FortiCarrier Order of operations: flood checking before duplicate checking

Duplicate checking examines and compares only message contents, not the sender or recipient, while flood checking only totals the number of messages sent by each subscriber, regardless of the message content. Even so, there are times when a selection of messages exceeds both the flood and duplicate thresholds.

The Carrier-enabled FortiGate unit checks for message floods before checking for duplicate messages. Flood checking is less resource-intensive and if the flood threshold invokes a Block action, the blocked messages are stopped before duplicate checking occurs. This saves both time and FortiOS Carrier system resources.

The duplicate scanner will only scan content. It will not scan headers. Content must be exactly the same. If there is any difference at all in the content, it will not be considered a duplicate.

FortiCarrier Message flood protection

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse.

Overview

Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.

MM1 and MM4 flood protection

The FortiOS Carrier unit keeps track of the number of messages each subscriber sends for the length of time you specify. If the number of messages a subscriber sends exceeds the threshold, a configured action is taken. Possible actions are logging the flood, blocking or intercepting messages in the flood, archiving the flood messages, and sending an alert message to inform the administrator that the flood is occurring.

You can create three different thresholds to take different levels of action at different levels of activity.

With this highly configurable system, you can prevent subscribers from sending more messages than you determine is acceptable, or monitor anyone who exceeds the thresholds.

Setting message flood thresholds

A message flood occurs when a single subscriber sends a volume of messages that exceeds the flood threshold you set. The threshold defines the maximum number of messages allowed, the period during which the subscriber sent messages are considered, and the length of time the sender is restricted from sending messages after a flood is detected.

If a subscriber exceeds the message flood threshold and is blocked from sending more messages, any further attempts to send messages will re-start the block period. You must also enable logging for MMS Scanning > Bulk Messages in the Logging section of the MMS protection profile.

Example

For example, for the first threshold you may determine that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all messages blocked for half an hour (30 minutes).

Using this example, if the subscriber exceeds the flood threshold, they are blocked from sending messages for 30 minutes. If the subscriber tries to send any message after 15 minutes, the message will be blocked and the block period will be reset again to 30 minutes. The block period must expire with no attempts to send a message. Only then will the subscriber be allowed to send more messages.
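The threshold and block-restart behaviour in this example, together with the flood-before-duplicate ordering described in the first section, modelled as an added Python example (not FortiOS Carrier code and not from the original page). The class name MmsBulkFilter, the SHA-256 checksum, the duplicate threshold values, the MSISDNs, and the choice to start counting afresh once a block expires are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict, deque

MIN = 60  # seconds per minute


class MmsBulkFilter:
    """Toy model: per-subscriber flood check first, content duplicate check second."""

    def __init__(self, flood_window, flood_limit, block_time, dup_window, dup_limit):
        self.flood_window, self.flood_limit = flood_window, flood_limit
        self.block_time = block_time
        self.dup_window, self.dup_limit = dup_window, dup_limit
        self.sent = defaultdict(deque)   # subscriber -> send times inside the window
        self.blocked_until = {}          # subscriber -> time the block period ends
        self.seen = defaultdict(deque)   # content checksum -> times it was seen
        self.checksums_computed = 0      # how often the costlier stage actually ran

    @staticmethod
    def _count(times, now, window):
        """Drop entries older than the window, record this event, return the count."""
        while times and times[0] <= now - window:
            times.popleft()
        times.append(now)
        return len(times)

    def _flood(self, subscriber, now):
        until = self.blocked_until.get(subscriber)
        if until is not None:
            if now < until:
                # Any attempt while blocked restarts the block period.
                self.blocked_until[subscriber] = now + self.block_time
                return True
            # Block expired with no attempts; assumption: counting starts afresh.
            del self.blocked_until[subscriber]
            self.sent[subscriber].clear()
        if self._count(self.sent[subscriber], now, self.flood_window) > self.flood_limit:
            self.blocked_until[subscriber] = now + self.block_time
            return True
        return False

    def _duplicate(self, content, now):
        # Only the content is hashed; sender, recipient and headers play no part.
        self.checksums_computed += 1
        digest = hashlib.sha256(content).hexdigest()  # SHA-256 is an assumption
        return self._count(self.seen[digest], now, self.dup_window) > self.dup_limit

    def check(self, subscriber, message, now):
        if self._flood(subscriber, now):
            return "flood-block"         # stopped before any checksum is computed
        if self._duplicate(message["content"], now):
            return "duplicate"
        return "pass"


def flood_example():
    """More than 100 messages in 60 minutes -> blocked for 30 minutes."""
    f = MmsBulkFilter(60 * MIN, 100, 30 * MIN, dup_window=60 * MIN, dup_limit=1000)
    sub = "5550001"                                      # constructed MSISDN
    verdicts = [f.check(sub, {"headers": {}, "content": b"msg %d" % i}, i * 30)
                for i in range(101)]                     # one message every 30 s
    t_block = 100 * 30                                   # 101st message, t = 3000 s
    retry = f.check(sub, {"headers": {}, "content": b"retry"}, t_block + 15 * MIN)
    until_after_retry = f.blocked_until[sub]
    later = f.check(sub, {"headers": {}, "content": b"later"}, until_after_retry)
    return verdicts, retry, until_after_retry - t_block, later, f.checksums_computed


def duplicate_example():
    """Same content under different headers is a duplicate; a one-byte change is not."""
    f = MmsBulkFilter(60 * MIN, 100, 30 * MIN, dup_window=30 * MIN, dup_limit=2)
    body = b"Win a prize, reply now"                     # constructed content
    msgs = [("5550001", {"headers": {"Subject": "Hi"}, "content": body}),
            ("5550002", {"headers": {"Subject": "Hello"}, "content": body}),
            ("5550003", {"headers": {"Subject": "Hey"}, "content": body}),
            ("5550004", {"headers": {"Subject": "Hey"}, "content": body + b"!"})]
    return [f.check(sub, msg, t) for t, (sub, msg) in enumerate(msgs)]


if __name__ == "__main__":
    verdicts, retry, blocked_for, later, checksums = flood_example()
    print("101st message:", verdicts[100])
    print("retry 15 minutes into the block:", retry)
    print("minutes from first block to release:", blocked_for // MIN)
    print("first message after a quiet block period:", later)
    print("checksums computed for 103 messages:", checksums)
    print("duplicate stage verdicts:", duplicate_example())
```

The retry 15 minutes into the block pushes the release time from 30 to 45 minutes after the first blocked message, and the two flood-blocked messages never reach the checksum stage.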

To configure MM1 message flood threshold – web-based manager
  1. Go to Security Profiles > MMS Profile.
  2. Select Create New.
  3. Enter MM1 flood for Profile Name.
  4. Expand MMS Bulk Email Filtering Detection.
  5. Enter the following information, and select OK.
     MM1 (first column)
     Enable                        Enable
     Message Flood Window          60 minutes
     Message Flood Limit           100
     Message Flood Block Time      30 minutes
     Message Flood Action          Block

To configure MM1 message flood threshold – CLI

config firewall mms-profile
    edit profile_name
        config flood mm1
            set status1 enable
            set window1 60
            set limit1 100
            set action1 block
            set block-time1 30
        end
end

The threshold values that you set for your network will depend on factors such as how busy your network is and the kinds of problems that your network and your subscribers encounter. For example, if your network is not too busy you may want to set message flood thresholds relatively high so that only an exceptional situation will exceed a flood threshold. Then you can use log messages and archived MMS messages to determine what caused the flood.

If your subscribers are experiencing problems with viruses that send excessive amounts of messages, you may want to set thresholds lower and enable blocking to catch problems as quickly as possible and block access to keep the problem from spreading.

Flood actions

When the Carrier-enabled FortiGate unit detects a message flood, it can take any combination of the five actions that you can configure for the flood threshold. For detailed options, see Message Flood.

Notifying administrators of floods

You can configure alert notifications for message floods by selecting the Alert Notification message flood action.

The FortiOS Carrier unit sends alert notifications to administrators using the MM1, MM3, MM4, or MM7 content interface. To send an alert notification you must configure addresses and other settings required for the content interface.

For example, to send notifications using the MM1 content interface you must configure a source MSISDN, hostname, URL, and port to which to send the notification. You can also configure schedules for when to send the notifications.

Finally you can add multiple MSISDN numbers to the MMS protection profile and set which flood thresholds to send to each MSISDN.

Example — three flood threshold levels with different actions for each threshold

You can set up to three threshold levels to take different actions at different levels of activity.

The first example threshold records log messages when a subscriber’s handset displays erratic behavior by sending multiple messages using MM1 at a relatively low threshold. The erratic behavior could indicate a problem with the subscriber’s handset. For example, you may have determined for your network that if a subscriber sends more than 45 messages in 30 minutes, you want to record log messages as a possible indication of erratic behavior.

From the web-based manager in an MMS profile set message Flood Threshold 1 to:

Enable                        Selected
Message Flood Window          30 minutes
Message Flood Limit           45
Message Flood Action          Log

From the CLI:

config firewall mms-profile
    edit profile_name
        config flood mm1
            set status1 enable
            set window1 30
            set limit1 45
            set action1 log
        end
end

Set a second, higher threshold to take additional actions when a subscriber sends more than 100 messages in 30 minutes. Set the actions for this threshold to log the flood, archive the message that triggered the second threshold, and block the sender for 15 minutes.

From the web-based manager in an MMS profile set message Flood Threshold 2 to:

Enable                        Selected
Message Flood Window          30 minutes
Message Flood Limit           100
Message Block Time            15 minutes
Message Flood Action          Log, DLP archive First message only, Block

From the CLI:

config firewall mms-profile
    edit profile_name
        config flood mm1
            set status2 enable
            set window2 30
            set limit2 100
            set action2 block log archive-first
            set block-time2 15
        end
end

Set the third and highest threshold to block the subscriber for an extended period and send an administrator alert if the subscriber sends more than 200 messages in 30 minutes. Set the actions for this threshold to block the sender for four hours (240 minutes), log the flood, archive the message that triggered the third threshold, and send an alert to the administrator.

From the web-based manager in an MMS profile set message Flood Threshold 3 to:

Enable                        Selected
Message Flood Window          30 minutes
Message Flood Limit           200
Message Block Time            240 minutes
Message Flood Action          Log, Block, Alert Notification

Because you have selected the Alert Notification action, you must also configure alert notification settings. For this example, the source MSISDN is 5551234 (telephone number 555-1234). When administrators receive MMS messages from this MSISDN, they can assume a message flood has been detected.

In this example, alert notifications are sent by the FortiOS Carrier unit to the MMSC using MM1. The host name of the MMSC is mmscexample, the MMSC URL is /, and the port used by the MMSC is 80. In this example, the alert notification window starts at 8:00am and extends for eight hours on weekdays (Monday-Friday) and the minimum interval between message flood notifications is two hours.

Source MSISDN                         5551234
Message Protocol                      MM1
Hostname                              mmscexample
URL                                   /
Port                                  80
Notifications Per Second Limit        0
Window Start Time                     8:00
Window Duration                       8:00
Day of Week                           Mon, Tue, Wed, Thu, Fri, Sat
Interval                              2 hours

From the CLI:

config firewall mms-profile
    edit profile_name
        config notification alert-flood-1
            set alert-src-msisdn 5551234
            set msg-protocol mm1
            set mmsc-hostname mmscexample
            set mmsc-url /
            set mmsc-port 80
            set rate-limit 0
            set tod-window-start 8:00
            set tod-window-duration 8:00
            set days-allowed monday tuesday wednesday thursday friday
            set alert-int 2
            set alert-int-mode hours
        end
end

You must also add the MSISDNs of the administrators to be notified of the message flood. In this example, the flood threshold 3 alert notifications are sent to one administrator with MSISDN 5554321.

To add administrator’s MSISDNs for flood threshold 3 from the web-based manager when configuring a protection profile, select MMS Bulk Email Filtering Detection > Recipient MSISDN > Create New.

MSISDN                        5554321
Flood Level 3                 Select

From the CLI:

config firewall mms-profile
    edit profile_name
        config notif-msisdn
            edit 5554321
                set threshold flood-thresh-3
        end
end

Notifying message flood senders and receivers

The FortiOS Carrier unit does not send notifications to the sender or receiver that causes a message flood. If the sender or receiver is an attacker and is explicitly informed that they have exceeded a message threshold, the attacker may try to determine the exact threshold value by trial and error and then find a way around flood protection. For this reason, no notification is sent to the sender or receiver.

However, FortiOS Carrier does have replacement messages for sending reply confirmations to MM1 senders and receivers and for MM4 senders for blocked messages identified as message floods. For information about how FortiOS Carrier responds when message flood detection blocks a message, see and MMS duplicate messages and message floods.

Responses to MM1 senders and receivers

When the FortiOS Carrier unit identifies an MM1 message sent by a sender to an MMSC as a flood message and blocks it, the FortiOS Carrier unit returns a message submission confirmation (m-send.conf) to the sender — otherwise the sender’s handset would keep retrying the message. The m-send.conf message is sent only when the MM1 message flood action is set to Block. For other message flood actions the message is actually delivered to the MMSC and the MMSC sends the m-send.conf message.

You can customize the m-send.conf message by editing the MM1 send-conf flood message MM1 replacement message (from the CLI the mm1-send-conf-flood replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted”. To hide the fact that FortiOS Carrier is responding to a flood, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.

For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Sent OK”:

config system replacemsg mm1 mm1-send-conf-flood
    set rsp-status ok
    set rsp-text "Message Sent OK"
end

When the FortiOS Carrier unit identifies an MM1 message received by a receiver from an MMSC as a flood message and blocks it, the FortiOS Carrier unit returns a message retrieval confirmation (m-retrieve.conf) to the sender (otherwise the sender’s handset would keep retrying the message). The m-retrieve.conf message is sent only when the MM1 message flood action is set to Block. For other message flood actions the message is actually delivered to the receiver, so the MMSC sends the m-retrieve.conf message.

You can customize the m-retrieve.conf message by editing the MM1 retrieve-conf flood message MM1 replacement message (from the CLI the mm1-retr-conf-flood replacement message). You can customize the class, subject, and message text for this message.

For example, you could use the following command to make the response more generic:

config system replacemsg mm1 mm1-retr-conf-flood
    set subject "Message blocked"
    set message "Message temporarily blocked by carrier"
end

Forward responses for MM4 message floods

When the FortiOS Carrier unit identifies an MM4 message as a flood message and blocks it, the FortiOS Carrier unit returns a message forward response (MM4_forward.res) to the forwarding MMSC (otherwise the forwarding MMSC would keep retrying the message). The MM4_forward.res message is sent only when the MM4 message flood action is set to Block and the MM4_forward.req message requested a response. For more information, see and MMS duplicate messages and message floods.

You can customize the MM4_forward.res message by editing the MM4 flood message MM4 replacement message (from the CLI the mm4-flood replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted” (err-content-notaccept). To hide the fact that the FortiOS Carrier unit is responding to a flood, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.

For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Sent OK” for the MM4 message forward response:

config system replacemsg mm4 mm4-flood
    set rsp-status ok
    set rsp-text "Message Forwarded OK"
end

Viewing DLP archived messages

If DLP Archive is a selected message flood action, the messages that exceed the threshold are saved to the MMS DLP archive. The default behavior is to save all of the offending messages, but you can configure the DLP archive setting to save only the first message that exceeds the threshold. This still provides a sample of the offending messages without requiring as much storage.

To select only the first message in a flood for DLP archiving – web-based manager

  1. Go to Security Profiles > MMS Profile.
  2. Edit an existing MMS Profile.
  3. Expand the MMS Bulk Email Filtering Detection section, the Message Flood subsection, and the desired Flood Threshold.
  4. Next to DLP Archive, select First message only from the drop down menu.
  5. Select OK.

FortiCarrier Message Flood

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse. A message flood occurs when a single subscriber sends a volume of messages that exceeds the flood threshold that you set. The threshold defines the maximum number of messages allowed, the period during which the subscriber's sent messages are considered, and the length of time the sender is restricted from sending messages after a flood is detected. For example, for the first threshold you may determine that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all outgoing messages blocked for 30 minutes.

Action                        Description
Log                           Add a log entry indicating that a message flood has occurred. You must also enable logging by going to Security Profiles > MMS Profile, <applicable profile> > Logging > MMS Scanning > Bulk Messages, and toggling on the checkbox.
DLP Archive                   Save the first message to exceed the flood threshold, or all the messages that exceed the flood threshold, in the DLP archive. DLP archiving flood messages may not always produce useful results. Since different messages can be causing the flood, reviewing the archived messages may not be a good indication of what is causing the problem since the messages could be completely random.
  All messages                All the messages that exceed the flood threshold will be saved in the DLP archive.
  First message only          Save only the first message to exceed the flood threshold in the DLP archive. Other messages in the flood are not saved. For message floods this may not produce much useful information since a legitimate message could trigger the flood threshold.
Intercept                     Messages that exceed the flood threshold are passed to the recipients, but if quarantine is enabled for intercepted messages, a copy of each message will also be quarantined for later examination. If the quarantine of intercepted messages is disabled, the Intercept action has no effect.
Block                         Messages that exceed the flood threshold are blocked and will not be delivered to the message recipients. If quarantine is enabled for blocked messages, a copy of each message will be quarantined for later examination.
Alert Notification            If the flood threshold is exceeded, the Carrier-enabled FortiGate unit will send an MMS flood notification message.

In the web-based manager when Alert Notification is selected it displays the fields to configure the notification.

Flood

Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.

Message flood configuration settings

The following are message flood configuration settings in Security Profiles > Message Flood.

Message Flood

Lists the large amount of messages that are being sent to you from outside sources.

Delete                        Removes messages from the list.
                              To remove multiple messages from within the list, on the Message Flood page, in each row of the messages you want removed, select the check box and then select Delete.
                              To remove all messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Remove All Entries            Removes all messages from the list.
Protocol                      Sorts/filters by the protocol used.
MMS Profile                   Sorts/filters by the MMS profile that is used.
Sender                        Sorts/filters by the sender’s email address.
Level                         Sorts/filters by the level of severity of the message.
Count                         The count column can be up or down and these settings can be turned off by selecting beside the column’s name.
Window Size (minutes)         The time in minutes.
Timer (minutes:seconds)       The time in seconds and in minutes. The timer column can be up or down and these settings turned off by selecting beside the column’s name.
Page Controls                 Use to navigate through the list.

Duplicate Message

Duplicate message protection for MM1 messages prevents multiple subscribers from sending duplicate messages to your MMSC. Duplicate message protection for MM4 messages prevents another service provider from sending duplicate messages from the same subscriber to your MMSC.

The unit keeps track of the sent messages. If the same message appears more often than the threshold value that you have configured, action is taken. Possible actions are logging the duplicate messages, blocking or intercepting them, archiving, and sending an alert to inform an administrator that duplicate messages are occurring.

Duplicate message configuration settings

View duplicate messages in Security Profiles > Duplicate Message.

Duplicate Message

Lists duplicates of messages that were sent to you.

Delete                        Removes a message from the list.
                              To remove multiple duplicate messages from within the list, on the Message Flood page, in each row of the messages you want removed, select the check box and then select Delete.
                              To remove all duplicate messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Page Controls                 Use to navigate through the list.
Remove All Entries            Removes all duplicate messages from the list.
Protocol                      Sorts/filters by the protocol used.
MMS Profile                   Sorts/filters by the MMS profile that logs the detection.
Checksum                      Sorts/filters by the checksum of the MMS message.
Level                         Sorts/filters by the level of severity of the message.
Count                         Displays the number of messages in the last window of time.
Window Size (minutes)         The period of time during which a message flood will be detected if the Message Flood Limit is exceeded.
Timer (minutes:seconds)       Either the time left in the window if the message is unflagged, or the time until the message will be unflagged if it is already flagged.

Carrier Endpoint Filter Lists

A carrier endpoint filter list contains carrier endpoint patterns. A pattern can match one carrier endpoint or can use wildcards or regular expressions to match multiple carrier endpoints. For each pattern, you select the action that the unit takes on a message when the pattern matches a carrier endpoint in the message. Actions include blocking the message, exempting the message from MMS scanning, and exempting the message from all scanning. You can also configure the pattern to intercept the message and content archive the message to a FortiAnalyzer unit.

Carrier endpoint filter lists configuration settings

The following are Carrier endpoint filter list configuration settings in Security Profiles > Carrier Endpoint Filter Lists.

Carrier Endpoint Filter Lists

Lists all the endpoint filters that you created. On this page, you can edit, delete or create a new endpoint filter list.

Create New                    Creates a new endpoint filter list. When you select Create New, you are automatically redirected to the New List page. You must enter a name to go to the Carrier Endpoint Filter Lists Settings page.
Edit                          Modifies settings within an endpoint filter list in the list.
Delete                        Removes an endpoint filter in the list.
                              To remove multiple endpoint filter lists from within the list, on the Carrier Endpoint Filter List page, in each of the rows of the endpoint filter lists you want removed, select the check box and then select Delete.
                              To remove all endpoint filter lists from the list, on the Carrier Endpoint Filter List page, select the check box in the check box column and then select Delete.
Name                          The name of the endpoint filter.
# Entries                     The number of carrier endpoint patterns in each carrier endpoint filter list.
MMS Profiles                  The MMS profile that the carrier endpoint filter list is added to.
Comments                      A description about the endpoint filter.
Ref.                          Displays the number of times the object is referenced to other objects.

For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus > Profiles), 1 appears in Ref.

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is available within the Object Usage window:

• View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

• Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

• View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.

Carrier Endpoint Filter Lists Settings

Provides settings for configuring an endpoint filter.

Name                          The name you entered on the New List page, after selecting Create New on the Carrier Endpoint Filter page.
Comments                      A description about the endpoint filter. You can add one here if you did not enter one on the New List page.
Create New                    Creates a new endpoint filter list. When you select Create New, you are automatically redirected to the New Entry page.
Edit                          Select to modify the settings of a pattern in the list.
Delete                        Select to remove a pattern in the list.
Enable                        Enables a disabled pattern in the list.
Disable                       Disables a pattern in the list.
Remove All Entries            Removes all patterns in the list on the Carrier Endpoint Filter Lists Settings page.
Enable                        Indicates whether or not the pattern is enabled.
Pattern                       Enter or change the pattern that FortiOS Carrier uses to match with carrier endpoints. The pattern can be a single carrier endpoint or consist of wildcards or Perl regular expressions that will match more than one carrier endpoint. Set Pattern Type to correspond to the pattern that you want to use.
Action                        Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the carrier endpoint pattern:
Pattern Type                  The type of pattern chosen.

New Entry page

Pattern                       Enter or change the pattern that FortiOS Carrier uses to match with carrier endpoints. The pattern can be a single carrier endpoint or consist of wildcards or Perl regular expressions that will match more than one carrier endpoint. Set Pattern Type to correspond to the pattern that you want to use.
Action(s)                     Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the carrier endpoint pattern:
                              Action(s) can be:
                              • None
                              • Block
                              • Exempt from mass MMS
                              • Exempt from all scanning
Content Archive               MMS messages from the carrier endpoint are delivered, the message content is DLP archived according to MMS DLP archive settings.
                              Content archiving is also called DLP archiving.
Pattern Type                  Select a pattern type as one of Single Carrier Endpoint, Wildcard or Regular Expression.
                              Wildcard and Regular Expression will match multiple patterns where Single Carrier Endpoint matches only one.
Enable                        Select to enable this carrier endpoint filter pattern.

FortiCarrier MMS Content Checksum

The MMS Content Checksum menu allows you to configure content checksum lists.

Configure MMS content checksum lists in Security Profiles > MMS Content Checksum using the following table.

MMS Content Checksum

Lists each individual content checksum list that you created. On this page, you can edit, delete or create a content checksum list.

Create New                    Creates a new MMS content checksum list. When you select Create New, you are automatically redirected to the New List. This page provides a name field and comment field. You must enter a name to go to MMS Content Checksum Settings page.
Edit                          Modifies settings to a MMS content checksum. When you select Edit, you are automatically redirected to the MMS Content Checksum Settings page.
Delete                        Removes an MMS content checksum from the page.
                              To remove multiple content checksum lists from within the list, on the MMS Content Checksum page, in each of the rows of the content checksum lists you want removed, select the check box and then select Delete.
                              To remove all content checksum lists from list, on the MMS Content Checksum page, select the check box in the check box column and then select Delete.
Name                          The name of the MMS content checksum list that you created.
# Entries                     The number of checksums that are included in the content checksum list.

Notification List

Lists all the notification lists that you created. On this page you can edit, delete or create a new notification list.

Create New                    Creates a new notification list. When you select Create New, you are automatically redirected to the New List page. You must enter a name to go to the Notification List Settings page.

MMS Profiles                  The MMS profile or profiles that have the MMS content checksum list applied. For example if two different MMS profiles use this content checksum list, they will both be listed here.
Comments                      A description given to the MMS content checksum.
Ref.                          Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > AntiVirus > Profiles), 1 appears in Ref.

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is available within the Object Usage window:

• View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

• Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

• View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.

Notification List

The Notification List menu allows you to configure a list of viruses. This virus list provides a list for scanning viruses in MMS messages. You can use one virus list in multiple MMS profiles, and configure multiple virus lists.

Notification list configuration settings

The following are notification list configuration settings in Security Profiles > Notification List.

Notification List

Edit                                        Modifies settings within the notification list. When you select Edit, you are automatically redirected to the Notification List Settings page.
Removes a notification list from the list on the Notification List page.

To remove multiple notification lists from within the list, on the Notification

List page, in each of the rows of the notification lists you want removed,

Delete select the check box and then select Delete.

To remove all notification lists from the list, on the Notification List page, select the check box in the check box column and then select Delete.

Name                                     The name of the MMS content checksum list that you created.
# Entries                                 The number of checksums that are included in that content checksum list.
MMS Profiles                          The MMS profile or profiles that are associated with
Comments                              A description given to the MMS notification list.
Ref.                                        Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus > Profiles), 1 appears in Ref.

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is available within the Object Usage window:

• View the list page for these objects – automatically redirects you to the list page where the object is referenced.

• Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

• View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.

Notification List Settings

Provides settings for configuring a notification list, which is a list of viruses and is used for scanning viruses in MMS messages. This list is called the Antivirus Notification List in an MMS profile.

Notification List

Name If editing the name of a notification list, enter the new name in this field. You must select OK to save the change.
Comments If you want to enter a comment, enter the comment in the field. You must select OK to save the change.
Create New Creates a notification entry in the list. When you select Create New, you are automatically redirected to the New Entry page.
Edit Modifies settings within a notification list. When you select Edit, you are automatically redirected to the Edit Entry page.
Delete Removes a notification entry from the list on the page.

To remove multiple notification entries from within the list, on the Notification List Settings page, in each of the rows of the entries you want removed, select the check box and then select Delete.

To remove all notification entries from the list, on the Notification List Settings page, select the check box in the check box column and then select Delete.

Enable Enables a notification entry that is disabled.
Disable Disables a notification entry so that it is not active and available for use, but it is not deleted.
Remove All Entries Removes all notification entries that are listed on the Notification List Settings page.
Enable Displays whether or not the checksum is enabled.
Virus Name/Profile The name of the virus that was added to the list.
Entry Type The type of match that will be used to match the virus stated in the notification list to the actual virus that is found.
New Entry page
Virus Name/Profile Enter the virus name.
Entry Type Select the type of match that will be used to match the virus stated in the notification list to the actual virus that is found.
Enable Select to enable the virus in the list.

 

FortiCarrier DLP Archive options

DLP Archive options

Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. In addition to the MMS profile’s DLP archive options, you can:

  • Archive MM1 and MM7 message floods
  • Archive MM1 and MM7 duplicate messages
  • Select DLP archiving for carrier endpoint patterns in a Carrier Endpoint List and select the Carrier Endpoint Block option in the MMS Scanning section of an MMS Profile

The unit only allows one sixteenth of its memory for transferring content archive files. For example, for units with 128 MB RAM, only 8 MB of memory is used when transferring content archive files. Best practices dictate to not enable full content archiving if antivirus scanning is also configured because of these memory constraints.

DLP Archive
Display DLP metainformation on the system dashboard        Select each required protocol to display the content archive summary in the Log and Archive Statistics dashboard widget on the System Dashboard.
Archive to FortiAnalyzer/FortiGuard        Select the type of archiving that you want for the protocol (MM1, MM3, MM4, and MM7). You can choose from Full, Summary or None.

None — Do not send content archives.

Summary — Send content archive metadata only. Includes information such as date and time, source and destination, request and response size, and scan result.

Full — Send content archive both metadata and copies of files or messages.

In some cases, FortiOS Carrier may not archive content, or may make only a partial content archive, regardless of your selected option. This behavior varies by prerequisites for each protocol.

This option is available only if a FortiAnalyzer unit or FortiGuard Analysis and Management Service is configured.

Logging

You can enable logging in an MMS profile to write event log messages when the MMS profile options that you have enabled perform an action. For example, if you enable MMS antivirus protection, you could also use the MMS profile logging options to write an event log message every time a virus is detected.

You must first configure how the unit stores log messages so that you can then record these log messages. For more information, see the FortiOS Handbook Logging and Reporting guide.

Logging
MMS-Antivirus If antivirus settings are enabled for this MMS profile, select the following options to record Antivirus Log messages.
Viruses Record a log message when this MMS profile detects a virus.
Blocked Files Record a log message when antivirus file filtering enabled in this MMS profile blocks a file.
Oversized Files/Emails Record a log message when this MMS profile encounters an oversized file or email message. Oversized files and email messages cannot be scanned for viruses.
MMS Scanning If MMS scanning settings are enabled for this MMS profile, select the following options to record Email Filter Log messages.
Notification Messages Select to log the number of MMS notification messages sent.
Bulk Messages Select to log MMS Bulk AntiSpam events. You must also select which protocols to write log messages for in the MMS bulk email filtering part of the MMS profile.
Carrier Endpoint Filter Block Select to log MMS carrier endpoint filter events, such as MSISDN filtering.
MMS Content Checksum Select to log MMS content checksum activity.
Content Block Select to log content blocking events.

FortiCarrier MMS Notifications

MMS Notifications

MMS notifications are messages that a unit sends when an MMS profile matches content in an MM1, MM3, MM4 or MM7 session. For example, the MMS profile detects a virus or uses content blocking to block a web page, text message or email. You can send notifications to the sender of the message using the same protocol and the addressing headers in the original message. You can also configure MMS notifications to send notification messages to another destination (such as a system administrator) using the MM1, MM3, MM4 or MM7 protocol.

To enable sending notifications, you need to enable one or more Notification Types, or you can add an Antivirus Notification List.

You can also use MMS notifications options to configure how often notifications are sent. The unit sends notification messages immediately for the first event, then at a configurable interval if events continue to occur. If the interval does not coincide with the window of time during which notices may be sent, the unit waits to send the notice in the next available window. Subsequent notices contain a count of the number of events that have occurred since the previous notification.

There are separate notifications for each notification type, including virus events. Virus event notifications include the virus name. Up to three viruses are tracked for each user at a time. If a fourth virus is found, one of the existing tracked viruses is removed from the list.

The notifications are MM1 m-send-req messages sent from the unit directly to the MMSC for delivery to the client. The host name of the MMSC, the URL to which m-send-req messages are sent, and the port must be specified.

 

MMS Notification
Antivirus Notification List Optionally select an antivirus notification list to select a list of virus names to send notifications for. The unit sends a notification message whenever a virus name or prefix in the antivirus notification list matches the name of a virus detected in a session scanned by the MMS protection profile. Select Disabled if you do not want to use a notification list.

Instead of selecting a notification list you can configure the Virus Scan Notification Type to send notifications for all viruses.

Message Protocol In each column, select the protocol used to send notification messages. You can use a different protocol to send the notification message than the protocol on which the violation was sent. The MMS Notifications options change depending on the message protocol that you select.

If you select a different message protocol, you must also enter the User Domain. If selecting MM7 you must also enter the Message Type.

Message Type Select the MM7 message type to use if sending notifications using MM7. Options include deliver.REQ and submit.REQ.
Detect Server Details Select to use the information in the headers of the original message to set the address of the notification message. If you do not select this option, you can enter the required addressing information manually.

You cannot select Detect Server Details if you are sending notification messages using a different message protocol.

If you select Detect Server Details, you cannot change the Port where the notification is being sent.

Hostname Enter the FQDN or the IP address of the server where the notifications will be sent.
URL Enter the URL of the server. For example, if the notification is going to www.example.com/home/alerts, the URL is /home/alerts.

This option is available only when Message Protocol is mm1 or mm7.

Port Enter the port number of the server.

You cannot change the Port if Detect Server Details is enabled.
Username Enter the user name required for sending messages using this server (optional).

This option is available only when Message Protocol is mm7.

Password Enter the password required for sending messages using this server (optional).

This option is available only when Message Protocol is mm7.

VASP ID Enter the value-added-service-provider (VASP) ID to be used when sending a notification message. If a VAS is not offered by the mobile provider, it is offered by a third party or a VAS provider or content provider (CP).

This option is available only when Message Protocol is mm7.

VAS ID Enter the value-added-service (VAS) ID to be used when sending a notification message. A VAS is generally any service beyond voice calls and fax.

This option is available only when Message Protocol is mm7.

All Notification Types In each column, select notification for all MMS event types for that MMS protocol, then enter the amount of time and select the time unit for notice intervals.

Alternatively, expand All Notification Types, and then select notification for individual MMS event types for each MMS protocol. Then enter the amount of time and select the time unit for notice intervals.

Not all event types are available for all MMS protocols.

Content Filter In each column, select to notify when messages are blocked by the content filter, then enter the amount of time and select the time unit for notice intervals.
File Block In each column, select to notify when messages are blocked by file block, then enter the amount of time and select the time unit for notice intervals.
Carrier Endpoint Block In each column, select to notify when messages are blocked, then enter the amount of time and select the time unit for notice intervals.
Flood In each column, select to notify when message flood events occur, then enter the amount of time and select the time unit for notice intervals.
Duplicate In each column, select to notify when duplicate message events occur, then enter the amount of time and select the time unit for notice intervals.
MMS Content Checksum In each column, select to notify when the content within an MMS message is scanned and banned because of the checksum value that was matched.
Virus Scan In each column, select to notify when the content within an MMS message is scanned for viruses.
Notifications Per Second Limit For each MMS protocol, enter the number of notifications to send per second. If you enter zero (0), the notification rate is not limited.
Day of Week For each MMS protocol, select the days of the week the unit is allowed to send notifications.
Window Start Time For each MMS protocol, select the time of day to begin the message alert window. By default, the message window starts at 00:00. You can change this if you want to start the message window later in the day.

When configured, notification outside this window will not be sent.

Window Duration For each MMS protocol, select the time of day at which to end the message alert window. By default, the message window ends at 00:24. You can change this if you want to end the message window earlier in the day.

When configured, notification outside this window will not be sent.

FortiCarrier MMS Address Translation options

MMS Address Translation options

The sender’s carrier endpoint is used to provide logging and reporting details to the mobile operator and to identify the sender of infected content.

When MMS messages are transmitted, the From field may or may not contain the sender’s address. When the address is not included, the sender information will not be present in the logs and the unit will not be able to notify the user if the message is blocked unless the sender’s address is made available elsewhere in the request.

The unit can extract the sender’s address from an extended HTTP header field in the HTTP request. This field must be added to the HTTP request before it is received by the unit. If this field is present, it will be used instead of the sender’s address in the MMS message for logging and notification. If this header field is present when a message is retrieved, it will be used instead of the To address in the message. If this header field is not present the content of the To header field is used instead.

Alternatively, the unit can extract the sender’s address from a cookie.

You can configure MMS address translation to extract the sender’s carrier endpoint so that it can be added to log and notification messages. You can configure MMS address translation settings to extract carrier endpoints from HTTP header fields or from cookies. You can also configure MMS address translation to add an endpoint prefix to the extracted carrier endpoints. For more information, see Dynamic Profiles and Endpoints in the Authentication guide.

MMS Address Translation
Sender Address Source Select to extract the sender’s address from the HTTP Header Field or a Cookie. You must also specify the identifier that contains the carrier endpoint.
Sender Address Identifier Enter the sender address identifier that includes the carrier endpoint. The default identifier is x-up-calling-line-id.

If the Sender Address Source is HTTP Header Field, the address and its identifier in the HTTP request header takes the format:

<Sender Address Identifier>: <MSISDN_value>

Where the <MSISDN_value> is the carrier endpoint. For example, the HTTP header might contain:

x-up-calling-line-id: 6044301297

where x-up-calling-line-id would be the Sender Address Identifier.

If the Sender Address Source is Cookie, the address and its identifier in the HTTP request header’s Cookie field takes the format of attribute-value pairs:

Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>

For example, the HTTP request headers might contain:

Cookie: id=0123jf!a;x-up-calling-line-id=6044301297

where x-up-calling-line-id would be the Sender Address Identifier.

Convert Sender Address From / To HEX Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
Add Carrier Endpoint Prefix for Logging / Notification Select the following to enable adding endpoint prefixes for logging and notification.
Enable Select to enable adding the country code to the extracted carrier endpoint, such as the MSISDN, for logging and notification purposes. You can limit the number length for the test numbers used for internal monitoring without a country code.
Prefix Enter a carrier endpoint prefix to be added to all carrier endpoints. Use the prefix to add extra information to the carrier endpoint in the log entry.
Minimum Length Enter the minimum length of the country code information being added. If this and Maximum Length are set to zero (0), length is not limited.
Maximum Length Enter the maximum length of the country code information being added. If this and Minimum Length are set to zero (0), length is not limited.
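The extraction described above, sketched as an added example (not FortiOS Carrier code): it reads the carrier endpoint from the HTTP header field or from the Cookie header, with optional hex-to-ASCII conversion. The function names, the sample requests, and the rejection of repeated identifiers and of non-digit or over-long values are assumptions of this example, not behaviour documented on the page.

```python
"""Added example: carrier endpoint extraction per the MMS Address Translation settings."""

DEFAULT_IDENTIFIER = "x-up-calling-line-id"  # default identifier named on the page
MAX_MSISDN_DIGITS = 15                       # E.164 limit; a check added by this example


def header_fields(raw_request):
    """Return [(lower-cased name, value)] for every header line in a raw HTTP request."""
    fields = []
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                             # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def cookie_attribute(cookie_value, identifier):
    """Return the values of every attribute named `identifier` in a Cookie header value."""
    found = []
    for pair in cookie_value.split(";"):
        name, sep, value = pair.partition("=")
        if sep and name.strip().lower() == identifier.lower():
            found.append(value.strip())
    return found


def extract_endpoint(raw_request, source="header", identifier=DEFAULT_IDENTIFIER,
                     hex_to_ascii=False):
    """Return the sender's carrier endpoint, or None when it is absent or unusable."""
    fields = header_fields(raw_request)
    if source == "header":
        candidates = [v for n, v in fields if n == identifier.lower()]
    elif source == "cookie":
        candidates = []
        for n, v in fields:
            if n == "cookie":
                candidates += cookie_attribute(v, identifier)
    else:
        raise ValueError("source must be 'header' or 'cookie'")
    if len(candidates) != 1:     # absent, or repeated with possibly conflicting values
        return None
    value = candidates[0]
    if hex_to_ascii:             # "Convert Sender Address From / To HEX"
        try:
            value = bytes.fromhex(value).decode("ascii")
        except ValueError:       # bad hex digits or non-ASCII bytes
            return None
    # Only plain digits go on to logs and notifications (keeps injected text out of logs).
    if not (value.isascii() and value.isdigit() and len(value) <= MAX_MSISDN_DIGITS):
        return None
    return value


# Constructed sample requests (hypothetical host and path).
HEADER_REQUEST = ("POST /mms HTTP/1.1\r\nHost: mmsc.example.com\r\n"
                  "x-up-calling-line-id: 6044301297\r\n\r\n")
COOKIE_REQUEST = ("POST /mms HTTP/1.1\r\nHost: mmsc.example.com\r\n"
                  "Cookie: id=0123jf!a;x-up-calling-line-id=6044301297\r\n\r\n")
DUPLICATE_REQUEST = HEADER_REQUEST.replace(
    "\r\n\r\n", "\r\nX-Up-Calling-Line-Id: 6045550100\r\n\r\n")

if __name__ == "__main__":
    print(extract_endpoint(HEADER_REQUEST))
    print(extract_endpoint(COOKIE_REQUEST, source="cookie"))
    print(extract_endpoint(DUPLICATE_REQUEST))
```

Because the identifier arrives in the request itself, the value is only as trustworthy as the gateway that inserts it; any copy supplied by the handset should be stripped before the trusted one is added.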

FortiCarrier MMS Bulk Anti-Spam Detection options

MMS Bulk Anti-Spam Detection options

You can use the MMS bulk email filtering options to detect and filter MM1 and MM4 message floods and duplicate messages. You can configure three thresholds that define a flood of message activity and three thresholds that define excessive duplicate messages. The configuration of each threshold includes the response actions for the threshold.

The configurable thresholds for each of the flood and duplicate sensors must be enabled in sequence. For example, you can enable Flood Threshold 1 and Flood Threshold 2, but you cannot disable Flood Threshold 1 and enable Flood Threshold 2.

You can also add MSISDNs to the bulk email filtering configuration and select a subset of the bulk email filtering options to apply to these individual MSISDNs.

You must first select MM1 and/or MM4 to detect excessive message duplicates. If excessive message duplicates are detected, the unit will perform the Duplicate Message Action for the specified duration.

You can configure three duplicate message thresholds and enable them with separate values and actions. They are labeled Duplicate Threshold 1 through 3 and must be enabled in sequence. For example, you can enable Duplicate Threshold 1 and Duplicate Threshold 2, but you cannot disable Duplicate Threshold 1 and enable Duplicate Threshold 2.

When traffic accepted by a security policy that contains an MMS profile with duplicate message configured receives MM1 or MM4 duplicate messages that match a threshold configured in the MMS protection profile, the unit performs the duplicate message action configured for the matching threshold.

You can configure three message flood thresholds and enable them with separate values and actions. They are labeled Flood Threshold 1 through 3 and must be enabled in sequence. For example, you can enable Flood Threshold 1 and Flood Threshold 2, but you cannot disable Flood Threshold 1 and enable Flood Threshold 2.

When traffic accepted by a security policy that contains an MMS protection profile with message flooding configured experiences MM1 or MM4 message flooding that matches a threshold configured in the MMS profile, the unit performs the message flood action configured for the matching threshold.

MMS Bulk Anti-Spam Detection

This section of the New MMS Profile page contains numerous sections where you can configure specific settings for flood threshold, duplicate threshold and recipient MSISDNs.

Message Flood

The message flood settings for each flood threshold. Expand each to configure settings for a threshold.

Flood Threshold 1                     Expand to reveal the flood threshold settings for Flood Threshold 1. The settings for Flood Threshold 1 are the same for Flood Threshold 2 and 3.
               Enable                          Select to apply Flood Threshold 1 to the MSISDN exception.
               Message Flood Window            Enter the period of time during which a message flood will be detected if the Message Flood Limit is exceeded. The message flood window can be 1 to 2880 minutes (48 hours).
               Message Flood Limit             Enter the number of messages which signifies a message flood if exceeded within the Message Flood Window.
               Message Flood Block Time        Enter the amount of time during which the unit performs the Message Flood Action after a message flood is detected.
               Message Flood Action            Select one or more actions that the unit is to perform when a message flood is detected.
Flood Threshold 2                     Expand to configure settings for Flood Threshold 2 or 3 respectively.
Flood Threshold 3
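A model of the flood threshold settings above, added here as an example and not FortiOS Carrier code: it checks the in-sequence enabling rule and the 1 to 2880 minute window range, then replays constructed traffic against two thresholds. Class and function names are hypothetical; it assumes a flood is declared when the count within the window exceeds the limit and that messages are still counted during block time, and it reports every threshold in effect because the page does not say how overlapping thresholds combine.

```python
"""Added example: a model of per-subscriber flood thresholds (not FortiOS Carrier code)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FloodThreshold:
    enabled: bool
    window_min: int = 1      # Message Flood Window, 1 to 2880 minutes
    limit: int = 0           # Message Flood Limit
    block_min: int = 0       # Message Flood Block Time, in minutes
    actions: tuple = ()      # Message Flood Action, e.g. ("log", "block")


def validate(thresholds):
    """Enforce the two rules the page states: in-sequence enabling and the window range."""
    gap = False
    for n, th in enumerate(thresholds, start=1):
        if th.enabled and gap:
            raise ValueError(f"Flood Threshold {n} is enabled but an earlier one is disabled")
        if th.enabled and not 1 <= th.window_min <= 2880:
            raise ValueError(f"Flood Threshold {n}: window must be 1 to 2880 minutes")
        gap = gap or not th.enabled


class FloodSensor:
    def __init__(self, thresholds):
        validate(thresholds)
        self.thresholds = list(thresholds)
        self.sent = defaultdict(deque)   # subscriber -> message times, in seconds
        self.act_until = {}              # (subscriber, threshold number) -> end of block time

    def observe(self, subscriber, now):
        """Count one message sent at `now`; return {threshold number: actions} applied to it."""
        times = self.sent[subscriber]
        times.append(now)
        longest = max((t.window_min for t in self.thresholds if t.enabled), default=0) * 60
        while times and times[0] <= now - longest:
            times.popleft()              # older than every enabled window
        applied = {}
        for n, th in enumerate(self.thresholds, start=1):
            if not th.enabled:
                continue
            in_window = sum(1 for t in times if t > now - th.window_min * 60)
            if in_window > th.limit:     # limit exceeded within the window: flood
                self.act_until[(subscriber, n)] = now + th.block_min * 60
                applied[n] = th.actions
            elif now < self.act_until.get((subscriber, n), 0):
                applied[n] = th.actions  # still inside this threshold's block time
        return applied


# Constructed configuration and traffic: (subscriber MSISDN, send time in seconds).
THRESHOLDS = [
    FloodThreshold(True, window_min=1, limit=3, block_min=5, actions=("log",)),
    FloodThreshold(True, window_min=1, limit=5, block_min=10, actions=("log", "block")),
    FloodThreshold(False),
]
EVENTS = [("6044301297", t) for t in (0, 10, 20, 30, 40, 50, 200, 400, 700)]


def replay(events, thresholds=THRESHOLDS):
    """Run the events through a fresh sensor; return (subscriber, time, thresholds applied)."""
    sensor = FloodSensor(thresholds)
    return [(who, t, sorted(sensor.observe(who, t))) for who, t in events]


if __name__ == "__main__":
    for who, t, hit in replay(EVENTS):
        print(f"t={t:>3}s {who} thresholds applied: {hit or 'none'}")
```

In the replay, the message at 200 seconds arrives long after the burst yet still falls under both thresholds, because the block time, not the window, decides how long the action lasts.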

Duplicate Message

The duplicate message threshold settings. Expand each to configure settings for a threshold.

MM1 Retrieve Duplicate Enable     Select to scan MM1 mm1-retr messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
               Enable                          Select to enable the selected duplicate message threshold and to make the rest of the options available for configuration.
               Duplicate Message Window        Enter the period of time during which excessive message duplicates will be detected if the Duplicate Message Limit is exceeded. The duplicate message window can be 1 to 2880 minutes (48 hours).
               Duplicate Message Limit         Enter the number of messages which signifies excessive message duplicates if exceeded within the Duplicate Message Window.
               Duplicate Message Block Time    Enter the amount of time during which the unit will perform the Duplicate Message Action after a message flood is detected.
               Duplicate Message Action        Select one or more actions that the unit is to perform when excessive message duplication is detected.
Duplicate Threshold 2                 Expand to configure settings for Duplicate Threshold 2 or 3 respectively.
Duplicate Threshold 3

Recipient MSISDN

The recipient Mobile Subscriber Integrated Services Digital Network Number (MSISDN) settings for each recipient MSISDN. When you select Create New, you are automatically redirected to the New MSISDN page.

You need to save the profile before you can add MSISDNs.

   Recipient MSISDN                     The recipient MSISDN.
   Flood Threshold 1                    Check to enable Flood Threshold 1 settings for this MSISDN.
   Flood Threshold 2                    Check to enable Flood Threshold 2 settings for this MSISDN.
   Flood Threshold 3                    Check to enable Flood Threshold 3 settings for this MSISDN.
   Duplicate Threshold 1                Check to enable Duplicate Threshold 1 settings for this MSISDN.
   Duplicate Threshold 2                Check to enable Duplicate Threshold 2 settings for this MSISDN.
   Duplicate Threshold 3                Check to enable Duplicate Threshold 3 settings for this MSISDN.
Edit Modifies the settings of a Recipient MSISDN in the Recipient MSISDN list. When you select Edit, you are automatically redirected to the New MSISDN page.
Delete Removes a Recipient MSISDN in the Recipient MSISDN list within the Recipient MSISDN section of the page.
New MSISDN page
Create New Creates a new Recipient MSISDN. When you select Create New, you are automatically redirected to the New MSISDN page.
Recipient MSISDN Enter a name for the recipient MSISDN.
Flood Threshold 1 Select to apply Flood Threshold 1 to the MSISDN exception.
Flood Threshold 2 Select to apply Flood Threshold 2 to the MSISDN exception.
Flood Threshold 3 Select to apply Flood Threshold 3 to the MSISDN exception.
Duplicate Threshold 1 Select to apply Duplicate Threshold 1 to the MSISDN exception.
Duplicate Threshold 2 Select to apply Duplicate Threshold 2 to the MSISDN exception.
Duplicate Threshold 3 Select to apply Duplicate Threshold 3 to the MSISDN exception.