Category Archives: FortiMail

Configuring RAID

Configuring RAID

Go to System > RAID to configure a redundant array of independent disks (RAID) for the FortiMail hard disks that are used to store logs and email.

Most FortiMail models can be configured to use RAID with their hard disks. The default RAID level should give good results, but you can modify the configuration to suit your individual requirements for enhanced performance and reliability. For more information, see “Configuring RAID for FortiMail 400B/400C/5002B models” on page 299 or “Configuring RAID on FortiMail 1000D/2000A/2000B/3000C/3000D/4000A models” on page 301.

You can configure the RAID levels for the local disk partitions used for storing email files or log files (in the case of FortiMail-400/400B/400C), depending on your requirements for performance, resiliency, and cost.

RAID events can be logged and reported with alert email. These events include disk full and disk failure notices. For more information, see “About FortiMail logging” on page 665, and “Configuring alert email” on page 682.

About RAID levels

Supported RAID levels vary by FortiMail model.

FortiMail 400B, 400C, and 5002B models use software RAID controllers which support RAID levels 0 or 1. You can configure the log disk with a RAID level that is different from the email disk.

FortiMail 1000D, 2000A, 2000B, 3000C, 3000D and 4000A models use hardware RAID controllers that require that the log disk and mail disk use the same RAID level.

FortiMail 100C, 200D, and 5001A models do not support RAID.

The available RAID levels depend on the number of hard drives installed in the FortiMail unit and different FortiMail models come with different number of factory-installed hard drives. You can added more hard drives if required. For details, see “Replacing a RAID disk” on page 304.

The following tables describe RAID levels supported by each FortiMail model.

Table 30:FortiMail supported RAID levels

Number of Installed Hard Drives Available RAID Levels Default RAID Level
1 0 0
2 0, 1 1
3 0, 1 + hot spare, 5 5
4 5 + hot spare, 10 10
5 5 + hot spare, 10 + hot spares 10 + hot spares
6 10, 50 10
7 or more 10, 10 + hot spares, 50, 50 + hot spares 50 + hot spares

Hot spares

FortiMail models with a hardware RAID controller have a hot spare RAID option. This feature consists of one or more disks that are pre-installed with the other disks in the unit. The hot spare disk is idle until an active hard disk in the RAID fails. Then the RAID immediately puts the hot spare disk into service and starts to rebuild the data from the failed disk onto it. This rebuilding may take up to several hours depending on system load and amount of data stored on the RAID, but the RAID continues without interruption during the process.

The hot spare feature has one or more extra hard disks installed with the RAID. A RAID 10 configuration requires two disks per RAID 1, and has only one hot spare disk. A RAID 50 configuration requires three disks per RAID 5, and can have up to two hot spare disks.

Configuring RAID for FortiMail 400B/400C/5002B models

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view and configure RAID levels

  1. Go to System > RAID > RAID System.

Figure 124:RAID System tab (FortiMail-400)

GUI item Description
Device Displays the name of the RAID unit. This indicates whether it is used for log message data or for mailboxes, mail queues, and other email-related data.

This is hard-coded and not configurable.

Unit Displays the internal mount point of the RAID unit. This is hard-coded and not configurable.
Level Displays the RAID level that indicates whether it is configured for optimal speed, failure tolerance, or both. For more information on RAID levels, see “About RAID levels” on page 298.
Resync Action Displays the status of the RAID device.

•      idle: The RAID is idle, with no data being written to or read from the RAID disks.

•      dirty: Data is currently buffered, waiting to be written to disk.

•      clean: No data is currently buffered, waiting to be written to the RAID unit.

•      errors: Errors were detected on the RAID unit.

•      no-errors: No errors were detected on the RAID unit.

•      dirty no-errors: Data is currently buffered, waiting to be written to the RAID unit, and there are currently no detected RAID errors. For a FortiMail unit in active use, this is the expected setting.

•      clean no-errors: No data is currently buffered, waiting to be written to the RAID unit, and there are currently no RAID errors. For a FortiMail unit with an unmounted array that is not in active use, this is the expected setting.

Resync Status If the RAID unit is not synchronized and you have clicked Click here to check array to cause it to rebuild itself, such as after a hard disk is replaced in the RAID unit, a progress bar indicates rebuild progress.

The progress bar appears only when Click here to check array has been clicked and the status of the RAID is not clean no-errors.

