Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Protocols and actions

Protocols and actions

In an email filtering profile, there are sections for SMTP, POP3, and IMAP protocols. In each section, you can set an action to either discard, tag, or pass the log for that protocol.

CLI Example:

config smtp set log enable set action tag

end

Actions available for each protocol:

Protocol Available action
SMTP Pass: Allow spam email to pass through.
Tag: Tag spam email with configured text in the subject or header.
Discard: Discards (blocks) spam email.
POP3 & IMAP MAPI: Pass: Allow spam email to pass through.
Tag: Tag spam email with configured text in the subject or header.
Pass: Allow spam email to pass through.
Discard: Discards (blocks) spam email.

MAPI email filtering

MAPI is a proprietary protocol from Microsoft. It uses HTTPS to encapsulate email requests and responses between Microsoft Outlook clients and Microsoft Exchange servers. The configuration of MAPI email filters are only possible through the CLI.

To configure the MAPI email filter in the CLI:

config emailfilter profile edit “myMapiFilter” set spam-filtering enable

set options spamfsip spamfssubmit spamfsurl spamfsphish config mapi set log enable set action “discard or pass”

end

next

end

Email – File-type based filters

File-type based filters

File-type based email filters can be used to filter out emails which are undesired due to a file-type attachment that the network admin qualifies as non-compatible with their business environment. The admin can define the undesired filetypes within the email filter profile and can associate an action to be taken for each file-type (for example: block or log).

To configure file-type email filtering in the CLI:

config emailfilter profile edit “myEmailFileFilter” config file-filter config entries edit “compressedFiles” set action block set file-type “7z” “rar” “zip”

next

end

end

set spam-filtering enable

next end

To configure file-type email filtering in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. Enable File Filter.
  3. Customize which files are scanned (Log/Scan Archived Contents) or click Create New to add a new entry.

Email – FortiGuard-based filters

FortiGuard-based filters

FortiGate consults FortiGuard servers to help identify the spammers IP address or emails, known phishing URLs, known spam URLs, known spam email checksums, etc. FortiGuard servers have maintained databases that contain black lists which are fed from Fortinet sensors and labs distributed all over the world.

To configure the FortiGuard filters in the CLI:

config emailfilter profile edit “myEmailFilterProfile” set spam-filtering enable

set options spamfsip spamfssubmit spamfschksum spamfsurl spamrbl spamhdrcheck spamfsphish next

end

To configure the FortiGuard filters in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. In the FortiGuard Spam Filtering Spam Filtering section, you can enable or disable the following filters:
    • IP Address Check l URL Check
    • Detect Phising URLs in Email l Email Checksum Check
    • Spam Submission

Email – Local-based filters

Local-based filters

To configure the local-based AntiSpam filter in the CLI: config emailfilter bwl

FGT-300D-SPAM (bwl) # edit 1 new entry ‘1’ added

FGT-300D-SPAM (1) # set name myBWL

FGT-300D-SPAM (1) # config entries config entries

edit 1

set status enable set type ip set action spam set addr-type ipv4 set ip4-subnet 10.1.100.0 255.255.255.0

next

end

config emailfilter profile edit “myLocalEmailFilter” set spam-filtering enable set options spambwl spamhelodns spamraddrdns config smtp

set action tag

end set spam-bwl-table 1

next

end config firewall policy

edit 1 …..

set inspection-mode proxy set emailfilter-profile “myLocalEmailFilter”

next end

To configure the local-based AntiSpam filter in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. Click Create or select an existing profile and click Edit.
  3. In the Firewall policy, create or edit a rule.
  4. Set the inspection-mode to Proxy-based.
  5. Enable the Email Filter option and select the profile previously created.
  6. Set SSL Inspection to a profile that has deep SSL inspection enabled.
    • Deep inspection is required if you intend to filter SMTP, POP3, IMAP, or any SSL/TLS encapsulated protocol.
    • Below is an example of a profile with deep SSL inspection enabled.

To configure bannedwords in the CLI:

config emailfilter bword edit 1 set name “banned” config entries

edit 1 set pattern “undesired_word”

next

end

next

end

config emailfilter profile edit “myBannedWordsProfile” config file-filter set status disable

end set spam-filtering enable set options bannedword set spam-bword-table 1

next

end

Email – Filtering types

Filtering types

Local-based:

  • BWL, black orwhite list: These lists can be made from emails or IP subnets to forbid OR allow them to sending/receiving emails.

When referring to the IP address or email listed under a black or white list, email refers to the “From:” address, and IP refers to the IP address of the source of the email. In an SMTP case, the IP refers to the client’s IP address, while in a POP3 and IMAP case, it refers to the server’s IP address.

