Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

profile content

Use this command to create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

Content profiles can be used to apply content-based encryption to email. They can also be used to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. As such, content profiles can be used both for email that you want to protect, and for email that you want to prevent.

Syntax

config profile content

edit <profile_name>

config attachment-scan

edit <index_number>

set action <action>

set operator {is | is-not}

set attachment-name-pattern <pattern_str>

set status {enable | disable}

config monitor

edit monitor <index_int>

set action <profile_name>

set dict-score <score_int>

set dictionary-group <dictionary-group_name>

set dictionary-profile <dictionary-profile_name>

set dictionary-type {group | profile}

set scan-msoffice {enable | disable}

set scan-pdf {enable | disable}

set status {enable | disable}

set action-cdr <action_profile>

set action-default <action_profile>

set action-image-analysis <action_profile>

set action-max-size <action-profile>

set archive-scan-options {block-on-failure-to-decompress | block-password-protected | block-recursive}

set cdr-file-type-options {msoffice | pdf}

set decrypt-password-archive {enable |disable}

set decrypt-password-num-of-words <number>

set decrypt-password-office {enable | disable}

set decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}

set defersize <size-in-kb>

set embedded-scan-options {check-msoffice | check-msoffice-vba | check-msvisio | check-openoffice | check-pdf}

set html-content-action {convert-to-text | modify-content}

set html-content-uri-action {click-protection | click-protection-isolator | isolator | keep | remove}

set html-content-uri-selection {tag-attribute | tag-content}

set image-analysis-scan {enable | disable}

set max-num-of-attachment <number>

set max-size <size-in-kb>

set max-size-options {message | attachment}

set max-size-status {enable | disable}

set remove-active-content {enable | disable}

set scan options block-fragmented-email

set scan options block-password-protected-office

set scan options check-archive-content

set scan options check-embedded-content

set scan options bypass-on-smtp-auth

set scan options check-html-content

set scan options check-max-num-of-attachment

set scan options check-text-content

set scan options defer-message-delivery

set text-content-action {remove-uri | click-protection}

end

Variable

Description

Default

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

action <action>

Specify the action to use.

operator {is | is-not}

Specify the operator.

is

attachment-name-pattern <pattern_str>

Enter a pattern, such as '*.bat', that matches the email attachment names that you want the content profile to match.

The patterns include:

  • *.bat
  • *.com
  • *.dll
  • *.doc
  • *.exe
  • *.gz
  • *.hta
  • *.ppt
  • *.rar
  • *.scr
  • *.tar
  • *.tgz
  • *.vb?
  • *.wps
  • *.xl?
  • *.zip
  • *.pif

status {enable | disable}

Enable or disable a pattern that matches the email attachment names that you want the content profile to match.

enable

monitor <index_int>

Enter the index number of the monitor profile.

If the monitor profile does not currently exist, it will be created.

action <profile_name>

Enter the action profile for this monitor profile. The FortiMail unit will perform the actions if the content of the email message matches words or patterns from the dictionary profile that the monitor profile uses.

dict-score <score_int>

Enter the number of times that an email must match the content monitor profile before it will receive the antispam action.

1

dictionary-group <dictionary-group_name>

Enter the dictionary profile group that this monitor profile will use.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profiles. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-profile <dictionary-profile_name>

Enter the dictionary profile that this monitor profile will use.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profile. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile in profile content-action.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-type {group | profile}

Enter profile to detect content based upon a dictionary profile, or group to detect content based upon a group of dictionary profiles.

group

scan-msoffice {enable | disable}

Enable or disable MS Word document scanning for this profile.

disable

scan-pdf {enable | disable}

Enable or disable PDF document scanning for this profile.

disable

status {enable | disable}

Enable or disable this monitor profile.

disable

action-cdr <action_profile>

Specify the action profile to use.

 

action-default <action_profile>

Enter a content action profile to be used by all the content filters except for the encrypted email, which can have its own action. See below for details.

 

action-image-analysis <action_profile>

For the image email file type, you can use a content action profile to overwrite the default action profile used in the content profile.

 

action-max-size <action-profile>

Specify the action profile to use for message over maximum size.

 

block-on-failure-to-decompress

Enter to apply the action configured in profile content-action if an attached archive cannot be successfully decompressed in order to scan its contents.

