Fortinet black logo

Administration Guide

Configuring content profiles and content action profiles

Configuring content profiles and content action profiles

The Content sub-menu lets you configure content profiles for incoming and outgoing content-based scanning. The available options vary depending on the chosen directionality.

This topic includes:

Configuring content profiles

The Content tab lets you create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

You can use content profiles to apply content-based encryption to email, or to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. You can apply content profiles to email that you want to protect and email that you want to prevent.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see About administrator account permissions and domains.

To view and configure content profiles
  1. Go to Profile > Content > Content.
  2. GUI item

    Description

    Clone

    (button)

    Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

    Domain

    (drop-down list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain Name

    (column)

    Displays either System or the name of a domain.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click a profile to modify it.
  4. A multisection dialog appears.

  5. For a new profile, select System in the Domain list to see profiles that apply to the entire FortiMail unit or the name of a protected domain.
  6. For a new profile, enter its name. The profile name is editable later.
  7. In Action, select a content action profile to use. For details, see Configuring content action profiles.
  8. Configure the following sections as needed:
  • Click Create or OK to save the entire content profile.
  • Configuring attachment scan rules

    The attachment scan rules define what actions will be taken if the specified files types are found in email attachments.

    Before you can configure the scan rule, you must configure the file filters. See Configuring file filters.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Click the arrow to expand the Attachment Scan Rules section.
    4. Click New to add a rule:

    GUI item

    Description

    Enabled

    Select to enable the rule.

    File filter

    Select the file filter. See Configuring file filters.

    Operator

    Select Is or Is Not. If Is is selected, the below action will be taken. If Is Not is selected, the below action will not be taken. You can use the Is Not option to whitelist some attachment types. For example, if you want to reject all file types except for the PDF files, you can specify that PDF Is Not Reject.

    Action

    Specify the action. Or click New to create a new action profile.

    Configuring scan options

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Scan Options and configure the following:

    GUI item

    Description

    Bypass scan on SMTP authentication

    Enable to omit content profile scanning if the SMTP session is authenticated.

    Detect fragmented email

    Enable to detect and block fragmented email.

    Some mail user agents, such as Outlook, can fragment big emails into multiple sub-messages. This is used to bypass oversize limits/scanning.

    Detect password protected Office/PDF document

    Enable to apply the block action configured in the content action profile if an attached MS Office, OpenOffice, or PDF document is password-protected, and therefore cannot be decompressed in order to scan its contents.

    Attempt to decrypt Office/PDF document

    Enable to decrypt the MS Office, OpenOffice, or PDF attachments using the predefined or user-defined passwords. For details, see Configuring file password.

    Detect embedded component

    Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.

    Enable to scan files that are encapsulated within the document itself for MIME types such as Microsoft Office, Microsoft Visio, OpenOffice.org , and PDF documents.

    Defer delivery of message on policy match

    Enable to defer mail delivery from specific senders configured in policy to conserve peak time bandwidth at the expense of sending low priority, bandwidth consuming traffic at scheduled times. For example, you can apply this function to senders of marketing campaign emails or mass mailing.

    For information on policy, see How to use policies.

    For information on scheduling deferred delivery, see Configuring mail server settings.

    Defer delivery of messages larger than

    Enter the file size limit over which the FortiMail unit will defer processing large email messages. If not enabled, large messages are not deferred.

    For information on scheduling deferred delivery, see Configuring mail server settings.

    Maximum number of attachment

    Specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10.

    Maximum size

    You can specify the actions to take against the email (either the message itself or the attachments) that exceeds the specified maximum size.

    Adult image analysis

    If you have purchase the adult image scan license, you can enable it to scan for adult images.

    You can also configure the scan sensitivity and image sizes under Security > Other > Adult Image Analysis. For details, see Configuring adult image analysis.

    Configuring content disarm and reconstruction (CDR)

    HTML contents in email body and attachments may contain potentially hazardous tags and attributes (such as hyperlinks and scripts). MS Office and PDF attachments may contain potentially hazardous macros, active scripts, and other active contents.

    FortiMail provides the capability to remove or neutralize the potentially hazardous contents and reconstruct the email messages and attachment files.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Expand Content Disarm and Reconstruction and configure the following:

    GUI item

    Description

    Action

    Either use the default action or specify an action.

    HTML content

    Enable to detect hypertext markup language (HTML) tags in the content type text/html parts of the email messages.

