FortiCarrier DLP Archive options

DLP Archive options

Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. In addition to the MMS profile’s DLP archive options, you can:

  • Archive MM1 and MM7 message floods
  • Archive MM1 and MM7 duplicate messages
  • Select DLP archiving for carrier endpoint patterns in a Carrier Endpoint List and select the Carrier Endpoint Block option in the MMS Scanning section of an MMS Profile

The unit only allows one sixteenth of its memory for transferring content archive files. For example, for units with 128 MB RAM, only 8 MB of memory is used when transferring content archive files. Best practices dictate to not enable full content archiving if antivirus scanning is also configured because of these memory constraints.

DLP Archive
Display DLP metainformation on the system dashboard   Select each required protocol to display the content archive summary in the Log and Archive Statistics dashboard widget on the System Dashboard.
Archive to FortiAnalyzer/FortiGuard   Select the type of archiving that you want for the protocol (MM1, MM3, MM4, and MM7). You can choose from Full, Summary or None.

None — Do not send content archives.

Summary — Send content archive metadata only. Includes information such as date and time, source and destination, request and response size, and scan result.

Full — Send content archive both metadata and copies of files or messages.

In some cases, FortiOS Carrier may not archive content, or may make only a partial content archive, regardless of your selected option. This behavior varies by prerequisites for each protocol.

This option is available only if a FortiAnalyzer unit or FortiGuard Analysis and Management Service is configured.

Logging

You can enable logging in an MMS profile to write event log messages when the MMS profile options that you have enabled perform an action. For example, if you enable MMS antivirus protection, you could also use the MMS profile logging options to write an event log message every time a virus is detected.

You must first configure how the unit stores log messages so that you can then record these log messages. For more information, see the FortiOS Handbook Logging and Reporting guide.

Logging
MMS-Antivirus If antivirus settings are enabled for this MMS profile, select the following options to record Antivirus Log messages.
Viruses Record a log message when this MMS profile detects a virus.
Blocked Files Record a log message when antivirus file filtering enabled in this MMS profile blocks a file.
Oversized Files/Emails Record a log message when this MMS profile encounters an oversized file or email message. Oversized files and email messages cannot be scanned for viruses.
MMS Scanning If MMS scanning settings are enabled for this MMS profile, select the following options to record Email Filter Log messages.
Notification Messages Select to log the number of MMS notification messages sent.
Bulk Messages Select to log MMS Bulk AntiSpam events. You must also select which protocols to write log messages for in the MMS bulk email filtering part of the MMS profile.
Carrier Endpoint Filter Block Select to log MMS carrier endpoint filter events, such as MSISDN filtering.
MMS Content Checksum Select to log MMS content checksum activity.
Content Block Select to log content blocking events.

FortiCarrier MMS Notifications

MMS Notifications

MMS notifications are messages that a unit sends when an MMS profile matches content in an MM1, MM3, MM4 or MM7 session. For example, the MMS profile detects a virus or uses content blocking to block a web page, text message or email. You can send notifications to the sender of the message using the same protocol and the addressing headers in the original message. You can also configure MMS notifications to send notification messages to another destination (such as a system administrator) using the MM1, MM3, MM4 or MM7 protocol.

To enable sending notifications, you must enable one or more Notification Types or add an Antivirus Notification List.

You can also use MMS notifications options to configure how often notifications are sent. The unit sends notification messages immediately for the first event, then at a configurable interval if events continue to occur. If the interval does not coincide with the window of time during which notices may be sent, the unit waits to send the notice in the next available window. Subsequent notices contain a count of the number of events that have occurred since the previous notification.

There are separate notifications for each notification type, including virus events. Virus event notifications include the virus name. Up to three viruses are tracked for each user at a time. If a fourth virus is found, one of the existing tracked viruses is removed from the list.

The notifications are MM1 m-send-req messages sent from the unit directly to the MMSC for delivery to the client. The host name of the MMSC, the URL to which m-send-req messages are sent, and the port must be specified.

MMS Notification
Antivirus Notification List Optionally select an antivirus notification list, which specifies the virus names that trigger notifications. The unit sends a notification message whenever a virus name or prefix in the antivirus notification list matches the name of a virus detected in a session scanned by the MMS protection profile. Select Disabled if you do not want to use a notification list.

Instead of selecting a notification list, you can configure the Virus Scan Notification Type to send notifications for all viruses.

Message Protocol In each column, select the protocol used to send notification messages. You can use a different protocol to send the notification message than the protocol on which the violation was sent. The MMS Notifications options change depending on the message protocol that you select.

If you select a different message protocol, you must also enter the User Domain. If selecting MM7 you must also enter the Message Type.

Message Type Select the MM7 message type to use if sending notifications using MM7. Options include deliver.REQ and submit.REQ.
Detect Server Details Select to use the information in the headers of the original message to set the address of the notification message. If you do not select this option, you can enter the required addressing information manually.

You cannot select Detect Server Details if you are sending notification messages using a different message protocol.

If you select Detect Server Details, you cannot change the Port where the notification is being sent.

Hostname Enter the FQDN or the IP address of the server where the notifications will be sent.
URL Enter the URL of the server. For example, if the notification is going to www.example.com/home/alerts, the URL is /home/alerts.

This option is available only when Message Protocol is mm1 or mm7.

Port Enter the port number of the server.

You cannot change the Port if Detect Server Details is enabled.
Username Enter the user name required for sending messages using this server (optional).

This option is available only when Message Protocol is mm7.

Password Enter the password required for sending messages using this server (optional).

This option is available only when Message Protocol is mm7.

VASP ID Enter the value-added-service-provider (VASP) ID to be used when sending a notification message. A VAS that is not offered by the mobile provider itself is offered by a third party, referred to as a VAS provider (VASP) or content provider (CP).

This option is available only when Message Protocol is mm7.

VAS ID Enter the value-added-service (VAS) ID to be used when sending a notification message. A VAS is generally any service beyond voice calls and fax.

This option is available only when Message Protocol is mm7.

All Notification Types In each column, select notification for all MMS event types for that MMS protocol, then enter the amount of time and select the time unit for notice intervals.

Alternatively, expand All Notification Types, and then select notification for individual MMS event types for each MMS protocol. Then enter the amount of time and select the time unit for notice intervals.

Not all event types are available for all MMS protocols.

Content Filter In each column, select to notify when messages are blocked by the content filter, then enter the amount of time and select the time unit for notice intervals.
File Block In each column, select to notify when messages are blocked by file block, then enter the amount of time and select the time unit for notice intervals.
Carrier Endpoint Block In each column, select to notify when messages are blocked, then enter the amount of time and select the time unit for notice intervals.
Flood In each column, select to notify when message flood events occur, then enter the amount of time and select the time unit for notice intervals.
Duplicate In each column, select to notify when duplicate message events occur, then enter the amount of time and select the time unit for notice intervals.
MMS Content Checksum In each column, select to notify when the content within an MMS message is scanned and banned because of the checksum value that was matched.
Virus Scan In each column, select to notify when the content within an MMS message is scanned for viruses.
Notifications Per Second Limit For each MMS protocol, enter the number of notifications to send per second. If you enter zero (0), the notification rate is not limited.
Day of Week For each MMS protocol, select the days of the week the unit is allowed to send notifications.
Window Start Time For each MMS protocol, select the time of day to begin the message alert window. By default, the message window starts at 00:00. You can change this if you want to start the message window later in the day.

When configured, notifications outside this window will not be sent.

Window Duration For each MMS protocol, select the time of day at which to end the message alert window. By default, the message window ends at 00:24. You can change this if you want to end the message window earlier in the day.

When configured, notifications outside this window will not be sent.

FortiCarrier MMS Address Translation options

MMS Address Translation options

The sender’s carrier endpoint is used to provide logging and reporting details to the mobile operator and to identify the sender of infected content.

When MMS messages are transmitted, the From field may or may not contain the sender’s address. When the address is not included, the sender information will not be present in the logs and the unit will not be able to notify the user if the message is blocked unless the sender’s address is made available elsewhere in the request.

The unit can extract the sender’s address from an extended HTTP header field in the HTTP request. This field must be added to the HTTP request before it is received by the unit. If this field is present, it will be used instead of the sender’s address in the MMS message for logging and notification. If this header field is present when a message is retrieved, it will be used instead of the To address in the message. If this header field is not present the content of the To header field is used instead.

Alternatively, the unit can extract the sender’s address from a cookie.

You can configure MMS address translation to extract the sender’s carrier endpoint so that it can be added to log and notification messages. You can configure MMS address translation settings to extract carrier endpoints from HTTP header fields or from cookies. You can also configure MMS address translation to add an endpoint prefix to the extracted carrier endpoints. For more information, see Dynamic Profiles and Endpoints in the Authentication guide.

MMS Address Translation
Sender Address Source Select to extract the sender’s address from the HTTP Header Field or a Cookie. You must also specify the identifier that contains the carrier endpoint.
Sender Address Identifier Enter the sender address identifier that includes the carrier endpoint. The default identifier is x-up-calling-line-id.

If the Sender Address Source is HTTP Header Field, the address and its identifier in the HTTP request header takes the format:

<Sender Address Identifier>: <MSISDN_value>

Where the <MSISDN_value> is the carrier endpoint. For example, the HTTP header might contain:

x-up-calling-line-id: 6044301297

where x-up-calling-line-id would be the Sender Address Identifier.

If the Sender Address Source is Cookie, the address and its identifier in the HTTP request header’s Cookie field takes the format of attribute-value pairs:

Cookie: id=<cookie-id>;

<Sender Address Identifier>=<MSISDN Value>

For example, the HTTP request headers might contain:

Cookie: id=0123jf!a;x-up-calling-line-id=6044301297

where x-up-calling-line-id would be the Sender Address Identifier.

Convert Sender Address From / To HEX Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
Add Carrier Endpoint Prefix for Logging / Notification Select the following to enable adding endpoint prefixes for logging and notification.
Enable Select to enable adding the country code to the extracted carrier endpoint, such as the MSISDN, for logging and notification purposes. You can also limit the number length, to accommodate test numbers used for internal monitoring that have no country code.
Prefix Enter a carrier endpoint prefix to be added to all carrier endpoints. Use the prefix to add extra information to the carrier endpoint in the log entry.
Minimum Length Enter the minimum length of the country code information being added. If this and Maximum Length are set to zero (0), length is not limited.
Maximum Length Enter the maximum length of the country code information being added. If this and Minimum Length are set to zero (0), length is not limited.
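The extraction described above (an identifier such as x-up-calling-line-id read either as an HTTP header field or as an attribute-value pair inside the Cookie header, optional hex conversion, then a prefix added for logging) can be checked against sample requests. The following is an added example written for this page, not Fortinet's code, and it does not reproduce the unit's internal behaviour. The sample requests are constructed and reuse the page's example values; the rule that the prefix is only applied when the extracted number's length lies between Minimum Length and Maximum Length (both zero meaning no limit) is this example's reading of those two settings and is labelled as an assumption in the code.

```python
# Added example (not Fortinet's code): extracting the sender's carrier
# endpoint (MSISDN) from an MM1/MM7 HTTP request the way the MMS Address
# Translation options describe, then applying the hex conversion and the
# logging prefix. The length rule is an assumption (see comment below).
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_IDENTIFIER = "x-up-calling-line-id"   # default Sender Address Identifier on the page


@dataclass
class AddressTranslation:
    source: str = "header"           # "header" (HTTP Header Field) or "cookie"
    identifier: str = DEFAULT_IDENTIFIER
    convert: Optional[str] = None    # None, "to_hex" or "from_hex"
    prefix_enabled: bool = False
    prefix: str = ""
    min_length: int = 0              # both 0 means the length is not limited
    max_length: int = 0


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of an HTTP request into a dict keyed by
    lowercase header name; the request line is skipped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_cookie(cookie: str) -> Dict[str, str]:
    """Split a Cookie header value into attribute-value pairs (id=...;name=value)."""
    pairs: Dict[str, str] = {}
    for part in cookie.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            pairs[name.strip().lower()] = value.strip()
    return pairs


def extract_sender(headers: Dict[str, str], cfg: AddressTranslation) -> Optional[str]:
    """Return the raw carrier endpoint from the configured source, or None when
    the identifier is absent (the unit then has no sender to log or notify)."""
    ident = cfg.identifier.lower()
    if cfg.source == "header":
        return headers.get(ident)
    if cfg.source == "cookie":
        return parse_cookie(headers.get("cookie", "")).get(ident)
    raise ValueError(f"unknown Sender Address Source: {cfg.source}")


def convert_address(value: str, mode: Optional[str]) -> str:
    """Convert Sender Address From / To HEX."""
    if mode == "to_hex":
        return value.encode("ascii").hex()
    if mode == "from_hex":
        return bytes.fromhex(value).decode("ascii")
    return value


def endpoint_for_logging(raw_endpoint: str, cfg: AddressTranslation) -> str:
    """Apply Add Carrier Endpoint Prefix. Assumption: the prefix is added only
    when the number's length lies within [min_length, max_length]; 0 and 0
    means no limit, so short internal test numbers can be left as they are."""
    if not cfg.prefix_enabled:
        return raw_endpoint
    limited = not (cfg.min_length == 0 and cfg.max_length == 0)
    n = len(raw_endpoint)
    if limited and (n < cfg.min_length or n > cfg.max_length):
        return raw_endpoint
    return cfg.prefix + raw_endpoint


def sender_for_log(raw_request: bytes, cfg: AddressTranslation) -> Optional[str]:
    """Full pipeline: parse headers, extract, hex-convert, add prefix."""
    ep = extract_sender(parse_request_headers(raw_request), cfg)
    if ep is None:
        return None
    return endpoint_for_logging(convert_address(ep, cfg.convert), cfg)


# Constructed sample requests (not captured traffic) using the page's example values.
HEADER_REQUEST = (b"POST /mms HTTP/1.1\r\nHost: mmsc.example.invalid\r\n"
                  b"x-up-calling-line-id: 6044301297\r\n\r\n")
COOKIE_REQUEST = (b"POST /mms HTTP/1.1\r\nHost: mmsc.example.invalid\r\n"
                  b"Cookie: id=0123jf!a;x-up-calling-line-id=6044301297\r\n\r\n")
HEX_REQUEST = (b"POST /mms HTTP/1.1\r\n"
               b"x-up-calling-line-id: 36303434333031323937\r\n\r\n")   # "6044301297" as hex

if __name__ == "__main__":
    cfg = AddressTranslation(prefix_enabled=True, prefix="+1", min_length=10, max_length=15)
    print(sender_for_log(HEADER_REQUEST, cfg))
    print(sender_for_log(COOKIE_REQUEST, AddressTranslation(source="cookie")))
    print(sender_for_log(HEX_REQUEST, AddressTranslation(convert="from_hex")))
```

Because the header is added upstream of the unit and then trusted for logging and notification, the gateway that inserts it must strip any copy a client sent itself; otherwise a client can choose the endpoint that is recorded against its messages.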

FortiCarrier MMS Bulk Anti-Spam Detection options

MMS Bulk Anti-Spam Detection options

You can use the MMS bulk email filtering options to detect and filter MM1 and MM4 message floods and duplicate messages. You can configure three thresholds that define a flood of message activity and three thresholds that define excessive duplicate messages. The configuration of each threshold includes the response actions for the threshold.

The configurable thresholds for each of the flood and duplicate sensors must be enabled in sequence. For example, you can enable Flood Threshold 1 and Flood Threshold 2, but you cannot disable Flood Threshold 1 and enable Flood Threshold 2.

You can also add MSISDNs to the bulk email filtering configuration and select a subset of the bulk email filtering options to apply to these individual MSISDNs.

You must first select MM1 and/or MM4 to detect excessive message duplicates. If excessive message duplicates are detected, the unit will perform the Duplicate Message Action for the specified duration.

You can configure three duplicate message thresholds and enable them with separate values and actions. They are labeled Duplicate Threshold 1 through 3 and must be enabled in sequence. For example, you can enable Duplicate Threshold 1 and Duplicate Threshold 2, but you cannot disable Duplicate Threshold 1 and enable Duplicate Threshold 2.

When traffic accepted by a security policy that contains an MMS profile with duplicate message detection configured receives MM1 or MM4 duplicate messages that match a threshold configured in the MMS protection profile, the unit performs the duplicate message action configured for the matching threshold.

You can configure three message flood thresholds and enable them with separate values and actions. They are labeled Flood Threshold 1 through 3 and must be enabled in sequence. For example, you can enable Flood Threshold 1 and Flood Threshold 2, but you cannot disable Flood Threshold 1 and enable Flood Threshold 2.

When traffic accepted by a security policy that contains an MMS protection profile with message flooding configured experiences MM1 or MM4 message flooding that matches a threshold configured in the MMS profile, the unit performs the message flood action configured for the matching threshold.

MMS Bulk Anti-Spam Detection

This section of the New MMS Profile page contains numerous sections where you can configure specific settings for flood threshold, duplicate threshold and recipient MSISDNs.

Message Flood

The message flood settings for each flood threshold. Expand each to configure settings for a threshold.

Flood Threshold 1   Expand to reveal the flood threshold settings for Flood Threshold 1. The settings for Flood Threshold 1 are the same for Flood Threshold 2 and 3.
Enable   Select to apply Flood Threshold 1 to the MSISDN exception.
Message Flood Window   Enter the period of time during which a message flood will be detected if the Message Flood Limit is exceeded. The message flood window can be 1 to 2880 minutes (48 hours).
Message Flood Limit   Enter the number of messages which signifies a message flood if exceeded within the Message Flood Window.
Message Flood Block Time   Enter the amount of time during which the unit performs the Message Flood Action after a message flood is detected.
Message Flood Action   Select one or more actions that the unit is to perform when a message flood is detected.
Flood Threshold 2   Expand to configure settings for Flood Threshold 2 or 3 respectively.
Flood Threshold 3

Duplicate Message

The duplicate message threshold settings. Expand each to configure settings for a threshold.

MM1 Retrieve Duplicate Enable   Select to scan MM1 mm1-retr messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
Enable   Select to enable the selected duplicate message threshold and to make the rest of the options available for configuration.
Duplicate Message Window   Enter the period of time during which excessive message duplicates will be detected if the Duplicate Message Limit is exceeded. The duplicate message window can be 1 to 2880 minutes (48 hours).
Duplicate Message Limit   Enter the number of messages which signifies excessive message duplicates if exceeded within the Duplicate Message Window.
Duplicate Message Block Time   Enter the amount of time during which the unit will perform the Duplicate Message Action after excessive message duplication is detected.
Duplicate Message Action   Select one or more actions that the unit is to perform when excessive message duplication is detected.
Duplicate Threshold 2   Expand to configure settings for Duplicate Threshold 2 or 3 respectively.
Duplicate Threshold 3

Recipient MSISDN

The recipient Mobile Subscriber Integrated Services Digital Network Number (MSISDN) settings for each recipient MSISDN. When you select Create New, you are automatically redirected to the New MSISDN page.

You need to save the profile before you can add MSISDNs.

Recipient MSISDN   The recipient MSISDN.
Flood Threshold 1   Check to enable Flood Threshold 1 settings for this MSISDN.
Flood Threshold 2   Check to enable Flood Threshold 2 settings for this MSISDN.
Flood Threshold 3   Check to enable Flood Threshold 3 settings for this MSISDN.
Duplicate Threshold 1   Check to enable Duplicate Threshold 1 settings for this MSISDN.
Duplicate Threshold 2   Check to enable Duplicate Threshold 2 settings for this MSISDN.
Duplicate Threshold 3   Check to enable Duplicate Threshold 3 settings for this MSISDN.
Edit Modifies the settings of a Recipient MSISDN in the Recipient MSISDN list. When you select Edit, you are automatically redirected to the New MSISDN page.
Delete Removes a Recipient MSISDN in the Recipient MSISDN list within the Recipient MSISDN section of the page.
New MSISDN page
Create New Creates a new Recipient MSISDN. When you select Create New, you are automatically redirected to the New MSISDN page.
Recipient MSISDN Enter a name for the recipient MSISDN.
Flood Threshold 1 Select to apply Flood Threshold 1 to the MSISDN exception.
Flood Threshold 2 Select to apply Flood Threshold 2 to the MSISDN exception.
Flood Threshold 3 Select to apply Flood Threshold 3 to the MSISDN exception.
Duplicate Threshold 1 Select to apply Duplicate Threshold 1 to the MSISDN exception.
Duplicate Threshold 2 Select to apply Duplicate Threshold 2 to the MSISDN exception.
Duplicate Threshold 3 Select to apply Duplicate Threshold 3 to the MSISDN exception.
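The threshold model described in this section (a window of 1 to 2880 minutes, a message limit, a block time during which the action applies, thresholds that must be enabled in sequence, and recipient MSISDN entries that restrict which thresholds apply) is shown below as a small detector run over a constructed message stream. This is an added example written for this page, not Fortinet's code, and it only models the counting logic: floods are counted per sender, duplicates per SHA-256 of the message content, and only MM1 and MM4 messages are examined, as the page states. The MSISDNs, content and timings are constructed.

```python
# Added example (not Fortinet's code): a model of the MMS Bulk Anti-Spam
# Detection thresholds. Floods are counted per sender and duplicates per
# content hash, each over its own window; up to three thresholds must be
# enabled in sequence; when a limit is exceeded the threshold's actions
# apply for its block time; recipient MSISDN entries restrict which
# thresholds apply to messages for that recipient.
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

MAX_WINDOW = 2880   # minutes (48 hours), the upper bound given on the page


@dataclass
class Threshold:
    enabled: bool = False
    window: int = 60              # Message Flood / Duplicate Message Window, minutes
    limit: int = 100              # messages within the window that signify a flood / duplicates
    block_time: int = 60          # minutes during which the actions keep applying
    actions: Tuple[str, ...] = ("log",)


@dataclass
class Message:
    protocol: str                 # only "MM1" and "MM4" are checked, per the page
    sender: str
    recipient: str
    content: bytes
    minute: int                   # arrival time on a simulated clock, in minutes


def validate_thresholds(thresholds: List[Threshold]) -> None:
    """Threshold N may be enabled only if Threshold N-1 is; windows are 1 to 2880 minutes."""
    for i, t in enumerate(thresholds):
        if t.enabled and i > 0 and not thresholds[i - 1].enabled:
            raise ValueError(f"Threshold {i + 1} enabled while Threshold {i} is disabled")
        if t.enabled and not 1 <= t.window <= MAX_WINDOW:
            raise ValueError(f"Threshold {i + 1}: window must be 1 to {MAX_WINDOW} minutes")


class BulkDetector:
    def __init__(self, flood: List[Threshold], duplicate: List[Threshold],
                 recipient_exceptions: Optional[Dict[str, Tuple[Set[int], Set[int]]]] = None):
        validate_thresholds(flood)
        validate_thresholds(duplicate)
        self.thresholds = {"flood": flood, "duplicate": duplicate}
        # recipient MSISDN -> (flood threshold indexes, duplicate threshold indexes) that apply
        self.exceptions = recipient_exceptions or {}
        self.history: Dict[str, Dict[str, Deque[int]]] = {
            "flood": defaultdict(deque), "duplicate": defaultdict(deque)}
        self.blocked_until: Dict[Tuple[str, str, int], int] = {}

    def _evaluate(self, kind: str, key: str, now: int, recipient: str) -> List[Tuple[int, Tuple[str, ...]]]:
        hist = self.history[kind][key]
        hist.append(now)
        while hist and hist[0] <= now - MAX_WINDOW:   # drop what no window can still see
            hist.popleft()
        allowed = self.exceptions.get(recipient)
        fired = []
        for i, t in enumerate(self.thresholds[kind]):
            if not t.enabled:
                continue
            if allowed is not None and i not in allowed[0 if kind == "flood" else 1]:
                continue                                # not applied to this recipient MSISDN
            blk = (kind, key, i)
            if self.blocked_until.get(blk, -1) > now:   # still inside the block time
                fired.append((i, t.actions))
                continue
            count = sum(1 for ts in hist if ts > now - t.window)
            if count > t.limit:
                self.blocked_until[blk] = now + t.block_time
                fired.append((i, t.actions))
        return fired

    def process(self, msg: Message) -> Dict[str, List[Tuple[int, Tuple[str, ...]]]]:
        """Return the (threshold index, actions) pairs matching this message, per sensor."""
        if msg.protocol not in ("MM1", "MM4"):
            return {"flood": [], "duplicate": []}
        digest = hashlib.sha256(msg.content).hexdigest()
        return {"flood": self._evaluate("flood", msg.sender, msg.minute, msg.recipient),
                "duplicate": self._evaluate("duplicate", digest, msg.minute, msg.recipient)}


def simulate() -> Dict[str, int]:
    """Constructed scenario: one sender sends 12 identical MM1 messages, one per minute."""
    det = BulkDetector(
        flood=[Threshold(True, window=10, limit=5, block_time=30, actions=("log", "block")),
               Threshold(True, window=10, limit=8, block_time=60, actions=("log", "block", "alert"))],
        duplicate=[Threshold(True, window=60, limit=3, block_time=15, actions=("log",))],
        recipient_exceptions={"16045550100": ({0}, set())},   # constructed recipient: Flood 1 only
    )
    counts = {"flood_hits": 0, "flood2_hits": 0, "duplicate_hits": 0}
    for minute in range(12):
        r = det.process(Message("MM1", "16045550199", "16045550123", b"WIN A PRIZE", minute))
        counts["flood_hits"] += bool(r["flood"])
        counts["flood2_hits"] += any(i == 1 for i, _ in r["flood"])
        counts["duplicate_hits"] += bool(r["duplicate"])
    return counts


if __name__ == "__main__":
    print(simulate())
```

Flood Threshold 1 (limit 5) fires at the sixth message and then keeps firing for its block time; Flood Threshold 2 (limit 8) fires from the ninth message; the duplicate sensor (limit 3) fires from the fourth identical message. A recipient listed in the exceptions table with only Flood Threshold 1 selected never triggers Threshold 2, which is the behaviour the Recipient MSISDN settings describe.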

FortiCarrier MMS profiles

MMS profiles

Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.

MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.

The MMS Profile page contains options for each of the following:

  • MMS scanning
  • MMS Bulk Email Filtering Detection
  • MMS Address Translation
  • MMS Notifications
  • DLP Archive
  • Logging

MMS profile configuration settings

The following are MMS profile configuration settings in Security Profiles > MMS Profile.

MMS Profile page

Lists each individual MMS profile that you created. On this page, you can edit, delete or create an MMS profile.

Create New   Creates a new MMS profile. When you select Create New, you are automatically redirected to the New MMS Profile page.
Edit   Modifies settings within an MMS profile. When you select Edit, you are automatically redirected to the Edit MMS Profile page.
Delete   Removes an MMS profile from the list on the MMS Profile page.

To remove multiple MMS profiles from within the list, on the MMS Profile page, select the check box in each row of the profiles you want removed, and then select Delete.

To remove all MMS profiles from the list, on the MMS Profile page, select the check box in the check box column, and then select Delete.

Name   The name of the MMS profile.
Ref.   Displays the number of times the object is referenced by other objects. For example, if the av_1 profile is applied to a security policy, 1 appears in Ref. on the Profile page (Security Profiles > Antivirus).

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is available within the Object Usage window:

View the list page for these objects – automatically redirects you to the Ref. list page where the object is referenced.

Edit this object – modifies settings within the particular object that references this object. For example, if the av_1 profile is referenced by a security policy, selecting this icon redirects you to the Edit Policy page.

View the details for this object – a table, similar to the log viewer table, contains information about the settings configured within the object that references this object. For example, if the av_1 profile is referenced by a security policy, that security policy’s settings appear within the table.

New MMS Profile page

Provides settings for configuring an MMS profile. This page also provides settings for configuring DLP archives and logging.

Profile Name                          Enter a name for the profile.
Comments                             Enter a description about the profile. This is optional.
MMS Scanning                       Configure MMS Scanning options.
MMS Bulk Email Filtering Detection   Configure MMS Bulk Email Filtering Detection options.
MMS Address Translation       Configure MMS Address Translation options.
MMS Notifications                   Configure MMS Notification options.
DLP Archive                           Configure DLP archive option.
Logging                                 Configure logging options.

MMS scanning options

You can configure MMS scanning protection profile options to apply virus scanning, file filtering, content filtering, carrier endpoint blocking, and other scanning to MMS messages transmitted using the MM1, MM3, MM4 and MM7 protocols.

The following are the MMS Scanning options that are available within an MMS profile. You can create an MMS profile in Security Profiles > MMS Profile or edit an existing one. You must expand MMS Scanning to access the following options.

MMS Scanning section of the New MMS Profile page
Monitor Only   Select to cause the unit to record log messages when MMS scanning options find a virus, match a file name, or match content using any of the other MMS scanning options. Select this option to be able to report on viruses and other problems in MMS traffic without affecting users.

Tip: Select Remove Blocked if you want the unit to actually remove content intercepted by MMS scanning options.

Virus Scan   Select to scan attachments in MMS traffic for viruses.

Since MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configuration also apply to MM1 and MM7 scanning.

MM3 and MM4 use SMTP, so the oversize limits for SMTP and the SMTP antivirus port configuration also apply to MM3 and MM4 scanning.

Scan MM1 message retrieval   Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.
Remove Blocked   Select to remove blocked content from each protocol and replace it with the replacement message.

Select Constant if the unit is to preserve the length of the message when removing blocked content, as may occur when billing is affected by the length of the message.

Tip: If you only want to monitor blocked content, select Monitor Only.

Content Filter   Select to filter messages based on matching the content of the message with the words or patterns in the selected web content filter list.

For information about adding a web content filter list, see the FortiGate CLI Reference.

Carrier Endpoint Block   Select to add Carrier Endpoint Filtering in this MMS profile. Select the carrier endpoint filter list to apply it to the profile.
MMS Content Checksum   Select to add MMS Content Checksum in this MMS profile. Select the MMS content checksum list to apply it to the profile.
Pass Fragmented Messages   Select to pass fragmented MM3 and MM4 messages. Fragmented MMS messages cannot be scanned for viruses. If you do not select these options, fragmented MM3 and MM4 messages are blocked.
Comfort Clients   Select client comforting for MM1 and MM7 sessions.

Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like HTTP client comforting.

Comfort Servers   Select server comforting for each protocol.

Similar to client comforting, you can use server comforting to prevent server connection timeouts that can occur while waiting for the unit to buffer and scan large POST requests from slow clients.

Interval (1-900 seconds)   Enter the time in seconds before client and server comforting starts after the download has begun, and the time between sending subsequent data.
Amount (1-10240 bytes)   The number of bytes sent by client or server comforting at each interval.
Oversized MMS Message   Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.

The oversize threshold refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.

Threshold (1KB – 800 MB)   Enter the oversized file threshold and select KB or MB. If a file is larger than the threshold, the file is passed or blocked depending on the Oversized MMS Message setting. The web-based manager displays the allowed threshold range. The threshold maximum is 10% of the unit’s RAM.

FortiCarrier MMS Concepts

MMS Concepts

MMS background

MMS is a common method for mobile users to send and receive multimedia content. A Carrier network supports MMS across its network. This makes up the MMS Service Provider Network (MSPN).

Messages can be sent or received between the MMSC and a number of other services including the Internet, content providers, or other carriers. Each of these different service connections uses different MMS formats including MM1 and MM7 messages (essentially HTTP format), and MM3 and MM4 messages (SMTP formatted). These different formats reflect the different purposes and content for each type of MMS message.

MMS content interfaces

MMS content interfaces

MMS messages are sent from devices and servers to other devices and servers using MMS content interfaces.

There are eight interfaces defined for the MMS standard, referred to as MM1 through MM8. The most important of these interfaces for the transfer of data is the MM1 interface, as this defines how mobile users communicate from the mobile network to the Multimedia Message Service Center (MMSC). MMS content to be monitored and controlled comes from these mobile users and is going to the provider network.

Other MMS content interfaces that connect a service provider network to other external sources can pose threats as well. MM3 handles communication between the Internet and the MMSC and is a possible source of viruses and other content problems from the Internet. MM4 handles communication between different content provider MMSCs. Filtering MM4 content protects the service provider network from content sent from foreign service providers and their subscribers. Finally MM7 is used for communication between content providers and the MMSC. Filtering MM3 content can also keep harmful content off of the service provider network.

MMS content interfaces

Type   Transaction                   Similar to
MM1    Handset to MMSC               HTTP
MM3    Between MMSC and Internet     SMTP
MM4    Between operator MMSCs        SMTP
MM7    Content providers to MMSC     HTTP and SOAP

How MMS content interfaces are applied

As shown below, the sender’s mobile device encodes the MMS content in a form similar to MIME email message (MMS MIME content formats are defined by the MMS Message Encapsulation specification). The encoded message is then forwarded to the service provider’s MMSC. Communication between the sending device and the MMSC uses the MM1 content interface. The MM1 content interface establishes a connection and sends an MM1 send request (m-send.req) message that contains the MMS message. The MMSC processes this request and sends back an MM1 send confirmation (m-send.conf) HTTP response indicating the status of the message — accepted or an error occurred, for example.

MM1 transactions between senders and receivers and the MMSC

If the recipient is on another carrier, the MMSC forwards the message to the recipient’s carrier. This forwarding uses the MM4 content interface for forwarding content between operator MMSCs (see the figure below).

Before the MMSC can forward the message to the final recipient, it must first determine if the receiver’s handset can receive MMS messages using the MM1 content interface. If the recipient can use the MM1 content interface, the content is extracted and sent to a temporary storage server with an HTTP front-end.

To retrieve the message, the receiver’s handset establishes a connection with the MMSC. An HTTP GET request is then sent from the recipient to the MMSC. This message contains the URL where the content of the message is stored. The MMSC responds with a retrieve confirmation (m-retrieve.conf) HTTP response that contains the message.

MM4 messages sent between operator MMSCs (figure: MMSC to receiving operator MMSC)

This causes the receiver’s handset to retrieve the content from the embedded URL. Several messages are exchanged to indicate status of the delivery attempt. Before delivering content, some MMSCs also include a content adaptation service that attempts to modify the multimedia content into a format suitable for the recipient’s handset.

If the receiver’s handset is not MM1 capable, the message can be delivered to a web based service and the receiver can view the content from a normal Internet browser. The URL for the content can be sent to the receiver in an SMS text message. Using this method, non-MM1 capable recipients can still receive MMS content.

The method for determining whether a handset is MMS capable is not specified by the standards. A database is usually maintained by the operator, and in it each mobile phone number is marked as being associated with a legacy handset or not. It can be a bit hit and miss since customers can change their handset at will and this database is not usually updated dynamically.

Email and web-based gateways from the MMSC to the Internet use the MM3 content interface. On the receiving side, the content servers can typically receive service requests both from WAP and normal HTTP browsers, so delivery via the web is simple. For sending from external sources to handsets, most carriers allow MIME-encoded messages to be sent to the receiver’s phone number with a special domain.

How FortiOS Carrier processes MMS messages

MMS messages can be vectors for propagating undesirable content such as spam and viruses. FortiOS Carrier can scan MMS messages sent using the MM1, MM3, MM4, and MM7 content interfaces. You can configure FortiOS Carrier to scan MMS messages for spam and viruses by configuring and adding MMS protection profiles and adding the MMS protection profiles to security policies. You can also use MMS protection profiles to apply content blocking, carrier endpoint filtering, MMS address translation, sending MMS notifications, DLP archiving of MMS messages, and logging of MMS message activity.

FortiOS Carrier MMS processing

FortiOS Carrier can send MMS messages to senders informing those senders that their devices are infected. FortiOS Carrier can also send MMS notifications to administrators to inform them of suspicious activity on their networks.

For message floods and duplicate messages, FortiOS Carrier does not send notifications to message senders but does send notifications to administrators and sends messages to sender handsets to complete MM1 and MM4 sessions.

Where MMS messaging uses the TCP/IP set of protocols, SMS text messaging uses the Signaling System Number 7 (SS7) set of protocols, which is not supported by FortiOS.

FortiOS Carrier and MMS content scanning

The following section applies to MMS content scanning, including virus scanning, file filtering, content spam filtering, carrier endpoint filtering, and MMS content checksum filtering.

MM1 Content Scanning

During MM1 content scanning, the sender first transmits a message by establishing a connection with the MMSC. FortiOS Carrier intercepts this connection and acts as the endpoint. FortiOS Carrier then establishes its own connection to the MMSC. Once connected, the client transmits its m-send.req HTTP POST request to FortiOS Carrier, which scans it according to the MMS protection profile settings. If the content is clean, the message is forwarded to the MMSC. The MMSC returns the m-send.conf HTTP response through FortiOS Carrier to the sender.

If FortiOS Carrier blocks the message (for example, because a virus was found; see the figure below), FortiOS Carrier resets the connection to the MMSC and sends an m-send.conf HTTP response back to the sender. The response message can be customized using replacement messages. FortiOS Carrier then terminates the connection. Sending back an m-send.conf message prevents the sender from trying to send the message again.

MM1 message sent by sender (blocking m-send.req messages)

FortiOS Carrier also sends m-send.rec notification messages to the MMSC that are then forwarded to the sender to notify them of blocked messages.

Filtering message retrieval

FortiOS Carrier intercepts the connection to the MMSC, and the m-retrieve.conf HTTP response from the MMSC is scanned according to the MMS content scanning settings. If the content is clean, the response is forwarded back to the client. If the content is blocked, FortiOS Carrier drops the connection to the MMSC. It then builds an m-retrieve.conf message from the associated replacement message and transmits this back to the client.

FortiOS Carrier also sends m-send.rec notification messages to the MMSC that are then forwarded to the receiver to notify them of blocked messages.

MM1 message received by receiver (blocking m-retrieve.conf messages)

Filtering MM3 and MM4 messages works in a similar way to MM1 (see the figures below). FortiOS Carrier intercepts connections to the MMSC and scans messages as configured. When messages are blocked, FortiOS Carrier closes sessions as required, sends confirmation messages to the sender, notifies administrators, and notifies senders and receivers of messages.
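To make the MM1 exchange concrete, here is an added Python model of the send path described in "How MMS content interfaces are applied" and in "MM1 Content Scanning" above. It is the editor's example, not FortiOS Carrier code or anything published by Fortinet. It encodes a minimal m-send.req, places a scanner in the inline position the text gives FortiOS Carrier, checks the body against a content-checksum blocklist, and answers with an m-send.conf whose status is Ok when the request is forwarded to a stand-in MMSC and an error plus replacement text when it is blocked. The header field codes and status values are the editor's recollection of the MMS Message Encapsulation specification and are an assumption to verify against the spec; the transaction ids, bodies and blocklist are constructed.

```python
import hashlib
from typing import Optional

# MMS header field codes (field number | 0x80) and enumerated values as the
# editor recalls them from the MMS Message Encapsulation spec; verify against
# the spec before reuse (assumption, not taken from the page).
MESSAGE_TYPE = 0x8C      # X-Mms-Message-Type (one-byte value)
TRANSACTION_ID = 0x98    # X-Mms-Transaction-ID (NUL-terminated text)
MMS_VERSION = 0x8D       # X-Mms-MMS-Version (short integer)
RESPONSE_STATUS = 0x92   # X-Mms-Response-Status (one-byte value)
RESPONSE_TEXT = 0x93     # X-Mms-Response-Text (NUL-terminated text)
CONTENT_TYPE = 0x84      # Content-Type; the message body follows this header

M_SEND_REQ, M_SEND_CONF = 0x80, 0x81
VERSION_1_0 = 0x90       # short integer 0x10 (major 1, minor 0) with the high bit set
CT_TEXT_PLAIN = 0x83     # WSP well-known content type text/plain (0x03 | 0x80)
STATUS_OK, STATUS_CONTENT_NOT_ACCEPTED = 0x80, 0x87


def _text(s: str) -> bytes:
    """Encode a text-string value: the characters followed by a NUL byte."""
    return s.encode("ascii") + b"\x00"


def body_digest(body: bytes) -> str:
    """Content checksum used by the blocklist (SHA-256 hex)."""
    return hashlib.sha256(body).hexdigest()


def build_send_req(tid: str, body: bytes) -> bytes:
    """Handset side: an m-send.req carrying a text/plain body."""
    return (bytes([MESSAGE_TYPE, M_SEND_REQ]) + bytes([TRANSACTION_ID]) + _text(tid)
            + bytes([MMS_VERSION, VERSION_1_0]) + bytes([CONTENT_TYPE, CT_TEXT_PLAIN]) + body)


def build_send_conf(tid: str, status: int, text: Optional[str] = None) -> bytes:
    """m-send.conf for the transaction; text carries the replacement message on a block."""
    pdu = (bytes([MESSAGE_TYPE, M_SEND_CONF]) + bytes([TRANSACTION_ID]) + _text(tid)
           + bytes([MMS_VERSION, VERSION_1_0]) + bytes([RESPONSE_STATUS, status]))
    if text is not None:
        pdu += bytes([RESPONSE_TEXT]) + _text(text)
    return pdu


def parse_pdu(pdu: bytes) -> dict:
    """Decode the headers used here; the body is whatever follows Content-Type."""
    hdr, i = {}, 0
    while i < len(pdu):
        code = pdu[i]
        i += 1
        if code == MESSAGE_TYPE:
            hdr["type"] = pdu[i]
            i += 1
        elif code == RESPONSE_STATUS:
            hdr["status"] = pdu[i]
            i += 1
        elif code == MMS_VERSION:
            hdr["version"] = pdu[i] & 0x7F   # strip the short-integer high bit
            i += 1
        elif code in (TRANSACTION_ID, RESPONSE_TEXT):
            end = pdu.index(b"\x00", i)
            hdr["tid" if code == TRANSACTION_ID else "text"] = pdu[i:end].decode("ascii")
            i = end + 1
        elif code == CONTENT_TYPE:
            hdr["content_type"], hdr["body"] = pdu[i], bytes(pdu[i + 1:])
            break
        else:
            raise ValueError(f"unsupported header 0x{code:02x}")
    return hdr


def mmsc_accept(send_req: bytes) -> bytes:
    """Stand-in MMSC: accepts every request it is given with status Ok."""
    return build_send_conf(parse_pdu(send_req)["tid"], STATUS_OK)


def carrier_mm1_send(send_req: bytes, checksum_blocklist: set,
                     replacement: str = "Message blocked by carrier policy") -> tuple:
    """Inline scanner in the position the text gives FortiOS Carrier.

    Returns (verdict, m-send.conf the sender receives). On a block the MMSC
    never sees the request: the scanner answers the sender itself, echoing
    the transaction id, so the handset treats the send as finished and does
    not retry.
    """
    msg = parse_pdu(send_req)
    if msg.get("type") != M_SEND_REQ:
        raise ValueError("expected an m-send.req")
    if body_digest(msg["body"]) in checksum_blocklist:
        return "block", build_send_conf(msg["tid"], STATUS_CONTENT_NOT_ACCEPTED, replacement)
    return "forward", mmsc_accept(send_req)


if __name__ == "__main__":
    # Constructed sample: the blocklist holds the checksum of one known-bad body.
    blocklist = {body_digest(b"hello")}
    for body in (b"hi there", b"hello"):
        verdict, conf = carrier_mm1_send(build_send_req("T1", body), blocklist)
        print(verdict, hex(parse_pdu(conf)["status"]), parse_pdu(conf).get("text"))
```

The point to notice is that the blocked path still produces a well-formed m-send.conf with the original transaction id: a reset without a confirmation would leave the handset retrying, which is exactly the behaviour the text says the confirmation is there to prevent.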

MM3 message from a sender on the Internet to an MMSC

  1. Open TCP session
  2. Send full email message
  3. Content blocked
  4. Send 550 error and replacement message
  5. MM3 notification message (sent once per notification period, regardless of how many messages are blocked)

MM4 message between operator MMSCs

  1. Open TCP session
  2. Send full MM4-forward.req message
  3. m-retrieve.conf message
  4. Content blocked
  5. Send 250 response

MM7 message between a VASP and an MMSC (figure: sending VASP, FortiOS Carrier, receiving MMSC)

FortiOS Carrier and MMS duplicate messages and message floods

FortiOS Carrier detects duplicate messages and message floods for the MM1 and MM4 interfaces. How FortiOS Carrier detects and responds to duplicate messages and message floods is different from how FortiOS Carrier detects and responds to viruses and other MMS scanning protection measures.

For message floods and duplicate messages, the sender does not receive notifications, because a sender who is an attacker could learn useful information about the flood and duplicate thresholds from them. In addition, duplicate messages and message floods are usually the result of a large amount of messaging activity, and filtering of these messages is designed to reduce the amount of unwanted messaging traffic. Sending notifications to senders and receivers would only add to that traffic.

You can create up to three thresholds for detecting duplicate messages and message floods. For each threshold you can configure the FortiOS Carrier unit to respond by logging the activity, archiving or quarantining the messages, notifying administrators of the activity, and by blocking the messages. In many cases you may only want to configure blocking for higher activity thresholds, and to just monitor and send administrator notifications at lower activity thresholds.

When a block threshold is reached for MM1 messages, FortiOS Carrier sends m-send.conf or m-retrieve.conf messages to the originator of the activity. These messages are sent to end the MM1 sessions; otherwise the originator would continue to re-send the blocked message. When a block threshold is reached for MM4, FortiOS Carrier sends an MM4-forward.res message to close the MM4 session. An MM4 message is sent only if initiated by the originating MM4-forward.req message.
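As an added example of the threshold scheme described in the three paragraphs above (the editor's Python, not FortiOS Carrier code), the monitor below keeps up to three thresholds each for floods (messages per sender inside a sliding window) and duplicates (copies of the same content inside the window). Each threshold carries its own set of responses, the responses of every threshold reached are combined, "notify" means administrator notification only, and when a block is reached the session-closing message is chosen per interface as the text states. The window length, threshold values, sender numbers and message bodies are constructed.

```python
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ACTIONS = frozenset({"log", "archive", "notify", "block"})

# Session-closing message per interface: MM1 senders get an m-send.conf, MM1
# receivers an m-retrieve.conf, MM4 peers an MM4-forward.res.
SESSION_CLOSE = {("MM1", "send"): "m-send.conf",
                 ("MM1", "retrieve"): "m-retrieve.conf",
                 ("MM4", "send"): "MM4-forward.res"}


@dataclass(frozen=True)
class Threshold:
    count: int                  # messages within the window that trigger it
    actions: FrozenSet[str]     # subset of ACTIONS taken when it is reached

    def __post_init__(self):
        if self.count < 1 or not self.actions <= ACTIONS:
            raise ValueError("bad threshold")


@dataclass(frozen=True)
class Verdict:
    flood_level: int              # 0 = below every threshold, 1..3 = highest reached
    duplicate_level: int
    actions: FrozenSet[str]       # union of the actions of every threshold reached
    session_close: Optional[str]  # message used to end the session when blocking


class MmsActivityMonitor:
    """Sliding-window flood (per sender) and duplicate (per content) detector."""

    def __init__(self, window_seconds: float,
                 flood: List[Threshold], duplicate: List[Threshold]):
        if len(flood) > 3 or len(duplicate) > 3:
            raise ValueError("at most three thresholds per detector")
        self.window = window_seconds
        self.flood = sorted(flood, key=lambda t: t.count)
        self.duplicate = sorted(duplicate, key=lambda t: t.count)
        self._by_sender: Dict[str, deque] = defaultdict(deque)
        self._by_content: Dict[str, deque] = defaultdict(deque)

    def _count(self, timestamps: deque, ts: float) -> int:
        """Record ts, drop entries older than the window, return the live count."""
        timestamps.append(ts)
        while timestamps[0] <= ts - self.window:
            timestamps.popleft()
        return len(timestamps)

    @staticmethod
    def _evaluate(thresholds: List[Threshold], n: int):
        level, actions = 0, set()
        for i, t in enumerate(thresholds, start=1):
            if n >= t.count:
                level, actions = i, actions | t.actions
        return level, actions

    def observe(self, interface: str, sender: str, body: bytes, ts: float,
                direction: str = "send") -> Verdict:
        n_flood = self._count(self._by_sender[sender], ts)
        digest = hashlib.sha256(body).hexdigest()
        n_dup = self._count(self._by_content[digest], ts)
        flood_level, flood_actions = self._evaluate(self.flood, n_flood)
        dup_level, dup_actions = self._evaluate(self.duplicate, n_dup)
        actions = frozenset(flood_actions | dup_actions)
        # The originator is never told which threshold it tripped; only the
        # session is ended, with the interface's own confirmation message.
        close = SESSION_CLOSE.get((interface, direction)) if "block" in actions else None
        return Verdict(flood_level, dup_level, actions, close)


if __name__ == "__main__":
    # Constructed thresholds: monitor low levels, block only the highest one.
    flood = [Threshold(3, frozenset({"log", "notify"})),
             Threshold(5, frozenset({"log", "archive", "notify"})),
             Threshold(8, frozenset({"log", "notify", "block"}))]
    dup = [Threshold(3, frozenset({"log", "notify"})),
           Threshold(6, frozenset({"log", "notify", "block"}))]
    mon = MmsActivityMonitor(60.0, flood, dup)
    for i in range(8):   # one constructed handset sending eight distinct messages
        print(mon.observe("MM1", "+15551230001", f"msg {i}".encode(), 10.0 + i))
```

Keeping the lower thresholds as log-and-notify only, and reserving "block" for the top one, mirrors the suggestion in the text to monitor at low activity levels and block only at high ones.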

MM1 message flood and duplicate message blocking of sent messages

MM1 message flood and duplicate message blocking of received messages


MM4 message flood and duplicate message blocking

  1. Open TCP session
  2. Send full MM4-forward.req message (without the terminating “.” on a single line)
  3. Reset TCP session

MMS protection profiles

An MMS protection profile is a group of settings that you can apply to an MMS session matched by a security policy.

MMS protection profiles are easy to configure and can be used by more than one security policy. You can configure a single MMS protection profile for the different traffic types handled by a set of security policies that require identical protection levels and types. This eliminates the need to repeatedly configure those same MMS protection profile settings for each individual security policy.


For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need only moderate protection. You would configure two separate MMS protection profiles to provide the different levels of protection: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS Protection Profile, you need to add it to a security policy to apply the profile to MMS traffic.

Bypassing MMS protection profile filtering based on carrier endpoints

You can use carrier endpoint filtering to exempt MMS sessions from MMS protection profile filtering. Carrier endpoint filtering matches carrier endpoints in MMS sessions with carrier endpoint patterns. If you add a carrier endpoint pattern to a filter list and set the action to exempt from all scanning, all messages from matching carrier endpoints bypass MMS protection profile filtering. See Bypassing message flood protection based on user’s carrier endpoints.

Applying MMS protection profiles to MMS traffic

To apply an MMS protection profile, you must first create the MMS protection profile and then add it to a security policy by enabling the Carrier security profile. The MMS protection profile is then applied to the traffic accepted by that security policy.

MMS protection profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS protection profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS protection profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS protection profile.

To add an MMS protection profile to a security policy

  1. Go to Security Profiles > MMS Profile.
  2. Select Create New to add an MMS protection profile.
  3. Configure as needed, and save.
  4. Go to Policy & Objects > IPv4 Policy.
  5. Select Create New to add a security policy, or select an existing policy and Edit to add the MMS profile.
  6. Configure the security policy as required.
  7. Enable MMS Profile, and select the MMS profile to add to the security policy.
  8. Select OK.

 

Overview of FortiOS Carrier features


FortiOS Carrier specific features include Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP) protection.

All FortiGate units, carrier-enabled or not, are capable of handling Stream Control Transmission Protocol (SCTP) traffic, which is a protocol designed for and primarily used in Carrier networks.


Overview

FortiOS Carrier provides all the features found on FortiGate units plus added features specific to carrier networks: MMS and GTP.

MMS

MMS is a standard for sending messages that include multimedia content between mobile phones. MMS is also popular as a method of delivering news and entertainment content including videos, pictures, and text. Carrier networks include four different MMS types of messages — MM1, MM3, MM4, and MM7.

GTP

The GPRS Tunneling Protocol (GTP) runs on GPRS carrier networks. GPRS is a GSM packet radio standard. It provides more efficient usage of the radio interface so that mobile devices can share the same radio channel. FortiOS supports GTPv1 and GTPv2.

GPRS provides direct connections to the Internet (TCP/IP) and X.25 networks for point-to-point services (connection-less/connection oriented) and point-to-multipoint services (broadcast).

GPRS currently supports data rates from 9.6 kbps to more than 100 kbps, and it is best suited for burst forms of traffic. GPRS involves both radio and wired components. The mobile phone sends the message to a base station unit (radio based) that converts the message from radio to wired, and sends the message to the carrier network and eventually the Internet (wired carrier network). See GTP.

What’s New in FortiOS 5.6 for FortiCarrier


New features added in 5.6.1

GTP enhancement and GTP Performance Improvement. (423332)

The GTP changes in 5.6.1 take place in the following categories:

New GTP features and functionality enhancements.

  • GTP message filter enhancements, including:
    • Unknown message white list
    • GTPv1 and GTPv2 profile separation
    • Message adoption
  • GTP IE white list.
  • Global APN rate limit, including:
    • Sending back a REJECT message with a back-off timer
    • “APN congestion” cause value
  • GTP half-open, half-close configurable timer.

GTP performance improvements.

  • Implemented RCU on the GTP-U running path, i.e., no locking is needed to look up tunnel state when processing GTP-U.

Note that RCU is only applied to GTPv1 and GTPv2 tunnels. It is not used for GTPv0 tunnels because (1) GTPv0 traffic is relatively minor compared with GTPv1 and GTPv2, and (2) GTPv0 tunnel indexing is totally different from GTPv1 and GTPv2: a GTPv0 tunnel is indexed by [IMSI, NSAPI], while GTPv1 and GTPv2 tunnels are indexed by [IP, TEID].

  • Localized CPU memory usage on the GTP-U running path.
  • GTP-C: changed some GTP tables from RB tree to hash table, including GTP request tables and GTPv0 tunnel tables. Testing showed that, when handling millions of entry additions and deletions, hash table performance was much better.
  • The hash table is compatible with the RCU API, so RCU can be applied to these GTP-C tables later for further performance improvements.
  • GTP-C: improved GTP path management logic, so that a GTP path times out sooner when no tunnels are linked to it.

CLI Changes:

New Diagnose commands: diagnose firewall gtp


Option               Description
hash-stat-tunnel     GTP tunnel hash statistics.
hash-stat-v0tunnel   GTPv0 tunnel hash statistics.
hash-stat-path       GTP path hash statistics.
hash-stat-req        GTP request hash statistics.
vd-apn-shaper        APN shaper on VDOM level.
ie-white-list-v0v1   IE white list for GTPv0 or v1.
ie-white-list-v2     IE white list for GTPv2.

diagnose firewall gtp vd-apn-shaper

Option   Description
list     List

diagnose firewall gtp ie-white-list-v0v1

Option   Description
list     List

diagnose firewall gtp ie-white-list-v2

Option   Description
list     List

config gtp apn-shaper

Option          Description
apn             APN to match. Leave empty to match ANY.
rate-limit      Rate limit in packets/s (0 – 1000000, 0 means unlimited).
action          Action. [drop | reject]
back-off-time   Back-off time in seconds (10 – 360). Visible only when action is “reject”.

The “apn” field can be empty, in which case it matches ANY APN. When configured this way, the entry sets a limit for any APN that is not explicitly listed; because matching is first-match, such an entry should be the last entry.

There is no back-off timer in GTPv0, therefore the reject action is not available for GTPv0.
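An added Python model of the first-match APN shaper described by the options above (the editor's code, not FortiOS or anything from Fortinet). It validates the option ranges listed, enforces that an empty-apn catch-all is the last entry, counts packets per APN over a one-second sliding window, and on overflow either drops or answers with a REJECT carrying the back-off timer and the "APN congestion" cause, falling back to drop for GTPv0 because that version has no back-off timer. The APN names, rates and timestamps are constructed, and counting per matched APN name (rather than per entry) is the editor's assumption about how the limit is accounted.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RATE = 1_000_000        # rate-limit upper bound from the option table
BACK_OFF_RANGE = (10, 360)  # back-off-time range in seconds from the option table


@dataclass(frozen=True)
class ApnShaperEntry:
    apn: str                  # "" matches ANY apn and must be the last entry
    rate_limit: int           # packets/s, 0 means unlimited
    action: str = "drop"      # "drop" or "reject"
    back_off_time: int = 60   # seconds, meaningful only with "reject"


def validate_entries(entries: List[ApnShaperEntry]) -> None:
    """Enforce the listed option ranges and the first-match ordering rule."""
    for pos, e in enumerate(entries):
        if not 0 <= e.rate_limit <= MAX_RATE:
            raise ValueError(f"rate-limit out of range: {e.rate_limit}")
        if e.action not in ("drop", "reject"):
            raise ValueError(f"unknown action: {e.action}")
        if e.action == "reject" and not BACK_OFF_RANGE[0] <= e.back_off_time <= BACK_OFF_RANGE[1]:
            raise ValueError(f"back-off-time out of range: {e.back_off_time}")
        if e.apn == "" and pos != len(entries) - 1:
            raise ValueError("catch-all (empty apn) entry must be last: matching is first-match")


class ApnShaper:
    def __init__(self, entries: List[ApnShaperEntry]):
        validate_entries(entries)
        self.entries = list(entries)
        self._seen: Dict[str, deque] = defaultdict(deque)   # per-APN packet timestamps

    def match(self, apn: str) -> Optional[ApnShaperEntry]:
        """First entry whose apn equals the packet's APN, or the catch-all."""
        for e in self.entries:
            if e.apn == "" or e.apn == apn:
                return e
        return None

    def _over_limit(self, apn: str, limit: int, ts: float) -> bool:
        """Sliding one-second window; an over-limit packet is not counted."""
        q = self._seen[apn]
        while q and q[0] <= ts - 1.0:
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(ts)
        return False

    def handle(self, apn: str, gtp_version: int, ts: float) -> dict:
        entry = self.match(apn)
        if entry is None or entry.rate_limit == 0:
            return {"verdict": "forward"}
        if not self._over_limit(apn, entry.rate_limit, ts):
            return {"verdict": "forward"}
        # GTPv0 has no back-off timer, so a reject entry can only drop there.
        if entry.action == "reject" and gtp_version in (1, 2):
            return {"verdict": "reject", "cause": "APN congestion",
                    "back_off_time": entry.back_off_time}
        return {"verdict": "drop"}


if __name__ == "__main__":
    # Constructed entries: one named APN with reject, then the catch-all last.
    shaper = ApnShaper([ApnShaperEntry("internet.example", 2, "reject", 30),
                        ApnShaperEntry("", 1, "drop")])
    for ts in (0.0, 0.1, 0.2):
        print("internet.example v1", shaper.handle("internet.example", 1, ts))
    print("internet.example v0", shaper.handle("internet.example", 0, 0.3))
    print("other.example v2   ", shaper.handle("other.example", 2, 0.5))
```

The ordering check in validate_entries is the part worth keeping in mind when writing the real configuration: with first-match semantics, a catch-all placed anywhere but last silently shadows every entry after it.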

Changed commands:

Under the firewall gtp command, config message-filter is replaced by set message-filter-v0v1.

Example:

config firewall gtp
    edit <name>
        set message-filter-v0v1

New fields have been added to the config firewall gtp command context:

Option               Description
half-open-timeout    Half-open tunnel timeout (in seconds).
half-close-timeout   Half-close tunnel timeout (in seconds).

Example:

config firewall gtp
    edit <name>
        set half-open-timeout 10
        set half-close-timeout 10

Models affected by change

  • FortiGate 3700D
  • FortiGate 3700DX
  • FortiGate 3800D