 

block-password-protected

Enter to apply the action configured inprofile content-action if an attached archive is password-protected.

 

block-recursive

Enable to block archive attachments whose depth of nested archives exceeds archive-max-recursive-level <depth_int>.

 

archive-max-recursive-level <depth_int>

Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit will use one of the following methods to determine whether it should block or pass the email.

archive-max-recursive-level is 0, or attachment’s depth of nesting equals or is less than archive-max-recursive-level: If the attachment contains a file that matches one of the other MIME file types, perform the action configured for that file type, either block or pass.

Attachment’s depth of nesting is greater than archive-max-recursive-level: Apply the block action, unless you have disabled block-recursive, in which case it will pass the MIME file type content filter. Block actions are specified in the profile content-action.

0

cdr-file-type-options {msoffice | pdf}

Specify the file type for content disarm and reconstruction.

 

decrypt-password-archive {enable |disable}

Enable or disable to decrypt password protected archives.

disable

decrypt-password-num-of-words <number>

Specify the number of words adjacent to the keyword to try for archive decryption.

5

decrypt-password-office {enable | disable}

Enable to decrypt password protected Office files.

disable

decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}

Specify which kind of password to use to decrypt the archives.

words-in-email-content

defersize <size-in-kb>

Bigger size will be deferred. 0 means no limit.

0

embedded-scan-options {check-msoffice | check-msoffice-vba | check-msvisio | check-openoffice | check-pdf}

Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.

Enable to, for MIME types such as Microsoft Office, Microsoft Visio, OpenOffice.org , and PDF documents, scan files that are encapsulated within the document itself.

 

html-content-action {convert-to-text | modify-content}

Specify the action towards hypertext markup language (HTML) tags in email messages:

  • convert-to-text: Convert the HTML content to text only content.
  • modify-content: Set to determine active content handling and URI processing (see html-content-uri-selection and remove-active-content respectively).

modify-content

html-content-uri-action {click-protection | click-protection-isolator | isolator | keep | remove}

Specify HTML content URI tag handling in email messages:

  • click-protection: Rewrite the URIs and in case the user clicks on the URIs, scan the URIs and then take the configured actions.
  • click-protection-isolator: Redirect to Click Protection and FortiIsolator. If the rewritten URL matched FortiIsolator URL category and passed Click Protection handling category, it is opened in FortiIsolator.
  • isolator: Redirect to FortiIsolator.
  • keep: Keep URI tags.
  • remove: Remove URI tags.

click-protection

html-content-uri-selection {tag-attribute | tag-content}

Select URIs to process from specified parts of HTML.

This field applies only if html-content-action is modify-content.

tag-attribute

image-analysis-scan {enable | disable}

If you have purchase the adult image scan license, you can enable it to scan for adult images.

You can also configure the scan sensitivity and image sizes under Security > Other > Adult Image Analysis.

disable

max-num-of-attachment <number>

Specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10.

10

max-size <size-in-kb>

Enter the size threshold in kilobytes. Delivery of email messages greater than this size will be deferred until the period configured for oversize email.

To disable deferred delivery, enter 0.

10240

max-size-options {message | attachment}

Specify either the message or attachment for the size limit.

message

max-size-status {enable | disable}

Enable to apply the maximum size limits.

disable

remove-active-content {enable | disable}

Enable to remove active content.

This field applies only if html-content-action is modify-content.

enable

block-fragmented-email

Enable to detect and block fragmented email.

Some mail user agents, such as Outlook, are able to fragment big emails into multiple sub-messages. This is used to bypass oversize limits/scanning.

disable

block-password-protected-office

Enable to apply the block action configured in the content action profile if an attached MS Office document is password-protected, and therefore cannot be decompressed in order to scan its contents.

disable

check-archive-content

Enable to check for archived attachments.

 

check-embedded-content

Enable to check for embedded contents.
Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.

 

bypass-on-smtp-auth

Enable to omit antispam scans when an SMTP sender is authenticated.

disable

check-html-content

Enable to detect hypertext markup language (HTML) tags and, if found:

apply the action profile

add X-FEAS-ATTACHMENT-FILTER: Contains HTML tags. to the message headers

This option can be used to mitigate potentially harmful HTML content such as corrupted images or files, or phishing URLs that have been specially crafted for a targeted attack, and therefore not yet identified by the FortiGuard Antispam service.