    • Convert HTML to text: convert the HTML content to text only content.
    • Sanitize HTML content: produce new HTML content by removing the potentially hazardous tags and attributes (such as hyperlinks and scripts) and only preserving the safe and essential tags (such as formatting tags).
    • Remove URIs: remove the URIs in email message. To define which URI category to remove URIs from, click View settings (see Configuring FortiGuard URI click protection service).
    • Click Protection: Rewrite the URI and in case the user clicks on the URI, scan the URI and then take the configured actions (see Configuring FortiGuard URI click protection service).
    • FortiIsolator: Redirect the user to FortiIsolator so that the user will be browsing through FortiIsolator. For information about FortiIsolator, see Configuring FortiGuard URI click protection service.
    • Click Protection + FortiIsolator: Rewrite the URI and when the user clicks on the URI, the URI will be redirecte to FortiMail for scanning. If the URI is malicious, the URL will be bocked; if the URI is clean, the URI is rewritten to point to the FortiIsolator, and the user will browse through FortiIsolator.

    Text content

    Enable to detect URIs in the content type text/plain parts of the email messages.

    • Remove URIs: Removes URIs in the text parts of email messages. To view the URI click protection and FortiIsolator settings, click View settings (see Configuring FortiGuard URI click protection service).
    • Click Protection: Rewrite the URI, and in case the user clicks on the URI, scan the URI and then take the configured actions (see Configuring FortiGuard URI click protection service).
    • FortiIsolator: Redirect the user to FortiIsolator so that the user will be browsing through FortiIsolator. For information about FortiIsolator, see Configuring FortiGuard URI click protection service.
    • Click Protection + FortiIsolator: Rewrite the URI and when the user clicks on the URI, the URI will be redirecte to FortiMail for scanning. If the URI is malicious, the URL will be bocked; if the URI is clean, the URI is rewritten to point to the FortiIsolator, and the user will browse through FortiIsolator.

    MS Office

    Enable to disarm and reconstruct the MS Office attachments. This also includes the .zip files that are compressed once.

    PDF

    Enable to disarm and reconstruct the PDF attachments. This also includes the .zip files that are compressed once.

    Configuring archive handling

    For email with archive attachments, you can decide what to do with them. Currently, FortiMail supports ZIP, PKZIP, GZIP, BZIP, TAR, RAR, JAR, CAB, 7Z, and EGG for content inspection.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Expand Archive Handling and configure the following:

    Check Archive Content

    Enable to determine which action to perform with the archive attachments.

    • blocking password protected archives if you have selected Detect Password Protected Archive
    • blocking archives that could not be successfully decompressed if you have selected Detect on Failure to Decompress
    • passing/blocking by comparing the depth of nested archives with the nesting depth threshold configured in Max Level of Compression

    By default, archives with less than 10 levels of compression will be blocked if they cannot be successfully decompressed or are password-protected.

    Depending on the nesting depth threshold and the attachment’s depth of nested archives, the FortiMail unit may also consider the file types of files within the archive when determining which action to perform. For details, see the section below.

    If disabled, the FortiMail unit will perform the Block/Pass action solely based upon whether an email contains an archive. It will disregard the depth of nesting, password protection, successful decompression, and the file types of contents within the archive.

    Detect on Failure to Decompress

    Enable to apply the block action configured in the content action profile if an attached archive cannot be successfully decompressed, such as if the compression algorithm is unknown, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check Archive Content is enabled.

    Detect Password Protected Archive

    Enable to apply the block action configured in the content action profile if an attached archive is password-protected, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check Archive Content is enabled.

    Attempt to decrypt archive

    Enable to decrypt and scan the archives, using the passwords configured in Configuring password decryption options. If fails, the email will be passed.

    This option is available only if Check Archive Content is enabled.

    Max Level of Compression

    Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit uses one of the following methods to determine if it should block or pass the email.

    • Max Level of Compression is 0, or attachment’s depth of nesting equals or is less than Max Level of Compression: If the attachment contains a file that matches one of the other MIME file types, perform the action configured for that file type, either block or pass.
    • Attachment’s depth of nesting is greater than Max Level of Compression: Apply the block action, unless you have deselected the check box for Max Level of Compression, in which case it will pass the MIME file type content filter. Block actions are specified in the content action profile.

    The specified compression value is always considered if Check Archive Content is enabled, but has an effect only if the threshold is exceeded.

    This option is available only if Check Archive Content is enabled.