Speed Displays the average speed in kilobytes (KB) per second of the data transfer for the resynchronization. This is affected by the disk being in use during the resynchronization.
GUI item Description
Apply

(button)

Click to save changes.
Refresh

(button)

Click to manually initiate the tab’s display to refresh itself with current information.
ID/Port Indicates the identifier of each hard disk visible to the RAID controller.
Part of Unit Indicates the RAID unit to which the hard disk belongs, if any.

To be usable by the FortiMail unit, you must add the hard disk to a RAID unit.

Status Indicates the hardware viability of the hard disk.
Size Indicates the capacity of the hard disk, in gigabytes (GB).
Delete

(button)

Click to unmount a hard disk before swapping it.

After replacing the disk, add it to a RAID unit, then click Re-scan.

Back up data on the disk before beginning this procedure. Changing the device’s RAID level temporarily suspends all mail processing and erases all data on the hard disk. For more information on creating a backup, see “Backup and restore” on page 218.

  1. In the Level column, click the row corresponding to the RAID device whose RAID level you want to change.

The Level field changes to a drop-down menu.

  1. Select RAID level 0 or 1.
  2. Click Apply.

A warning message appears.

  1. Click Yes to confirm the change.

Configuring RAID on FortiMail 1000D/2000A/2000B/3000C/3000D/4000A models

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure RAID

  1. Go to System > RAID > RAID System.

Figure 125:RAID System tab (FortiMail-2000A/2000B/3000C/4000A)

GUI item Description
Model Displays the model of the hardware RAID controller.
Driver Displays the version of the RAID controller’s driver software.
Firmware Displays the version of the RAID controller’s firmware.
Set RAID level Select the RAID level, then click Change.

For more information about RAID levels, see “About RAID levels” on page 298.

Change

(button)

From Set RAID level, select the RAID style, then click this button to apply the RAID level.
Re-scan (button) Click to rebuild the RAID unit with disks that are currently a member of it, or detect newly added hard disks, and start a diagnostic check.

List of RAID units in the array

Unit Indicates the identifier of the RAID unit, such as u0.
Type Indicates the RAID level currently in use.

For more information, see “About RAID levels” on page 298. To change the RAID level, use Set RAID level.

GUI item Description
Status Indicates the status of the RAID unit.

•      OK: The RAID unit is operating normally.

•      Warning: The RAID controller is currently performing a background task (rebuilding, migrating, or initializing the RAID unit).

Caution: Do not remove hard disks while this status is displayed. Removing active hard disks can cause hardware damage.

•      Error: The RAID unit is degraded or inoperable. Causes vary, such as when too many hard disks in the unit fail and the RAID unit no longer has the minimum number of disks required to operate in your selected RAID level. To correct such a situation, replace the failed hard disks.

•      No Units: No RAID units are available.

Note: If both Error and Warning conditions exist, the status appears as Error.

Size Indicates the total disk space, in gigabytes (GB), available for the RAID unit.

Available space varies by your RAID level selection. Due to some space being consumed to store data required by RAID, available storage space will not equal the sum of the capacities of hard disks in the unit.

Ignore ECC Click turn on to ignore the Error Correcting Code (ECC). This option is off by default.

Ignoring the ECC can speed up building the RAID, but the RAID will not be as fault-tolerant.

This option is not available on FortiMail-2000B/3000C models.

List of hard disks in the array

ID/Port Indicates the identifier of each hard disk visible to the RAID controller.
Part of Unit Indicates the RAID unit to which the hard disk belongs, if any.

To be usable by the FortiMail unit, you must add the hard disk to a RAID unit.

Status Indicates the hardware viability of the hard disk.

•      OK: The hard disk is operating normally.

•      UNKNOWN: The viability of the hard disk is not known. Causes vary, such as the hard disk not being a member of a RAID unit. In such a case, the RAID controller does not monitor its current status.

Size Indicates the capacity of the hard disk, in gigabytes (GB).
Delete

(button)

Click to unmount a hard disk before swapping it.

After replacing the disk, add it to a RAID unit, then click Re-scan.

To change RAID levels

Back up data on the disk before beginning this procedure. Changing the device’s RAID level temporarily suspends all mail processing and erases all data on the hard disk. For more information on creating a backup, see “Backup and restore” on page 218.

  1. Go to System > RAID > RAID System.
  2. From Set RAID level, select a RAID level.
  3. Click Change.

The FortiMail unit changes the RAID level and reboots.

