This help contains the following topics:

·     Introduction

¡     Basic concepts

¡     File filtering mechanism

·     Restrictions and guidelines

·     Configure file filtering

¡     Configure a file type group

¡     Configure a file filtering profile

Introduction

The file filtering feature filters files based on file extensions. You can configure file filtering to perform actions on files based on the file extensions.

File filtering supports filtering packets of the following protocols:

·     HTTP.

·     FTP.

·     SMTP.

·     IMAP.

·     NFS.

·     RTMP.

·     SMB.

Basic concepts

File type group

A file type group can contain a maximum of 32 file extensions. A file matches a file type group if it matches a file extension in the group. You can select predefined file extensions and customize file extensions in a file type group.

File filtering rule

A file filtering rule contains a set of file filtering criteria and the actions for matching packets. The file filtering criteria include file type group, direction (Upload, Download, or Both), and applications. The packet processing actions include Drop, Permit, and Logging. A file must match all the filtering criteria for the actions specified for the rule to apply.

Common configuration

The following common configuration items are supported:

·     Action for files with false extension—Select the action for packets with files carrying false extensions. To perform file filtering inspection based on the real file extension, select Permit. To discard such packets directly, select Drop.

·     Max decompressed data size—Specify the maximum size of data that can be decompressed in a file for file filtering inspection. The device can decompress only ZIP files.

File filtering mechanism

Upon receiving a packet of a protocol that file filtering supports, the device performs the following operations:

1.     Compares the packet with the security policies.

If the packet matches a security policy that is associated with a file filtering profile, the device submits the packet to the file filtering module for processing.

2.     Extracts and records the file extension in the packet.

3.     Identifies the real file extension and compares it with the recorded file extension:

¡     If the two file extensions match or if the real file extension cannot be identified, the device proceeds to step 4.

¡     If the two file extensions do not match, the device checks the setting of the Action for files with false extension item:

-     If the Drop action is selected, the device drops the packet directly.

-     If the Permit action is selected, the device proceeds to step 4 to perform file filtering inspection based on the real file extension.

4.     Determines the actions to take on the packet by comparing the packet attributes (file extension, application layer application, and file transfer direction) with the file filtering rules in the file filtering policy:

¡     If the packet does not match any file filtering rules in the policy, the device permits the packet to pass.

¡     If the packet matches only one rule, the device takes the actions specified for the rule.

¡     If the packet matches multiple rules, the device determines the actions as follows:

-     If the matching rules have both the permit and drop actions, the device takes the drop action.

-     The logging action is taken if it is specified for any of the matching rules.

Restrictions and guidelines

After you create, edit, or delete a file filtering profile, the configuration must be activated to take effect. You can click Submit to activate the configuration immediately or the configuration will be activated automatically 40 seconds later by default. Activating the configuration causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.

Configure file filtering

Configure file filtering as shown in Figure 1.

Figure 1 File filtering configuration procedure

 

Configure a file type group

Perform this task to create a file type group and configure file extensions in the group.

Procedure

1.     Click the Objects tab.

2.     In the navigation pane, select APPSecurity > Data Filtering > File Type Groups.

3.     Click Create.

4.     Create a file type group.

Table 1 File type group configuration items

Item	Description
Name	Enter a name for the file type group.
Description	Enter a description for the file type group.
Predefined file extensions	Select the predefined file extensions for the file type group.
Custom file extensions	Enter the custom file extensions, one per line.

 

5.     Click OK.

The file type group is displayed on the File Type Groups page.

Configure a file filtering profile

Perform this task to create a file filtering profile and configure file filtering rules in the profile.

Procedure

1.     Click the Objects tab.

2.     In the navigation pane, select APPSecurity > File Filtering > Profiles.

3.     Click Create.

4.     Create a file filtering profile.

Table 2 File filtering profile configuration items

Items	Description
Name	Enter a name for the file filtering profile.
Description	Enter a description for the file filtering profile.

 

5.     In the File filtering rules area, click Create.

6.     Create a file filtering rule.

Table 3 File filtering rule configuration items

Items	Description
Name	Enter a name for the file filtering profile.
Applications	Select the application layer protocols of the applications to which the rule applies. Supported application layer protocols are FTP, HTTP, IMAP, NFS, POP3, RTMP, SMB, and SMTP.
File type groups	Select the file type group for the file filtering rule. A file matches a file type group if it matches a file extension in the group.
Direction	Select the file transfer direction to which the rule applies. Options are Upload, Download, and Both.
Action	Select the action for matching packets. Options are Permit and Drop.
Logging	Select whether to enable logging for matching packets. Options are Enable and Disable.

 

7.     Click OK.

The file filtering rule is displayed on the file filtering rule list of the file filtering profile.

8.     Click OK.

The file filtering profile is displayed on the File Filtering Profiles page.

9.     Use the file filtering profile in a security policy. For more information about security policies, see security policy online help.

10.     Click Submit to activate the configuration immediately or wait 40 seconds for the configuration to be activated automatically.

After you create a file filtering profile, the configuration must be activated to take effect. By default, the configuration will be activated automatically 40 seconds later.