    Configuring password decryption options

    For password-protected PDF and archive attachments, if you want to decrypt and scan them, you can specify what kind of passwords you want to use to decrypt the files.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Expand File Password Decryption Options.
    4. Specify the type of passwords to use:
    • Words in email content: use the words before and after the keywords as the passwords. Number of words to try: specify how many words before and after the keywords to use. For example, in the email content, there is such a sentence: “To open the document, please use password 123456. If you cannot open it, please contact us.” If you specify to use two words before and after the keyword, “please”, “use” (two words before the keyword “password”), “123456”, and “If” (two words after the keyword “password”) will be used as one by one as the password to decrypt the attachments.
    • Built-in password list: Enable this option to use the predefined passwords.
    • User-defined password list: Enable this option to use the passwords defined under Profile > Content > File Password. For details, see Configuring file password.

    Configuring content monitor and filtering

    The monitor profile uses the dictionary profile to determine matching email messages, and the actions that will be performed if a match is found.

    You can also select to scan MS Office, PDF, or archived email attachments.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    To configure a content monitor profile
    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Content Monitor and Filtering.
    4. GUI item

      Description

      Move

      (button)

      Mark a check box to select a content monitor profile, then click this button. Choose Up or Down from the pop-up menu.

      Content monitor profiles are evaluated for a match in order of their appearance in this list. Usually, content monitor profiles should be ordered from most specific to most general, and from accepting or quarantining to rejecting.

      Delete

      (button)

      Mark a check box to select a content monitor profile, then click this button to remove it.

      Note: Deletion does not take effect immediately; it occurs when you save the content profile.

    5. Click New for a new monitor profile or double-click an existing profile to modify it.
    6. A dialog appears.

    7. Configure the following:
    8. GUI item

      Description

      Enable

      Enable to use the content monitor to inspect email for matching email and perform the configured action.

      Dictionary

      Select either Profile or Group, then select the name of a dictionary profile or group from the drop-down list next to it.

      If no profile or group exists, click New to create one, or select an existing profile or group and click Edit to modify it. A dialog appears.

      For information on creating and editing dictionary profiles and groups, see Configuring dictionary profiles.

      Minimum score

      Displays the number of times that an email must match the dictionary profile before it will receive the action configured in Action. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.

      Action

      Displays action that the FortiMail unit will perform if the content of the email message matches words or patterns from the dictionary profile.

      If no action exists, click New to create one, or select an existing action and click Edit to modify it. A dialog appears.

      For information on action profiles, see Configuring content action profiles.

      Scan Condition

      Specify the content type to scan:

      • PDF files
      • Microsoft Office files
      • Archived PDF and MS Office files. If you select this option, you can also use the following CLI commands to specify the maximum levels to decompress and the maximum file size to decompress:

      config mailsetting mail-scan-options

      set decompress-max-level <level_1-16>

      set decompress-max-size <size_in_MB>

      end

    9. Click Create or OK on the Content Monitor Profile dialog to save and close it.

    Configuring file filters

    File filters are used in the attachment scan rules (see Configuring attachment scan rules. File filters defines the email attachment file types and file extensions to be scanned.

    Note

    Wildcards can be used in file filters. For details about wildcard syntax, see Appendix D: Wildcards and regular expressions.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles and content action profiles.

    1. Go to Profile > Content > File Filter.
    2. Click New to create a new filter or double click on an existing filter to edit it.

    GUI item

    Description

    Domain

    The new filter can applied to a domain or system wide.

    Name

    Enter a name for the filter.

    Description

    Optionally enter a description.

    File Type

    Either select from the predefined types and/or specify your own.

    File Extension

    Either select from the predefined extensions and/or specify your own.

    Caution

    Encrypted email content cannot be scanned for spam, viruses, or banned content.

    Note

    Unlike other attachment types, archives may receive an action other than your Block/Pass selection, depending on your configuration in the Scan Conditions (see Action).

    Note

    For each file type, you can use an action profile to overwrite the default action profile used by the content profile. For example, if you want to redirect encrypted email to a third party box (such as a PGP Universal Server) for decryption, You can:

    1. Create a content action profile and enable the Send to alternate host option in the action profile. Enter the PGP server as the alternate host. For details about how create a content action profile, see Configuring content action profiles.
    2. Select to block the encrypted/pgp file type under document/encrypted. “Block” means to apply an action profile.
    3. Select the action profile for the document/encrypted file type. This action profile will overwrite the action profile you select for the entire content profile.

    Configuring file password

    When you configure the content profile, you can choose to decrypt PDF documents (see Configuring scan options) and archived files (see Configuring archive handling. To decrypt the documents, you need passwords. For details, see Configuring password decryption options.