Replacing a RAID disk

When replacing a disk in the RAID array, the new disk must have the same or greater storage capacity than the existing disks in the array. If the new disk has a larger capacity than the other disks in the array, only the amount equal to the smallest hard disk will be used. For example, if the RAID has 400 GB disks, and you replace one with a 500 GB disk, to be consistent with the other disks, only 400 GB of the new disk will be used.

FortiMail units support hot swap; shutting down the FortiMail unit during hard disk replacement is not required.

To replace a disk in the array

  1. Go to System > RAID > RAID System.
  2. In the row corresponding to the hard disk that you want to replace (for example, p4), select the hard disk and click Delete.

The RAID controller removes the hard disk from the list.

  1. Protect the FortiMail unit from static electricity by using measures such as applying an antistatic wrist strap.
  2. Physically remove the hard disk that corresponds to the one you removed in the web UI from its drive bay on the FortiMail unit.

On a FortiMail-2000A or FortiMail-4000A, press in the tab, then pull the drive handle to remove the dive. On a FortiMail-2000B or FortiMail-3000C, press the button to eject the drive.

To locate the correct hard disk to remove on a FortiMail-2000A, refer to the following diagram.

Drive 1 (p0) Drive 4 (p3)
Drive 2 (p1) Drive 5 (p4)
Drive 3 (p2) Drive 6 (p5)

To locate the correct hard disk to remove on a FortiMail-2000B or 3000C, refer to the following diagram.

Drive 1 (p0) Drive 3 (p2) Drive 5 (p4)
Drive 2 (p1) Drive 4 (p3) Drive 6 (p5)

To locate the correct hard disk to remove on a FortiMail-4000A, look for the failed disk. (Disk drive locations vary by the RAID controller model.)

  1. Replace the hard disk with a new hard disk, inserting it into its drive bay on the FortiMail unit.
  2. Click Re-scan.

The RAID controller will scan for available hard disks and should locate the new hard disk. Depending on the RAID level, the FortiMail unit may either automatically add the new hard disk to the RAID unit or allocate it as a spare that will be automatically added to the array if one of the hard disks in the array fails.

The FortiMail unit rebuilds the RAID array with the new hard disk. Time required varies by the size of the array.

Configuring Administrator Accounts and Access Profiles

Configuring administrator accounts and access profiles

The Administrator submenu configures administrator accounts and access profiles.

This topic includes:

  • About administrator account permissions and domains
  • Configuring administrator accounts
  • Configuring access profiles

About administrator account permissions and domains

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.

The domain to which an administrator is assigned is one of:

  • System

The administrator can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. Every administrator’s permissions are restricted only by their access profile.

  • a protected domain

The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the web UI. (For more information on the display modes of the GUI, see “Basic mode versus advanced mode” on page 24.)

There are exceptions. Domain administrators can configure IP-based policies, the global black list, the global white list, the blacklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.

Table 28:Areas of the GUI that domain administrators cannot access

Maintenance
Monitor except for the Personal quarantine tab
System except for the Administrator tab
Mail Settings except for the domain, its subdomains, and associated domains
User > User > PKI User
Policy > Access Control > Receive

Policy > Access Control > Delivery

Profile > Authentication
AntiSpam except for AntiSpam > Bayesian > User and AntiSpam > Black/White List
Email Archiving
Log and Report

Access profiles assign either read, read/write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an administrator access profile, see “Configuring access profiles” on page 297.

Table 29:Areas of control in access profiles

Access control area name Grants access to

(For each config command, there is an equivalent get/show command, unless otherwise noted.

config access requires write permission. get/show access requires read permission.)

In the web UI In the CLI
Black/White List black-whit e-lis t Monitor > Endpoint Reputation > Auto Blacklist

Maintenance > AntiSpam > Black/White List Maintenance AntiSpam > Black/White List …

 N/A
Quarantine quarantine Monitor > Quarantine …

AntiSpam > Quarantine > Quarantine Report

AntiSpam > Quarantine > System Quarantine Setting

AntiSpam > Quarantine > Control Account

config antispam quarantine-report config mailsetting systemquarantine
Policy policy Monitor > Mail Queue …

Monitor > Greylist …

Monitor > Sender Reputation > Display

Mail Settings > Domains > Domains

Mail Settings > Proxies > Proxies User > User …

Policy …

Profile

AntiSpam > Greylist …

AntiSpam > Bounce Verification > Settings AntiSpam > Endpoint Reputation …

AntiSpam > Bayesian …

config antispam greylist exempt config antispam bounce-verification key config antispam settings config domain

config mailsetting proxy-smtp config policy … config profile … config user …

Table 29:Areas of control in access profiles

Archive archive Email Archiving

Monitor > Archive

config archive
Greylist greylist Monitor > Greylist …

AntiSpam > Greylist …

config antispam greylist… get antispam greylist …
Others others Monitor > System Status …

