Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiMail 6.4.1 Administration Guide
    6.4.1
    7.6.1
    7.6.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.7
    6.2.0
    6.0.6
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    Configuring FortiGuard services

    Configuring FortiGuard services

    FortiMail uses Fortinet FortiGuard antivirus, antispam, and URL protection services.

    Go to System > FortiGuard > License to view the most recent updates to FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions (antispam heuristic rules).

    FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

    In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

    • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
    • push updates, by which the FDN notifies FortiMail units when updates become available
    Note

    You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file by going to Dashboard > Status and click Update under License Information.

    For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see Troubleshoot FortiGuard connection issues.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read-Write permission to the Others category

    For details, see About administrator account permissions and domains.

    This section contains the following topics:

    Configuring FortiGuard antivirus service

    You can configure the FortiMail unit to periodically request updates from the FDN or override servers for the FortiGuard antivirus engine and antivirus definitions.

    You can use push updates or manually initiate updates as alternatives or in conjunction with scheduled updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit always retrieves periodic updates if connectivity is interrupted during a push notification. While using only scheduled updates could potentially leave your network vulnerable to a new virus, it minimizes short disruptions to antivirus scans that can occur if the FortiMail unit applies push updates during peak volume times.

    For example, you might schedule updates every night at 2 AM or weekly on Sunday, when email traffic volume is light.

    Before configuring scheduled updates, first verify that the FortiMail unit can connect to the FDN or override server.

    To configure FortiGuard antivirus options
    1. Go to System > FortiGuard > AntiVirus.
    2. Configure the following and then click Apply.

    FortiGuard server port

    FortiGuard uses either port 443 or 8890. The default port is 443.

    Use override server

    Enable to override the default FDN server to which the FortiMail unit connects for updates.

    Override server IP address

    Enter the IP address of the override public or private FDN server.

    Allow push update

    Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP.

    Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit then initiates a separate TCP 443 connection, similar to scheduled updates, in order to the FDN to download the update.

    Use override push IP

    Enable to override the IP address and default port number to which the FDN sends push notifications.

    • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
    • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

    This option is available only if Allow push update is enabled.

    Virus outbreak protection

    When a virus outbreak occurs, the FortiGuard antivirus database may need some time to get updated. Therefore, you can choose to defer the delivery of the suspicious email messages and scan them for the second time.

    • Disable: Do not query FortiGuard antivirus service.
    • Enable: Query FortiGuard antivirus service.
    • Enable with Defer: If the first query returns no results, defer the email for the specified time and do the second query.

    Virus outbreak protection period

    If you specify Enable with Defer in the above field, specify how many minutes later a second query will be done.

    Virus database

    Depending on your models, FortiMail supports three types of antivirus databases:

    • Default: The default FortiMail virus database contains most commonly seen viruses and should be sufficient enough for regular antivirus protection.
    • Extended: Some high-end FortiMail models support the usage of an extended virus database, which contains viruses that are not active any more.
    • Extreme: Some high-end models also support the usage of an extreme virus database, which contains more virus signatures than the default and extended databases.

    Scheduled update

    Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.

    • Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.
    • Daily: Select to request to update once a day, then select the hour of the day to check for updates.
    • Weekly: Select to request to update once a week, then select the day of the week and the hour of the day to check for updates.

    Server location

    Use FortiGuard servers either in US only or in any locations in the world.

    See also

    Configuring FortiGuard services

    Verifying connectivity with FortiGuard services

    Configuring FortiGuard antivirus service

    Manually requesting updates

    Troubleshoot FortiGuard connection issues

    Manually requesting updates

    You can manually trigger the FortiMail unit to connect to the FDN or override server to request available updates for its FortiGuard antivirus packages.

    You can manually initiate updates as an alternative or in addition to other update methods.

    To manually request updates

    Before manually initiating an update, first verify that the FortiMail unit can connect to the FDN or override server.

    1. Go to System > FortiGuard > AntiVirus.
    2. Click Update Now.
      3. Note

      Updating FortiGuard Antivirus definitions can cause a short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.

