File Filter; Built-In Patterns And Supported File Types - Fortinet FortiGate Series Administration Manual

AntiVirus

File Filter

Built-in patterns and supported file types

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Configure the FortiGate file filter to block files by:
• File pattern: Files can be blocked by name, extension, or any other pattern. File pattern
blocking provides the flexibility to block potentially harmful content.
File pattern entries are not case sensitive. For example, adding *.exe to the file
pattern list also blocks any files ending in .EXE.
In addition to the built-in patterns, you can specify more file patterns to block. For
details, see "Configuring the file filter list" on page
• File type: Files can be blocked by type, without relying on the file name to indicate what
type of files they are. When blocking by file type, the FortiGate unit analyzes the file
and determines the file type regardless of the file name. For details about supported
file types, see "Built-in patterns and supported file types" on page
For standard operation, you can choose to disable file filter in the protection profile, and
enable it temporarily to block specific threats as they occur.
The FortiGate unit can take any of the following three actions towards the files that match
a configured file pattern or type:
• Allow: the file will be allowed to pass.
• Block: the file will be blocked and a replacement messages will be sent to the user. If
both file filter and virus scan are enabled, the FortiGate unit blocks files that match the
enabled file filter and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types from top to bottom.
If a file does not match any specified patterns or types, it is passed along to antivirus
scanning (if enabled). In effect, files are passed if not explicitly blocked.
Using the allow action, this behavior can be reversed with all files being blocked unless
explicitly passed. Simply enter all the file patterns or types to be passed with the allow
attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action.
Allowed files continue to antivirus scanning (if enabled) while files not matching any
allowed patterns are blocked by the wildcard at the end.
The FortiGate unit is preconfigured with a default list of file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)
• control panel files (*.cpl)
The FortiGate unit can take actions against the following file types:
523.
521.
File Filter
521