    To configure user-defined passwords
    1. Go to Profile > Content > File Password.
    2. Click New.
    3. Enter the password that will be used to decrypt documents.
    4. Click Create.

    Configuring content action profiles

    The Action tab in the Content submenu lets you define content action profiles. Use these profiles to apply content-based encryption.

    Alternatively, content action profiles can define one or more things that the FortiMail unit should do if the content profile determines that an email contains prohibited words or phrases, file names, or file types.

    For example, you might have configured most content profiles to match prohibited content, and therefore to use a content action profile named quar_profile which quarantines email to the system quarantine for review.

    However, you have decided that email that does not pass the dictionary scan named financial_terms is always prohibited, and should be rejected so that it does not require manual review. To do this, first configure a second action profile, named rejection_profile, which rejects email. You would then override quar_profile specifically for the dictionary-based content scan in each profile by selecting rejection_profile for content that matches financial_terms.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see About administrator account permissions and domains.

    To view and manage the list of content action profiles
    1. Go to Profile > Content > Action.
    2. GUI item

      Description

      Domain

      (drop-down list)

      Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

      Profile Name

      Displays the name of the profile.

      Domain

      (column)

      Displays either System or a domain name.

      (Green dot in column heading)

      Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

    3. Either click New to add a profile or double-click an existing profile to modify it.
    4. A dialog appears.

    5. Configure the following:
    6. GUI item

      Description

      Domain

      For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.

      Profile name

      For a new profile, enter its name.

      Tag email’s subject line

      Enable and enter the text that will appear in the subject line of the email, such as “[PROHIBITED-CONTENT]”, in the With value field. The FortiMail unit prepends this text to the subject line of the email before forwarding it to the recipient.

      Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.

      Insert header

      Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.

      Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.

      Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:

      X-Content-Filter: Contains banned word.

      If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.

      Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822.

      Starting from 6.0.1 release, you can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value.

      Insert disclaimer

      Starting from 6.0.1 release, you can insert disclaimer as an action.

      You can modify the default discaimer or add new disclaimers by going to System > Customization > Custom Message > Email Content Resources > Disclaimer insertion message.

      Deliver to alternate host

      Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.

      You can choose to deliver the original email or the modified email.

      Deliver to original host

      Enable to route the email to the original SMTP server or relay. Note the you can deliver email to both the original and alternate hosts.

      You can choose to deliver the original email or the modified email.

      BCC

      Enable to send a blind carbon copy (BCC) of the email.

      Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area.

      Replace with message

      Enable to replace the email’s contents with a replacement message. Then select a replacement message from the dropdown list. For more information, see Customizing GUI, replacement messages, email templates, and SSO.

      Note: When the action profile is used in a DLP profile, the replace action will fallback to system quarantine action.

      Archive to account

      Enable to send the email to an archiving account. As long as this action is enabled, no matter if the email is delivered or rejected, it will still be archived.

      Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.

      Notify with profile

      Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.

      Final action

      Treat as spam

      Enable to perform the Actions selected in the antispam profile of the policy that matches the email. For more information, see Configuring antispam action profiles.

      Reject

      Enable to reject the email and reply to the SMTP client with SMTP reply code 550.

      Discard

      Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

      Personal quarantine

      For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines.

      For outgoing email, this action will fallback to the system quarantine.

      You can choose to quarantine the original email or the modified email.

      System quarantine to folder

      Enable to redirect the email to the system quarantine and specify the quarantine folder. For more information, see Managing the system quarantine.

      The two quarantine options are mutually exclusive.

      You can choose to quarantine the original email or the modified email.

      Rewrite recipient email address

      Enable to change the recipient address of any email that matches the content profile.

      Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select either:

      • None: No change.
      • Prefix: Prepend the part with text that you have entered in the With field.
      • Suffix: Append the part with the text you have entered in the With field.
      • Replace: Substitute the part with the text you have entered in the With field.

      Encrypt with profile

      Enable to apply an encryption profile, then select which encryption profile to use. For details, see Configuring encryption profiles.

      Note that If you select an IBE encryption profile, it will be overridden if either S/MIME or TLS or both are selected in the message delivery rule configuration (Policy > Access control > Delivery > New).

      For information about message delivery rules, see Configuring delivery rules.

    To apply a content action profile, select it in the Action drop-down list of one or more antispam profiles. For details, see Managing antispam profiles.

    See also

    Configuring content profiles

    Configuring content profiles and content action profiles

    The Content sub-menu lets you configure content profiles for incoming and outgoing content-based scanning. The available options vary depending on the chosen directionality.

