Configuring Profiles

View the virus database information

Go to Profile > AntiVirus >> Virus Database to view the antivirus database and signature update information.

The default FortiMail virus database contains most commonly seen viruses and should be sufficient enough for regular antivirus protection. Some high-end FortiMail models also support the usage of an extended virus database, which contains viruses that are not active any more. To use this database, you must enable it with the following CLI command:

config system fortiguard antivirus set extended-virus-db enable

end

For more details, see the FortiMail CLI Reference.

For details about updates, see “Configuring FortiGuard updates and antispam queries” on page 233.

Configuring content profiles and content action profiles

The Content submenu lets you configure content profiles for incoming and outgoing content-based scanning. The available options vary depending on the chosen directionality.

This topic includes:

  • Configuring content profiles
  • Configuring content action profiles

Configuring content profiles

The Content tab lets you create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

You can use content profiles to apply content-based encryption to email, or to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. You can apply content profiles to email that you want to protect and email that you want to prevent.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see ““About administrator account permissions and domains” on page 290.

To view and configure content profiles

  1. Go to Profile > Content > Content.

Figure 216:Viewing the list of content profiles

GUI item Description
Clone

(button)

Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.
Domain

(drop-down list)

Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.
Profile Name Displays the name of the profile.
Domain Name

(column)

Displays either System or the name of a domain
GUI item Description
Direction Select either Incoming to see profiles that can be used by an incoming policy, or Outgoing to see profiles that can be used by an outgoing policy. For definitions of outgoing and incoming email, see “Incoming versus outgoing email messages” on page 454.
(Green dot in column heading) Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
  1. Either click New to add a profile or double-click a profile to modify it.

A multisection dialog appears.

Figure 217:Configuring a content profile

  1. For a new profile, select System in the Domain list to see profiles that apply to t he entire FortiMail unit or the name of a protected domain.
  2. For a new profile, enter its name.
  3. In Direction, select either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. For definitions of outgoing and incoming email, see “Incoming versus outgoing email messages” on page 454.
  4. In Action, select a content action profile to use. For details, see “Configuring content action profiles” on page 535.
  5. Configure the following sections as needed:
    • “Configuring attachment filtering” on page 528
    • “Configuring file type filtering” on page 528
    • “Configuring other content settings” on page 529
    • “Configuring scan conditions” on page 531
    • “Configuring content monitor and filtering” on page 533
  6. Click Create or OK to save the entire content profile.

Configuring attachment filtering

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see “Configuring content profiles and content action profiles” on page 526.

  1. Go to Profile > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the Attachment Filtering section and configure the following:
GUI item Description
Block or

Pass

Select either Block (that is, apply the content action profile selected in the Action section) or Pass (that is, bypass the content action profile) from the drop-down menu, if a file attachment matches the file name patterns whose check boxes you mark.

If an attachment matches a pattern whose check box you did not mark, the FortiMail unit will perform the opposite action of whatever you selected, either Block or Pass.

For example, if you select Block and mark the check box for *.exe, files whose names end in .exe will be blocked. All other file names will pass attachment filtering, but will still be subject to any other filters or antispam scans that you have configured.

Conversely, if you select Pass and mark the check box for *.doc, all file names other than those ending in .doc will be blocked.

Enable Mark the check boxes of file extension patterns that you want to Block or Pass. (Click the label first if the check boxes are unavailable.)
Name Displays the attachment filtering pattern, which describes a file name or file name extension that can be filtered, such as *.exe for all files with the executable file name extension.
Create

(button)

To add extensions to the list, enter the file extension pattern in the text box next to Create (for example, *.docx), then click Create.
Delete

(button)

Mark the check box of an attachment filtering pattern, then click this button to remove it from the list.

Configuring file type filtering

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see “Configuring content profiles and content action profiles” on page 526.

  1. Go to Profile > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand File Type Filtering.
  4. Select either Block (that is, apply the content action profile selected in the Action section) or Pass (that is, bypass the content action profile) from the drop-down menu.
  5. Select the check boxes of the MIME file types or subtypes that you want to block or pass. File types that you have not marked will receive the action opposite of your Block/Pass

For example, to allow email that contains audio content to pass the attachment file type filter, and block all other file types, select Pass and then mark the audio check box.

Passed file types will pass attachment file type filtering only, and will still be subject to any other content filters or antispam scans that you have configured.

For the image and document/encrypted file types, you can use an action profile to overwrite the default action profile used by the content profile. For example, if you want to redirect encrypted email to a third party box (such as a PGP Universal Server) for decryption, You can:

  1. Create a content action profile and enable the Send to alternate host option in the action profile. Enter the PGP server as the alternate host. For details about how create a content action profile, see “Configuring content action profiles” on page 535.
  2. Select to block the encrypted/pgp file type under document/encrypted. “Block” means to apply an action profile.
  3. Select the action profile for the document/encrypted file type. This action profile will overwrite the action profile you select for the entire content profile.

Configuring other content settings

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see “Configuring content profiles and content action profiles” on page 526.

  1. Go to Profile > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Expand the Other Setting

 

Click the arrow to expand Other Setting and configure the following:

GUI item              Description

Remove hidden HTML content Enable to detect hypertext markup language (HTML) tags and, if found:

•      apply the action profile

•      add X-FEAS-ATTACHMENT-FILTER: Contains HTML tags. to the message headers

Use this option to mitigate potentially harmful HTML content such as corrupted images or files, or phishing URLs that are specially crafted for a targeted attack, and not yet identified by the FortiGuard Antispam service.