Monitor > Archive > Email Archives Monitor > Log …

Monitor > Report …

Maintenanceexcept the Black/White List Maintenance tab

System

Mail Settings > Settings

Mail Settings > Address Book > Address Book

User > User Alias > User Alias User > Address Map > Address Map Email Archiving

Log and Report

config archive … config log …

config mailsetting relayserver config mailsetting storage config report config system … config user alias config user map diagnose … execute …

get system status

About the “admin” account

Unlike other administrator accounts whose access profile is super_admin_prof and domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. Its name, permissions, and assignment to the System domain cannot be changed.

The admin administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without having to enter the existing password. As such, it is the only account that can reset another administrator’s password if the existing password is unknown or forgotten. (Other administrators can change an administrator’s password if they know the current password.

About the “remote_wildcard” account

In previous FortiMail releases (older than v5.1), when you add remote RADIUS or LDAP accounts to FortiMail for account authentication purpose, you must add them one by one on FortiMail. Starting from FortiMail v5.1, you can use the wildcard to add RADIUS accounts (LDAP accounts will be supported in future releases) all at once.

To achieve this, you can enable the preconfigured “remote_wildcard” account and specify which RADIUS profile to use. Then every account on the RADIUS server will be able to log on to FortiMail.

To add all accounts on a RADIUS server to FortiMail

  1. Go to System > Administrator > Administrator.
  2. Double click the built-in “remote_wildcard” account.
  3. Configure the following and click OK.
GUI item Description
Enable Select it to enable the wildcard account.
Administrator The default name is remote_wildcard and it is not editable.
Domain Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Note: If you enable domain override in the RADIUS profile, this setting will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. For details, see “Configuring authentication profiles” on page 542.

Access profile Select the name of an access profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile. For details, see “Configuring access profiles” on page 297.

Note: If you enable remote access override in the RADIUS profile, this access profile will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. For details, see “Configuring authentication profiles” on page 542.

Authentication type For the v5.1 release, only RADIUS is supported. For details, see “Configuring authentication profiles” on page 542.
GUI item Description
Trusted hosts Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.

Language Select this administrator account’s preference for the display language of the web UI.
Theme Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.

The administrator may switch the theme at any time during a session by clicking Next Theme.

Configuring administrator accounts

The Administrator tab displays a list of the FortiMail unit’s administrator accounts and the trusted host IP addresses administrators use to log in (if configured).

By default, FortiMail units have a single administrator account, admin. For more granular control over administrative access, you can create additional administrator accounts that are restricted to a specific protected domain and with restricted permissions. For more information, see “About administrator account permissions and domains” on page 290.

Depending on the permission and assigned domain of your account, this list may not display all administrator accounts. For more information, see “About administrator account permissions and domains” on page 290.

If you configured a system quarantine administrator account, this account does not appear in the list of standard FortiMail administrator accounts. For more information on the system quarantine administrator account, see “Configuring the system quarantine administrator account and disk quota” on page 611.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Others category.

For details, see “About administrator account permissions and domains” on page 290.

To configure administrator accounts

  1. Go to System > Administrator > Administrator.
  2. Either click New to add an account or double-click an account to modify it.

A dialog appears.

Figure 121:New Administrator dialog

  1. Configure the following and then click Create:
GUI item Description
Enable Select it to enable the new account. If disabled, the account will not be able to access FortiMail.
Administrator Enter the name for this administrator account.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens ( – ), and underscores ( _ ). Other special characters and spaces are not allowed.

Domain Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Access profile Select the name of an access profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile.

For details, see “Configuring access profiles” on page 297.

 

GUI item Description
Authentication type Select the local or remote type of authentication that the administrator will use:

•      Local

•      RADIUS

•      PKI

•      LDAP

Note: RADIUS, LDAP and PKI authentication require that you first configure a RADIUS authentication profile, LDAP authentication profile, or PKI user. For more information, see “Configuring authentication profiles” on page 542 and “Configuring PKI authentication” on page 435.

Password If you select Local as the authentication type, enter a secure password for this administrator account.

The password can contain any character except spaces.

This field does not appear if Authentication type is not Local or RADIUS+Local.

Confirm password Enter this account’s password again to confirm it.

This field does not appear if Authentication type is not Local or RADIUS+Local.