    This topic includes:

    Configuring content profiles

    The Content tab lets you create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

    Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

    You can use content profiles to apply content-based encryption to email, or to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. You can apply content profiles to email that you want to protect and email that you want to prevent.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see About administrator account permissions and domains.

    To view and configure content profiles
    1. Go to Profile > Content > Content.
    2. GUI item

      Description

      Clone

      (button)

      Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

      Domain

      (drop-down list)

      Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

      Profile Name

      Displays the name of the profile.

      Domain Name

      (column)

      Displays either System or the name of a domain.

      (Green dot in column heading)

      Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

    3. Either click New to add a profile or double-click a profile to modify it.
    4. A multisection dialog appears.

    5. For a new profile, select System in the Domain list to see profiles that apply to the entire FortiMail unit or the name of a protected domain.
    6. For a new profile, enter its name. The profile name is editable later.
    7. In Action, select a content action profile to use. For details, see Configuring content action profiles.
    8. Configure the following sections as needed:
  • Click Create or OK to save the entire content profile.
  • Configuring attachment scan rules

    The attachment scan rules define what actions will be taken if the specified files types are found in email attachments.

    Before you can configure the scan rule, you must configure the file filters. See Configuring file filters.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Click the arrow to expand the Attachment Scan Rules section.
    4. Click New to add a rule:

    GUI item

    Description

    Enabled

    Select to enable the rule.

    File filter

    Select the file filter. See Configuring file filters.

    Operator

    Select Is or Is Not. If Is is selected, the below action will be taken. If Is Not is selected, the below action will not be taken. You can use the Is Not option to whitelist some attachment types. For example, if you want to reject all file types except for the PDF files, you can specify that PDF Is Not Reject.

    Action

    Specify the action. Or click New to create a new action profile.

    Configuring scan options

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Scan Options and configure the following:

    GUI item

    Description

    Bypass scan on SMTP authentication

    Enable to omit content profile scanning if the SMTP session is authenticated.

    Detect fragmented email

    Enable to detect and block fragmented email.

    Some mail user agents, such as Outlook, can fragment big emails into multiple sub-messages. This is used to bypass oversize limits/scanning.

    Detect password protected Office/PDF document

    Enable to apply the block action configured in the content action profile if an attached MS Office, OpenOffice, or PDF document is password-protected, and therefore cannot be decompressed in order to scan its contents.

    Attempt to decrypt Office/PDF document

    Enable to decrypt the MS Office, OpenOffice, or PDF attachments using the predefined or user-defined passwords. For details, see Configuring file password.

    Detect embedded component

    Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.

    Enable to scan files that are encapsulated within the document itself for MIME types such as Microsoft Office, Microsoft Visio, OpenOffice.org , and PDF documents.

    Defer delivery of message on policy match

    Enable to defer mail delivery from specific senders configured in policy to conserve peak time bandwidth at the expense of sending low priority, bandwidth consuming traffic at scheduled times. For example, you can apply this function to senders of marketing campaign emails or mass mailing.

    For information on policy, see How to use policies.

    For information on scheduling deferred delivery, see Configuring mail server settings.

    Defer delivery of messages larger than

    Enter the file size limit over which the FortiMail unit will defer processing large email messages. If not enabled, large messages are not deferred.

    For information on scheduling deferred delivery, see Configuring mail server settings.

    Maximum number of attachment

    Specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10.

    Maximum size

    You can specify the actions to take against the email (either the message itself or the attachments) that exceeds the specified maximum size.

    Adult image analysis

    If you have purchase the adult image scan license, you can enable it to scan for adult images.

    You can also configure the scan sensitivity and image sizes under Security > Other > Adult Image Analysis. For details, see Configuring adult image analysis.

    Configuring content disarm and reconstruction (CDR)

    HTML contents in email body and attachments may contain potentially hazardous tags and attributes (such as hyperlinks and scripts). MS Office and PDF attachments may contain potentially hazardous macros, active scripts, and other active contents.

    FortiMail provides the capability to remove or neutralize the potentially hazardous contents and reconstruct the email messages and attachment files.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Expand Content Disarm and Reconstruction and configure the following:

    GUI item

    Description

    Action

    Either use the default action or specify an action.

    HTML content

    Enable to detect hypertext markup language (HTML) tags in the content type text/html parts of the email messages.

