profile content
Use this command to create content profiles, which you can use to match email based upon its subject line, message body, and attachments.
Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.
Content profiles can be used to apply content-based encryption to email. They can also be used to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. As such, content profiles can be used both for email that you want to protect, and for email that you want to prevent.
Syntax
config profile content
edit <profile_name>
config attachment-scan
edit <index_number>
set action <action>
set attachment-name-pattern <pattern_str>
config monitor
edit monitor <index_int>
set dictionary-group <dictionary-group_name>
set dictionary-profile <dictionary-profile_name>
set dictionary-type {group | profile}
set scan-msoffice {enable | disable}
set scan-pdf {enable | disable}
set action-cdr <action_profile>
set action-default <action_profile>
set action-image-analysis <action_profile>
set action-max-size <action-profile>
set archive-scan-options {block-on-failure-to-decompress | block-password-protected | block-recursive}
set cdr-file-type-options {msoffice | pdf}
set decrypt-password-archive {enable |disable}
set decrypt-password-num-of-words <number>
set decrypt-password-office {enable | disable}
set html-content-action {click-protection | convert-to-text | remove-uri | sanitize-content}
set image-analysis-scan {enable | disable}
set max-num-of-attachment <number>
set max-size-options {message | attachment}
set max-size-status {enable | disable}
set scan options block-fragmented-email
set scan options block-password-protected-office
set scan options check-archive-content
set scan options check-embedded-content
set scan options bypass-on-smtp-auth
set scan options check-html-content
set scan options check-max-num-of-attachment
set scan options check-text-content
set scan options defer-message-delivery
set text-content-action {remove-uri | click-protection}
end
Variable |
Description |
Default |
Enter the name of the profile. To view a list of existing entries, enter a question mark ( |
No default. |
|
Specify the action to use. |
No default. |
|
Specify the operator. |
is |
|
Enter a pattern, such as The patterns include:
|
No default. |
|
Enable or disable a pattern that matches the email attachment names that you want the content profile to match. |
enable |
|
Enter the index number of the monitor profile. If the monitor profile does not currently exist, it will be created. |
No default. |
|
Enter the action profile for this monitor profile. The FortiMail unit will perform the actions if the content of the email message matches words or patterns from the dictionary profile that the monitor profile uses. |
No default. |
|
Enter the number of times that an email must match the content monitor profile before it will receive the antispam action. |
1 |
|
Enter the dictionary profile group that this monitor profile will use. The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profiles. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile. For information on dictionary profiles, see the FortiMail Administration Guide. |
No default. |
|
Enter the dictionary profile that this monitor profile will use. The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profile. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile in profile content-action. For information on dictionary profiles, see the FortiMail Administration Guide. |
No default. |
|
Enter |
group |
|
Enable or disable MS Word document scanning for this profile. |
disable |
|
Enable or disable PDF document scanning for this profile. |
disable |
|
Enable or disable this monitor profile. |
disable |
|
Specify the action profile to use. |
|
|
Enter a content action profile to be used by all the content filters except for the encrypted email, which can have its own action. See below for details. |
|
|
For the image email file type, you can use a content action profile to overwrite the default action profile used in the content profile. |
|
|
Specify the action profile to use for message over maximum size. |
|
|
Enter to apply the action configured in profile content-action if an attached archive cannot be successfully decompressed in order to scan its contents. |
|
|
Enter to apply the action configured inprofile content-action if an attached archive is password-protected. |
|
|
Enable to block archive attachments whose depth of nested archives exceeds archive-max-recursive-level <depth_int>. |
|
|
Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit will use one of the following methods to determine whether it should block or pass the email.
Attachment’s depth of nesting is greater than |
0 |
|
Specify the file type for content disarm and reconstruction. |
|
|
Enable or disable to decrypt password protected archives. |
disable |
|
Specify the number of words adjacent to the keyword to try for archive decryption. |
5 |
|
Enable to decrypt password protected Office files. |
disable |
|
decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content} |
Specify which kind of password to use to decrypt the archives. |
words-in-email-content |
Bigger size will be deferred. 0 means no limit. |
0 |
|
embedded-scan-options {check-msoffice | check-msoffice-vba | check-msvisio | check-openoffice | check-pdf} |
Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector. Enable to, for MIME types such as Microsoft Office, Microsoft Visio, OpenOffice.org , and PDF documents, scan files that are encapsulated within the document itself. |
|
html-content-action {click-protection | convert-to-text | remove-uri | sanitize-content} |
Specify the action towards hypertext markup language (HTML) tags in email messages: Convert HTML to text: convert the HTML content to text only content. Sanitize HTML content: produce new HTML content by removing the potentially hazardous tags and attributes (such as hyperlinks and scripts) and only preserving the safe and essential tags (such as formatting tags). Remove URIs: remove the URIs in email message. Click Protection: Rewrite the URIs and in case the user clicks on the URIs, scan the URIs and then take the configured actions. |
|
If you have purchase the adult image scan license, you can enable it to scan for adult images. You can also configure the scan sensitivity and image sizes under Security > Other > Adult Image Analysis. |
disable |
|
Specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10. |
10 |
|
Enter the size threshold in kilobytes. Delivery of email messages greater than this size will be deferred until the period configured for oversize email. To disable deferred delivery, enter |
10240 |
|
Specify either the message or attachment for the size limit. |
message |
|
Enable to apply the maximum size limits. |
disable |
|
Enable to detect and block fragmented email. Some mail user agents, such as Outlook, are able to fragment big emails into multiple sub-messages. This is used to bypass oversize limits/scanning. |
disable |
|
Enable to apply the block action configured in the content action profile if an attached MS Office document is password-protected, and therefore cannot be decompressed in order to scan its contents. |
disable |
|
Enable to check for archived attachments. |
|
|
Enable to check for embedded contents. |
|
|
Enable to omit antispam scans when an SMTP sender is authenticated. |
disable |
|
Enable to detect hypertext markup language (HTML) tags and, if found: apply the action profile add This option can be used to mitigate potentially harmful HTML content such as corrupted images or files, or phishing URLs that have been specially crafted for a targeted attack, and therefore not yet identified by the FortiGuard Antispam service. Depending on the action profile, for example, you could warn email users by tagging email that contains potentially dangerous HTML content, or, if you have removed the HTML tags, allow users to safely read the email to decide whether or not it is legitimate first, without automatically displaying and executing potentially dangerous scripts, images, or other files. (Automatic display of HTML content is a risk on some email clients.) Caution: Unless you also select To actually remove HTML tags, you must also select replace. If you select Replace, all HTML tags will be removed, except for the minimum required by the HTML document type definition (DTD):
Stripped body text will be surrounded by For linked files, which are hosted on an external web site for subsequent download rather than directly attached to the email, the FortiMail unit will download and attach the file to the email before removing the For example, in an email that is a mixture of HTML and plain text ( |
|
|
Enable to specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10. |
|
|
Enable to check the URI in the text part of the messages. |
|
|
Enable to defer mail delivery from specific senders configured in policy to conserve peak time bandwidth at the expense of sending low priority, bandwidth consuming traffic at scheduled times. For example, you can apply this function to senders of marketing campaign emails or mass mailing. |
|
|
Remove URIs: Removes URIs in the text parts of email messages. Click Protection: Rewrite the URIs and in case the user clicks on the URIs, scan the URIs and then take the configured action. |
remove-uri |