Viewing DLP archived messages

Viewing DLP archived messages

If DLP Archive is a selected message flood action, the messages that exceed the threshold are saved to the MMS DLP archive. The default behavior is to save all of the offending messages, but you can configure the DLP archive setting to save only the first message that exceeds the threshold. This still provides a sample of the offending messages without requiring as requiring as much storage.

 

To select only the first message in a flood for DLP archiving – web-based manager

1. Go to Security Profiles > Carrier > MMS Profile.

2. Edit an existing MMS Profile.

3. Expand the MMS Bulk Email Filtering Detection section, the Message Flood subsection, and the desired

Flood Threshold subsection.

4. Next to DLP Archive, select First message only from the dropdown menu.

5. Select OK.

 

Order of operations: flood checking before duplicate checking

Although duplicate checking involves only examination and comparison of message contents and not the sender or recipient, and flood checking involves only totalling the number of messages sent by each subscriber regardless of the message content, there are times when a selection of messages exceed both flood and duplicate thresholds.

The Carrier-enabled FortiGate unit checks for message floods before checking for duplicate messages. Flood checking is less resource-intensive and if the flood threshold invokes a Block action, the blocked messages are stopped before duplicate checking occurs. This saves both time and FortiOS Carrier system resources.

The duplicate scanner will only scan content. It will not scan headers. Content must be exactly the same. If there is any difference at all in the content, it will not be con- sidered a duplicate.

 

Bypassing message flood protection based on user’s carrier endpoints

You can use carrier endpoint filtering to exempt MMS sessions from message flood protection. Carrier endpoint filtering matches carrier endpoints in MMS sessions with carrier endpoint patterns.

If you add a carrier endpoint pattern to a filter list and set the action to exempt from mass MMS, all messages from matching carrier endpoints bypass message flood protection. This allows legitimate bulk messages, such as system outage notifications, to be delivered without triggering message flood protection.

For more information on carrier endpoints, see the User Authentication chapter of the FortiOS Handbook.

 

Configuring message flood detection

To have the Carrier-enabled FortiGate unit check for message floods, you must first configure the flood threshold in an MMS profile, select the MMS profile in a security policy. All the traffic examined by the security policy will be checked for message floods according to the threshold values you set in the MMS profile.

 

Configure the MMS profile – web-based manager

1. Go to Firewall Objects > MMS Profile.

2. If you are editing an MMS profile, select the Edit icon of the MMS profile.

If you are creating a new MMS profile, select Create New and enter a profile name.

3. Expand MMS Bulk Email Filtering Detection.

4. Expand Message Flood.

5. Expand Flood Threshold 1.

6. Select the Enable check box for MM1 messages, MM4 messages, or both.

7. In the Message Flood Window field, enter the length of time the Carrier-enabled FortiGate unit will keep track of the number of messages each subscriber sends.

If the Carrier-enabled FortiGate unit detects the quantity of messages specified in the Message Flood Limit sent during the number of minutes specified in the Message Flood Window, a message flood is in progress.

8. In the Message Flood Limit field, enter the number of messages required to trigger the flood.

9. In the Message Flood Block Time field, enter the length of time a user will be blocked from sending messages after causing the message flood.

10. Select the message flood actions the Carrier-enabled FortiGate unit will take when the message flood is detected.

11. Select OK.

 

Configure the security policy – web-based manager

1. Go to Policy.

2. Select the Edit icon of the security policy that controls the traffic in which you want to detect message floods.

3. Select the MMS Profile check box to enable the use of a protection profile.

4. Select the MMS protection profile from the list.

5. Select OK.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.