Fortinet UTM Features

Configure the tag format

When the spam action is set to Tagged, the Tag Format setting determines what text is used as the tag applied to the message.

To configure the tag format

  1. Go to Security Profiles > Email Filter > Profile.
  2. down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering.
  4. filter profile.
  5. Select Apply.
  6. The Tag Format row has a field for each traffic type. Note that if the spam action for SMTP traffic is set to discard, the tag format will not be available. Enter the text the FortiGate unit will use as the tag for each traffic type.
  7. Select Apply.

Configure FortiGuard email filters

FortiGuard email filtering techniques use FortiGuard services to detect the presence of spam among your email. A FortiGuard subscription is required to use the FortiGuard email filters. You can enable the following types of FortiGuard email filtering:

  • FortiGuard IP address checking: When you enable FortiGuard IP address checking, your FortiGate unit will submit the IP address of the client to the FortiGuard service for checking. If the IP address exists in the FortiGuard IP address black list, your FortiGate unit will treat the message as spam.
  • FortiGuard URL checking: When you enable FortiGuard URL checking, your FortiGate unit will submit all URLs appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL black list, your FortiGate unit will treat the message as spam.
  • FortiGuard phishing URL detection: When you enable FortiGuard phishing URL detection, your FortiGate unit will submit all URL hyperlinks appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL phishing list, your FortiGate unit will remove the hyperlink from the message. The URL will remain in place, but it will no longer be a selectable hyperlink.
  • FortiGuard email checksum checking: When you enable FortiGuard email checksum checking, your FortiGate unit will submit a checksum of each email message to the FortiGuard service for checking. If a checksum exists in the FortiGuard checksum black list, your FortiGate unit will treat the message as spam.
  • FortiGuard spam submission: When you enable FortiGuard email checksum checking, your FortiGate unit will append a link to the end of every message detected as spam. This link allows email users to “correct” the FortiGuard service by informing it that the message is not spam.

Carefully consider the use of the Spam submission option on email leaving your network. Users not familiar with the feature may click the link on spam messages because they are curious. This will reduce the accuracy of the feature.

To enable FortiGuard email filtering

  1. Go to Security Profiles > Email Filter > Profile.
  2. down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering.
  4. filter profile.
  5. Select Apply.
  6. Under the heading FortiGuard Spam Filtering, select one or more of the following options:
  • IP Address Check.
  • URL Check.
  • Detect Phishing URLs in Email.
  • E-mail Checksum Check.
  • Spam Submission.
  7. Select Apply.

Select the edited email filter profile in a security policy, and the traffic controlled by the security policy will be scanned according to the settings you configured. You may select the email filter profile in more than one security policy if required.

Configure local email filters

Local email filtering techniques use your own resources, whether DNS checks or IP address and email address lists that you maintain. You can enable three types of local filtering:

  • Black and white list (BWL) checking (includes email addresses and IP addresses)
  • HELO DNS lookup
  • Return email DNS checking

Enabling IP address and email address black/white list checking

When you enable black/white list (BWL) checking, your FortiGate unit will perform IP address BWL checking and email address BWL checking.

IP address BWL checking matches client IP addresses with IP addresses in the selected email BWL list and acts according to the action configured for the IP address in the list: allow the message, reject it, or mark it as spam.

Email address BWL checking matches sender email addresses with email addresses in the selected email BWL list and acts according to the action configured for the email address in the list: allow the message or mark it as spam.

Before you can enable IP address and email address black/white list spam filtering you must create an email black/white list.

To create an email black/white list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Select Create New.
  3. Enter a name for the BWL list.
  4. Optionally, enter a description or comments about the list.
  5. Select OK to save the list.

 

When a new black/white list is created, it is empty. To perform any actions, you must add IP and email addresses to the list.

To add an IP address to an email black/white list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Edit a list.
  3. Select Create New.
  4. Select IP/Netmask.
  5. Enter the IP address or netmask in the IP/netmask field.
  6. Select the action:
  • Mark as Clear: Messages from clients with matching IP addresses will be allowed, bypassing further email filtering.
  • Mark as Reject: Messages from clients with matching IP addresses will be rejected. The FortiGate unit will return a reject message to the client. Mark as Reject only applies to mail delivered by SMTP. If an IP address black/white list is used with POP3 or IMAP mail, addresses configured with the Mark as Reject action will be marked as spam.
  • Mark as Spam: Messages from clients with matching IP addresses will be treated as spam, subject to the action configured in the applicable email filter profile. For more information, see “Configure the spam action” on page 46.
  7. By default, the address is enabled and the FortiGate unit will perform the action if the address is detected. To disable checking for the address, clear the Enable check box.
  8. Select OK.

To add an email address to an email black/white list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Edit a list.
  3. Select Create New.
  4. Select Email Address.
  5. Enter the email address in the Email Address field.
  6. If you need to enter a pattern in the Email Address field, select whether to use wildcards or regular expressions to specify the pattern.

Wildcard uses an asterisk (“*”) to match any number of any character. For example, *@example.com will match all addresses ending in @example.com.

Regular expressions use Perl regular expression syntax. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.

  7. Select the action:
  • Mark as Spam: Messages with matching reply-to email addresses will be treated as spam, subject to the action configured in the applicable email filter profile. For more information, see “Configure the spam action” on page 46.
  • Mark as Clear: Messages with matching reply-to addresses will be allowed, bypassing further email filtering.
  8. By default, the address is enabled and the FortiGate unit will perform the action if the address is detected. To disable checking for the address, clear the Enable check box.
  9. Select OK to save the address.
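The two procedures above (IP entries and email address entries) can be rehearsed offline before a list is committed to the unit. The following Python model is an added example, not Fortinet code: it evaluates a constructed list against a message and reports which Mark as Clear patterns would let look-alike addresses bypass filtering. It assumes entries are tried in list order with the first match winning, that regular expression entries behave like an unanchored Perl search, and that Python's re module stands in for Perl syntax.

```python
import ipaddress
import re

# Constructed sample list (documentation IP ranges and domains, not from the page).
SAMPLE_BWL = [
    {"type": "ip", "value": "192.0.2.0/24", "action": "reject"},
    {"type": "ip", "value": "198.51.100.7/32", "action": "clear"},
    {"type": "email", "mode": "wildcard", "value": "*@example.com", "action": "clear"},
    {"type": "email", "mode": "regex", "value": "@example.org", "action": "clear"},
    {"type": "email", "mode": "regex", "value": r"@example\.net$", "action": "spam", "enabled": False},
]

def wildcard_matches(pattern, address):
    # Page semantics: "*" matches any number of any character; the rest is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address) is not None

def entry_matches(entry, client_ip, sender):
    if entry["type"] == "ip":
        network = ipaddress.ip_network(entry["value"], strict=False)
        return ipaddress.ip_address(client_ip) in network
    if entry["mode"] == "wildcard":
        return wildcard_matches(entry["value"], sender)
    # Assumption: regex entries behave like an unanchored Perl m// search.
    return re.search(entry["value"], sender) is not None

def evaluate(bwl, protocol, client_ip, sender):
    """Return 'clear', 'reject', 'spam', or None when no enabled entry matches."""
    for entry in bwl:  # assumption: entries are tried in list order, first match wins
        if entry.get("enabled", True) and entry_matches(entry, client_ip, sender):
            action = entry["action"]
            # Page: Mark as Reject applies to SMTP only; on POP3/IMAP it becomes spam.
            if action == "reject" and protocol != "smtp":
                return "spam"
            return action
    return None

def overbroad_clear_entries(bwl, probes):
    """Map each enabled email 'clear' pattern to the probe addresses it would match."""
    hits = {}
    for entry in bwl:
        if entry["type"] == "email" and entry["action"] == "clear" and entry.get("enabled", True):
            matched = [p for p in probes if entry_matches(entry, "0.0.0.0", p)]
            if matched:
                hits[entry["value"]] = matched
    return hits

if __name__ == "__main__":
    print(evaluate(SAMPLE_BWL, "pop3", "192.0.2.25", "a@example.net"))
    print(overbroad_clear_entries(SAMPLE_BWL, ["billing@example.org.invalid"]))
```
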

To enable IP address black/white list checking

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering and select Apply.
  4. Under the heading Local Spam Filtering, select BWL Check.
  5. Select the IP address black/white list to use from the drop-down list.
  6. Select Apply.

Select the email filter profile in a security policy, and the traffic accepted by the security policy will be scanned according to the settings you configured.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Fortinet UTM Features”

  1. Cyrus Ramirez

    Would X.509 v3 certificates affect network connectivity should you attempt to use URLs instead of IP addresses for the commonName?