    3. After a few minutes, click the System > FortiGuard > License tab to check the update status. If an update was available, new version numbers appear for the packages that were updated. If you have enabled logging, messages are recorded to the event log indicating whether the update was successful or not. For details, see Logs, reports and alerts.

    Configuring FortiGuard antispam service

    You can connect to FDN to use its antispam service. You can also use your own override server, such as a FortiManager unit, to get the antispam service.

    To configure the FortiGuard antispam options
    1. Go to System > FortiGuard > AntiSpam.
    2. Verify that the Enable service is enabled. Also specify the FortiGuard server port (53, 443, or 8888. The default number is 53) and protocol (UDP or HTTPS).

      3. Note that port 443 is only available for protocol HTTPS.

    3. Specify a spam outbreak protection level. Higher level means more strict filtering. This feature temporarily hold email for a certain period of time (spam outbreak protection period) if the enabled FortiGuard antispam check (block IP and/or URL filter) returns no result (see Configuring FortiGuard options). After the specified time interval, FortiMail will query the FortiGuard server for the second time. This provides an opportunity for the FortiGuard antispam service to update its database in cases a spam outbreak occurs.
    4. If you want to use an override server, such as a local FortiManager unit, instead of the default FDN server, specify it by enabling the option and entering the server address.
    5. Optionally enable cache and specify the cache TTL time. Enabling cache can improve performance.
    6. Use FortiGuard servers either in U.S. only or in any locations in the world.
    7. Click Apply.

    Manually querying FortiGuard antispam service

    For testing or any other purposes, you may want to manually query the FortiGuard antispam service by entering an IP address, URL, or a Hash value of an email message.

    To query FortiGuard antispam service
    1. Go to System > FortiGuard > License.
    2. Enter an IP, URL or hash value of an email message.
    3. Click Query.

      4. If the query is successful, the Query result field will display if the IP/URL is spam or unknown (not spam).

      If the query is unsuccessful, the Query result field will display No response. In this case, you can use the following tips to troubleshoot the issue.

      If the FortiMail unit can reach the DNS server, but cannot successfully resolve the domain name of the FDN, a message appears notifying you that a DNS error occurred.

      DNS error when resolving the FortiGuard Antispam domain name

    4. Verify that the DNS servers contain A records to resolve service.fortiguard.net and other FDN servers. To try to obtain additional insight into the cause of the query failure, manually perform a DNS query from the FortiMail unit using the following CLI command:

      5. execute nslookup name service.fortiguard.net

      If the FortiMail unit cannot successfully connect, or if your FortiGuard Antispam license does not exist or has expired, a message appears notifying you that a connection error occurred.

      Connection error when verifying FortiGuard Antispam connectivity

    5. Verify that:
    • this is no proxy in between FortiMail and the FDN server.
    • your FortiGuard Antispam license is valid and currently active
    • the default route (located in System > Network > Routing) is correctly configured
    • the FortiMail unit can connect to the DNS servers (located in System > Network > DNS) and to the FDN servers
    • firewalls between the FortiMail unit and the Internet or override server allow FortiGuard Antispam rating query traffic.

    The default port number for FortiGuard antispam query is UDP port 53 in v4.0. Prior to v4.0, the port number was 8889.

  • To try to obtain additional insight into the point of the connection failure, trace the connection using the following CLI command:

    • execute traceroute <address_ipv4>

    where <address_ipv4> is the IP address of the DNS server or FDN server.

    When query connectivity is successful, antispam profiles can use the FortiGuard option.

    You can use the antispam log to monitor for subsequent query connectivity interruptions. When sending email through the FortiMail unit that matches a policy and profile where the FortiGuard option is enabled, if the FortiMail cannot connect to the FDN and/or its license is not valid, and if Information-level logging is enabled, the FortiMail unit records a log message in the antispam log (located in Monitor > Log > AntiSpam) whose Log Id field is 0300023472 and whose Message field is:

    FortiGuard-Antispam: No Answer from server.

  • Verify that the FortiGuard Antispam license is still valid, and that network connectivity has not been disrupted for UDP port 53 traffic from the FortiMail unit to the Internet.