LDAP profile If you choose to use LDAP authentication, select an LDAP profile you want to use.
RADIUS profile If you choose to use RADIUS or RADIUS + Local authentication, select a RADIUS profile you want to use.
PKI profile If you choose to use PKI authentication, select a PKI profile you want to use.
Trusted hosts Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.

GUI item Description
Language Select this administrator account’s preference for the display language of the web UI.
Theme Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.

The administrator may switch the theme at any time during a session by clicking Next Theme.

Configuring System Settings

Configuring system settings

The System menu lets you administrator accounts, and configure network settings, system time, SNMP, RAID, high availability (HA), certificates, and more.

This section includes:

  • Configuring network settings
  • Configuring system time, configuration options, SNMP, and FortiSandbox
  • Customizing GUI, replacement messages and email templates
  • Configuring administrator accounts and access profiles
  • Configuring RAID
  • Using high availability (HA)
  • Managing certificates
  • Configuring IBE encryption
  • Configuring certificate bindings

Configuring FortiGuard Updates and AntiSPAM Queries

Configuring FortiGuard updates and antispam queries

The Maintenance > FortiGuard > Update tab displays the most recent updates to

FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions

(antispam heuristic rules). You can also configure how the FortiMail unit will retrieve updates.

FortiGuard AntiSpam packages for FortiMail units are not the same as those provided to FortiGate units. To support FortiMail’s more full-featured antispam scans, FortiGuard AntiSpam packages for FortiMail contain platform-specific additional updates.

For example, FortiGuard AntiSpam packages for FortiMail contain heuristic antispam rules used by the a heuristic scan. Updates add to, remove from, and re-order the list of heuristic rules so that the current most common methods spammers use are ranked highest in the list. As a result, even if you configure a lower percentage of heuristic rules to be used by that scan, with regular updates, the heuristic scan automatically adjusts to use whichever heuristic rules are currently most effective. This helps to achieve an effective spam catch rate, while both reducing administrative overhead and improving performance by using the least necessary amount of FortiMail system resources.

FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

  • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
  • push updates, by which the FDN notifies FortiMail units when updates become available

For information on configuring scheduled updates, see “Configuring scheduled updates” on page 240. For information on configuring push updates, see “Configuring push updates” on page 241.

You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file. For more information on uploading updates, see “License Information widget” on page 176.

For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see “Troubleshoot FortiGuard connection issues” on page 707.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view or change the currently installed FortiGuard status

  1. Go to Maintenance > FortiGuard > Update.

Figure 95:Update tab

  1. Configure the following:

 

GUI item Description
FortiGuard Service Status  
Name The name of the updatable item, such as Anti Virus Definition.
Version The version number of the item currently installed on the FortiMail unit.
Expiry Date The expiry date of the license for the item.
Last Update Attempt The date and time when the FortiMail unit last attempted to download an update.
Last Update Status The result of the last update attempt.

•      No updates: Indicates the last update attempt was successful but no new updates are available.

•      Installed updates: Indicates the last update attempt was successful and new updates were installed.

•      Other messages, such as Network Error, indicate that the FortiMail unit could not connect to the FDN, or other error conditions. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

Included signatures Displays the total number of the virus and spam signatures.
FortiGuard distribution network The result of the previous scheduled update (TCP 443) connection attempt to the FortiGuard Distribution Network (FDN) or, if enabled and configured, the override server.

•      Available: Indicates that the FortiMail unit successfully connected to the FDN.

•      Unavailable: Indicates that the FortiMail unit could not connect to the FDN. For more information, see “Verifying connectivity with FortiGuard services” on page 237.

•      Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

Push update The result of the previous push update (UDP 9443) connection attempt from the FDN.

•      Available: Indicates that the FDN successfully connected to the FortiMail unit to send push updates. For more information, see “Configuring push updates” on page 241.

•      Unavailable: Indicates that the FDN could not connect to the FortiMail unit. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

•      Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

GUI item Description
Refresh

(button)

Click to test the scheduled (TCP 443) and push (UDP 9443) update connection of the FortiMail unit to the FDN or, if enabled, the IP address configured in Use override server address.

When the test completes, the tab refreshes and results beside FortiGuard distribution network. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect.

Note: This does not test the connection for FortiGuard Antispam rating queries, which occurs over a different connection and must be tested separately. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.

Use override server address Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiMail unit connects for updates, then enter the IP address of the override public or private FDS.

For more information, see “Verifying connectivity with FortiGuard services” on page 237.

