extension files

Configure File Filter from CLI

In the CLI, the File Filter configuration is nested inside the Email filter profile's configuration.

File filtering has its own status and log switches inside the profile, so it can be enabled, disabled and logged independently of the rest of the Email filter profile's settings.

To block or log a file type, you configure file filter entries. Each entry specifies one or more file types, an action (log or block), the protocols to inspect (smtp, imap, pop3, in any combination), the direction of the traffic to inspect (incoming, outgoing or any), and whether to match only encrypted files, only unencrypted files, or both. File filter entries are evaluated in order, but a block action always takes precedence over a log action: a file that matches both a block entry and a log entry is blocked.

In the example CLI below we want to file filter the following using the Email filter profile:

  1. Block EXE files, whether received or sent out (filter1).
  2. Log the sending of document files (filter2).

config emailfilter profile
    edit "emailfilter-file-filter"
        config file-filter
            set status enable                  <-- Enable or disable file filtering
            set log enable                     <-- Enable or disable logging for file filtering
            set scan-archive-contents enable   <-- Scan files inside archives such as ZIP and RAR
            config entries
                edit "filter1"
                    set comment "Block executable files"
                    set protocol smtp imap pop3    <-- Inspect all email protocols
                    set action block               <-- Block the file once the file type matches
                    set encryption any             <-- Inspect both encrypted and unencrypted files
                    set file-type "exe"            <-- The file type to match
                next
                edit "filter2"
                    set comment "Log document files"
                    set protocol smtp              <-- Inspect only SMTP traffic
                    set action log                 <-- Log the file once the file type matches
                    set encryption any
                    set file-type "pdf" "msoffice" "msofficex"   <-- Multiple file types can be configured in a single entry
                next
            end
        end
    end

After configuring File Filter in the Email filter profile, we must apply the profile to a firewall policy. The policy must use proxy inspection mode (utm-inspection-mode proxy), and the profile name referenced by the policy must match the name of the Email filter profile created above.

config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set emailfilter-profile "emailfilter-file-filter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Log Examples:

File Filter action "block" (the attachment was stripped and the event is logged at level warning):

1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"

File Filter action "log" (the message was delivered and the event is logged at level notice with action="detected"):

1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
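The two log lines above are the raw material a SOC would forward to a SIEM. The following Python script is an added example (not code from this page or from Fortinet) that parses the FortiOS key=value log format, keeps only emailfilter file_filter events, and flags the ones worth an analyst's attention: anything the FortiGate blocked, and any executable-type attachment that was only logged (action="detected"), because a log-only entry means the file was delivered. The first two sample lines are the log entries shown on this page with the CLI's leading "1: " sequence prefix kept; the third and fourth lines, the EXECUTABLE_TYPES set, and the filtername "filter3" are constructed for this example.

```python
import re
from collections import Counter

# FortiOS writes logs as space-separated key=value pairs. Values that contain
# spaces are double-quoted (e.g. subject="EXE file block"), so a plain split on
# whitespace is not enough; this regex captures either form.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log IDs taken from the two sample log lines on this page
# (assumption: stable for FortiOS 6.2 emailfilter file_filter events).
LOGID_BLOCKED = "0554020511"
LOGID_DETECTED = "0554020510"

# File types this example treats as executable content. This is the example's
# own choice for alerting, not a FortiOS setting.
EXECUTABLE_TYPES = {"exe", "msi", "bat", "hta", "elf", "mach-o", "dmg",
                    "javascript", "class", "crx"}

# Sample input. Lines 1 and 2 are the log entries shown on this page; lines 3
# and 4 are constructed (a logged-only EXE and an unrelated traffic log).
SAMPLE_LOGS = [
    '1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 '
    'sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" '
    'dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 '
    'service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" '
    'to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" '
    'subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" '
    'filtername="filter1" filetype="exe"',
    '1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 '
    'sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" '
    'dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 '
    'service="SMTP" profile="emailfilter-file-filter" action="detected" '
    'from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" '
    'sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" '
    'direction="outgoing" subject="PDF file log" size="390804" attachment="yes" '
    'filename="fortiauto.pdf" filtername="filter2" filetype="pdf"',
    # Constructed: an EXE caught by a hypothetical log-only entry "filter3".
    '2: date=2019-01-25 time=15:30:02 logid="0554020510" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548459002 policyid=1 '
    'sessionid=3402 srcip=10.1.100.12 srcport=55710 srcintf="port2" srcintfrole="undefined" '
    'dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 '
    'service="SMTP" profile="emailfilter-file-filter" action="detected" '
    'from="emailuser1@qa.fortinet.com" to="emailuser3@qa.fortinet.com" direction="outgoing" '
    'subject="invoice attached" size="51200" attachment="yes" filename="invoice.exe" '
    'filtername="filter3" filetype="exe"',
    # Constructed: a traffic log that the filter must ignore.
    '3: date=2019-01-25 time=15:31:00 type="traffic" subtype="forward" level="notice" '
    'vd="vdom1" srcip=10.1.100.12 dstip=172.16.200.56 action="accept" policyid=1 service="SMTP"',
]


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS log line into a dict of field -> value (all strings).
    A leading "N: " sequence prefix, as printed by the CLI log viewer, is stripped."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV_RE.findall(line)}


def file_filter_events(lines) -> list:
    """Keep only Email filter File Filter events (type=utm, subtype=emailfilter,
    eventtype=file_filter); every other log type is discarded."""
    events = []
    for line in lines:
        rec = parse_fortios_log(line)
        if (rec.get("type") == "utm" and rec.get("subtype") == "emailfilter"
                and rec.get("eventtype") == "file_filter"):
            events.append(rec)
    return events


def needs_attention(event: dict) -> bool:
    """True for events an analyst should look at: anything blocked, and any
    executable-type attachment that was only detected (i.e. delivered)."""
    if event.get("action") == "blocked":
        return True
    return event.get("action") == "detected" and event.get("filetype") in EXECUTABLE_TYPES


def summarize(events) -> Counter:
    """Count events per (filtername, filetype, action) so a misconfigured
    log-only entry catching executables stands out in a daily report."""
    return Counter((e.get("filtername"), e.get("filetype"), e.get("action")) for e in events)


if __name__ == "__main__":
    evts = file_filter_events(SAMPLE_LOGS)
    for (fname, ftype, act), n in sorted(summarize(evts).items()):
        print(f"{fname:8} {ftype:8} {act:9} {n}")
    for e in evts:
        if needs_attention(e):
            print("ATTENTION:", e["direction"], e["service"], e["from"], "->", e["to"],
                  e["filename"], f"({e['filetype']}, {e['action']}, {e['filtername']})")
```

The regex-based parser is deliberate: field values such as subject= and filename= can contain spaces and a naive split would break them, and an attacker controls both. Note also that the blocked log on this page has no profile= field while the detected log does, so code that keys on profile= must tolerate its absence.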

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