    • Configuring FortiGuard URL click protection service

    When configuring the content profiles (see Configuring content disarm and reconstruction (CDR)), you can choose what to do with the URLs contained in the email messages: either remove them or leave them.

    However, if the URLs are not removed, there is a chance that email users may click and follow them. To protect users from harmful or spam URLs, such as phishing or advertising web sites, FortiMail uses FortiGuard URL filter service (see Configuring heuristic options) and FortiSandbox to scan the URLs after the users click the URLs. Depending on the inspection results from FortiGuard and FortiSandbox, you can decide if you would allow the users to access the URLs or block them.

    Starting from 6.2 release, you can also choose to use FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution, which protects users against zero day malware and phishing threats that are delivered over the web and email. These threats may result in data loss, compromise, or ransomware. This protection is achieved by creating a visual air gap between users' browsers and websites, which prevents content from breaching the gap. With FortiIsolator, web content is executed in a remote disposable container and displayed to users visually.

    To configure FortiGuard URL click protection settings

    Go to System > FortiGuard > URL Protection and configure the following:

    GUI item

    Description

    URL Rewrite

    FortiMail must rewrite URLs to ensure that the URLs will be directed to FortiMail first when users click the URLs.

    Category

    Specify what URL categories will be rewritten.

    Base URL

    Enter prefix “https://” and the FortiMail FQDN or IP address. Note that without the prefix, the URL will not work.

    The rewritten URL will be in this format: https://company.com/fmlurlsvc/?fewReq/baseValue&url=originalUrlEscaped. Using the originalUrlEscaped part, you can get the original URL with the help of a URL decoding web site, such as https://www.urldecoder.org.

    URL Click Handling

    When users click the URLs in the email messages, you can choose to block or allow their access.

    Category

    Choose the URL category for the below action. For information about URL categories, see Configuring heuristic options.

    Action

    Specify either to Block or Allow with Confirmation for the above URL category.

    FortiSandbox Scan

    For all other URL categories not specified above, you can choose to send them to FortiSandbox (see Using FortiSandbox antivirus inspection) for further scanning.

    Enable: Toggle to enable or disable FortiSandbox scan.

    Action: Allow with Confirmation means to allow access with warning; Block means to block access; and Submit only means to allow access while sending the URLs for scanning.

    Timeout action: When the URLs are sent to FortiSandbox for scanning, it may take a while to get the results back. You should specify how long you want to wait for the results before you take Block, Allow, or Allow with Confirmation actions.

    Timeout: Specify how long (in seconds) you want to wait for FortiSandbox scan results before you take Block, Allow, or Allow with Confirmation actions.

    FortiIsolator Integration

    Category

    Specify what URL categories will be going through FortiIsolator. For information about URL categories, see Configuring heuristic options.

    Base URL

    Enter prefix “https://” and the FortiIsolator FQDN or IP address. Note that without the prefix, the URL will not work.

    URL Removal

    You can also choose to remove the URLs in the specified category.

    Category

    Specify the URL category to remove the URLs. For information about URL categories, see Configuring heuristic options.

    Configuring GeoIP override

    GeoIP service looks up the IP address geolocations in the GeoIP database. However, in some cases, the lookup might not be accurate, for example, when clients use proxies.

    With FortiMail, you can override the GeoIP lookup by manually specifying the geolocations of some IP addresses/IP ranges. When you create GeoIP groups (see Configuring GeoIP groups), you can use the override geolocations in the groups.

    Note

    When entering IP addresses for GeoIP overrides, only IPv4 addresses are supported.

    To configure GeoIP override
    1. Go to System > FortiGuard > GeoIP Override.
    2. Click New.
    3. Specify a geolocation name for the client IP addresses.
    4. Optionally enter a description.
    5. Click New to specify the IPv4 addresses that you want to include in the geolocation.
    6. Click Create.

    You can test GeoIP lookup by clicking IP Geography Query.

    Configuring MSSP features (license required)

    FortiMail provides some features that are useful to the MSSP customers.