Allow push update Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP. For details, see “Configuring push updates” on page 241.

Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit then initiates a separate TCP 443 connection, similar to scheduled updates, in order to the FDN to download the update.

Use override push Enable to override the IP address and default port number to which

IP                           the FDN sends push notifications.

  • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
  • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

For more information, see “Configuring push updates” on page 241.

This option is available only if Allow push update is enabled.

GUI item Description
Scheduled update Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.

•      Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.

•      Daily: Select to request to update once a day, then select the hour of the day to check for updates.

•      Weekly: Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.

If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.

Apply

(button)

Click to save configuration changes on this tab and, if you have enabled Allow push update, notify the FDN of the destination IP address and port number for push notifications to this FortiMail unit.
Update Now

(button)

Click to manually initiate a FortiGuard Antivirus and FortiGuard Antispam engine and definition update request. Results will appear in Last Update Status. Time required varies by the availability of updates, size of the updates, and speed of the FortiMail unit’s network connection.

Configuring Centralized Administration

Configuring centralized administration

Maintenance > System > Central Management lets you use a FortiManager unit to manage your FortiMail unit’s configuration and firmware.

The latest FortiManager releases support centralized management of FortiMail v3.0 MR4 and

MR5 releases. For FortiMail v4.0 releases, centralized management will be supported in FortiManager v4.2 and later releases. Refer to FortiManager release notes for details about supported FortiMail versions. For information on configuring a FortiManager unit to manage or provide services to your other Fortinet brand devices, see the FortiManager Administration Guide.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure centralized administration

  1. Go to Maintenance > System > Central Management.

Figure 94:Central Management tab

  1. Configure the following:
GUI item Description
Enable central management Enable to use a FortiManager unit to manage FortiMail configuration revisions and firmware. For details, see “Backing up your configuration using a FortiManager unit” on page 221 and “Restoring the firmware” on page 222.

If the FortiManager unit is not configured to automatically register new devices, you must also add the FortiMail unit to the

FortiManager unit’s device list. For details, see the FortiManager Administration Guide.

IP Enter the IP address of the FortiManager unit.
Allow automatic backup of configuration on logout If enabled, and if the FortiMail unit’s configuration has changed, the FortiMail unit will send a configuration backup to the FortiManager unit when the FortiMail administrator logs out of the web UI.

Alternatively or in addition to this option, configuration backups can also be performed manually. For details, see “Backup and restore” on page 218.

Allow configuration updates initiated by the management server If enabled, the FortiMail unit accepts configuration connections from the FortiManager unit.

Maintaining The System

Maintaining the system

The Maintenance menu contains features for use during scheduled maintenance: updates, backups, restoration, and centralized administration.

Also use it to configure FortiGuard Antispam query connectivity.

  • Backup and restore
  • Configuring centralized administration
  • Configuring FortiGuard updates and antispam queries

Backup and restore

Before installing FortiMail firmware or making significant configuration changes, back up your FortiMail configuration. Backups let you revert to your previous configuration if the new configuration does not function correctly. Backups let you compare changes in configuration.

A complete configuration backup consists of several parts:

  • core configuration file (fml.cfg), including the local certificates
  • Bayesian databases
  • mail queues
  • system, per-domain, and per-user black/white list databases
  • email users’ address books
  • images and language files for customized appearance of the web UI and webmail To access those parts of the web UI, your administrator account’s:
  • Domain must be System
  • access profile must have Read-Write permission to all categories

For details, see “About administrator account permissions and domains” on page 290.

Page 218

In addition, although they are not part of the configuration, you may want to back up the following data:

  • email archives
  • log files
  • generated report files
  • mailboxes

Alternatively, if you only want to back up your core configuration file, you can back up the FortiMail unit’s configuration to a FortiManager unit. For details, see “Backing up your configuration using a FortiManager unit” on page 221.

To back up the configuration file

Although mailboxes and quarantines cannot be downloaded to your management computer, you can configure the FortiMail unit to back up mail data by storing it externally, on a NAS server. For details, see “Selecting the mail data storage location” on page 376.

  1. Go to Maintenance > System > Configuration.
  2. In the Backup Configuration area:
    • Select Local PC
    • Enable System configuration.
    • Click Backup.

Your management computer downloads the configuration file. Time required varies by the size of the file and the speed of your network connection. You can restore the backup configuration later when required. For details, see “Restoring the configuration” on page 692.