    • Convert HTML to text: convert the HTML content to text only content.
    • Sanitize HTML content: produce new HTML content by removing the potentially hazardous tags and attributes (such as hyperlinks and scripts) and only preserving the safe and essential tags (such as formatting tags).
    • Remove URIs: remove the URIs in email message. To define which URI category to remove URIs from, click View settings (see Configuring FortiGuard URI click protection service).
    • Click Protection: Rewrite the URI and in case the user clicks on the URI, scan the URI and then take the configured actions (see Configuring FortiGuard URI click protection service).
    • FortiIsolator: Redirect the user to FortiIsolator so that the user will be browsing through FortiIsolator. For information about FortiIsolator, see Configuring FortiGuard URI click protection service.
    • Click Protection + FortiIsolator: Rewrite the URI and when the user clicks on the URI, the URI will be redirecte to FortiMail for scanning. If the URI is malicious, the URL will be bocked; if the URI is clean, the URI is rewritten to point to the FortiIsolator, and the user will browse through FortiIsolator.

    Text content

    Enable to detect URIs in the content type text/plain parts of the email messages.

    • Remove URIs: Removes URIs in the text parts of email messages. To view the URI click protection and FortiIsolator settings, click View settings (see Configuring FortiGuard URI click protection service).
    • Click Protection: Rewrite the URI, and in case the user clicks on the URI, scan the URI and then take the configured actions (see Configuring FortiGuard URI click protection service).
    • FortiIsolator: Redirect the user to FortiIsolator so that the user will be browsing through FortiIsolator. For information about FortiIsolator, see Configuring FortiGuard URI click protection service.
    • Click Protection + FortiIsolator: Rewrite the URI and when the user clicks on the URI, the URI will be redirecte to FortiMail for scanning. If the URI is malicious, the URL will be bocked; if the URI is clean, the URI is rewritten to point to the FortiIsolator, and the user will browse through FortiIsolator.

    MS Office

    Enable to disarm and reconstruct the MS Office attachments. This also includes the .zip files that are compressed once.

    PDF

    Enable to disarm and reconstruct the PDF attachments. This also includes the .zip files that are compressed once.

    Configuring archive handling

    For email with archive attachments, you can decide what to do with them. Currently, FortiMail supports ZIP, PKZIP, GZIP, BZIP, TAR, RAR, JAR, CAB, 7Z, and EGG for content inspection.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Expand Archive Handling and configure the following:

    Check Archive Content

    Enable to determine which action to perform with the archive attachments.

    • blocking password protected archives if you have selected Detect Password Protected Archive
    • blocking archives that could not be successfully decompressed if you have selected Detect on Failure to Decompress
    • passing/blocking by comparing the depth of nested archives with the nesting depth threshold configured in Max Level of Compression

    By default, archives with less than 10 levels of compression will be blocked if they cannot be successfully decompressed or are password-protected.

    Depending on the nesting depth threshold and the attachment’s depth of nested archives, the FortiMail unit may also consider the file types of files within the archive when determining which action to perform. For details, see the section below.

    If disabled, the FortiMail unit will perform the Block/Pass action solely based upon whether an email contains an archive. It will disregard the depth of nesting, password protection, successful decompression, and the file types of contents within the archive.

    Detect on Failure to Decompress

    Enable to apply the block action configured in the content action profile if an attached archive cannot be successfully decompressed, such as if the compression algorithm is unknown, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check Archive Content is enabled.

    Detect Password Protected Archive

    Enable to apply the block action configured in the content action profile if an attached archive is password-protected, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check Archive Content is enabled.

    Attempt to decrypt archive

    Enable to decrypt and scan the archives, using the passwords configured in Configuring password decryption options. If fails, the email will be passed.

    This option is available only if Check Archive Content is enabled.

    Max Level of Compression

    Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit uses one of the following methods to determine if it should block or pass the email.

    • Max Level of Compression is 0, or attachment’s depth of nesting equals or is less than Max Level of Compression: If the attachment contains a file that matches one of the other MIME file types, perform the action configured for that file type, either block or pass.
    • Attachment’s depth of nesting is greater than Max Level of Compression: Apply the block action, unless you have deselected the check box for Max Level of Compression, in which case it will pass the MIME file type content filter. Block actions are specified in the content action profile.

    The specified compression value is always considered if Check Archive Content is enabled, but has an effect only if the threshold is exceeded.

    This option is available only if Check Archive Content is enabled.