    If you have the MSSP license, you can enable or disable the following features under System > FortiGuard > MSSP.

    Previous
    Next

    Configuring FortiGuard services

    Configuring FortiGuard services

    FortiMail uses Fortinet FortiGuard antivirus, antispam, and URL protection services.

    Go to System > FortiGuard > License to view the most recent updates to FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions (antispam heuristic rules).

    FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

    In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

    • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
    • push updates, by which the FDN notifies FortiMail units when updates become available
    Note

    You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file by going to Dashboard > Status and click Update under License Information.

    For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see Troubleshoot FortiGuard connection issues.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read-Write permission to the Others category

    For details, see About administrator account permissions and domains.

    This section contains the following topics:

    Configuring FortiGuard antivirus service

    You can configure the FortiMail unit to periodically request updates from the FDN or override servers for the FortiGuard antivirus engine and antivirus definitions.

    You can use push updates or manually initiate updates as alternatives or in conjunction with scheduled updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit always retrieves periodic updates if connectivity is interrupted during a push notification. While using only scheduled updates could potentially leave your network vulnerable to a new virus, it minimizes short disruptions to antivirus scans that can occur if the FortiMail unit applies push updates during peak volume times.

    For example, you might schedule updates every night at 2 AM or weekly on Sunday, when email traffic volume is light.

    Before configuring scheduled updates, first verify that the FortiMail unit can connect to the FDN or override server.

    To configure FortiGuard antivirus options
    1. Go to System > FortiGuard > AntiVirus.
    2. Configure the following and then click Apply.

    FortiGuard server port

    FortiGuard uses either port 443 or 8890. The default port is 443.

    Use override server

    Enable to override the default FDN server to which the FortiMail unit connects for updates.

    Override server IP address

    Enter the IP address of the override public or private FDN server.

    Allow push update

    Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP.

    Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit then initiates a separate TCP 443 connection, similar to scheduled updates, in order to the FDN to download the update.

    Use override push IP

    Enable to override the IP address and default port number to which the FDN sends push notifications.

    • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
    • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

    This option is available only if Allow push update is enabled.

    Virus outbreak protection

    When a virus outbreak occurs, the FortiGuard antivirus database may need some time to get updated. Therefore, you can choose to defer the delivery of the suspicious email messages and scan them for the second time.

    • Disable: Do not query FortiGuard antivirus service.
    • Enable: Query FortiGuard antivirus service.
    • Enable with Defer: If the first query returns no results, defer the email for the specified time and do the second query.

    Virus outbreak protection period

    If you specify Enable with Defer in the above field, specify how many minutes later a second query will be done.

    Virus database

    Depending on your models, FortiMail supports three types of antivirus databases:

    • Default: The default FortiMail virus database contains most commonly seen viruses and should be sufficient enough for regular antivirus protection.
    • Extended: Some high-end FortiMail models support the usage of an extended virus database, which contains viruses that are not active any more.
    • Extreme: Some high-end models also support the usage of an extreme virus database, which contains more virus signatures than the default and extended databases.

    Scheduled update

    Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.

    • Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.
    • Daily: Select to request to update once a day, then select the hour of the day to check for updates.
    • Weekly: Select to request to update once a week, then select the day of the week and the hour of the day to check for updates.

    Server location

    Use FortiGuard servers either in US only or in any locations in the world.

    See also

    Configuring FortiGuard services

    Verifying connectivity with FortiGuard services

    Configuring FortiGuard antivirus service

    Manually requesting updates

    Troubleshoot FortiGuard connection issues

    Manually requesting updates

    You can manually trigger the FortiMail unit to connect to the FDN or override server to request available updates for its FortiGuard antivirus packages.

    You can manually initiate updates as an alternative or in addition to other update methods.

    To manually request updates

    Before manually initiating an update, first verify that the FortiMail unit can connect to the FDN or override server.

    1. Go to System > FortiGuard > AntiVirus.
    2. Click Update Now.
      3. Note

      Updating FortiGuard Antivirus definitions can cause a short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.

