Administration Guide

Policy tuning

  • Disable or delete policies and policy settings with care. Any changes made to policies take effect immediately.
  • Arrange policies in the policy list from most specific at the top to more general at the bottom. Policy matches are checked from the top of the list, downward. For example, a very general policy matches all connection attempts. When you create exceptions to a general policy, you must add them to the policy list above the general policy.
  • Verify all SMTP traffic has a matching policy. If traffic does not match a policy, it is allowed. If you’re certain all desired traffic is allowed by existing policies, add an IP policy to the bottom of the IP policy list to reject all remaining connections and thereby tighten security. To do this, create a new IP policy, enter 0.0.0.0/0 as the IP address to match, and select Reject connections with this match. Finally, move this policy to the bottom of the IP policy list. With this policy in place, the FortiMail unit’s default behavior of allowing traffic with no policy matches is effectively reversed: traffic with no other matches is denied by this final policy.

  • Users can authenticate with the FortiMail unit using SMTP, POP3, IMAP, LDAP, or RADIUS servers. For users to authenticate successfully, you must create and apply an authentication profile: Profile > LDAP > LDAP for LDAP profiles, or Profile > Authentication (including Profile > Authentication > RADIUS) for the other server types.
  • Addresses specified in an IP-based policy should be as specific as possible. Use subnets or specific IP addresses for more granular control. Use a 32-bit subnet mask (that is, 255.255.255.255) when creating a single host address. The IP setting 0.0.0.0/0 matches all hosts.
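The ordering and catch-all rules above are easy to get wrong by hand, so the following added example (written for this page, not code or configuration from the FortiMail product or the guide) models the top-down first-match evaluation of an IP policy list and checks two things a reviewer would want: that the list ends in a 0.0.0.0/0 reject policy, and that no policy is shadowed by a broader one above it. The shadowing check goes beyond the guide's text, which only states the ordering rule. Policy names and addresses are constructed for illustration; the model reduces a policy to a CIDR match and an allow/reject action and ignores the other fields a real IP policy carries.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IPPolicy:
    """Simplified model of one IP policy: a CIDR to match and an action."""
    name: str
    match: str     # e.g. "203.0.113.25/32" for a single host, "0.0.0.0/0" for all hosts
    action: str    # "allow" or "reject"


def first_match(policies, client_ip):
    """Return the first policy, scanning top-down, whose CIDR contains client_ip, or None."""
    addr = ip_address(client_ip)
    for policy in policies:
        if addr in ip_network(policy.match, strict=False):
            return policy
    return None


def decide(policies, client_ip, default="allow"):
    """Decide a connection. With no matching policy the unit's default (allow) applies."""
    policy = first_match(policies, client_ip)
    if policy is None:
        return (default, "<no match>")
    return (policy.action, policy.name)


def lint(policies):
    """Return warnings for policies that can never fire and for a missing catch-all reject."""
    warnings = []
    nets = [ip_network(p.match, strict=False) for p in policies]
    for i, (policy, net) in enumerate(zip(policies, nets)):
        for j in range(i):
            # A policy fully covered by an earlier one is dead: the earlier one always wins.
            if net.subnet_of(nets[j]):
                warnings.append(
                    f"{policy.name!r} ({policy.match}) is shadowed by "
                    f"{policies[j].name!r} ({policies[j].match}) above it"
                )
                break
    last = policies[-1] if policies else None
    is_catch_all_reject = (
        last is not None
        and ip_network(last.match, strict=False).prefixlen == 0
        and last.action == "reject"
    )
    if not is_catch_all_reject:
        warnings.append("no catch-all reject policy (0.0.0.0/0) at the bottom of the list")
    return warnings


# Constructed sample list (illustrative names and RFC 5737 documentation addresses).
SAMPLE_POLICIES = [
    IPPolicy("partner-relay", "203.0.113.25/32", "allow"),   # single host: /32 mask
    IPPolicy("office-lan",    "192.0.2.0/24",    "allow"),
    IPPolicy("blocked-host",  "192.0.2.77/32",   "reject"),  # exception placed BELOW the general rule
]

CATCH_ALL = IPPolicy("deny-rest", "0.0.0.0/0", "reject")

# Corrected list: exception moved above the general policy, catch-all reject at the bottom.
FIXED_POLICIES = [
    SAMPLE_POLICIES[0],
    SAMPLE_POLICIES[2],
    SAMPLE_POLICIES[1],
    CATCH_ALL,
]


if __name__ == "__main__":
    print(decide(SAMPLE_POLICIES, "198.51.100.9"))                # unknown host: default allow
    print(decide(SAMPLE_POLICIES + [CATCH_ALL], "198.51.100.9"))  # same host: rejected by deny-rest
    print(decide(SAMPLE_POLICIES, "192.0.2.77"))                  # exception never fires (shadowed)
    print(decide(FIXED_POLICIES, "192.0.2.77"))                   # exception fires once reordered
    for warning in lint(SAMPLE_POLICIES):
        print("warning:", warning)
    print("fixed list warnings:", lint(FIXED_POLICIES))
```

Run it as a script to see the shadowed exception and the missing catch-all reported; feed `lint` your own exported policy list (one `IPPolicy` per entry, in list order) to audit ordering before changes go live, since the guide notes that policy changes take effect immediately.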