FortiMail v4.0 configuration backing up to a FortiManager unit is supported in FortiManager v4.2 and newer releases. See “Backing up your configuration using a FortiManager unit” on page 221. Also see “Configuring centralized administration” on page 232.

To back up the Bayesian databases

  1. Go to Maintenance > AntiSpam > Database Maintenance.
  2. Click Backup Bayesian database.

Your management computer downloads the database file. Time required varies by the size of the file and the speed of your network connection.

To back up the mail queues

  1. Go to Maintenance > System > Mail Queue.
  2. Click Backup Queue.

Your management computer downloads the database file. Time required varies by the size of the file and the speed of your network connection.

To back up the black/white list database

  1. Go to Maintenance > AntiSpam > Black/White List Maintenance.
  2. Click Export Black/White List.

Your management computer downloads the database file. The time required varies by the size of the file and the speed of your network connection.

To back up email users’ accounts (server mode only)

  1. Go to User > User > User.
  2. Click Export .CSV.

Your management computer downloads the user account spreadsheet file. Time required varies by the size of the file and the speed of your network connection.

To back up the global address book (server mode only)

  1. Go to Mail Settings > Address Book > Contacts.
  2. Click
  3. On the pop-up menu, select CSV.

You are prompted for a location to save the file. Follow the prompts and click Save.

Your management computer downloads the address book spreadsheet file. Time required varies by the size of the file and the speed of your network connection.

To back up customized appearances of the web UI and webmail UI

  1. Go to System > Configuration > Appearance.
  2. In Administration interface, for each image file, save the image to your management computer.

Methods vary by web browser. For example, you might need to click and drag the images into a folder on your management computer in order to save them to that folder. For instructions, see your browser’s documentation.

  1. Click the arrow to expand Webmail interface.
  2. For each webmail language, click the name of the language to select it, then click Download.

Your management computer downloads the language file. Time required varies by the size of the file and the speed of your network connection.

  1. To back up email archivesGo to Maintenance > System > Mail Data.

In addition to downloading email archives to your management computer, you can configure the FortiMail unit to store email archives on an SFTP or FTP server. For details, see “Managing archived email” on page 203 and “Configuring email archiving accounts” on page 656.

  1. Continue using the instructions in “Configuring mailbox backups” on page 227.

Viewing Generated Reports

Viewing generated reports

The Report tab displays the list of reports generated from the report profiles. You can delete, view, and/or download generated reports.

FortiMail units can generate reports automatically, according to the schedule that you configure in the report profile, or manually, when you select a report profile and click Generate. For more information, see “Configuring report profiles and generating reports” on page 676.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view and generate reports

  1. Go to Monitor > Report > Report.

Figure 87:Report tab

GUI item Description
Delete (button) Click to delete the selected item.
Download

(button)

Click to create a PDF version of the report.
Report File Name Lists the name of the generated report, and the date and time at which it was generated.

For example, Report 1-2008-03-31-2112 is a report named Report 1, generated on March 31, 2008 at 9:12 PM.

To view an individual section of the report in HTML format, click + next to the report name to expand the list of HTML files that comprise the report, then double-click one of the file names.

Last Access Time Lists the date and time when the FortiMail unit completed the generated report.
Size Lists the file size of the report in HTML format, in bytes.
  1. To view the report in PDF file format, mark the check box in the corresponding row and click On the pop-up menu, select Download PDF.
  2. To view the report in HTML file format, you can view all sections of the report together, or you can view report sections individually.
  • To view all report sections together, mark the check box in the row corresponding to the report, such as treportprofile-2011-06-27-1039, then click Download and select Download HTML. Your browser downloads a file with an archive (.tgz.gz) file extension to your management computer. To view the report, first extract the report files from the archive, then open the HTML files in your web browser.
  • Each Query Selection in the report becomes a separate HTML file. You can view the report as individual HTML files. In the row corresponding to the report that you want to view, click + next to the report name to expand the list of sections, then double-click the file name of the section that you want to view, such as html. The report appears in a new browser window.

Figure 88:Viewing a generated report (HTML file format, Mail by Sender)

Viewing Log Messages

Viewing log messages

The Log submenu displays locally stored log files. If you configured the FortiMail unit to store log messages locally (that is, to the hard disk), you can view the log messages currently stored in each log file.

Logs stored remotely cannot be viewed from the web UI of the FortiMail unit. If you require the ability to view logs from the web UI, also enable local storage. For details, see “Configuring logging to the hard disk” on page 672.