    3. After a few minutes, click the System > FortiGuard > License tab to check the update status. If an update was available, new version numbers appear for the packages that were updated. If you have enabled logging, messages are recorded to the event log indicating whether the update was successful or not. For details, see Logs, reports and alerts.

    Configuring FortiGuard antispam service

    You can connect to FDN to use its antispam service. You can also use your own override server, such as a FortiManager unit, to get the antispam service.

    To configure the FortiGuard antispam options
    1. Go to System > FortiGuard > AntiSpam.
    2. Verify that the Enable service is enabled. Also specify the FortiGuard server port (53, 443, or 8888. The default number is 53) and protocol (UDP or HTTPS).

      3. Note that port 443 is only available for protocol HTTPS.

    3. Specify a spam outbreak protection level. Higher level means more strict filtering. This feature temporarily hold email for a certain period of time (spam outbreak protection period) if the enabled FortiGuard antispam check (block IP and/or URL filter) returns no result (see Configuring FortiGuard options). After the specified time interval, FortiMail will query the FortiGuard server for the second time. This provides an opportunity for the FortiGuard antispam service to update its database in cases a spam outbreak occurs.
    4. If you want to use an override server, such as a local FortiManager unit, instead of the default FDN server, specify it by enabling the option and entering the server address.
    5. Optionally enable cache and specify the cache TTL time. Enabling cache can improve performance.
    6. Use FortiGuard servers either in U.S. only or in any locations in the world.
    7. Click Apply.

    Manually querying FortiGuard antispam service

    For testing or any other purposes, you may want to manually query the FortiGuard antispam service by entering an IP address, URL, or a Hash value of an email message.

    To query FortiGuard antispam service
    1. Go to System > FortiGuard > License.
    2. Enter an IP, URL or hash value of an email message.
    3. Click Query.

      4. If the query is successful, the Query result field will display if the IP/URL is spam or unknown (not spam).

      If the query is unsuccessful, the Query result field will display No response. In this case, you can use the following tips to troubleshoot the issue.

      If the FortiMail unit can reach the DNS server, but cannot successfully resolve the domain name of the FDN, a message appears notifying you that a DNS error occurred.

      DNS error when resolving the FortiGuard Antispam domain name

    4. Verify that the DNS servers contain A records to resolve service.fortiguard.net and other FDN servers. To try to obtain additional insight into the cause of the query failure, manually perform a DNS query from the FortiMail unit using the following CLI command:

      5. execute nslookup name service.fortiguard.net

      If the FortiMail unit cannot successfully connect, or if your FortiGuard Antispam license does not exist or has expired, a message appears notifying you that a connection error occurred.

      Connection error when verifying FortiGuard Antispam connectivity

    5. Verify that:
    • this is no proxy in between FortiMail and the FDN server.
    • your FortiGuard Antispam license is valid and currently active
    • the default route (located in System > Network > Routing) is correctly configured
    • the FortiMail unit can connect to the DNS servers (located in System > Network > DNS) and to the FDN servers
    • firewalls between the FortiMail unit and the Internet or override server allow FortiGuard Antispam rating query traffic.

    The default port number for FortiGuard antispam query is UDP port 53 in v4.0. Prior to v4.0, the port number was 8889.

  • To try to obtain additional insight into the point of the connection failure, trace the connection using the following CLI command:

    • execute traceroute <address_ipv4>

    where <address_ipv4> is the IP address of the DNS server or FDN server.

    When query connectivity is successful, antispam profiles can use the FortiGuard option.

    You can use the antispam log to monitor for subsequent query connectivity interruptions. When sending email through the FortiMail unit that matches a policy and profile where the FortiGuard option is enabled, if the FortiMail cannot connect to the FDN and/or its license is not valid, and if Information-level logging is enabled, the FortiMail unit records a log message in the antispam log (located in Monitor > Log > AntiSpam) whose Log Id field is 0300023472 and whose Message field is:

    FortiGuard-Antispam: No Answer from server.

  • Verify that the FortiGuard Antispam license is still valid, and that network connectivity has not been disrupted for UDP port 53 traffic from the FortiMail unit to the Internet.

