Initial Configuration in Basic Mode

Configuring network settings

The Network menu item lets you configure or change settings for network interfaces (ports), set or change the default gateway, and review and edit DNS settings. It is here that you can change the IP address of the URL that you enter in a browser to access the web UI.

Configuring interfaces

The Interface tab displays the FortiMail unit’s four ports, which you can configure for various purposes. Port1 is usually the interface used to access the FortiMail unit’s web UI.

To configure a port interface

  1. Go to Settings > Network > Interface.

Figure 28:Interface tab

The table shows the available ports, with their IP/netmask, assigned access protocols and up/down status.

  1. To configure any port, do one of the following:
    • select the port in the table and click Edit
    • double-click a port

One of the following dialogs appears.

Figure 29:Network interface for gateway and server mode

Figure 30: Network interface for transparent mode

  1. Configure the following:

Addressing mode  Options in this area apply to gateway and server mode only.

Manual                      Select to enter a static IP address, then enter the IP address and netmask for the network interface in IP/Netmask.

DHCP                Select to retrieve a dynamic IP address using DHCP.

Retrieve default gateway and DNS from server Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values.

Only available if DHCP is selected.

Connect to server Enable for the FortiMail unit to attempt to obtain DNS addressing information from the DHCP server. Only available if DHCP is selected.

Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time.

  The following options apply to all modes.
IP/Netmask Enter the IP address and netmask for the network interface. Only available if Manual is selected.
Access Enable protocols that this network interface should accept for connections to the FortiMail unit itself. (These options do not affect connections that will travel through the FortiMail unit.)

Caution: For security reasons, limit the access protocols to just a few secure forms for the port used for administrative access. Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer.

MTU  
Override default

MTU value (1500).

Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes.

Administrative status Select either:

•      Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.

•      Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.

  1. Click OK.

Configuring routing settings

The Routing tab displays a list of routes. You can configure static routes and gateways used by the FortiMail unit.

Static routes direct traffic exiting the FortiMail unit — you can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations.

A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet’s destination IP address.

You should configure at least one static route, a default route, that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses.

To edit a routing entry

  1. Go to Settings > Network > Routing.

Figure 31:Routing tab

  1. To configure an entry, do one of the following:
    • select New for a new route
    • select a route in the table and click Edit
    • double-click a route to edit it The following dialog appears. Figure 32:Routing edit and create dialog
  2. Configure the following:
Destination IP/netmask Enter the destination IP address and netmask of packets that will be subject to this static route.

To create a default route that will match all packets, enter

0.0.0.0/0.0.0.0.

Gateway Type the IP address of the next-hop router to which the FortiMail unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
  1. Click Create or OK.

Configuring DNS settings

The DNS tab enables you to configure the primary and secondary DNS servers that the FortiMail unit will query to resolve domain names into IP addresses.

If you deployed the FortiMail unit for your chosen mode (gateway, server, or transparent), as described in earlier chapters, do not change these settings unless your earlier deployment settings are incorrect.

To edit a DNS entry

  1. Go to Settings > Network > DNS.

Figure 33:DNS settings

  1. Change one or both of the DNS entries, as required.
  2. Click Apply.

Configuring domains and mail servers

The Domains menu item lets you add and edit protected domain settings, and their related mail server settings.

Configuring protected domains

The Domains tab displays the domains you created using the Quick Start Wizard. You can add, edit or delete domains using this tab’s features.

To configure a domain

  1. Go to Settings > Domains > Domains.

Figure 34:Domain tab showing a domain with associated domains

  1. Either click New for a new domain, or select a domain and click Edit.
    • For a FortiMail unit in server mode, a dialog with a single field appears where you enter a fully qualified domain name.
    • For a FortiMail unit in gateway or transparent mode, the following dialog appears.

Figure 35:New domain dialog for gateway and transparent modes

Configure the following:

  The first option applies to all modes.
Domain name Enter the fully qualified domain name (FQDN) of the protected domain, such as example.com.
  The following options apply to transparent and gateway modes.
Relay type Select one of the following to define which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:

•      Host: Configure the connection to one protected SMTP server or a fallback. Also configure SMTP server and Fallback SMTP server.

•      MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.

Note: For am MX record, you may also need to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.

See the applicable deployment chapter in this guide for your mode.

SMTP server

Fallback SMTP

server

For both servers, enter the fully qualified domain name (FQDN)or IP address of the primary SMTP server for this protected domain, then also configure Port and Use SMTPS.

If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay, instead of your internal mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail unit. For more information, see “Incoming versus outgoing directionality” on page 7.

This field appears only if Relay type is Host.

Port For both servers, enter the port number on which the SMTP server listens.

If you enable Use SMTPS, Port automatically changes to the default port number for SMTPS, but can still be customized.

The default SMTP port number is 25; the default SMTPS port number is 465.

This field appears only if Relay type is Host.

Use SMTPS For both servers, enable to use SMTPS for connections originating from or destined for this protected server.

This field appears only if Relay type is Host.

Domain

Association

To expand this area, click the down-arrow beside the title.

Associated domains use the settings of the protected domain with which they are associated, and do not have separate protected domain settings of their own.

To add an association:

1     Enter a domain name in the text field at the bottom of the display area.

2     Click Create.

The domain name appears in the Members area.

  1. Click Create or OK.
This entry was posted in Administration Guides, FortiMail and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.