Depending on the action profile, for example, you could warn email users by tagging email that contains potentially dangerous HTML content, or, if you have removed the HTML tags, allow users to safely read the email to decide whether or not it is legitimate first, without automatically displaying and executing potentially dangerous scripts, images, or other files (automatic display of HTML content is a risk on some email clients).

Caution: Unless you also select replace for the action in the content action profile, HTML will not be removed, and the email will not be converted to plain text. Instead, the FortiMail unit will only apply whichever other action profile “block” action you have selected.

To actually remove HTML tags, you must also select replace.

If you select Replace, all HTML tags will be removed, except for the minimum required by the HTML document type definition (DTD):

<html>

<head>

<body>

Stripped body text will be surrounded by <pre> tags, which is typically rendered in a monospace font, causing the appearance to mimic plain text.

For linked files, which are hosted on an external web site for subsequent download rather than directly attached to the email, the FortiMail unit will download and attach the file to the email before removing the <img> or <embed> tag. In this way, while the format is converted to plain text, attachments and linked files which may be relevant to the content are still preserved.

For example, in an email that is a mixture of HTML and plain text (Content‑Type: multipart/alternative), and if the action profile’s “block” action is replace, the FortiMail unit would remove hyperlink, font, and other HTML tags in the sections labeled with Content-Type: text/html. Linked images would be converted to attachments (The MIME Content‑Type: text/html label itself, however, would not be modified).

 

check-max-num-of-attachment

Enable to specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10.

 

check-text-content

Enable to check the URI in the text part of the messages.

 

defer-message-delivery

Enable to defer mail delivery from specific senders configured in policy to conserve peak time bandwidth at the expense of sending low priority, bandwidth consuming traffic at scheduled times. For example, you can apply this function to senders of marketing campaign emails or mass mailing.

 

text-content-action {remove-uri | click-protection}

Remove URIs: Removes URIs in the text parts of email messages.

Click Protection: Rewrite the URIs and in case the user clicks on the URIs, scan the URIs and then take the configured action.

remove-uri

Related topics

profile content-action

profile content

Use this command to create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

Content profiles can be used to apply content-based encryption to email. They can also be used to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. As such, content profiles can be used both for email that you want to protect, and for email that you want to prevent.

Syntax

config profile content

edit <profile_name>

config attachment-scan

edit <index_number>

set action <action>

set operator {is | is-not}

set attachment-name-pattern <pattern_str>

set status {enable | disable}

config monitor

edit monitor <index_int>

set action <profile_name>

set dict-score <score_int>

set dictionary-group <dictionary-group_name>

set dictionary-profile <dictionary-profile_name>

set dictionary-type {group | profile}

set scan-msoffice {enable | disable}

set scan-pdf {enable | disable}

set status {enable | disable}

set action-cdr <action_profile>

set action-default <action_profile>

set action-image-analysis <action_profile>

set action-max-size <action-profile>

set archive-scan-options {block-on-failure-to-decompress | block-password-protected | block-recursive}

set cdr-file-type-options {msoffice | pdf}

set decrypt-password-archive {enable |disable}

set decrypt-password-num-of-words <number>

set decrypt-password-office {enable | disable}

set decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}

set defersize <size-in-kb>

set embedded-scan-options {check-msoffice | check-msoffice-vba | check-msvisio | check-openoffice | check-pdf}

set html-content-action {convert-to-text | modify-content}

set html-content-uri-action {click-protection | click-protection-isolator | isolator | keep | remove}

set html-content-uri-selection {tag-attribute | tag-content}

set image-analysis-scan {enable | disable}

set max-num-of-attachment <number>

set max-size <size-in-kb>

set max-size-options {message | attachment}

set max-size-status {enable | disable}

set remove-active-content {enable | disable}

set scan options block-fragmented-email

set scan options block-password-protected-office

set scan options check-archive-content

set scan options check-embedded-content

set scan options bypass-on-smtp-auth

set scan options check-html-content

set scan options check-max-num-of-attachment

set scan options check-text-content

set scan options defer-message-delivery

set text-content-action {remove-uri | click-protection}

end

Variable

Description

Default

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

action <action>

Specify the action to use.

operator {is | is-not}

Specify the operator.

is

attachment-name-pattern <pattern_str>

Enter a pattern, such as '*.bat', that matches the email attachment names that you want the content profile to match.

