Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiOS Carrier

MMS profile scanning options

This section describes the options available in MMS profiles to configure scanning options for each of the MMS protocols. The following MMS profile CLI options are described.

config firewall mms-profile

edit <name>

set comment <sting>

set replacemsg-group

set mmsbwordthreshold <threshold>

set mm1comfortinterval <interval>

set mm7comfortinterval <interval>

set mm1comfortamount <amount>

set mm7comfortamount <amount>

set mm1-addr-hdr <string>

set mm7-addr-hdr <string>

set mm1-addr-source {cookie | http-header}

set mm7-addr-source {cookie | http-header}

set mm1-convert-hex {disable | enable}

set mm7-convert-hex {disable | enable}

set carrier-endpoint-prefix {disable | enable}

set remove-blocked-const-length {disable | enable}

set mm1 {avmonitor oversize scan bannedword chunkedbypass clientcomfort servercomfort carrier-endpoint-bwl remove-blocked mms-checksum}

set mm1-retrieve-scan {disable | enable}

set mm3 {avmonitor oversize scan bannedword fragmail splice carrier-endpoint-bwl remove-blocked mms-checksum}

set mm4 {avmonitor oversize scan bannedword fragmail splice carrier-endpoint-bwl remove-blocked mms-checksum}

set mm7 {avmonitor oversize scan bannedword chunkedbypass clientcomfort servercomfort carrier-endpoint-bwl remove-blocked mms-checksum}

set mm1oversizelimit <limit>

set mm3oversizelimit <limit>

set mm4oversizelimit <limit>

set mm7oversizelimit <limit>

set mm1-retr-dupe {disable | enable}

set carrierendpointbwltable <index>

set avnotificationtable <index>

set mms-checksum-table <index>

set bwordtable <index>

end

 

Note

The same MMS scanning options can be applied to each protocol except that:

  • chunkedbypass, clientcomfort, and servercomfort can be applied to MM1 and MM7 only.
  • fragmail and splice can be applied to MM3 and MM4 only.

Option

Description

avmonitor Record log messages when MMS scanning finds a virus, matches a file name, or matches content using any of the other MMS scanning options. Select this option to be able to report on viruses and other problems in MMS traffic without affecting users.
oversize Block oversized files or emails in MMS traffic. If this option is not selected, oversize files are passed through without being scanned. Use mm1oversizelimit <size>, mm3oversizelimit <size>, mm4oversizelimit <size>, and mm7oversizelimit <size> to set the oversized file threshold in Kbytes. The range is 1 to 819200 Kbytes and the default is 10240 Kbytes. The oversize limit refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.
scan Scan attachments in MMS traffic for viruses.Since MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configuration also applies to MM1 and MM7 scanning.MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port configuration also applies to MM3 and MM4 scanning.You can enable or disable mm1-retrieve-scan (enabled by default) to enable or disable scanning MM1 retrieve configuration messages.You can enable mm1-retr-dupe (disabled by default) to prevent scanning of duplicate MM1 retrieval messages. Disabling mm1-retr-dupe can improve performance.Use the avnotificationtable <index> option to select an antivirus notification table. Use the config antivirus notification command to create an antivirus notification table.
bannedword Filter messages based on matching the content of the message with the words or patterns in a selected web content filter list. Use bwordtable <index> to add a web content filter list to the MMS profile. Use the config webfilter content command to add a web content filter list. Use the mmsbwordthreshold <number> option to set the number of banned words that content blocking must find before FortiOS Carrier considers the content to have too many banned words. The rang is 0 to 2147483647 and the default is 10.
chunkedbypass Pass chunked MM1 and MM7 massages. Chunked content cannot be scanned for viruses. If you do not select chunkedbypass, FortiOS Carrier blocks chunked MM1 and MM7 messages. Chunking is a mechanism in version 1.1 of HTTP that allows a web server to start sending chunks of dynamically generated output in response to a request before knowing the actual size of the content.
fragmail Pass fragmented MM3 and MM4 messages. Fragmented messages cannot be scanned for viruses. If you do not select fragmail, FortiOS Carrier blocks fragmented MM3 and MM4 messages.
{clientcomfort | servercomfort} Enable client comforting and server comforting for MM1 and MM7 sessions. You can use client and server comforting to prevent client and server connection timeouts that can occur while waiting for FortiOS Carrier to buffer and scan large requests from slow servers or clients.Use mm1comfortinterval <time> and mm7comfortinterval <time> to control the time in seconds before client and server comforting starts after a download has begun, and the time between sending subsequent data. The range is 1 to 900 seconds and the default is 10 seconds.Use mm1comfortamount <bytes> and mm7comfortamount <bytes> to control the number of bytes sent by client or server comforting at each interval. The range is 1 to 65535 bytes and the default is 1 byte.
carrier-endpoint-bwl Add carrier endpoint content filtering. Use carrierendpointbwltable to select a carrier endpoint content filter list to add to the MMS profile. Use the config firewall carrier-endpoint-bwl command to add carrier endpoint content filter lists.
remove-blocked Remove content intercepted by MMS scanning options and replace it with the appropriate replacement message.Enable remove-blocked-const-length to preserve the message size when removing blocked content. Use this option if billing is affected by message size.
mms-checksum Add MMS content checksums to an MMS profile. Use mms-checksum-table to select the MMS content checksum list to apply to the profile. Use the config antivirus mms-checksum command to add MMS checksums. Use the config antivirus mms-checksum to create checksum lists.
replacemsg-group <index> Specify the replacement messages group to apply to traffic processed by this MMS profile.
{mm1-addr-hdr | mm7-addr-hdr} <string> Specify the MM1 or MM7 header field that this MMS profile looks in for user addresses. Use a text string to specify the field name. For both options, the default is x-up-calling-line-id.
{mm1-addr-source | mm7-addr-source} {cookie | http-header} Specify whether the MMS profile finds MM1 and MM7 source addresses in the HTTP header (http-header) or from cookies (cookie). The default is http-header.
{mm1-convert-hex | mm7-convert-hex} {disable | enable} Enable or disable converting MM1 or MM7 user addresses from hex strings to digital IP addresses. This option is disabled by default.