The Log submenu includes the following tabs, one for each log type:

  • History: Where you can view the log of sent and undelivered SMTP email messages.
  • Event: Where you can view the log of administrator activities and system events.
  • AntiSpam: Where you can view the log of email detected as spam.
  • AntiVirus: Where you can view the log of email detected as infected by a virus.
  • Encryption: Where you can view the log of IBE encryption. For more information about using IBE, see “Configuring IBE encryption” on page 357.

For more information on log types, see “FortiMail log types” on page 667.

Each tab contains a similar display.

The lists are sorted by the time range of the log messages contained in the log file, with the most recent log files appearing near the top of the list.

For example, the current log file would appear at the top of the list, above a rolled log file whose time might range from 2008-05-08 11:59:36 Thu to 2008-05-29 10:44:02 Thu.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of log files and their contents

  1. Go to Monitor > Log.
  2. Click the tab corresponding to the type of log file that you want to view (History, Event, AntiVirus, AntiSpam, or Encryption).

Figure 81:Antispam log tab

GUI item Description
Download

(button)

Click to download the report in one of several formats:

•      Normal Format for a log file that can be viewed with a plain text editor such as Microsoft Notepad.

•      CSV Format for a comma-separated value (.csv) file that can be viewed in a spreadsheet application such as Microsoft Excel or OpenOffice Calc.

•      Compressed Format for a plain text log file like Normal Format, except that it is compressed and stored within a .gz archive.

Search

(button)

Click to search all log files of this type.

Unlike the search when viewing the contents of an individual log file, this search displays results regardless of which log file contains them.

For more information, see “Searching log messages” on page 212.

Start Time Lists the beginning of the log file’s time range.
End Time Lists the end of the log file’s time range.
Size Lists the size of the log file in bytes.
  1. To view messages contained in logs:
    • double-click a log file to display the file’s log messages

To view the current page’s worth of the log messages as an HTML table, right-click and select Export to Table. The table appears in a new tab. To download the table, click and drag to select the whole table, then copy and paste it into a rich text editor such as Microsoft Word or OpenOffice Writer.

  • click a row to select its log file, click Download, then select a format option

Alternatively, to display a set of log messages that may reside in multiple, separate log files:

  • If the log files are of the same type (for example, all antispam logs), click Search. For details, see “Searching log messages” on page 212.
  • If the log messages are of different types but all caused by the same email session ID, you can do a cross-search to find and display all correlating log messages. For details, see “Cross-searching log messages” on page 214.

For descriptions of individual log messages, see the FortiMail Log Message Reference.

Log messages can appear in either raw or formatted views.

  • Raw view displays log messages exactly as they appear in the plain text log file.
  • Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

By default, log messages always appear in columnar format, with one log field per column. However, when viewing this columnar display, you can also view the log message in raw format by hovering your mouse over the index number of the log message, in the # column, as shown in Table .

Figure 82:Log messages

Table 19:Viewing log messages at Monitor > Log

GUI item Description
Level Select the severity level that a log message must equal or exceed in order to appear.

For more information, see “Log message severity levels” on page 668.

Save View (button) Click to save the customized view. Future log message reports appear in this view.
Search

(button)

Click to search the currently displayed log file. For more information, see “Searching log messages” on page 212.

Alternatively, if you want to search all log files of that type. For details, see “Viewing log messages” on page 206.

Back (button) Click to return the view before a search.
Subtype

(event log only)

Select one of the following subtypes that a log message must match in order to appear:

•      ALL: Display all log messages, and do not filter out any subtype.

•      Configuration: Display only log messages containing subtype=config.

•      Admin User: Display only log messages containing subtype=admin.

•      Web Mail: Display only log messages containing subtype=webmail.

•      System: Display only log messages containing subtype=system.

•      HA: Display only log messages containing subtype=ha.

•      Update: Display only log messages containing subtype=update.

•      POP3: Display only log messages containing subtype=pop3.

•      IMAP: Display only log messages containing subtype=imap.

•      SMTP: Display only log messages containing subtype=smtp.

•      OTHERS: Display all lines that have a subtype value that is not any of the above subtypes, from Configuration to SMTP.

This option appears only when displaying the event log. Log subtypes reflect types selected when enabling logging. For details, see “FortiMail log types” on page 667.

When hovering your mouse cursor over a log message, that row is temporarily highlighted; however, this temporary highlight automatically follows the cursor, and will move to a different row if you move your mouse. To create a row highlight that does not move when you move your mouse, click anywhere in the row of the log message.

For information on individual log messages, see the FortiMail Log Message Reference.