The patterns include:

  • *.bat
  • *.com
  • *.dll
  • *.doc
  • *.exe
  • *.gz
  • *.hta
  • *.ppt
  • *.rar
  • *.scr
  • *.tar
  • *.tgz
  • *.vb?
  • *.wps
  • *.xl?
  • *.zip
  • *.pif

status {enable | disable}

Enable or disable a pattern that matches the email attachment names that you want the content profile to match.

enable

monitor <index_int>

Enter the index number of the monitor profile.

If the monitor profile does not currently exist, it will be created.

action <profile_name>

Enter the action profile for this monitor profile. The FortiMail unit will perform the actions if the content of the email message matches words or patterns from the dictionary profile that the monitor profile uses.

dict-score <score_int>

Enter the number of times that an email must match the content monitor profile before it will receive the antispam action.

1

dictionary-group <dictionary-group_name>

Enter the dictionary profile group that this monitor profile will use.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profiles. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-profile <dictionary-profile_name>

Enter the dictionary profile that this monitor profile will use.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profile. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile in profile content-action.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-type {group | profile}

Enter profile to detect content based upon a dictionary profile, or group to detect content based upon a group of dictionary profiles.

group

scan-msoffice {enable | disable}

Enable or disable MS Word document scanning for this profile.

disable

scan-pdf {enable | disable}

Enable or disable PDF document scanning for this profile.

disable

status {enable | disable}

Enable or disable this monitor profile.

disable

action-cdr <action_profile>

Specify the action profile to use.

 

action-default <action_profile>

Enter a content action profile to be used by all the content filters except for the encrypted email, which can have its own action. See below for details.

 

action-image-analysis <action_profile>

For the image email file type, you can use a content action profile to overwrite the default action profile used in the content profile.

 

action-max-size <action-profile>

Specify the action profile to use for message over maximum size.

 

block-on-failure-to-decompress

Enter to apply the action configured in profile content-action if an attached archive cannot be successfully decompressed in order to scan its contents.

 

block-password-protected

Enter to apply the action configured inprofile content-action if an attached archive is password-protected.

 

block-recursive

Enable to block archive attachments whose depth of nested archives exceeds archive-max-recursive-level <depth_int>.

 

archive-max-recursive-level <depth_int>

Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit will use one of the following methods to determine whether it should block or pass the email.

archive-max-recursive-level is 0, or attachment’s depth of nesting equals or is less than archive-max-recursive-level: If the attachment contains a file that matches one of the other MIME file types, perform the action configured for that file type, either block or pass.

Attachment’s depth of nesting is greater than archive-max-recursive-level: Apply the block action, unless you have disabled block-recursive, in which case it will pass the MIME file type content filter. Block actions are specified in the profile content-action.

0

cdr-file-type-options {msoffice | pdf}

Specify the file type for content disarm and reconstruction.

 

decrypt-password-archive {enable |disable}

Enable or disable to decrypt password protected archives.

disable

decrypt-password-num-of-words <number>

Specify the number of words adjacent to the keyword to try for archive decryption.

5

decrypt-password-office {enable | disable}

Enable to decrypt password protected Office files.

disable

decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}

Specify which kind of password to use to decrypt the archives.

words-in-email-content

defersize <size-in-kb>

Bigger size will be deferred. 0 means no limit.

0

embedded-scan-options {check-msoffice | check-msoffice-vba | check-msvisio | check-openoffice | check-pdf}

Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.

Enable to, for MIME types such as Microsoft Office, Microsoft Visio, OpenOffice.org , and PDF documents, scan files that are encapsulated within the document itself.

 

html-content-action {convert-to-text | modify-content}

Specify the action towards hypertext markup language (HTML) tags in email messages:

  • convert-to-text: Convert the HTML content to text only content.
  • modify-content: Set to determine active content handling and URI processing (see html-content-uri-selection and remove-active-content respectively).

modify-content

html-content-uri-action {click-protection | click-protection-isolator | isolator | keep | remove}

Specify HTML content URI tag handling in email messages:

  • click-protection: Rewrite the URIs and in case the user clicks on the URIs, scan the URIs and then take the configured actions.
  • click-protection-isolator: Redirect to Click Protection and FortiIsolator. If the rewritten URL matched FortiIsolator URL category and passed Click Protection handling category, it is opened in FortiIsolator.
  • isolator: Redirect to FortiIsolator.
  • keep: Keep URI tags.
  • remove: Remove URI tags.

click-protection

html-content-uri-selection {tag-attribute | tag-content}

Select URIs to process from specified parts of HTML.

