FortiCarrier MMS profiles

MMS profiles

Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.

MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.

The MMS Profile page contains options for each of the following:

- MMS scanning
- MMS Bulk Email Filtering Detection
- MMS Address Translation
- MMS Notifications
- DLP Archive
- Logging

MMS profile configuration settings

The following are MMS profile configuration settings in Security Profiles > MMS Profile.

MMS Profile page

Lists each individual MMS profile that you created. On this page, you can edit, delete or create an MMS profile.

Create New                               Creates a new MMS profile. When you select Create New, you are automatically redirected to the New MMS Profile page.
Edit                                     Modifies settings within an MMS profile. When you select Edit, you are automatically redirected to the Edit MMS Profile page.
Delete                                   Removes an MMS profile from the list on the MMS Profile page.

To remove multiple MMS profiles from within the list, on the MMS Profile page, in each of the rows of the profiles you want removed, select the check box and then select Delete.

To remove all MMS profiles from the list, on the MMS Profile page, select the check box in the check box column, and then select Delete.

Name                                     The name of the MMS profile.
Ref.                                     Displays the number of times the object is referenced by other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus), 1 appears in Ref.

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that are available within the Object Usage window:

View the list page for these objects – automatically redirects you to the list page where the object is referenced.

Edit this object – modifies the settings of the item that references the object. For example, av_1 profile is referenced by a security policy, so when this icon is selected, the user is redirected to the Edit Policy page.

View the details for this object – a table, similar to the log viewer table, that shows the settings configured in the item that references the object. For example, av_1 profile is referenced by a security policy, and that security policy’s settings appear within the table.

New MMS Profile page

Provides settings for configuring an MMS profile. This page also provides settings for configuring DLP archives and logging.

Profile Name                          Enter a name for the profile.
Comments                             Enter a description about the profile. This is optional.
MMS Scanning                       Configure MMS Scanning options.
MMS Bulk Email Filtering Detection    Configure MMS Bulk Email options.
MMS Address Translation       Configure MMS Address Translation options.
MMS Notifications                   Configure MMS Notification options.
DLP Archive                           Configure DLP archive option.
Logging                                 Configure logging options.

MMS scanning options

You can configure MMS scanning protection profile options to apply virus scanning, file filtering, content filtering, carrier endpoint blocking, and other scanning to MMS messages transmitted using the MM1, MM3, MM4 and MM7 protocols.

The following are the MMS Scanning options that are available within an MMS profile. You can create an MMS profile in Security Profiles > MMS Profile or edit an existing one. You must expand MMS Scanning to access the following options.

MMS Scanning section of the New MMS Profile page
Monitor Only                              Select to cause the unit to record log messages when MMS scanning options find a virus, match a file name, or match content using any of the other MMS scanning options. Select this option to be able to report on viruses and other problems in MMS traffic without affecting users.

Tip: Select Remove Blocked if you want the unit to actually remove content intercepted by MMS scanning options.

Virus Scan                                Select to scan attachments in MMS traffic for viruses.

Since MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configuration also apply to MM1 and MM7 scanning.

MM3 and MM4 use SMTP, so the oversize limits for SMTP and the SMTP antivirus port configuration also apply to MM3 and MM4 scanning.

Scan MM1 message retrieval                Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.
Remove Blocked                            Select to remove blocked content from each protocol and replace it with the replacement message.

Select Constant if the unit is to preserve the length of the message when removing blocked content, as may occur when billing is affected by the length of the message.

Tip: If you only want to monitor blocked content, select Monitor Only.

Content Filter                              Select to filter messages based on matching the content of the message with the words or patterns in the selected web content filter list.

For information about adding a web content filter list, see the FortiGate CLI Reference.

Carrier Endpoint Block                    Select to add Carrier Endpoint Filtering in this MMS profile. Select the carrier endpoint filter list to apply it to the profile.

MMS Content Checksum                      Select to add MMS Content Checksum in this MMS profile. Select the MMS content checksum list to apply it to the profile.
Pass Fragmented Messages                  Select to pass fragmented MM3 and MM4 messages. Fragmented MMS messages cannot be scanned for viruses. If you do not select these options, fragmented MM3 and MM4 messages are blocked.

Comfort Clients                           Select client comforting for MM1 and MM7 sessions.

Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like HTTP client comforting.

Comfort Servers                           Select server comforting for each protocol.

Similar to client comforting, you can use server comforting to prevent server connection timeouts that can occur while waiting for the unit to buffer and scan large POST requests from slow clients.

Interval (1-900 seconds)                  Enter the time in seconds before client and server comforting starts after the download has begun, and the time between sending subsequent data.

Amount (1-10240 bytes)                    The number of bytes sent by client or server comforting at each interval.

Oversized MMS Message             Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.

The oversize threshold refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.

Threshold (1KB – 800 MB)                  Enter the oversized file threshold and select KB or MB. If a file is larger than the threshold, the file is passed or blocked depending on the Oversized MMS Message setting. The web-based manager displays the allowed threshold range. The threshold maximum is 10% of the unit’s RAM.
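
The encoding effect described under Oversized MMS Message above, as an added example (not Fortinet's or this site's code): it builds a constructed MIME message of the kind carried over MM3/MM4 (SMTP) with Python's standard email library and compares the encoded size with a threshold. The addresses, the 800 KB sample attachment, the 1 MB threshold and the function names are assumptions made for illustration.

```python
"""Added example: encoded size of an SMTP/MIME message vs. an oversize threshold."""
from email.message import EmailMessage
from email.policy import SMTP

KB = 1024
MB = 1024 * KB


def wire_size(attachment: bytes, cte: str = "base64") -> int:
    """Return the size in bytes of the full encoded message carrying `attachment`."""
    msg = EmailMessage()
    # Constructed addresses and subject; not taken from any real deployment.
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("sample text part")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="sample.bin", cte=cte)
    # The SMTP policy serializes with CRLF line endings, as on the wire.
    return len(msg.as_bytes(policy=SMTP))


def check_oversize(attachment: bytes, threshold: int, cte: str = "base64") -> dict:
    """Compare the raw attachment size and the encoded message size with the threshold."""
    encoded = wire_size(attachment, cte)
    return {
        "raw": len(attachment),
        "encoded": encoded,
        "expansion": round(encoded / len(attachment), 3),
        "oversized": encoded > threshold,
    }


# Constructed 800 KB binary attachment (deterministic byte pattern).
SAMPLE = bytes(range(256)) * (800 * KB // 256)
THRESHOLD = 1 * MB  # hypothetical oversize threshold

if __name__ == "__main__":
    for cte in ("base64", "quoted-printable"):
        r = check_oversize(SAMPLE, THRESHOLD, cte)
        print(f"{cte:17} raw={r['raw']} encoded={r['encoded']} "
              f"x{r['expansion']} oversized={r['oversized']}")
```

With base64 the message grows by roughly a third, so the 800 KB attachment exceeds the 1 MB threshold; quoted-printable applied to binary data expands it further.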


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