  • Bannedwords: The admin can define a list of banned words. Emails that contain any of these banned words are considered as spam.
  • DNS check: With spamhelodns and spamraddrdns, the FortiGate performs a standard DNS check on the machine name used in the helo SMTP message, and/or the return-to field to determine if these names belong to a registered domain. The FortiGate does not check the FortiGuard service during these operations. FortiGuard-based:
  • FortiGuard based options: FortiGate consults FortiGuard servers to help identify the spammers IP address or emails, known phishing URLs, known spam URLs, known spam email checksums, etc. Protocol tuning:
  • Protocol tuning: In a profile, there are sections for SMTP, POP3, and IMAP. In each section, you can set an action to either discard, tag, or pass the log for that protocol. Webmail:
  • Webmail detector: The email filter can also be configured to detect and log emails sent via Gmail and MSNHotmail. Although these two interfaces do not use the standard email protocols (SMTP, POP3, or IMAP) and instead use HTTPS, the email filter can still be configured to detect the emails sent and passed through the

FortiGate. File-type:

  • File-type based filtering: This can include emails which are undesired due to a file-type attachment that the network admin qualifies as non-compatible with their business environment. The admin can define the undesired file-types within the email filter profile and can associate an action to be taken for each file-type (for example: block or log).

Email filtering

Email filtering

The FortiGate Email Filter can be configured to do AntiSpam and file-type based filtering. To enable email filtering, create a profile using either the CLI or GUI, then use this profile in the firewall policy.

To configure the email filter profile in the CLI:

config emailfilter profile edit “ProfileName” set options ?  
bannedword Content block.
spambwl Black/white list.
spamfsip Email IP address FortiGuard AntiSpam black list check.
spamfssubmit Add FortiGuard AntiSpam spam submission text.
spamfschksum Email checksum FortiGuard AntiSpam check.
spamfsurl Email content URL FortiGuard AntiSpam check.
spamhelodns Email helo/ehlo domain DNS check.
spamraddrdns Email return address DNS check.
spamrbl Email DNSBL & ORBL check.
spamhdrcheck Email mime header check.
spamfsphish Email content phishing URL FortiGuard AntiSpam check.

These options can be reorganized according to the source of the decision:

  • Local options: The FortiGate qualifies the email based on local conditions like BWL, bannedwords, or DNS checks (with the use of FortiGuard service).
bannedword Content block.
spambwl Black/white list.
spamhelodns Email helo/ehlo domain DNS check.
spamraddrdns Email return address DNS check.
spamhdrcheck Email mime header check.
  • FortiGuard-based options: The FortiGate qualifies the email based on score or verdict returned from the FortiGuard service.
spamfsip Email IP address FortiGuard AntiSpam black list check.
spamfssubmit Add FortiGuard AntiSpam spam submission text.
spamfschksum Email checksum FortiGuard AntiSpam check.
spamfsurl Email content URL FortiGuard AntiSpam check.
spamfsphish Email content phishing URL FortiGuard AntiSpam check.
  • Third-party options: The FortiGate qualifies the email based on information from a third-party source (like ORB list). spamrbl Email DNSBL & ORBL check.

Local and FortiGuard black/white lists can be enabled and combined in a single profile. When combined, the Local black/white list has a higher priority than the FortiGuard’s black list during a decision making process.

For example: If a client’s IP address is black listed in FortiGuard servers, but the admin wants to override this decision and allow the IP to pass through the filter, they can define the IP address or subnet in a BWL with the clear action. Because the information coming from the Local BWL has a higher priority than the FortiGuard service, the email will be considered clean.

Use FortiGate as a DNS server

Use FortiGate as a DNS server

You can configure and use FortiGate as a DNS server in your network. When you enable DNS Service on a specific interface, FortiGate will listen for DNS Service on that interface.

Depending on the configuration, DNS Service on FortiGate can work in three modes: Recursive, Non-Recursive, or Forward to System DNS (server). For details on how to configure DNS Service on FortiGate, see the FortiGate System Configuration Guide.

You can apply a DNS Filter profile to Recursive Mode and Forward to System DNS Mode. This is the same as FortiGate working as a transparent DNS Proxy for DNS relay traffic.

To configure DNS Service on FortiGate using GUI:

  1. Go to Network > DNS Servers.
  2. In the DNS Service on Interface, click Create New and select an Interface.

The Recursive and Non-Recursive Mode is available only after you configure the DNS database.

To configure DNS Service on FortiGate using CLI:

config system dns-server edit “port10”  <<<==== Enable DNS Serive on Interface set mode forward-only

set dnsfilter-profile “demo”  <<<==== apply DNS Filter Profile for the service

next

end

Sample configuration

In this example, FortiGate port 10 is enabled as a DNS Service with the DNS Filter profile “demo”. Suppose port 10 has an IP address 10.1.100.5 and DNS Filter profile “demo” is set to block category 52 (Information Technology), then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query. For example:

# dig @10.1.100.5 www.fortinet.com <<<====Specify FortiGate interface address as DNS Server

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52809 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:

;; www.fortinet.com.           IN     A

;; ANSWER SECTION:

www.fortinet.com.      60     IN    A     208.91.112.55  <<<==== DNS Filter profile will filter the relay DNS traffic based on profile configuration. It blocked with redirect portal IP

;; Received 50 B

;; Time 2019-04-08 14:36:34 PDT

;; From 10.1.100.5@53(UDP) in 13.6 ms