Category Archives: FortiGate

Email Filter – File Filter for email filter

Introduction

File Filter is a new feature introduced in FortiOS 6.2. It gives the Email filter profile the ability to block files passing through the FortiGate based on file type, and it greatly simplifies the configuration of file-type filtering. In previous FortiOS versions, file filtering could only be achieved by configuring a DLP (Data Leak Prevention) sensor.

In FortiOS 6.2, HTTP and FTP file filtering is configured in the Web filter profile, and SMTP, POP3 and IMAP file filtering is configured in the Email filter profile. This article covers Email filter file filtering.

Currently, file filtering in the Email filter profile is based on file type only (the type FortiOS identifies from the file's metadata, not from the attachment's filename extension), and not on file size or file content. A DLP sensor is still required to block files based on size or on content such as Social Security numbers, credit card numbers or regular-expression matches.

GUI configuration has not yet been implemented. In addition, Email filter file filtering only works on proxy-mode policies; the encrypted email protocols (SMTPS, POP3S, IMAPS) also require a deep-inspection SSL/SSH profile on the policy, otherwise the FortiGate never sees the attachment.

File Types Supported

File Filter in Email filter profile supports the following file types:

File Type Name   Description
all              Match any file
7z               Match 7-zip files
arj              Match arj compressed files
cab              Match Windows cab files
lzh              Match lzh compressed files
rar              Match rar archives
tar              Match tar files
zip              Match zip files
bzip             Match bzip files
gzip             Match gzip files
bzip2            Match bzip2 files
xz               Match xz files
bat              Match Windows batch files
msc              Match msc files
uue              Match uue files
mime             Match mime files
base64           Match base64 files
binhex           Match binhex files
bin              Match bin files
elf              Match elf files
exe              Match Windows executable files
hta              Match hta files
html             Match html files
jad              Match jad files
class            Match class files
cod              Match cod files
javascript       Match javascript files
msoffice         Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex        Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg              Match fsg files
upx              Match upx files
petite           Match petite files
aspack           Match aspack files
prc              Match prc files
sis              Match sis files
hlp              Match Windows help files
activemime       Match activemime files
jpeg             Match jpeg files
gif              Match gif files
tiff             Match tiff files
png              Match png files
bmp              Match bmp files
ignored          Match ignored files
unknown          Match unknown files
mpeg             Match mpeg files
mov              Match mov files
mp3              Match mp3 files
wma              Match wma files
wav              Match wav files
pdf              Match pdf files
avi              Match avi files
rm               Match rm files
torrent          Match torrent files
msi              Match Windows Installer (msi) files
mach-o           Match Mach object files
dmg              Match Apple disk image files
.net             Match .NET files
xar              Match xar archive files
chm              Match Windows compiled HTML help files
iso              Match ISO archive files
crx              Match Chrome extension files

Configure File Filter from CLI

In the CLI, the file filter configuration is nested inside the Email filter profile configuration.

The file filter's status and logging settings are independent of the Email filter profile's spam-filtering settings.

To block or log a file type, configure file filter entries. Within each entry you specify one or more file types, an action (log or block), the protocols to inspect (smtp, pop3, imap), the direction to inspect (incoming, outgoing or any), and whether to match only encrypted files. File filter entries are ordered; however, block takes precedence over log, so a file type that matches both a block entry and a log entry is blocked.

The CLI example below configures the following in an Email filter profile:

  1. Block EXE files, whether received or sent (filter1).
  2. Log the sending of document files (filter2).

config emailfilter profile
    edit "emailfilter-file-filter"
        config file-filter
            set status enable                   <— Enable or disable file filtering
            set log enable                      <— Enable or disable logging for file filtering
            set scan-archive-contents enable    <— Scan files inside archives such as ZIP and RAR
            config entries
                edit "filter1"
                    set comment "Block executable files"
                    set protocol smtp imap pop3    <— Inspect all email traffic
                    set action block               <— Block the file once its type is matched
                    set encryption any             <— Inspect both encrypted and unencrypted files
                    set file-type "exe"            <— File type to match
                next
                edit "filter2"
                    set comment "Log document files"
                    set protocol smtp              <— Inspect only SMTP traffic
                    set action log                 <— Log the file once its type is matched
                    set encryption any
                    set file-type "pdf" "msoffice" "msofficex"   <— Multiple file types can be configured in a single entry
                next
            end
        end
    next
end
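Three points in the configuration above decide whether an attachment gets through: the file type is taken from the file's content rather than its name (the table of types earlier in this article is a list of content types, not extensions), block takes precedence over log regardless of entry order, and scan-archive-contents decides whether an executable inside a ZIP is seen at all. The following Python model is an added example written for this page to make those rules concrete; it is not FortiGate's classifier or configuration parser. The magic-byte signatures, the minimal PE stub, the in-memory zip files and the dictionary form of filter1 and filter2 are all assumptions made for the example.

```python
import io
import struct
import zipfile
from typing import Dict, List, Set

# Minimal content signatures for a few of the file types in the table above.
# These signatures are an assumption made for this example; FortiGate's own
# classifier is not published and covers many more types than are shown here.
_MAGIC = [
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "msoffice"),  # OLE2 container: doc, xls, ppt
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]


def classify(data: bytes) -> str:
    """Return a file-type name from the table above, derived from content only."""
    if data.startswith(b"MZ"):
        return "exe"  # DOS/Windows PE executable, whatever the filename says
    if data.startswith(b"PK\x03\x04"):
        # docx/xlsx/pptx are zip containers that carry a [Content_Types].xml entry
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "msofficex"
        except zipfile.BadZipFile:
            pass
        return "zip"
    for magic, name in _MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def file_types_in(data: bytes, scan_archive_contents: bool) -> Set[str]:
    """Outer type plus, when scan-archive-contents is enabled, the types of zip members."""
    types = {classify(data)}
    if scan_archive_contents and "zip" in types:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    types |= file_types_in(zf.read(member), True)  # nested archives recurse
        except zipfile.BadZipFile:
            pass
    return types


def evaluate(entries: List[Dict], protocol: str, data: bytes,
             scan_archive_contents: bool = True) -> str:
    """Apply file-filter entries: block wins over log regardless of entry order."""
    types = file_types_in(data, scan_archive_contents)
    actions = set()
    for entry in entries:
        if protocol not in entry["protocol"]:
            continue
        if "all" in entry["file_type"] or types & set(entry["file_type"]):
            actions.add(entry["action"])
    if "block" in actions:
        return "block"
    if "log" in actions:
        return "log"
    return "pass"


# The two entries from the CLI configuration above, expressed as data.
ENTRIES = [
    {"name": "filter1", "protocol": {"smtp", "imap", "pop3"}, "action": "block",
     "file_type": ["exe"]},
    {"name": "filter2", "protocol": {"smtp"}, "action": "log",
     "file_type": ["pdf", "msoffice", "msofficex"]},
]


def _pe_stub() -> bytes:
    """Constructed minimal PE header: MZ stub whose e_lfanew points at the PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", hdr, 0x3c, 0x40)
    return bytes(hdr) + b"PE\x00\x00"


def _zip_with(name: str, content: bytes) -> bytes:
    """Constructed in-memory zip containing one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real files).
SAMPLES = {
    "putty.exe": _pe_stub(),
    "invoice.txt": _pe_stub(),                        # executable renamed to dodge an extension rule
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "docs.docx": _zip_with("[Content_Types].xml", b"<Types/>"),
    "tools.zip": _zip_with("putty.exe", _pe_stub()),  # only caught with scan-archive-contents
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:12} smtp={evaluate(ENTRIES, 'smtp', blob):5} "
              f"pop3={evaluate(ENTRIES, 'pop3', blob):5} "
              f"smtp/no-archive-scan={evaluate(ENTRIES, 'smtp', blob, False)}")
```

Running the block prints one line per sample: putty.exe and the renamed invoice.txt are blocked on every protocol, report.pdf and docs.docx are logged on SMTP but passed on POP3 (filter2 only covers smtp), and tools.zip is blocked only while archive scanning is on. If you keep the real profile's scan-archive-contents disabled, that last case is exactly the gap an attacker will use.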

After configuring the file filter in the Email filter profile, apply the profile to a proxy-mode firewall policy.

config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy          <— File filtering only works in proxy mode
        set logtraffic all
        set emailfilter-profile "emailfilter-file-filter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"    <— Use a deep-inspection profile to filter SMTPS, POP3S and IMAPS
        set nat enable
    next
end

Log examples:

File Filter action "block":

1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"

File Filter action "log":

1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"

Note the two log IDs: 0554020511 with level="warning" and action="blocked" is written for a block entry, while 0554020510 with level="notice" and action="detected" is written for a log entry. A record with action="detected" means the attachment was delivered, so a SIEM rule keyed on action="detected" together with filetype is the quickest way to find file types that are being logged when they should be blocked.

Email Filter – Checking the log

To check the email filter log in the CLI, select the email filter (anti-spam) log category, which is category 5, and display it:

execute log filter category 5
execute log display

1 logs found.

1 logs returned.

1: date=2019-04-09 time=03:41:18 logid=”0510020491″ type=”utm” subtype=”emailfilter” eventtype=”imap” level=”notice” vd=”vdom1″ eventtime=1554806478647415130 policyid=1 sessionid=439 srcip=10.1.100.22 srcport=39937 srcintf=”port21″ srcintfrole=”undefined” dstip=172.16.200.45 dstport=143 dstintf=”port17″ dstintfrole=”undefined” proto=6 service=”IMAPS” profile=”822881″ action=”blocked” from=”testpc3@qa.fortinet.com” to=”testpc3@qa.fortinet.com” recipient=”testpc3″ direction=”incoming” msg=”from ip is in ip blacklist.(path black ip 172.16.200.9)” subject=”testcase822881″ size=”525″ attachment=”no”
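The records printed by execute log display, and the file-filter records shown earlier in this article, are key=value lines in which quoted values may contain spaces, parentheses and the like. The following Python is an added example written for this page (not a Fortinet tool) that parses records of that shape and pulls out what a SOC would key on. The sample records are constructed from the lines in this article with fields trimmed; the fourth record (update.exe matched by a log-only "filter3") is invented for the example so that the delivered-risky-attachment check has something to find. The set of risky types is an assumption drawn from the file-type table.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample records modelled on the log lines shown above (fields trimmed).
# Record 4 is invented for this example: an executable matched by a log-only entry.
SAMPLE_LOGS = [
    '1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="warning" vd="vdom1" policyid=1 sessionid=2881 '
    'srcip=10.1.100.12 srcport=45974 dstip=172.16.200.56 dstport=143 proto=6 service="IMAP" '
    'action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" '
    'direction="incoming" subject="EXE file block" size="622346" attachment="yes" '
    'filename="putty.exe" filtername="filter1" filetype="exe"',
    '2: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="notice" vd="vdom1" policyid=1 sessionid=3205 '
    'srcip=10.1.100.12 srcport=55664 dstip=172.16.200.56 dstport=25 proto=6 service="SMTP" '
    'profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" '
    'to="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" size="390804" '
    'attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"',
    '3: date=2019-04-09 time=03:41:18 logid="0510020491" type="utm" subtype="emailfilter" '
    'eventtype="imap" level="notice" vd="vdom1" policyid=1 sessionid=439 srcip=10.1.100.22 '
    'dstip=172.16.200.45 dstport=143 proto=6 service="IMAPS" profile="822881" action="blocked" '
    'from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" direction="incoming" '
    'msg="from ip is in ip blacklist.(path black ip 172.16.200.9)" subject="testcase822881" '
    'size="525" attachment="no"',
    '4: date=2019-01-25 time=15:30:02 logid="0554020510" type="utm" subtype="emailfilter" '
    'eventtype="file_filter" level="notice" vd="vdom1" policyid=1 sessionid=3411 '
    'srcip=203.0.113.5 srcport=51234 dstip=172.16.200.56 dstport=25 proto=6 service="SMTP" '
    'profile="emailfilter-file-filter" action="detected" from="vendor@example.com" '
    'to="emailuser2@qa.fortinet.com" direction="incoming" subject="Software update" '
    'size="1048576" attachment="yes" filename="update.exe" filtername="filter3" filetype="exe"',
]

_INDEX = re.compile(r"^\s*\d+:\s+")                  # "1: " prefix from execute log display
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="value with spaces"


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log record into a dict, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(_INDEX.sub("", line)):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields


def file_filter_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only file-filter records; other emailfilter events (spam verdicts) are dropped."""
    return [r for r in map(parse_fortigate_log, lines)
            if r.get("subtype") == "emailfilter" and r.get("eventtype") == "file_filter"]


def attachments_by_action(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group attachment filenames by action: "blocked" (block entry) or "detected" (log entry)."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in file_filter_events(lines):
        out[r["action"]].append(r["filename"])
    return dict(out)


# Types from the file-type table that a log-only entry should never deliver unnoticed
# (an assumed list for this example; pick your own from the table).
RISKY_TYPES = {"exe", "bat", "hta", "javascript", "msi", "elf", "mach-o", "dmg"}


def delivered_risky_attachments(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Records where a risky type was only detected, i.e. the message was delivered with it."""
    return [r for r in file_filter_events(lines)
            if r["action"] == "detected" and r["filetype"] in RISKY_TYPES]


if __name__ == "__main__":
    print(attachments_by_action(SAMPLE_LOGS))
    for r in delivered_risky_attachments(SAMPLE_LOGS):
        print(f'ALERT {r["date"]} {r["time"]} {r["service"]} {r["from"]} -> {r["to"]} '
              f'delivered {r["filename"]} ({r["filetype"]}) via entry {r["filtername"]}')
```

The same parser works on records exported to a syslog server, since the key=value body is unchanged; only the "1: " index added by execute log display needs stripping, which _INDEX handles.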

To check the email filter log in the GUI:

Go to Log & Report > Anti-Spam.

Email Filter – Webmail

The FortiGate email filter is intended to filter the standard email protocols (SMTP, POP3, IMAP and MAPI); however, it can also be configured to detect and log emails sent through some webmail interfaces. The supported webmail interfaces are Gmail and MSN-Hotmail.

To configure webmail filtering through the CLI:

config emailfilter profile
    edit "myWebMailDetector"
        set spam-filtering enable
        config msn-hotmail
            set log enable
        end
        config gmail
            set log enable
        end
    next
end

Protocols and actions

An email filter profile has a section for each of the SMTP, POP3, IMAP and MAPI protocols. In each section you can enable logging and set the action to take on spam for that protocol: pass, tag or discard. Not every action is available for every protocol (see the table below).

CLI Example:

config emailfilter profile
    edit "myEmailFilterProfile"
        config smtp
            set log enable
            set action tag
        end
    next
end

Actions available for each protocol:

Protocol       Available actions
SMTP           Pass: Allow spam email to pass through.
               Tag: Tag spam email with the configured text in the subject or header.
               Discard: Discard (block) spam email.
POP3 & IMAP    Pass: Allow spam email to pass through.
               Tag: Tag spam email with the configured text in the subject or header.
MAPI           Pass: Allow spam email to pass through.
               Discard: Discard (block) spam email.

MAPI email filtering

MAPI is a proprietary protocol from Microsoft. It uses HTTPS to encapsulate email requests and responses between Microsoft Outlook clients and Microsoft Exchange servers. MAPI email filters can only be configured through the CLI.

To configure the MAPI email filter in the CLI:

config emailfilter profile
    edit "myMapiFilter"
        set spam-filtering enable
        set options spamfsip spamfssubmit spamfsurl spamfsphish
        config mapi
            set log enable
            set action discard       <— discard or pass; tag is not available for MAPI
        end
    next
end

Email – File-type based filters

File-type based email filters can be used to filter out emails that are undesirable because of an attached file type that the network admin considers unsuitable for their business environment. The admin defines the undesired file types within the email filter profile and associates an action (block or log) with each entry.

To configure file-type email filtering in the CLI:

config emailfilter profile
    edit "myEmailFileFilter"
        config file-filter
            set status enable          <— The entries below have no effect unless the file filter is enabled
            config entries
                edit "compressedFiles"
                    set action block
                    set file-type "7z" "rar" "zip"
                next
            end
        end
        set spam-filtering enable
    next
end

To configure file-type email filtering in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. Enable File Filter.
  3. Set the Log and Scan Archive Contents options as required, then click Create New to add a file-type entry and its action.

Email – FortiGuard-based filters

The FortiGate consults FortiGuard servers to help identify spammer IP addresses and email addresses, known phishing URLs, known spam URLs, known spam email checksums, and so on. The FortiGuard servers maintain databases of block lists fed by Fortinet sensors and labs distributed all over the world.

To configure the FortiGuard filters in the CLI:

config emailfilter profile
    edit "myEmailFilterProfile"
        set spam-filtering enable
        set options spamfsip spamfssubmit spamfschksum spamfsurl spamrbl spamhdrcheck spamfsphish
    next
end

To configure the FortiGuard filters in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. In the FortiGuard Spam Filtering section, enable or disable the following filters:
    • IP Address Check
    • URL Check
    • Detect Phishing URLs in Email
    • Email Checksum Check
    • Spam Submission

Email – Local-based filters

To configure the local-based AntiSpam filter in the CLI, first create a black/white list (BWL) table, then reference it from an email filter profile and apply that profile to a proxy-mode policy:

config emailfilter bwl
    edit 1
        set name "myBWL"
        config entries
            edit 1
                set status enable
                set type ip
                set action spam
                set addr-type ipv4
                set ip4-subnet 10.1.100.0 255.255.255.0
            next
        end
    next
end

config emailfilter profile
    edit "myLocalEmailFilter"
        set spam-filtering enable
        set options spambwl spamhelodns spamraddrdns
        config smtp
            set action tag
        end
        set spam-bwl-table 1
    next
end

config firewall policy
    edit 1
        .....
        set inspection-mode proxy
        set emailfilter-profile "myLocalEmailFilter"
    next
end

To configure the local-based AntiSpam filter in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. Click Create or select an existing profile and click Edit.
  3. In the firewall policy, create or edit a rule.
  4. Set the inspection mode to Proxy-based.
  5. Enable the Email Filter option and select the profile created above.
  6. Set SSL Inspection to a profile that has deep SSL inspection enabled.
    • Deep inspection is required if you intend to filter SMTPS, POP3S, IMAPS, or any other SSL/TLS-encapsulated protocol; without it the FortiGate only sees encrypted sessions and cannot apply the email filter to them.
    • Below is an example of a profile with deep SSL inspection enabled.

To configure banned words in the CLI:

config emailfilter bword
    edit 1
        set name "banned"
        config entries
            edit 1
                set pattern "undesired_word"
            next
        end
    next
end

config emailfilter profile
    edit "myBannedWordsProfile"
        config file-filter
            set status disable
        end
        set spam-filtering enable
        set options bannedword
        set spam-bword-table 1
    next
end

Email – Filtering types

Local-based:

  • BWL (black or white list): These lists can be built from email addresses or IP subnets to forbid or allow them from sending or receiving email.

When referring to the IP address or email listed in a black or white list, "email" refers to the "From:" address and "IP" refers to the IP address of the source of the email. For SMTP, the IP is the client's IP address; for POP3 and IMAP, it is the server's IP address.

  • Banned words: The admin can define a list of banned words. Emails that contain any of these words are treated as spam.
  • DNS check: With spamhelodns and spamraddrdns, the FortiGate performs a standard DNS check on the machine name used in the SMTP HELO message and/or on the return address to determine whether these names belong to a registered domain. The FortiGate does not consult the FortiGuard service during these checks.

FortiGuard-based:

  • FortiGuard options: The FortiGate consults FortiGuard servers to help identify spammer IP addresses and email addresses, known phishing URLs, known spam URLs, known spam email checksums, and so on.

Protocol tuning:

  • Protocol tuning: In a profile, there are sections for SMTP, POP3, IMAP and MAPI. In each section, you can enable logging and set the action (pass, tag or discard) for that protocol.

Webmail:

  • Webmail detector: The email filter can also be configured to detect and log emails sent via Gmail and MSN-Hotmail. Although these two interfaces do not use the standard email protocols (SMTP, POP3 or IMAP) and instead use HTTPS, the email filter can still be configured to detect the emails sent through the FortiGate.

File-type:

  • File-type based filtering: This covers emails that are undesirable because of an attached file type that the network admin considers unsuitable for their business environment. The admin defines the undesired file types within the email filter profile and associates an action (block or log) with each entry.