This field applies only if html-content-action is modify-content.

tag-attribute

image-analysis-scan {enable | disable}

If you have purchase the adult image scan license, you can enable it to scan for adult images.

You can also configure the scan sensitivity and image sizes under Security > Other > Adult Image Analysis.

disable

max-num-of-attachment <number>

Specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10.

10

max-size <size-in-kb>

Enter the size threshold in kilobytes. Delivery of email messages greater than this size will be deferred until the period configured for oversize email.

To disable deferred delivery, enter 0.

10240

max-size-options {message | attachment}

Specify either the message or attachment for the size limit.

message

max-size-status {enable | disable}

Enable to apply the maximum size limits.

disable

remove-active-content {enable | disable}

Enable to remove active content.

This field applies only if html-content-action is modify-content.

enable

block-fragmented-email

Enable to detect and block fragmented email.

Some mail user agents, such as Outlook, are able to fragment big emails into multiple sub-messages. This is used to bypass oversize limits/scanning.

disable

block-password-protected-office

Enable to apply the block action configured in the content action profile if an attached MS Office document is password-protected, and therefore cannot be decompressed in order to scan its contents.

disable

check-archive-content

Enable to check for archived attachments.

 

check-embedded-content

Enable to check for embedded contents.
Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.

 

bypass-on-smtp-auth

Enable to omit antispam scans when an SMTP sender is authenticated.

disable

check-html-content

Enable to detect hypertext markup language (HTML) tags and, if found:

apply the action profile

add X-FEAS-ATTACHMENT-FILTER: Contains HTML tags. to the message headers

This option can be used to mitigate potentially harmful HTML content such as corrupted images or files, or phishing URLs that have been specially crafted for a targeted attack, and therefore not yet identified by the FortiGuard Antispam service.

Depending on the action profile, for example, you could warn email users by tagging email that contains potentially dangerous HTML content, or, if you have removed the HTML tags, allow users to safely read the email to decide whether or not it is legitimate first, without automatically displaying and executing potentially dangerous scripts, images, or other files (automatic display of HTML content is a risk on some email clients).

Caution: Unless you also select replace for the action in the content action profile, HTML will not be removed, and the email will not be converted to plain text. Instead, the FortiMail unit will only apply whichever other action profile “block” action you have selected.

To actually remove HTML tags, you must also select replace.

If you select Replace, all HTML tags will be removed, except for the minimum required by the HTML document type definition (DTD):

<html>

<head>

<body>

Stripped body text will be surrounded by <pre> tags, which is typically rendered in a monospace font, causing the appearance to mimic plain text.

For linked files, which are hosted on an external web site for subsequent download rather than directly attached to the email, the FortiMail unit will download and attach the file to the email before removing the <img> or <embed> tag. In this way, while the format is converted to plain text, attachments and linked files which may be relevant to the content are still preserved.

For example, in an email that is a mixture of HTML and plain text (Content‑Type: multipart/alternative), and if the action profile’s “block” action is replace, the FortiMail unit would remove hyperlink, font, and other HTML tags in the sections labeled with Content-Type: text/html. Linked images would be converted to attachments (The MIME Content‑Type: text/html label itself, however, would not be modified).

 

check-max-num-of-attachment

Enable to specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10.

 

check-text-content

Enable to check the URI in the text part of the messages.

 

defer-message-delivery

Enable to defer mail delivery from specific senders configured in policy to conserve peak time bandwidth at the expense of sending low priority, bandwidth consuming traffic at scheduled times. For example, you can apply this function to senders of marketing campaign emails or mass mailing.

 

text-content-action {remove-uri | click-protection}

Remove URIs: Removes URIs in the text parts of email messages.

Click Protection: Rewrite the URIs and in case the user clicks on the URIs, scan the URIs and then take the configured action.

remove-uri

Related topics

profile content-action