Login
- Table of Contents
-
- 09-Configuration Examples
- 01-Web Login Configuration Examples
- 02-Internet Access Through a Static IP Address Configuration Examples
- 03-Internet access through PPPoE configuration examples
- 04-License Configuration Examples
- 05-Signature Library Upgrade Configuration Examples
- 06-Software Upgrade Examples
- 06-Software Upgrade Examples (only for F50X0-D and F5000-AK5X5 firewalls)
- 07-Routing deployment configuration examples
- 08-Transparent deployment configuration examples
- 09-Static routing configuration examples
- 10-RIP configuration examples
- 11-OSPF configuration examples
- 12-BGP configuration examples
- 13-Policy-based routing configuration examples
- 14-Security Policy Configuration Examples
- 15-APR-Based Security Policy Configuration Examples
- 16-Object Group Configuration Examples
- 17-User identification configuration examples
- 18-Attack defense configuration examples
- 19-IPCAR Configuration Examples
- 20-IPS Configuration Examples
- 21-URL Filtering Configuration Examples
- 22-Anti-Virus Configuration Examples
- 23-File Filtering Configuration Examples
- 24-Data Filtering Configuration Examples
- 25-WAF Configuration Examples
- 26-IP Reputation Configuration Examples
- 27-APT Defense Configuration Examples
- 28-NetShare Control Configuration Examples
- 29-Bandwidth Management Configuration Examples
- 30-IPsec configuration examples
- 31-SSL VPN IP access configuration examples
- 31-SSL VPN TCP access configuration examples
- 31-SSL VPN Web access configuration examples
- 32-L2TP Configuration Examples
- 33-NAT configuration examples
- 34-NPTv6 Configuration Examples
- 35-Policy-based NAT configuration examples
- 36-NAT hairpin configuration examples
- 37-NAT Flow Logging Configuration Examples
- 38-Inbound Link Load Balancing Configuration Examples
- 39-Outbound Link Load Balancing Configuration Examples
- 40-Server Load Balancing Configuration Examples
- 41-Transparent DNS Proxy Configuration Examples
- 42-High Availability Group Configuration Examples
- 43-Context Configuration Examples
- 43-Context Configuration Examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 44-IRF configuration examples
- 44-IRF configuration examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 45-DHCP configuration examples
- 46-DNS configuration examples
- 47-Server Connection Detection Configuration Examples
- 48-Connection Limit Configuration Examples
- 49-Public key management configuration examples
- 50-SSL Decryption Configuration Examples
- 51-MAC Address Learning Through a Layer 3 Device Configuration Examples
- 52-4G Configuration Examples
- 53-WLAN Configuration Examples
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 23-File Filtering Configuration Examples | 170.31 KB |
File filtering configuration examples
Contents
· Example: Configuring file filtering
The following information provides file filtering configuration examples.
The file filtering feature filters files based on file extensions. You can configure file filtering to perform actions on files based on the file extensions.
This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of the file filtering feature.
File filtering supports filtering packets of the following protocols:
· HTTP.
· FTP.
· SMTP.
· IMAP.
· NFS.
· POP3.
· RTMP.
· SMB.
For file filtering to inspect HTTPS protocol packets, you must also configure the application proxy feature. To configure the application proxy feature, access the Policies > Application Proxy page.
Example: Configuring file filtering
Network configuration
As shown in Figure 1, a security gateway device is deployed at the border of the enterprise network. Configure file filtering on the device to control the file transfer behaviors of internal users as follows:
· Block uploading of common files and compressed files to the Internet to reduce the risk of internal information leakage.
· Block downloading of script files from Web servers to reduce the risk of virus entering the enterprise network.
Software versions used
This configuration example was created and verified on R8860 of the F1000-AI-55 device.
Procedure
1. Assign IP addresses to interfaces and add the interfaces to security zones:
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/1.
# In the dialog box that opens, configure the interface:
a. Select the Trust security zone.
b. Click the IPv4 Address tab, and then enter the IP address and mask of the interface. In this example, enter 10.1.1.1/24.
c. Click OK.
# Add GE 1/0/2 to the Untrust security zone and set its IP address to 20.1.1.1./24 in the same way you configure GE 1/0/1.
2. Configure a route:
This example configures a static route. If dynamic routes are required, configure a dynamic routing protocol.
Configure the next hop IP address to reach the Web server in the external network according to the actual network conditions. In this example, the next hop IP address is 20.1.1.2.
To configure a static route:
# On the top navigation bar, click Network.
# From the navigation pane, select Routing > Static Routing.
# On the IPv4 Static Routing tab, click Create.
# In the dialog box that opens, create an IPv4 static route:
¡ Enter destination address 5.5.5.0.
¡ Enter mask length 24.
¡ Enter next hop address 20.1.1.2.
# Click OK.
3. Configure file type groups.
# Create file type group filetype1 as follows:
a. On the top navigation bar, click Objects.
b. From the navigation pane, select APP Security > File Filtering > File Type Groups.
c. Click Create.
d. In the dialog box that opens, configure the file type group:
- Enter filetype1 in the Name field.
- From the Predefined file extensions list, select Compressed_File and Docmument_File.
- Click OK.
Figure 2 Creating file type group filetype1
# Create file type group filetype2 with the Script_File predefined file extension selected.
Figure 3 Creating file type group filetype2
4. Configure a file filtering profile.
# On the top navigation bar, click Objects.
# From the navigation pane, select APP Security > File Filtering > Profiles.
# Click Create.
# In the dialog box that opens, configure a file filtering profile:
a. Enter the name filefilter.
b. In the File filtering rules area, click Create.
c. In the dialog box that opens, configure file filtering rule rule1 as shown in Figure 4, and then click OK.
Figure 4 Creating file filtering rule rule1
d. Create file filtering rule rule2 (as shown in Figure 5) in the same way you configure file filtering rule rule1.
Figure 5 Creating file filtering rule rule2
The file filtering rules are displayed in the Create File Filtering Profile dialog box, as shown in Figure 6.
e. Click OK.
Figure 6 Creating a file filtering profile
5. Create a security policy:
# On the top navigation bar, click Policies.
# From the navigation pane, select Security Policies > Security Policies.
# Click Create.
# In the dialog box that opens, configure a security policy:
¡ Enter policy name filefilter.
¡ Select source zone Trust.
¡ Select destination zone Untrust.
¡ Select type IPv4.
¡ Select action Permit.
¡ Select source IP address 10.1.1.0/24.
¡ Select file filtering profile filefilter in the Content security area.
# Cilck OK.
6. Activate the settings on the Security Policies page:
# After you apply the file filtering profile to the security policy, click Submit (the second Submit in Figure 7) to have the content security configuration take effect.
# Click Activate (the first Submit in Figure 7) to activate security policy matching acceleration.
Figure 7 Activate security policy settings
7. Enable logging:
# On the top navigation bar, click System.
# From the navigation pane, select Log Settings > Basic Settings.
# Click the Storage Space Settings tab.
# Edit the storage space settings for the file filtering service and enable logging for the service.
Verifying the configuration
Verify that internal users cannot upload document files or compressed files to the Internet, or download script files from Web servers.
To view the file filtering logs, click Monitor on the top navigation bar, and then select Security Logs > File Filtering Logs from the navigation pane.
