CLI Reference

system replacemsg alertmail

The FortiGate unit adds the alert mail replacement messages listed to alert email messages sent to administrators.

Alert mail replacement messages are text messages.

These are HTML messages with HTTP headers.

config system replacemsg alertmail
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

alertmail message types

alertmail-block

Virus detected must be enabled for alert email. Antivirus File Filter must be enabled in an antivirus profile, and it must block a file that matches an entry in a selected file filter list.

alertmail-crit-event

Whenever a critical level event log message is generated, this replacement message is sent unless you configure alert email to enable Send alert email for logs based on severity and set the Minimum log level to Alert or Emergency.

alertmail-disk-full

Disk usage must be enabled for alert email, and disk usage must reach the percent full amount configured for alert email.

alertmail-nids-event

Intrusion detected must be enabled for alert email. When an IPS Sensor or a DoS Sensor detects an attack, this replacement message will be sent.

alertmail-virus

Virus detected must be enabled for alert email. Virus Scan must be enabled in an antivirus profile and detect a virus.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

%%URL%%

The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%CRITICAL_EVENT%%

Added to alert email critical event email messages. %%CRITICAL_EVENT%% is replaced with the critical event message that triggered the alert email.

%%PROTOCOL%%

The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%

IP address of the email server that sent the email containing the virus.

%%DEST_IP%%

IP address of the user’s computer that attempted to download the message from which the file was removed.

%%EMAIL_FROM%%

The email address of the sender of the message from which the file was removed.

%%EMAIL_TO%%

The email address of the intended receiver of the message from which the file was removed.

%%NIDS_EVENT%%

The IPS attack message. %%NIDS_EVENT%% is added to alert email intrusion messages.
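
A pre-deployment check for custom alertmail buffers, as an added example that is not part of the Fortinet reference: it applies the size limits and the tag list documented above to a proposed message. The function name, the mapping of tags to msg-types and the sample message are assumptions made for illustration.

```python
import re

# Limits and message type names copied from the CLI reference above.
MAX_MSG_TYPE, MAX_BUFFER = 28, 32768
MSG_TYPES = {"alertmail-block", "alertmail-crit-event", "alertmail-disk-full",
             "alertmail-nids-event", "alertmail-virus"}

# Tags the page ties to particular messages. Mapping "virus", "file block",
# "critical event" and "intrusion" to these msg-types is an assumption.
TAG_SCOPE = {
    "FILE": {"alertmail-virus", "alertmail-block"},
    "URL": {"alertmail-virus", "alertmail-block"},
    "VIRUS": {"alertmail-virus"},
    "PROTOCOL": {"alertmail-virus"},
    "CRITICAL_EVENT": {"alertmail-crit-event"},
    "NIDS_EVENT": {"alertmail-nids-event"},
}
# Tags described without a message type: accepted in any message (assumption).
UNSCOPED_TAGS = {"SOURCE_IP", "DEST_IP", "EMAIL_FROM", "EMAIL_TO"}
TAG_RE = re.compile(r"%%([A-Za-z0-9_]+)%%")

def lint_alertmail(msg_type, buffer):
    """Return a list of findings for a proposed replacement message."""
    findings = []
    if len(msg_type) > MAX_MSG_TYPE:
        findings.append(f"msg-type longer than {MAX_MSG_TYPE} characters")
    if msg_type not in MSG_TYPES:
        findings.append(f"unknown msg-type: {msg_type}")
    if len(buffer) > MAX_BUFFER:
        findings.append(f"buffer is {len(buffer)} characters, limit {MAX_BUFFER}")
    for tag in sorted(set(TAG_RE.findall(buffer))):
        if tag in UNSCOPED_TAGS:
            continue
        if tag not in TAG_SCOPE:
            findings.append(f"%%{tag}%% is not in the documented tag list")
        elif msg_type in MSG_TYPES and msg_type not in TAG_SCOPE[tag]:
            findings.append(f"%%{tag}%% is not documented for {msg_type}")
    return findings

# Constructed sample: an intrusion tag in a virus message, plus a misspelt tag.
SAMPLE = "Virus %%VIRUS%% in %%FILE%% via %%PROTOCOL%% (%%NIDS_EVENT%%, %%VIRUSS%%)"

if __name__ == "__main__":
    for finding in lint_alertmail("alertmail-virus", SAMPLE):
        print(finding)
```
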
