FortiCarrier MMS DLP archiving

MMS DLP archiving

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiOS Carrier configuration. The FortiGuard Analysis and Management server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

You can configure full DLP archiving and summary DLP archiving. Full DLP archiving includes all content; for example, full email DLP archiving includes complete email messages and attachments. Summary DLP archiving includes only the metadata about the content; for example, email message summary records include only the email header.

You can archive MM1, MM3, MM4, and MM7 content.

Configuring MMS DLP archiving

Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. For each protocol you can archive just session metadata (Summary), or metadata and a copy of the associated file or message (Full).

In addition to MMS protection profile DLP archive options you can:

  • Archive MM1 and MM7 message floods
  • Archive MM1 and MM7 duplicate messages
  • Select DLP archiving for carrier endpoint patterns in a Carrier Endpoint List and select the Carrier Endpoint Block option in the MMS Scanning section of an MMS Protection Profile

FortiOS Carrier only allows one sixteenth of its memory for transferring content archive files. For example, for Carrier-enabled FortiGate units with 128 MB RAM, only 8 MB of memory is used when transferring content archive files. Because of these memory constraints, best practice is to not enable full content archiving if antivirus scanning is also configured.

To configure MMS DLP archiving – web-based manager
  1. Go to Security Profiles > MMS Profile.
  2. Select Create New or select the Edit icon beside an existing profile.
  3. Expand MMS Bulk AntiSpam Detection > Content Archive.
  4. Complete the fields as described in DLP Archive options.
  5. Select OK.

Viewing DLP archives

You can view DLP archives from the Carrier-enabled FortiGate unit web-based manager. Archives are historical logs that are stored on a log device that supports archiving, such as a FortiAnalyzer unit.

You can access these logs from Log & Report > DLP Archive or, if you subscribed to the FortiCloud service, view log archives from there.

The DLP Archive menu is only visible if one of the following is true.

  • You have configured the FortiGate unit for remote logging and archiving to a FortiAnalyzer unit.
  • You have subscribed to FortiCloud.

The following tabs are available when you are viewing DLP archives for one of these protocols.

  • E-mail to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email archives.
  • Web to view HTTP and HTTPS archives.
  • FTP to view FTP archives.
  • IM to view AIM, ICQ, MSN, and Yahoo! archives.
  • MMS to view MMS archives.
  • VoIP to view session control (SIP, SIMPLE and SCCP) archives.

If you need to view log archives in Raw format, select Raw beside the Column Settings icon.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