 

MMS profile scanning options

This section describes the options available in MMS profiles to configure scanning options for each of the MMS protocols. The following MMS profile CLI options are described.

config firewall mms-profile

edit <name>

set comment <sting>

set replacemsg-group

set mmsbwordthreshold <threshold>

set mm1comfortinterval <interval>

set mm7comfortinterval <interval>

set mm1comfortamount <amount>

set mm7comfortamount <amount>

set mm1-addr-hdr <string>

set mm7-addr-hdr <string>

set mm1-addr-source {cookie | http-header}

set mm7-addr-source {cookie | http-header}

set mm1-convert-hex {disable | enable}

set mm7-convert-hex {disable | enable}

set carrier-endpoint-prefix {disable | enable}

set remove-blocked-const-length {disable | enable}

set mm1 {avmonitor oversize scan bannedword chunkedbypass clientcomfort servercomfort carrier-endpoint-bwl remove-blocked mms-checksum}

set mm1-retrieve-scan {disable | enable}

set mm3 {avmonitor oversize scan bannedword fragmail splice carrier-endpoint-bwl remove-blocked mms-checksum}

set mm4 {avmonitor oversize scan bannedword fragmail splice carrier-endpoint-bwl remove-blocked mms-checksum}

set mm7 {avmonitor oversize scan bannedword chunkedbypass clientcomfort servercomfort carrier-endpoint-bwl remove-blocked mms-checksum}

set mm1oversizelimit <limit>

set mm3oversizelimit <limit>

set mm4oversizelimit <limit>

set mm7oversizelimit <limit>

set mm1-retr-dupe {disable | enable}

set carrierendpointbwltable <index>

set avnotificationtable <index>

set mms-checksum-table <index>

set bwordtable <index>

end

 

Note

The same MMS scanning options can be applied to each protocol except that:

  • chunkedbypass, clientcomfort, and servercomfort can be applied to MM1 and MM7 only.
  • fragmail and splice can be applied to MM3 and MM4 only.

