Chapter 15 Unified Threat Management for FortiOS 5.0 : AntiVirus : Enable antivirus scanning : Configuring a maximum allowed file size
  
Configuring a maximum allowed file size
Proxy options allow you to enforce a maximum allowed file size for each of the network protocols in the profile. They are HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP. If your FortiGate unit supports SSL content scanning and inspection, you can also configure a maximum file size for HTTPS, IMAPS, POP3S, SMTPS, and FTPS.
The action you set determines what the FortiGate unit does with a file that exceeds the oversized file threshold. Two actions are available:
 
Block
Files that exceed the oversize threshold are dropped and a replacement message is sent to the user instead of the file.
Pass
Files that exceed the oversize threshold are allowed through the FortiGate unit to their destination. Note that passed files are not scanned for viruses. File filtering, by both file pattern and file type, is still applied, however.
You can also use the maximum file size to help secure your network. If you’re using a proxy-based virus scan, the proxy scan buffer size limits the size of the files that can be scanned for infection. Files larger than this limit are passed without scanning. If you configure the maximum file size to block files larger than the scan buffer size, large infected files cannot bypass antivirus scanning.
In this example, the maximum file size will be configured to block files larger than 10 megabytes, the largest file that can be antivirus scanned with the default settings. You will need to configure a proxy options profile and add it to a security policy.
Set proxy options profile to block files larger than 10 MB
1. Go to Policy > Policy > Proxy Options.
2. Edit the default or select Create New to add a new one.
3. Scroll down to the Common Options section and select the check box next to Block Oversized File/Email.
4. The sub line Threshold (MB) will appear with a value field. Enter 10.
5. Select OK or Apply.
The proxy options profile is configured, but to block files, you must select it in the firewall policies handling the traffic that contains the files you want blocked.
To select the Proxy Options profile in a security policy
1. Go to Policy > Policy > Policy.
2. Edit or create a security policy.
3. Select a proxy-based security profile (for example, an Antivirus profile that includes proxy scanning). When a Security Profile is proxy-based, the Proxy Options field is visible.
4. Beside Proxy Options select the name of the MTU proxy options protocol.
5. Select OK to save the security policy.
Once you complete these steps, any files larger than 10 MB in the traffic subject to Security Profile scanning handled by this policy will be blocked. If you have multiple firewall policies, examine each to determine if you want to apply similar file blocking to them as well.
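To review many proxy options profiles at once, the following added example (not part of the Fortinet documentation) audits a saved configuration file and lists every protocol where a file too large to scan would still pass. It assumes the backup uses the FortiOS CLI keywords config firewall profile-protocol-options, set options oversize and set oversize-limit; the sample configuration and the function name audit_oversize are constructed for illustration.

```python
import re

PROTOCOLS = {"http", "ftp", "imap", "pop3", "smtp", "im", "nntp",
             "https", "imaps", "pop3s", "smtps", "ftps"}

# Constructed sample; keywords assume the FortiOS CLI backup layout.
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "default"
        config http
            set options clientcomfort oversize
        end
        config ftp
            set options clientcomfort
        end
        config smtp
            set options oversize
            set oversize-limit 50
        end
    next
end
"""

def audit_oversize(config_text, scan_limit_mb=10):
    """List (profile, protocol, reason) where unscannable files can pass."""
    findings, in_section, opts = [], False, set()
    profile = proto = limit = None
    for line in map(str.strip, config_text.splitlines()):
        if line == "config firewall profile-protocol-options":
            in_section = True
        elif not in_section:
            continue
        elif m := re.fullmatch(r'edit "?([^"]+)"?', line):
            profile = m.group(1)
        elif line.startswith("config ") and profile:
            proto, opts, limit = line.split()[1], set(), None
        elif line.startswith("set options ") and proto:
            opts = set(line.split()[2:])
        elif line.startswith("set oversize-limit ") and proto:
            limit = int(line.split()[2])
        elif line == "end" and proto:  # closes one protocol block
            size = scan_limit_mb if limit is None else limit  # assumption: unset = scan limit
            if proto in PROTOCOLS and ("oversize" not in opts or size > scan_limit_mb):
                why = "oversize action is Pass" if "oversize" not in opts else f"threshold {size} MB"
                findings.append((profile, proto, why))
            proto = None
        elif line in ("next", "end"):  # "next" ends a profile, "end" ends the section
            profile, in_section = None, line == "next"
    return findings
```

The check covers profiles only; confirming that each security policy actually references a blocking profile is a separate review step.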