    Configuring password decryption options

    For password-protected PDF and archive attachments, if you want to decrypt and scan them, you can specify what kind of passwords you want to use to decrypt the files.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Expand File Password Decryption Options.
    4. Specify the type of passwords to use:
    • Words in email content: use the words before and after the keywords as the passwords. Number of words to try: specify how many words before and after the keywords to use. For example, in the email content, there is such a sentence: “To open the document, please use password 123456. If you cannot open it, please contact us.” If you specify to use two words before and after the keyword, “please”, “use” (two words before the keyword “password”), “123456”, and “If” (two words after the keyword “password”) will be used as one by one as the password to decrypt the attachments.
    • Built-in password list: Enable this option to use the predefined passwords.
    • User-defined password list: Enable this option to use the passwords defined under Profile > Content > File Password. For details, see Configuring file password.

    Configuring content monitor and filtering

    The monitor profile uses the dictionary profile to determine matching email messages, and the actions that will be performed if a match is found.

    You can also select to scan MS Office, PDF, or archived email attachments.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

    To configure a content monitor profile
    1. Go to Profile > Content.
    2. Click New to create a new profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Content Monitor and Filtering.
    4. GUI item

      Description

      Move

      (button)

      Mark a check box to select a content monitor profile, then click this button. Choose Up or Down from the pop-up menu.

      Content monitor profiles are evaluated for a match in order of their appearance in this list. Usually, content monitor profiles should be ordered from most specific to most general, and from accepting or quarantining to rejecting.

      Delete

      (button)

      Mark a check box to select a content monitor profile, then click this button to remove it.

      Note: Deletion does not take effect immediately; it occurs when you save the content profile.

    5. Click New for a new monitor profile or double-click an existing profile to modify it.
    6. A dialog appears.

    7. Configure the following:
    8. GUI item

      Description

      Enable

      Enable to use the content monitor to inspect email for matching email and perform the configured action.

      Dictionary

      Select either Profile or Group, then select the name of a dictionary profile or group from the drop-down list next to it.

      If no profile or group exists, click New to create one, or select an existing profile or group and click Edit to modify it. A dialog appears.

      For information on creating and editing dictionary profiles and groups, see Configuring dictionary profiles.

      Minimum score

      Displays the number of times that an email must match the dictionary profile before it will receive the action configured in Action. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.

      Action

      Displays action that the FortiMail unit will perform if the content of the email message matches words or patterns from the dictionary profile.

      If no action exists, click New to create one, or select an existing action and click Edit to modify it. A dialog appears.

      For information on action profiles, see Configuring content action profiles.

      Scan Condition

      Specify the content type to scan:

      • PDF files
      • Microsoft Office files
      • Archived PDF and MS Office files. If you select this option, you can also use the following CLI commands to specify the maximum levels to decompress and the maximum file size to decompress:

      config mailsetting mail-scan-options

      set decompress-max-level <level_1-16>

      set decompress-max-size <size_in_MB>

      end

    9. Click Create or OK on the Content Monitor Profile dialog to save and close it.

    Configuring file filters

    File filters are used in the attachment scan rules (see Configuring attachment scan rules. File filters defines the email attachment file types and file extensions to be scanned.

    Note

    Wildcards can be used in file filters. For details about wildcard syntax, see Appendix D: Wildcards and regular expressions.

    The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles and content action profiles.

    1. Go to Profile > Content > File Filter.
    2. Click New to create a new filter or double click on an existing filter to edit it.

    GUI item

    Description

    Domain

    The new filter can applied to a domain or system wide.

    Name

    Enter a name for the filter.

    Description

    Optionally enter a description.

    File Type

    Either select from the predefined types and/or specify your own.

    File Extension

    Either select from the predefined extensions and/or specify your own.

    Caution

    Encrypted email content cannot be scanned for spam, viruses, or banned content.

    Note

    Unlike other attachment types, archives may receive an action other than your Block/Pass selection, depending on your configuration in the Scan Conditions (see Action).

    Note

    For each file type, you can use an action profile to overwrite the default action profile used by the content profile. For example, if you want to redirect encrypted email to a third party box (such as a PGP Universal Server) for decryption, You can:

    1. Create a content action profile and enable the Send to alternate host option in the action profile. Enter the PGP server as the alternate host. For details about how create a content action profile, see Configuring content action profiles.
    2. Select to block the encrypted/pgp file type under document/encrypted. “Block” means to apply an action profile.
    3. Select the action profile for the document/encrypted file type. This action profile will overwrite the action profile you select for the entire content profile.