    • Configuring FortiGuard URL click protection service

    When configuring the content profiles (see Configuring content disarm and reconstruction (CDR)), you can choose what to do with the URLs contained in the email messages: either remove them or leave them.

    However, if the URLs are not removed, there is a chance that email users may click and follow them. To protect users from harmful or spam URLs, such as phishing or advertising web sites, FortiMail uses FortiGuard URL filter service (see Configuring heuristic options) and FortiSandbox to scan the URLs after the users click the URLs. Depending on the inspection results from FortiGuard and FortiSandbox, you can decide if you would allow the users to access the URLs or block them.

    Starting from 6.2 release, you can also choose to use FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution, which protects users against zero day malware and phishing threats that are delivered over the web and email. These threats may result in data loss, compromise, or ransomware. This protection is achieved by creating a visual air gap between users' browsers and websites, which prevents content from breaching the gap. With FortiIsolator, web content is executed in a remote disposable container and displayed to users visually.

    To configure FortiGuard URL click protection settings

    Go to System > FortiGuard > URL Protection and configure the following:

    GUI item

    Description

    URL Rewrite

    FortiMail must rewrite URLs to ensure that the URLs will be directed to FortiMail first when users click the URLs.

    Category

    Specify what URL categories will be rewritten.

    Base URL

    Enter prefix “https://” and the FortiMail FQDN or IP address. Note that without the prefix, the URL will not work.

    The rewritten URL will be in this format: https://company.com/fmlurlsvc/?fewReq/baseValue&url=originalUrlEscaped. Using the originalUrlEscaped part, you can get the original URL with the help of a URL decoding web site, such as https://www.urldecoder.org.

    URL Click Handling

    When users click the URLs in the email messages, you can choose to block or allow their access.

    Category

    Choose the URL category for the below action. For information about URL categories, see Configuring heuristic options.

    Action

    Specify either to Block or Allow with Confirmation for the above URL category.

    FortiSandbox Scan

    For all other URL categories not specified above, you can choose to send them to FortiSandbox (see Using FortiSandbox antivirus inspection) for further scanning.

    Enable: Toggle to enable or disable FortiSandbox scan.

    Action: Allow with Confirmation means to allow access with warning; Block means to block access; and Submit only means to allow access while sending the URLs for scanning.

    Timeout action: When the URLs are sent to FortiSandbox for scanning, it may take a while to get the results back. You should specify how long you want to wait for the results before you take Block, Allow, or Allow with Confirmation actions.

    Timeout: Specify how long (in seconds) you want to wait for FortiSandbox scan results before you take Block, Allow, or Allow with Confirmation actions.

    FortiIsolator Integration

    Category

    Specify what URL categories will be going through FortiIsolator. For information about URL categories, see Configuring heuristic options.

    Base URL

    Enter prefix “https://” and the FortiIsolator FQDN or IP address. Note that without the prefix, the URL will not work.

    URL Removal

    You can also choose to remove the URLs in the specified category.

    Category

    Specify the URL category to remove the URLs. For information about URL categories, see Configuring heuristic options.

    Configuring GeoIP override

    GeoIP service looks up the IP address geolocations in the GeoIP database. However, in some cases, the lookup might not be accurate, for example, when clients use proxies.

    With FortiMail, you can override the GeoIP lookup by manually specifying the geolocations of some IP addresses/IP ranges. When you create GeoIP groups (see Configuring GeoIP groups), you can use the override geolocations in the groups.

    Note

    When entering IP addresses for GeoIP overrides, only IPv4 addresses are supported.

    To configure GeoIP override
    1. Go to System > FortiGuard > GeoIP Override.
    2. Click New.
    3. Specify a geolocation name for the client IP addresses.
    4. Optionally enter a description.
    5. Click New to specify the IPv4 addresses that you want to include in the geolocation.
    6. Click Create.

    You can test GeoIP lookup by clicking IP Geography Query.

    Configuring MSSP features (license required)

    FortiMail provides some features that are useful to the MSSP customers.

    If you have the MSSP license, you can enable or disable the following features under System > FortiGuard > MSSP.

    Previous
    Next