Option

Description

avmonitor Record log messages when MMS scanning finds a virus, matches a file name, or matches content using any of the other MMS scanning options. Select this option to be able to report on viruses and other problems in MMS traffic without affecting users.
oversize Block oversized files or emails in MMS traffic. If this option is not selected, oversize files are passed through without being scanned. Use mm1oversizelimit <size>, mm3oversizelimit <size>, mm4oversizelimit <size>, and mm7oversizelimit <size> to set the oversized file threshold in Kbytes. The range is 1 to 819200 Kbytes and the default is 10240 Kbytes. The oversize limit refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.
scan Scan attachments in MMS traffic for viruses.Since MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configuration also applies to MM1 and MM7 scanning.MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port configuration also applies to MM3 and MM4 scanning.You can enable or disable mm1-retrieve-scan (enabled by default) to enable or disable scanning MM1 retrieve configuration messages.You can enable mm1-retr-dupe (disabled by default) to prevent scanning of duplicate MM1 retrieval messages. Disabling mm1-retr-dupe can improve performance.Use the avnotificationtable <index> option to select an antivirus notification table. Use the config antivirus notification command to create an antivirus notification table.
bannedword Filter messages based on matching the content of the message with the words or patterns in a selected web content filter list. Use bwordtable <index> to add a web content filter list to the MMS profile. Use the config webfilter content command to add a web content filter list. Use the mmsbwordthreshold <number> option to set the number of banned words that content blocking must find before FortiOS Carrier considers the content to have too many banned words. The rang is 0 to 2147483647 and the default is 10.
chunkedbypass Pass chunked MM1 and MM7 massages. Chunked content cannot be scanned for viruses. If you do not select chunkedbypass, FortiOS Carrier blocks chunked MM1 and MM7 messages. Chunking is a mechanism in version 1.1 of HTTP that allows a web server to start sending chunks of dynamically generated output in response to a request before knowing the actual size of the content.
fragmail Pass fragmented MM3 and MM4 messages. Fragmented messages cannot be scanned for viruses. If you do not select fragmail, FortiOS Carrier blocks fragmented MM3 and MM4 messages.
{clientcomfort | servercomfort} Enable client comforting and server comforting for MM1 and MM7 sessions. You can use client and server comforting to prevent client and server connection timeouts that can occur while waiting for FortiOS Carrier to buffer and scan large requests from slow servers or clients.Use mm1comfortinterval <time> and mm7comfortinterval <time> to control the time in seconds before client and server comforting starts after a download has begun, and the time between sending subsequent data. The range is 1 to 900 seconds and the default is 10 seconds.Use mm1comfortamount <bytes> and mm7comfortamount <bytes> to control the number of bytes sent by client or server comforting at each interval. The range is 1 to 65535 bytes and the default is 1 byte.
carrier-endpoint-bwl Add carrier endpoint content filtering. Use carrierendpointbwltable to select a carrier endpoint content filter list to add to the MMS profile. Use the config firewall carrier-endpoint-bwl command to add carrier endpoint content filter lists.
remove-blocked Remove content intercepted by MMS scanning options and replace it with the appropriate replacement message.Enable remove-blocked-const-length to preserve the message size when removing blocked content. Use this option if billing is affected by message size.
mms-checksum Add MMS content checksums to an MMS profile. Use mms-checksum-table to select the MMS content checksum list to apply to the profile. Use the config antivirus mms-checksum command to add MMS checksums. Use the config antivirus mms-checksum to create checksum lists.
replacemsg-group <index> Specify the replacement messages group to apply to traffic processed by this MMS profile.
{mm1-addr-hdr | mm7-addr-hdr} <string> Specify the MM1 or MM7 header field that this MMS profile looks in for user addresses. Use a text string to specify the field name. For both options, the default is x-up-calling-line-id.
{mm1-addr-source | mm7-addr-source} {cookie | http-header} Specify whether the MMS profile finds MM1 and MM7 source addresses in the HTTP header (http-header) or from cookies (cookie). The default is http-header.
{mm1-convert-hex | mm7-convert-hex} {disable | enable} Enable or disable converting MM1 or MM7 user addresses from hex strings to digital IP addresses. This option is disabled by default.