FortiCache 4.0.1 Administration Guide

File filter

File filters allow you to block files based on their file names and types.

When a file filter list is applied to a DLP sensor filter, the network traffic is examined against the list entries, and, if the sensor filter is triggered, the predefined action is taken by the DLP sensor filter.

The general steps for configuring file filters are as follows:

  1. Create a DLP sensor.
  2. Edit the sensor to filter either messages or specific file types.
  3. Select the DLP sensor in a security policy.

To edit a file filter:

  1. From the Edit DLP Sensor window, either double-click on a filter in the file filter table, or select a filter then select Edit Filter in the table toolbar. The Edit Filter window opens.
  2. Edit the filter settings as required, then select OK to apply your changes.

To delete a file filter or filters:

  1. From the file filter table in the Edit DLP Sensor window, select the file filter or filters that you need to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected file filter or filters.

File type filter

In this example, the file filter matches specific file types.

  1. Go to Security Profiles > Data Leak Prevention and edit the desired sensor.
  2. Select Create New from the file filters table.
  3. In the New Filter window, select the Files filter type.

  4. Select Specify File Types and select the file types to filter.
  5. Configure the remaining options as desired.

File types

Archive (arj)
Archive (bzip)
Archive (bzip2)
Archive (cab)
Archive (gzip)
Archive (lzh)
Archive (rar)
Archive (tar)
Archive (zip)
Audio (avi)
Audio (mp3)
Audio (wav)
Audio (wma)
BMP Image (bmp)
Batch File (bat)
Common Console Document (msc)
Encoded Data (base64)
Encoded Data (binhex)
Encoded Data (mime)
Encoded Data (uue)
Executable (elf)
Executable (exe)
GIF Image (gif)
HTML Application (hta)
HTML File (html)
Ignored Filetype (ignored)
JPEG Image (jpeg)
Java Application Descriptor (jad)
Java Class File (class)
Java Compiled Bytecode (cod)
JavaScript File (javascript)
Microsoft Active Mime Object (activemime)
Microsoft Office (msoffice)
PDF (pdf)
PNG Image (png)
Packer (aspack)
Packer (fsg)
Packer (petite)
Packer (upx)
PalmOS Application (prc)
Real Media Streaming (rm)
Symbian Installer System File (sis)
TIFF Image (tiff)
Torrent (torrent)
Unknown Filetype (unknown)
Video (mov)
Video (mpeg)
Windows Help File (hlp)
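The guide lists the file types a filter can match but does not say how the unit recognises them. The following is an added example, not code from the guide and not Fortinet's detection engine: it classifies a file by its leading bytes (the well-known magic numbers for a subset of the types above) and compares that with what the file name claims, which is the property a file-type filter needs so that renaming tool.exe to photo.jpg does not evade it. The labels, the extension map and the "UPX!" marker check for packed executables are assumptions made for this example; the UPX check in particular is a heuristic, not a published rule.

```python
# Added example (not from the FortiCache guide, not Fortinet's engine).
# Content-based file-type identification versus file-name hints.

SIGNATURES = [
    # (label taken from the guide's file type list, byte offset, magic bytes)
    ("elf",    0, b"\x7fELF"),
    ("exe",    0, b"MZ"),            # 2-byte magic: treat as a weak signal
    ("zip",    0, b"PK\x03\x04"),
    ("gzip",   0, b"\x1f\x8b"),
    ("bzip2",  0, b"BZh"),
    ("rar",    0, b"Rar!\x1a\x07"),
    ("cab",    0, b"MSCF"),
    ("pdf",    0, b"%PDF"),
    ("png",    0, b"\x89PNG\r\n\x1a\n"),
    ("gif",    0, b"GIF8"),          # covers GIF87a and GIF89a
    ("jpeg",   0, b"\xff\xd8\xff"),
    ("bmp",    0, b"BM"),            # 2-byte magic: treat as a weak signal
    ("tar",  257, b"ustar"),         # POSIX tar keeps its magic inside the header
]

# Assumed mapping from extensions to the same labels; only used for comparison.
EXTENSION_HINT = {
    "exe": "exe", "dll": "exe", "scr": "exe", "zip": "zip", "gz": "gzip",
    "bz2": "bzip2", "rar": "rar", "cab": "cab", "pdf": "pdf", "png": "png",
    "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "bmp": "bmp", "tar": "tar",
}


def identify(data: bytes) -> str:
    """Classify by content. Returns a label from the list above or 'unknown'."""
    for label, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            # Heuristic (assumption): UPX leaves a "UPX!" marker in packed PEs.
            if label == "exe" and b"UPX!" in data[:4096]:
                return "upx"
            return label
    return "unknown"


def extension_hint(filename: str) -> str:
    """What the file name claims the type is; never used for the decision."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_HINT.get(ext, "unknown")


def evaluate(filename: str, data: bytes, blocked_types: set) -> dict:
    """Emulate a file-type filter: decide on the content label only and
    flag a name/content mismatch so an analyst can spot evasion attempts."""
    content_type = identify(data)
    name_type = extension_hint(filename)
    return {
        "file": filename,
        "content_type": content_type,
        "name_type": name_type,
        "mismatch": name_type != content_type,
        "action": "block" if content_type in blocked_types else "pass",
    }


# Constructed samples: only the leading bytes matter for these checks.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "tool.exe":   b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "photo.jpg":  b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # exe renamed
    "packed.exe": b"MZ" + b"\x00" * 200 + b"UPX!" + b"\x00" * 16,
    "notes.txt":  b"plain text, no signature",
}
BLOCKED = {"exe", "upx", "elf"}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(evaluate(name, blob, BLOCKED))
```

Running the block prints one verdict per sample; photo.jpg is blocked and flagged as a mismatch because its content is an executable regardless of the extension, while notes.txt falls through to Unknown Filetype, which the guide lists as its own selectable type.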

ICAP

ICAP (Internet Content Adaptation Protocol) is supported in this release. ICAP is a lightweight request/response protocol that allows the FortiCache unit to offload HTTP and HTTPS traffic to external servers for different kinds of processing.

You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.

The ICAP menu allows you to view and configure ICAP profiles and ICAP servers which can then be applied to a policy.


If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to the ICAP servers in the ICAP profile added to the policy. The FortiCache unit acts as the ICAP client: it forwards the intercepted HTTP request or response to the ICAP server, receives the server's ICAP response, and applies the result (the original content, a modified version, or a block) to the HTTP session.

ICAP profiles are configured under Security Profiles > Advanced > ICAP Servers.

Create New Create a new ICAP profile.
Edit Edit an ICAP profile.
Delete Delete a profile or profiles.
Name The name of the ICAP profile.
Request Processing If request processing is enabled, a green circle with a check mark is shown. If disabled, a gray circle with an x is shown.
Response Processing If response processing is enabled, a green circle with a check mark is shown. If disabled, a gray circle with an x is shown.
Bypass Streaming Media If media streaming is bypassed, a green circle with a check mark is shown. If it is not bypassed, a gray circle with an x is shown.
Ref. Displays the number of times the profile is referenced by other objects. To view where the profile is referenced, select the number in Ref.; the Object Usage window appears, listing the objects that reference it.

To create a new ICAP profile:

  1. In the ICAP profile list, select Create New from the toolbar. The New ICAP Profile page opens.
  2. Configure the following settings:
Name Specify a name for the ICAP profile.
Enable Request Processing Select to enable request processing. Select a server from the dropdown menu, specify the path on the server to the processing component, and then select the behavior on failure, either Error or Bypass.
Enable Response Processing Select to enable response processing. Select a server from the dropdown menu, specify the path on the server to the processing component, and then select the behavior on failure, either Error or Bypass.
Enable Streaming Media Bypass Select to allow streaming media to bypass offloading to the ICAP server.

For either processing option, Bypass lets the traffic through unscanned when the ICAP server does not answer, so it fails open; choose Error where inspection must not be skipped.
  3. Select Apply to create the new profile.
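The ICAP section above describes the exchange in words only. The following is an added example, not code from the guide or from Fortinet: it builds the ICAP RESPMOD request a device sends when response processing is enabled, parses the server's ICAP reply, and maps the outcome (including an unreachable server under the profile's Error or Bypass setting) onto what happens to the HTTP response. The server name icap.example.net, the service path /respmod, the sample HTTP exchange and the two server replies are constructed for this example; the message layout follows the ICAP specification (RFC 3507).

```python
# Added example (not from the FortiCache guide, not Fortinet code).
# Minimal ICAP/1.0 RESPMOD encoder, response parser and failure handling.

ICAP_DEFAULT_PORT = 1344  # the guide's default ICAP port

# Constructed sample HTTP exchange that the device would forward for inspection.
SAMPLE_REQ_HDR = b"GET /download/tool.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RES_HDR = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: application/octet-stream\r\n"
                  b"Content-Length: 4\r\n\r\n")
SAMPLE_RES_BODY = b"MZ\x90\x00"


def encode_chunked(body: bytes) -> bytes:
    """ICAP carries encapsulated HTTP bodies in HTTP/1.1 chunked encoding."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def decode_chunked(data: bytes) -> bytes:
    """Reverse of encode_chunked; stops at the zero-length terminator chunk."""
    out = bytearray()
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        out += data[:size]
        data = data[size + 2:]  # skip chunk payload and its trailing CRLF
    return bytes(out)


def build_respmod_request(host, path, req_hdr, res_hdr, res_body):
    """Assemble a RESPMOD request. The Encapsulated header gives the byte
    offset of each section inside the ICAP body so the server can slice
    them without re-parsing HTTP."""
    sections, offsets, pos = [], [], 0
    for name, blob in (("req-hdr", req_hdr), ("res-hdr", res_hdr)):
        if blob:
            offsets.append(f"{name}={pos}")
            sections.append(blob)
            pos += len(blob)
    offsets.append(f"res-body={pos}")
    sections.append(encode_chunked(res_body))
    head = (f"RESPMOD icap://{host}{path} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "Allow: 204\r\n"                   # we accept 204 = "unmodified"
            f"Encapsulated: {', '.join(offsets)}\r\n\r\n")
    return head.encode("ascii") + b"".join(sections)


def parse_icap_response(raw: bytes) -> dict:
    """Parse an ICAP response into status, headers and encapsulated sections."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    enc = [p.strip().split("=") for p in headers.get("encapsulated", "").split(",")
           if p.strip()]
    sections = {}
    for i, (name, off) in enumerate(enc):
        end = int(enc[i + 1][1]) if i + 1 < len(enc) else len(body)
        sections[name] = body[int(off):end]
    if "res-body" in sections:
        sections["res-body"] = decode_chunked(sections["res-body"])
    return {"status": int(code), "reason": reason, "headers": headers,
            "sections": sections}


def verdict(response, on_failure):
    """Map the ICAP outcome onto what the device does with the HTTP response.
    `response` is None when the server was unreachable; `on_failure` is the
    profile's Error or Bypass setting. Bypass is fail-open."""
    if response is None:
        return "deliver-unscanned" if on_failure.lower() == "bypass" else "error"
    if response["status"] == 204:
        return "deliver-original"      # server returned no modification
    if response["status"] == 200:
        return "deliver-modified"      # use the encapsulated replacement
    return "error"


# Constructed server replies: a block page (200) and "no change" (204).
SAMPLE_BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_BLOCK_BODY = b"<html>blocked by policy</html>"
SAMPLE_ICAP_200 = (b"ICAP/1.0 200 OK\r\nISTag: \"example-1\"\r\n"
                   b"Encapsulated: res-hdr=%d, res-body=%d\r\n\r\n"
                   % (0, len(SAMPLE_BLOCK_HDR))
                   + SAMPLE_BLOCK_HDR + encode_chunked(SAMPLE_BLOCK_BODY))
SAMPLE_ICAP_204 = b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"

if __name__ == "__main__":
    req = build_respmod_request("icap.example.net", "/respmod",
                                SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_RES_BODY)
    print(req.decode("latin-1"))
    for raw in (SAMPLE_ICAP_204, SAMPLE_ICAP_200):
        print(verdict(parse_icap_response(raw), "Error"))
    print(verdict(None, "Bypass"))   # unreachable server + Bypass = fail-open
```

Running the block prints the wire format of the RESPMOD request (so you can compare it with a packet capture on port 1344), then the three verdicts; the last line is the case the Error/Bypass setting in the profile governs, and it is the one to test deliberately by taking the ICAP server down before relying on Bypass in production.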

To edit an ICAP profile:

  1. Select the profile you would like to edit then select Edit from the toolbar, or double-click on the profile. The Edit ICAP Profile window opens.
  2. Edit the profile information as required and select Apply to apply your changes.

To delete an ICAP profile or profiles:

  1. Select the profile or profiles that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Server

To view the ICAP server list, go to Security Profiles > Advanced > ICAP Servers.

To create a new ICAP server:

  1. In the ICAP Server list, select Create New from the dropdown. The New ICAP Server window opens.
  2. Configure the following settings:
Name Enter a name for the ICAP server.
IP Address Enter the ICAP server IP address.
Port Enter the TCP port number used by the ICAP server, from 1 to 65535 (default = 1344).
  3. Select OK to create the new ICAP server.


To edit an ICAP server:

  1. Select the server you would like to edit then select Edit from the toolbar, or double-click on the server. The Edit ICAP Server window opens.
  2. Edit the ICAP server information as required and select OK to apply your changes.

To delete an ICAP server or servers:

  1. Select the ICAP server or servers that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected server or servers.

Content Analysis

Content Analysis is a licensed feature that detects adult content in real time as it passes through the FortiCache. Unlike image analysis tools that only look for skin tones, it can detect limbs, body parts, and the position of bodies. Once detected, such content can optionally be blocked or reported.

In general, the procedure is similar to the HTTP AV scanning procedure.

When a client sends an HTTP request for an image, the Content-Type header of the response determines the image type. The WAD process then holds the image content from the server for scanning before sending it to the client.

If the image score exceeds the configured threshold, the requested image is blocked and the client receives a replacement image. The replacement image keeps the same image type and size if you enable the option to re-size images. The FortiCache stores the results to improve performance for future requests for the same image.

The default settings provide a good balance, but no setting is 100% accurate and some adjustment may be required.

In order to use Content Analysis you need to setup at least one profile and apply it to a policy. Content Analysis profiles are configured under Security Profiles > Content Analysis.

When you select Create New or Edit, the following attributes can be configured:

Name Enter a name for this profile.
Comments Optional description of the profile.
Image Score Threshold Enter a value between 0 and 9999. The higher an image's score, the more likely it is to be explicit. If the image score is above this threshold, the Rating Error Action is taken (see below). Set the threshold too high and explicit images get through; set it too low and legitimate images are blocked. The default value is 600.
Image Skip Size Enter a value between 0 and 2048. Images smaller than this size, in kilobytes, are skipped by the image scan unit; very small images are difficult to scan and are more likely to be rated incorrectly by the image scan engine. The default value is 1.
Image Rating Sensitivity This value determines how strictly the Image Score Threshold is applied. The higher the sensitivity, the stricter the threshold; make it too strict and legitimate images are blocked. The default value is 75.
Rating Error Action Set to either pass or block the image when it exceeds the rating threshold. The default is pass, so images above the threshold are not blocked until you set this to block.
Replace Image Action If you choose to display a replacement image (see below), set this to re-size the replacement image to match the original (resize), or leave the replacement image at its default size (no-resize).
Replace Image Choose whether or not to display a replacement image.

Validating content analysis

You can use the following debug commands to validate the service licensing and image cache:

get system fortiguard – Display licensing information.
diag test app wad 143 – Display the image cache.
diag test app wad 144 – Clear the image cache.

Displaying and clearing the image cache require a Content Analysis license; without one, the diag commands are not available.