Depending on the action profile, for example, you could warn email users by tagging email that contains potentially dangerous HTML content, or, if you have removed the HTML tags, allow users to safely read the email to decide whether or not it is legitimate first, without automatically displaying and executing potentially dangerous scripts, images, or other files. (Automatic display of HTML content is a risk on some email clients.)

Caution: Unless you also select Replace in the content action profile, HTML is not removed, and the email will not be converted to plain text. Instead, the FortiMail unit will only apply whichever other action profile “block” action you have selected.

To actually remove HTML tags, you must also select Replace. If you select Replace, all HTML tags are removed, except for the minimum required by the HTML document type definition (DTD): <html>, <head>, and <body>.

Stripped body text is surrounded by <pre> tags, which is typically rendered in a monospace font, causing the appearance to mimic plain text.

For linked files, which are hosted on an external web site for subsequent download rather than directly attached to the email, the FortiMail unit will download and attach the file to the email before removing the <img> or <embed> tag. In this way, while the format is converted to plain text, attachments and linked files which may be relevant to the content are still preserved.

For example, in an email is a mixture of HTML and plain text

(Content-Type: multipart/alternative), and the action profile’s “block” action is Replace, the FortiMail unit removes hyperlink, font, and other HTML tags in the sections labeled with Content-Type: text/html. Linked images are converted to attachments. (The MIME

Content-Type: text/html label itself is not be modified.)

Block email without any attachment Enable to apply the block action configured in the content action profile if an email does not have any attachments.
Block fragmented email Enable to detect and block fragmented email.

Some mail user agents, such as Outlook, can fragment big emails into multiple sub-messages. This is used to bypass oversize limits/scanning.

Defer delivery of message on policy match Enable to defer mail delivery from specific senders configured in policy to conserve peak time bandwidth at the expense of sending low priority, bandwidth consuming traffic at scheduled times. For example, you can apply this function to senders of marketing campaign emails or mass mailing.

For information on policy, see “How to use policies” on page 454.

For information on scheduling deferred delivery, see “Configuring mail server settings” on page 366.

Defer delivery of messages larger than Enter the file size limit over which the FortiMail unit will defer processing large email messages. If not enabled, large messages are not deferred.

For information on scheduling deferred delivery, see “Configuring mail server settings” on page 366.

Maximum number of attachment Specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10.
GUI item Description
Block password protected Office

document

Enable to apply the block action configured in the content action profile if an attached MS Office document is password-protected, and therefore cannot be decompressed in order to scan its contents.

Configuring scan conditions

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see “Configuring content profiles and content action profiles” on page 526.

  1. Go to Profile > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Expand the Scan Conditions section and configure the following:

Click the arrow to expand Scan Conditions and configure the following:

GUI item Description
Check Archive Content Enable to determine which action to perform, instead of blocking/passing based solely upon the application/archive MIME type you specify in the File Type Filtering settings (see “Configuring file type filtering”). FortiMail is capable of decompressing such archive attachments as ZIP, PKZIP, LHA, ARJ, and RAR files.

•      blocking password protected archives if you have selected Block Password Protected Archive

•      blocking archives that could not be successfully decompressed if you have selected Block on Failure to Decompress

•      passing/blocking by comparing the depth of nested archives with the nesting depth threshold configured in Max Level of Compression

By default, archives with less than 10 levels of compression will be blocked if they cannot be successfully decompressed or are password-protected.

Depending on the nesting depth threshold and the attachment’s depth of nested archives, the FortiMail unit may also consider the file types of files within the archive when determining which action to perform. For details, see the section below.

If disabled, the FortiMail unit will perform the Block/Pass action solely based upon whether an email contains an archive. It will disregard the depth of nesting, password protection, successful decompression, and the file types of contents within the archive.

Max Level of

Compression

Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit uses one of the following methods to determine if it should block or pass the email.

•      Max Level of Compression is 0, or attachment’s depth of nesting equals or is less than Max Level of Compression: If the attachment contains a file that matches one of the other MIME file types, perform the action configured for that file type, either block or pass.

•      Attachment’s depth of nesting is greater than Max Level of

Compression: Apply the block action, unless you have deselected the check box for Max Level of Compression, in which case it will pass the MIME file type content filter. Block actions are specified in the content action profile.

The specified compression value is always considered if Check Archive Content is enabled, but has an effect only if the threshold is exceeded.

This option is available only if Check Archive Content is enabled.

Block on Failure Enable to apply the block action configured in the content action profile if to Decompress an attached archive cannot be successfully decompressed, such as if the compression algorithm is unknown, and therefore cannot be decompressed in order to scan its contents.

This option is available only if Check Archive Content is enabled.

GUI item              Description

Block Password

Protected

Archive

Enable to apply the block action configured in the content action profile if an attached archive is password-protected, and therefore cannot be decompressed in order to scan its contents.

This option is available only if Check Archive Content is enabled.

Check embedded component Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.

Enable to, for application/document MIME types such as Microsoft Office, Microsoft Visio, and OpenOffice.org documents, scan files that are encapsulated within the document itself. The FortiMail unit will scan only for MIME types that are enabled in File type filtering.

Bypass scan on Enable to omit content profile scanning if the SMTP session is

SMTP         authenticated. authentication

6 thoughts on “Configuring Profiles

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.”

    Where can i get the book to view page 620??

    Reply
  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…

    Reply
    1. Mike Post author

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

      Reply
  3. Dormond

    Hello,
    Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.

    Reply
  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.