    Configuring file password

    When you configure the content profile, you can choose to decrypt PDF documents (see Configuring scan options) and archived files (see Configuring archive handling. To decrypt the documents, you need passwords. For details, see Configuring password decryption options.

    To configure user-defined passwords
    1. Go to Profile > Content > File Password.
    2. Click New.
    3. Enter the password that will be used to decrypt documents.
    4. Click Create.

    Configuring content action profiles

    The Action tab in the Content submenu lets you define content action profiles. Use these profiles to apply content-based encryption.

    Alternatively, content action profiles can define one or more things that the FortiMail unit should do if the content profile determines that an email contains prohibited words or phrases, file names, or file types.

    For example, you might have configured most content profiles to match prohibited content, and therefore to use a content action profile named quar_profile which quarantines email to the system quarantine for review.

    However, you have decided that email that does not pass the dictionary scan named financial_terms is always prohibited, and should be rejected so that it does not require manual review. To do this, first configure a second action profile, named rejection_profile, which rejects email. You would then override quar_profile specifically for the dictionary-based content scan in each profile by selecting rejection_profile for content that matches financial_terms.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see About administrator account permissions and domains.

    To view and manage the list of content action profiles
    1. Go to Profile > Content > Action.
    2. GUI item

      Description

      Domain

      (drop-down list)

      Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

      Profile Name

      Displays the name of the profile.

      Domain

      (column)

      Displays either System or a domain name.

      (Green dot in column heading)

      Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

    3. Either click New to add a profile or double-click an existing profile to modify it.
    4. A dialog appears.

    5. Configure the following:
    6. GUI item

      Description

      Domain

      For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.

      Profile name

      For a new profile, enter its name.

      Tag email’s subject line

      Enable and enter the text that will appear in the subject line of the email, such as “[PROHIBITED-CONTENT]”, in the With value field. The FortiMail unit prepends this text to the subject line of the email before forwarding it to the recipient.

      Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.

      Insert header

      Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.

      Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.

      Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:

      X-Content-Filter: Contains banned word.

      If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.

      Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822.

      Starting from 6.0.1 release, you can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value.

      Insert disclaimer

      Starting from 6.0.1 release, you can insert disclaimer as an action.

      You can modify the default discaimer or add new disclaimers by going to System > Customization > Custom Message > Email Content Resources > Disclaimer insertion message.

      Deliver to alternate host

      Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.

      You can choose to deliver the original email or the modified email.

      Deliver to original host

      Enable to route the email to the original SMTP server or relay. Note the you can deliver email to both the original and alternate hosts.

      You can choose to deliver the original email or the modified email.

      BCC

      Enable to send a blind carbon copy (BCC) of the email.

      Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area.

      Replace with message

      Enable to replace the email’s contents with a replacement message. Then select a replacement message from the dropdown list. For more information, see Customizing GUI, replacement messages, email templates, and SSO.

      Note: When the action profile is used in a DLP profile, the replace action will fallback to system quarantine action.

      Archive to account

      Enable to send the email to an archiving account. As long as this action is enabled, no matter if the email is delivered or rejected, it will still be archived.

      Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.

      Notify with profile

      Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.

      Final action

      Treat as spam

      Enable to perform the Actions selected in the antispam profile of the policy that matches the email. For more information, see Configuring antispam action profiles.

      Reject

      Enable to reject the email and reply to the SMTP client with SMTP reply code 550.

      Discard

      Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

      Personal quarantine

      For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines.

      For outgoing email, this action will fallback to the system quarantine.

      You can choose to quarantine the original email or the modified email.

      System quarantine to folder

      Enable to redirect the email to the system quarantine and specify the quarantine folder. For more information, see Managing the system quarantine.

      The two quarantine options are mutually exclusive.

      You can choose to quarantine the original email or the modified email.

      Rewrite recipient email address

      Enable to change the recipient address of any email that matches the content profile.

      Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select either:

      • None: No change.
      • Prefix: Prepend the part with text that you have entered in the With field.
      • Suffix: Append the part with the text you have entered in the With field.
      • Replace: Substitute the part with the text you have entered in the With field.

      Encrypt with profile

      Enable to apply an encryption profile, then select which encryption profile to use. For details, see Configuring encryption profiles.

      Note that If you select an IBE encryption profile, it will be overridden if either S/MIME or TLS or both are selected in the message delivery rule configuration (Policy > Access control > Delivery > New).

      For information about message delivery rules, see Configuring delivery rules.

    To apply a content action profile, select it in the Action drop-down list of one or more antispam profiles. For details, see Managing antispam profiles.

    See also

    Configuring content profiles