Administration Guide

Configuring network settings

The Network submenu provides options to configure network connectivity and administrative access to the web UI or CLI of the FortiMail unit through each network interface.

This section includes:

About IPv6 Support

IP version 6 (IPv6) handles issues that weren't around decades ago when IPv4 was created, such as running out of IP addresses, fair distribution of IP addresses, built-in quality of service (QoS) features, better multimedia support, and improved handling of fragmentation. A bigger address space, a bigger default packet size, and more optional header extensions provide these features, with the flexibility to customize them to any needs.

IPv6 has 128-bit addresses compared to IPv4's 32-bit addresses, effectively eliminating address exhaustion. This new very large address space will likely reduce the need for network address translation (NAT) since IPv6 provides more than a billion IP addresses for each person on Earth. All hardware and software network components must support this new address size, an upgrade that may take a while to complete and will force IPv6 and IPv4 to work side-by-side during the transition period.

Starting from 4.3 release, FortiMail supports the following IPv6 features:

  • Network interface
  • Network routing
  • High Availability
  • DNS
  • Admin access
  • Webmail access
  • Mail routing -- multiple combinations of IPv4/6 Server, IPv4/6 Remote Gateway
  • Access Control Lists
  • Grey list
  • Local sender reputation
  • IPv6 based policies
  • Block/safe list
  • LDAP
  • IP pool (starting from 4.3.3 release)

FortiMail will support the following IPv6 features in future releases:

  • Port forwarding for IPv6
  • FortiGuard antispam database populated with IPv6 addresses

About the management IP

When a FortiMail unit operates in transparent mode, you can configure one or more of its network interfaces to act as a Layer 2 bridge, without IP addresses of their own. However, the FortiMail unit must have an IP address for administrators to configure it through a network connection rather than a local console. The management IP address enables administrators to connect to the FortiMail unit through port1 or other network ports, even when they are currently bridging.

By default, the management IP address is indirectly bound to port1 through the bridge. If other network interfaces are also included in the bridge with port1, you can configure the FortiMail unit to respond to connections to the management IP address that arrive on those other network interfaces. For more information, see Do not associate with management IP.

Unless you configured an override server IP address, FortiMail units use this IP address to connect to the FortiGuard Distribution Network (FDN). Depending on your network topology, the management IP may be a private network address. In this case, it is not routable from the FDN and is unsuitable for use as the destination IP address of push update connections from the FDN. For push updates to function correctly, you must configure an override server. For details, see Configuring FortiGuard antivirus service.

You can access the web UI, FortiMail webmail, and the per-recipient quarantines remotely using the management IP address.

About FortiMail logical interfaces

In addition to the FortiMail physical interfaces, you can create the following types of logical interfaces on FortiMail:

VLAN subinterfaces

A Virtual LAN (VLAN) subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.

VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.

For information about adding VLAN subinterfaces, see Configuring the network interfaces.

Redundant interfaces

On the FortiMail unit, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

A physical interface is available to be in a redundant interface if:

  • it is a physical interface, not a VLAN interface
  • it is not already part of a redundant interface
  • it has no defined IP address and is not configured for DHCP
  • it does not have any VLAN subinterfaces
  • it is not monitored by HA

When a physical interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface anymore.

For information about adding redundant interfaces, see Configuring the network interfaces.

Loopback interfaces

A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

The FortiMail unit's loopback IP address does not depend on one specific external port, so it is possible to access it through several physical or VLAN interfaces. In the current release, you can add only one loopback interface on the FortiMail unit.

The loopback interface is useful when you use a layer 2 load balancer in front of several FortiMail units. In this case, you can set the FortiMail loopback interface’s IP address the same as the load balancer’s IP address and thus the FortiMail unit can pick up the traffic forwarded to it from the load balancer.

For information about adding a loopback interface, see Configuring the network interfaces.

Configuring the network interfaces

The System > Network > Interface tab displays the FortiMail unit’s network interfaces.

You must configure at least one network interface for the FortiMail unit to connect to your network. Depending on your network topology and other considerations, you can connect the FortiMail unit to your network using two or more of the network interfaces. You can configure each network interface separately. You can also configure advanced interface options, including VLAN subinterfaces, redundant interfaces, and loopback interfaces. For more information, see About FortiMail logical interfaces, and Editing network interfaces.

Note

If your FortiMail unit is not properly deployed and configured for the topology of your network, including network interface connections, email may bypass the FortiMail unit.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see About administrator account permissions and domains.

To view the list of network interfaces, go to System > Network > Interface.

GUI item

Description

Interface name

Displays the name of the network interface, such as port1.

If the FortiMail unit is operating in transparent mode, this column also indicates that the management IP address is that of port1. For more information, see About the management IP.

Type

Displays the interface type: physical, VLAN, redundant, or loopback. For details, see About FortiMail logical interfaces.

Bridge Member

In transparent mode, this column indicates if the port is on the same bridge as the management IP. By default, all ports are on the bridge. See Editing network interfaces for information on bridged networks in transparent mode.

IP/Netmask

Displays the IP address and netmask of the network interface.

If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging. This means that Do not associate with management IP has been disabled, and the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP and Netmask may alternatively display bridged (isolated) while the effective HA operating mode is secondary and therefore the network interface is currently disconnected from the network, or bridging (waiting for recovery) while the effective HA operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur, beginning connectivity. For more information, see Effective Operating Mode and Virtual IP address.

IPv6/Netmask

Displays the IPv6 address and netmask of the network interface. For more information about IPv6 support, see About IPv6 Support.

Access

Displays the administrative access and webmail access services that are enabled on the network interface, such as HTTPS for the web UI.

Status

Indicates the up (available) or down (unavailable) administrative status for the network interface.

  • Green up arrow: The network interface is up and can receive traffic.
  • Red down arrow: The network interface is down and cannot send or receive traffic.

To change the administrative status (that is, bring up or down a network interface), see Editing network interfaces.

Editing network interfaces

You can edit FortiMail’s physical network interfaces to change their IP addresses, netmasks, administrative access protocols, and other settings. You can also create or edit logical interfaces, such as VLANs, redundant interfaces and the loopback interface.

Caution

Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiMail unit.

If your FortiMail unit operates in transparent mode, depending on your network topology you may need to configure its network interfaces.

  • If all email servers protected by the FortiMail unit are located on the same subnet, no network interface configuration is necessary. Bridging is the default configuration for network interfaces when the FortiMail unit operates in transparent mode, and the FortiMail unit will bridge all connections occurring through it from the network to the protected email servers.
  • If email servers protected by the FortiMail unit are located on different subnets, you must connect those email servers through separate physical ports on the FortiMail unit, and configure the network interfaces associated with those ports, assigning IP addresses and removing them from the bridge.

It is possible to configure a mixture of bridging and non-bridging network interfaces. For example, if some email servers belong to the same subnet, network interfaces for those email servers may remain in the bridge group; email servers belonging to other subnets may be attached to network interfaces that are not associated with the bridge.

Note

You can restrict which IP addresses are permitted to log in as a FortiMail administrator through network interfaces. For details, see Configuring administrator accounts.

To create or edit a network interface
  1. Go to System > Network > Interface.
  2. Double-click a network interface to modify it or select the interface and click Edit. If you want to create a logical interface, click New.
  3. The Edit Interface dialog appears. Its appearance varies by:
     • the operation mode of the FortiMail unit (gateway, transparent, or server)
     • if the FortiMail unit is operating in transparent mode, by whether the network interface is port1, which is required to be configured as a Layer 2 bridge and associated with the management IP, and therefore cannot be configured with its own IP and Netmask
  4. For gateway mode or server mode, configure the following:

    GUI item

    Description

    Interface Name

    If you are editing an existing interface, this field displays the name (such as port2) and media access control (MAC) address for this network interface.

    If you are creating a logical interface, enter a name for the interface.

    Type

    If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see About FortiMail logical interfaces.

    VLAN

    If you want to create a VLAN subinterface, select the interface on which you want to create the subinterface.

    Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.

    Redundant

    If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.

    Loopback

    If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.

    Addressing mode

    Manual

    Select to enter a static IP address, then enter the IP address and netmask for the network interface.

    IP/Netmask

    Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in gateway mode or server mode, this option is available only if Manual is selected.

    Note: IP addresses of different interfaces cannot be on the same subnet.

    DHCP

    Select to retrieve a dynamic IP address using DHCP.

    This option appears only if the FortiMail unit is operating in gateway mode or server mode.

    Retrieve default gateway and DNS from server

    Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values.

    Connect to server

    Enable for the FortiMail unit to attempt to obtain DHCP addressing information from the DHCP server.

    Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time.

    Advanced Setting

    Access

    Enable protocols that this network interface should accept for connections to the FortiMail unit itself (these options do not affect connections that will travel through the FortiMail unit).

    • HTTPS: Enable to allow secure HTTPS connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
    • HTTP: Enable to allow HTTP connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
      For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see Configuring global quarantine report settings.
    • PING: Enable to allow ICMP ECHO (ping) responses from this network interface.
      For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
    • SSH: Enable to allow SSH connections to the CLI through this network interface.
    • SNMP: Enable to allow SNMP connections (queries) to this network interface.
      For information on further restricting access, or on configuring the network interface that will be the source of traps, see Configuring the network interfaces.
    • TELNET: Enable to allow Telnet connections to the CLI through this network interface.

    Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see Configuring administrator accounts.

    Web access

    Enable the GUI access type that this network interface should accept.

    • Admin: Enable to allow access to the admin GUI through this interface.
    • Webmail: Enable to allow webmail access through this interface.

    Mail access

    Enable the email access protocols that this network interface should accept: SMTP, SMTPS, IMAP, IMAPS, POP3, or POP3S.

    MTU

    Enter the maximum packet or Ethernet frame size in bytes.

    If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

    The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.

    Administrative status

    Select either:

    • Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
    • Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.

    If the FortiMail unit is operating in transparent mode, configure the following:

    GUI item

    Description

    Interface Name

    Displays the name (such as port2) and media access control (MAC) address for this network interface.

    If you are creating a logical interface, enter a name for the interface.

    Type

    If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see About FortiMail logical interfaces.

    VLAN

    If you want to create a VLAN subinterface, select the interface on which you want to create the subinterface.

    Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.

    Redundant

    If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.

    Loopback

    If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.

    Addressing mode

    Do not associate with management IP

    Enable to configure an IP address and netmask for this network interface, separate from the management IP, then configure IP/Netmask.

    This option appears only if the network interface is not port1, which is required to be a member of the bridge.

    IP/Netmask

    Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in transparent mode, this option is available only if Do not associate with management IP is enabled.

    Access

    Enable protocols that this network interface should accept for connections to the FortiMail unit itself (these options do not affect connections that will travel through the FortiMail unit).

    • HTTPS: Enable to allow secure HTTPS connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
    • HTTP: Enable to allow HTTP connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
      For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see Configuring global quarantine report settings.
    • PING: Enable to allow ICMP ECHO (ping) responses from this network interface.
      For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
    • SSH: Enable to allow SSH connections to the CLI through this network interface.
    • SNMP: Enable to allow SNMP connections (queries) to this network interface.
      For information on further restricting access, or on configuring the network interface that will be the source of traps, see Configuring the network interfaces.
    • TELNET: Enable to allow Telnet connections to the CLI through this network interface.

    Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see Configuring administrator accounts.

    MTU

    Override default MTU value (1500)

    Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

    If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

    The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.

    Administrative status

    Select either:

    • Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
    • Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.

    SMTP Proxy

    When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified.

    Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.

    For more information about the FortiMail transparent mode proxy and implicit SMTP relay, see Configuring LDAP profiles.

    Note: When a FortiMail unit proxies or relays traffic, whether the email will be scanned or not depends on the policies you specify. For more information about policies, see Configuring policies.

    Incoming connections

    Select how the proxy or built-in MTA will handle SMTP connections for that interface that are incoming to the IP addresses of email servers belonging to a protected domain.

    • Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
    • Drop: Drop connections.
    • Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see Configuring policies.

    Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see Avoiding scanning email twice.

    Outgoing connections

    Select how the proxy or built-in MTA will handle SMTP connections for that interface that are outgoing to the IP addresses of email servers that are not a protected domain.

    • Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
    • Drop: Drop connections.
    • Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see Configuring policies.

    Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see Avoiding scanning email twice.

    Local connections

    Select how the FortiMail unit will handle SMTP connections on each network interface that are destined for the FortiMail unit itself, such as quarantine release or delete messages and Bayesian training messages.

    • Allow: SMTP connections will be allowed.
    • Disallow: SMTP connections will be blocked.

To configure a non-bridging network interface
  1. Go to System > Network > Interface.
  2. Double-click the network interface to modify it or select the interface and click Edit.
  3. Enable Do not associate with management IP. This option appears only when the FortiMail unit is operating in transparent mode and the network interface is not port1, which is required to be a member of the bridge.

     Note

     Port 1 is required to be a member of the bridge and cannot be removed from it.

  4. In IP/Netmask, enter the IP address and netmask of the network interface.
  5. Click OK.
  6. Repeat this procedure for each network interface that is connected to an email server on a distinct subnet. When complete, configure static routes for those email servers. For details, see Configuring static routes. Also configure each protected domain to indicate through which network interface its email servers are connected. For details, see This server is on.
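Serving the Caution at the top of this section and the Access and Web access options in the interface tables above, here is an added example (not Fortinet code) that audits a set of interface settings for cleartext administrative protocols and for administrative access on interfaces not marked as trusted. The record layout, the `trusted` flag and the sample interfaces are constructed assumptions, not the FortiMail configuration schema.

```python
"""Audit per-interface administrative access against the guidance on this page:
enable admin access only on trusted interfaces, and prefer HTTPS/SSH over
HTTP/Telnet. Added example, not Fortinet code; the record layout and samples
are constructed assumptions, not the FortiMail configuration schema."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Access protocols listed on this page, grouped by what they expose.
WEB_ADMIN = frozenset({"HTTPS", "HTTP"})         # administrative only when Admin web access is on
SHELL_OR_SNMP = frozenset({"SSH", "TELNET", "SNMP"})  # always administrative
CLEARTEXT = frozenset({"HTTP", "TELNET"})        # sessions a third party can intercept
ALL_ACCESS = WEB_ADMIN | SHELL_OR_SNMP | frozenset({"PING"})


@dataclass(frozen=True)
class Interface:
    name: str
    access: FrozenSet[str]       # Access: subset of HTTPS, HTTP, PING, SSH, SNMP, TELNET
    web_access: FrozenSet[str]   # Web access: subset of Admin, Webmail
    trusted: bool                # assumption: operator marks management-network ports
    status: str = "up"           # Administrative status: up or down


def audit_interface(iface: Interface) -> List[str]:
    """Return findings for one interface; an empty list means it follows the guidance."""
    unknown = iface.access - ALL_ACCESS
    if unknown:
        raise ValueError(f"{iface.name}: unknown access protocol(s) {sorted(unknown)}")
    findings: List[str] = []
    if iface.status == "down":
        return findings  # a downed interface cannot receive traffic, nothing to report
    cleartext = iface.access & CLEARTEXT
    if cleartext:
        findings.append(f"{iface.name}: cleartext protocol(s) enabled: "
                        f"{', '.join(sorted(cleartext))}")
    # HTTP(S) reaches the admin GUI only when the Admin web access type is enabled;
    # SSH, Telnet and SNMP are administrative regardless of the web access setting.
    admin_exposed = bool(iface.access & SHELL_OR_SNMP) or (
        "Admin" in iface.web_access and bool(iface.access & WEB_ADMIN))
    if admin_exposed and not iface.trusted:
        findings.append(f"{iface.name}: administrative access enabled on an untrusted interface")
    return findings


def audit(interfaces: List[Interface]) -> Dict[str, List[str]]:
    """Audit every interface and return only those with findings."""
    result: Dict[str, List[str]] = {}
    for iface in interfaces:
        findings = audit_interface(iface)
        if findings:
            result[iface.name] = findings
    return result


# Constructed sample: a management port, an Internet-facing webmail port,
# a misconfigured port, and an administratively down port.
SAMPLE = [
    Interface("port1", frozenset({"HTTPS", "SSH", "PING"}), frozenset({"Admin"}), trusted=True),
    Interface("port2", frozenset({"HTTPS", "PING"}), frozenset({"Webmail"}), trusted=False),
    Interface("port3", frozenset({"HTTP", "TELNET", "SNMP"}), frozenset({"Admin", "Webmail"}),
              trusted=False),
    Interface("port4", frozenset({"HTTP"}), frozenset({"Admin"}), trusted=False, status="down"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print("\n".join(findings))
```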

Configuring link status monitoring

Link status monitoring enables the FortiMail unit to track the status of its interfaces and to bring an interface down or up based on the state of another associated interface.

Interface tracking

FortiMail units can process email before delivering it to your company’s internal mail server. In this configuration, mail comes from an external interface into the FortiMail unit. Then the mail is processed for spam, viruses, and so on. The mail is then forwarded over an internal interface to a company internal mail server for internal distribution.

For redundancy, companies can configure a secondary FortiMail unit that is connected to a secondary internal mail server. In this configuration the secondary FortiMail unit is normally not active, with all mail going through the primary FortiMail unit. The secondary system is activated when the external interface on the primary FortiMail unit is unreachable. Mail is routed to the secondary system until the primary unit can be reached, and then the mail is delivered to the primary FortiMail unit once again. In this configuration the mail only goes to one FortiMail unit or the other; it is never divided between the two.

If the internal mail server becomes unreachable from the primary FortiMail unit's internal interface, the primary FortiMail unit needs to stop the incoming email or the email will continue to accumulate and not be delivered.

The FortiMail unit can track the status of the internal interface. When interface tracking sees the internal interface go down, it brings down the FortiMail external interface. This stops email from accumulating on the primary FortiMail unit. If your company has the redundant secondary FortiMail unit configured, email can be routed to it until the primary FortiMail unit can be reached again. Interface tracking also brings the external interface up when the internal interface comes back up.

With interface tracking, you can set which interfaces are associated. You can also set how often interface tracking checks the status of the interfaces. This is the maximum delay before the interfaces associated with the downed interface are brought down as well.

Configuring Link Status propagation

The Propagate Link Status to Ports section of the Link Status screen shows any interfaces whose status is linked to this interface.

Linking the state of an internal link to the external link prevents an accumulation of undeliverable mail from building up on the FortiMail unit when the internal link goes down.

To configure Link Status propagation
  1. Go to System > Network > Link Monitor.
  2. Select the enable button.
  3. Enter the number of seconds between checks of the Link Status. If this is set to zero, the Link Status will not propagate to the other ports.
  4. Enter the number of seconds to delay after a link state operation before checking the status.
  5. Under Link Status, select the interface you want to propagate the status from, then click Edit for the interface.
  6. In the Link Status Setting popup window, specify the ports you want to propagate the status to by moving the ports from the left box to the right box.
  7. Click OK to confirm your selections and return to the Link Status screen.
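A time-stepped model of the interface tracking and Link Status propagation described above, added here as an example and not Fortinet code. It assumes the monitor checks every `interval` seconds (0 turns propagation off), that a check which changes a port's state defers the next check by `delay` seconds, and that each port selected under a monitored interface follows it down and back up; port names and timings are constructed.

```python
"""Model of interface tracking as described on this page (added example, not
Fortinet code). Assumptions: checks run every `interval` seconds (0 = never
propagate); a check that changes a port's state waits `delay` seconds before the
next check; followers go down and come back up with the monitored port."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LinkEvent = Tuple[int, str, bool]   # (time in seconds, port, link is up)


@dataclass
class LinkMonitor:
    interval: int                       # seconds between checks; 0 = do not propagate
    delay: int                          # seconds to wait after a link-state operation
    propagate: Dict[str, Set[str]]      # monitored port -> ports whose status follows it
    link_up: Dict[str, bool]            # physical link state per port (the input)
    admin_up: Dict[str, bool] = field(default_factory=dict)  # state set by tracking
    next_check: int = 0
    events: List[LinkEvent] = field(default_factory=list)    # propagation operations

    def __post_init__(self) -> None:
        for port in self.link_up:
            self.admin_up.setdefault(port, True)

    def set_link(self, port: str, up: bool) -> None:
        """Record a physical link change, e.g. the internal mail server's switch port."""
        self.link_up[port] = up

    def tick(self, now: int) -> bool:
        """Run one second of the monitor; returns True when a check actually ran."""
        if self.interval == 0 or now < self.next_check:
            return False
        changed = False
        for src, followers in self.propagate.items():
            want = self.link_up[src]
            for port in followers:
                if self.admin_up[port] != want:
                    self.admin_up[port] = want      # bring the follower down or up
                    self.events.append((now, port, want))
                    changed = True
        # Assumption: after an operation wait `delay`, otherwise the regular interval.
        self.next_check = now + (self.delay if changed else self.interval)
        return True


def simulate(monitor: LinkMonitor, link_events: List[LinkEvent], horizon: int) -> List[LinkEvent]:
    """Apply link events in time order, ticking the monitor once per second."""
    pending = sorted(link_events)
    for now in range(horizon + 1):
        while pending and pending[0][0] == now:
            _, port, up = pending.pop(0)
            monitor.set_link(port, up)
        monitor.tick(now)
    return monitor.events


def max_lag(link_events: List[LinkEvent], events: List[LinkEvent]) -> Optional[int]:
    """Largest gap (seconds) between a link change and the matching propagation."""
    lags = []
    for t_link, _, up in link_events:
        later = [t for t, _, u in events if u == up and t >= t_link]
        if later:
            lags.append(min(later) - t_link)
    return max(lags) if lags else None


def demo() -> List[LinkEvent]:
    """Primary unit: port2 faces the internal mail server, port1 faces the outside."""
    mon = LinkMonitor(interval=5, delay=2, propagate={"port2": {"port1"}},
                      link_up={"port1": True, "port2": True})
    # Constructed timeline: internal link drops at t=7 and recovers at t=11.
    return simulate(mon, [(7, "port2", False), (11, "port2", True)], horizon=20)


if __name__ == "__main__":
    for t, port, up in demo():
        print(f"t={t}s: {port} brought {'up' if up else 'down'}")
```

With a 5-second check interval the external port follows the internal one down within at most 5 seconds of the link change (3 seconds in this timeline), which is the bound the text describes.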

Configuring static routes

The System > Network > Routing tab displays a list of routes and lets you configure static routes and gateways used by the FortiMail unit.

Static routes direct traffic exiting the FortiMail unit. You can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations.

A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet’s destination IP address.

You should configure at least one static route, a default route, that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses.

To determine which route a packet will be subject to, the FortiMail unit compares the packet’s destination IP address to those of the static routes and forwards the packet to the route with the largest prefix match.

For example, if an SMTP server is directly attached to one of the network interfaces, but all other destinations, such as connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default route for the gateway router through which the FortiMail unit connects to the Internet.
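The largest-prefix-match rule just described, as an added example that is not Fortinet code: a constructed routing table with a default route (0.0.0.0/0.0.0.0) and two more specific routes, with interface names, subnets and gateway addresses that are assumptions.

```python
"""Route selection by largest prefix match as described on this page (added
example, not Fortinet code). Table entries are constructed assumptions."""
import ipaddress
from typing import List, NamedTuple, Optional


class StaticRoute(NamedTuple):
    destination: ipaddress.IPv4Network   # Destination IP/netmask
    interface: str                       # interface the route applies to
    gateway: ipaddress.IPv4Address       # next-hop router reachable from that interface


def make_route(dest: str, interface: str, gateway: str) -> StaticRoute:
    """Build a route from GUI-style strings; accepts a dotted netmask or a prefix length."""
    # strict=False tolerates host bits set in the address part, as an administrator might type.
    return StaticRoute(ipaddress.IPv4Network(dest, strict=False), interface,
                       ipaddress.IPv4Address(gateway))


def select_route(table: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Return the matching route with the longest prefix, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[StaticRoute] = None
    for route in table:
        if addr in route.destination and (
                best is None or route.destination.prefixlen > best.destination.prefixlen):
            best = route
    return best


def explain(table: List[StaticRoute], dst: str) -> str:
    """One-line description of the decision for a destination address."""
    r = select_route(table, dst)
    if r is None:
        return f"{dst}: no route"
    return f"{dst}: via {r.gateway} on {r.interface} ({r.destination}, /{r.destination.prefixlen} wins)"


# Constructed table, in the order an administrator might have created the routes:
# the default route (matches everything, prefix length 0), a corporate /8 and the
# SMTP server subnet. Order does not matter; only the prefix length does.
TABLE = [
    make_route("0.0.0.0/0.0.0.0", "port1", "192.0.2.1"),         # default route to the Internet
    make_route("10.0.0.0/255.0.0.0", "port3", "10.255.0.1"),     # corporate WAN
    make_route("10.0.1.0/255.255.255.0", "port2", "10.0.1.1"),   # SMTP server subnet
]

if __name__ == "__main__":
    for dst in ("10.0.1.25", "10.20.0.7", "203.0.113.9"):
        print(explain(TABLE, dst))
```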

To configure static routes
  1. Go to System > Network > Routing.
  2. Either click New to add a route or double-click a route to modify it. A dialog appears.
  3. In Destination IP/netmask, enter the destination IP address and netmask of packets that will be subject to this static route. To create a default route that will match all packets, enter 0.0.0.0/0.0.0.0.
  4. Select the interface that this route applies to.
  5. In Gateway, type the IP address of the next-hop router to which the FortiMail unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
  6. Click Create.

    Configuring DNS

    FortiMail units require DNS servers for features such as reverse DNS lookups, FortiGuard connectivity, and other aspects of email processing. Your ISP may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

    Caution

    If the FortiMail unit is operating in gateway mode, you must configure the MX record of the DNS server for each protected domain to direct all email to this FortiMail unit instead of the protected SMTP servers. Failure to update the records of your DNS server may enable email to circumvent the FortiMail unit.

    Note

    For improved FortiMail unit performance, use DNS servers on your local network.

    Go to System > Network > DNS to configure the DNS servers that the FortiMail unit queries to resolve domain names into IP addresses.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read-Write permission to the Others category

    For details, see About administrator account permissions and domains.

    Configuring dynamic DNS

    The System > Network > DDNS tab lets you configure the FortiMail unit to use a dynamic DNS (DDNS) service.

    If the FortiMail unit has a static domain name but a dynamic public IP address, you can use DDNS to update DNS servers on the Internet when the public IP address for its fully qualified domain name (FQDN) changes. For information on setting a dynamic public IP address, see the DHCP option.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read-Write permission to the Others category

    For details, see About administrator account permissions and domains.

    To view and configure dynamic DNS accounts
    1. Go to System > Network > DDNS.
    2. GUI item

      Description

      Server

      Displays the name of your DDNS service provider.

      User Name

      Displays your user name for the DDNS service provider.

      Host/Domain Name

      A public host name or fully qualified domain name (FQDN) that should resolve to the public IP address of the FortiMail unit.

      Its public DNS records are updated by the DDNS service provider when the FortiMail unit sends its current public IP address. As such, it might not be the same as the host name and local domain name that you configured in Host name and Local domain name, which could be valid only for your internal network.

      Update Time

      Displays the interval in hours that the FortiMail unit waits between contacts to the DDNS service provider.

    3. If you have not yet configured the dynamic DNS account that the FortiMail unit will use when it connects to the DDNS service provider, click New.
    4. A dialog appears.

      GUI item

      Description

      Server

      Select a DDNS service provider to which the FortiMail unit will send DDNS updates.

      User name

      Enter the user name of your account with the DDNS service provider. The FortiMail unit will provide this to authenticate itself with the service when sending updates.

      Password

      Enter the password for the DDNS user name.

      Update time

      Enter the interval in hours between each time that the FortiMail unit will query the DDNS service provider’s IP detection page if IP mode is Auto detect.

      Caution: Do not exceed the recommended frequency published by your DDNS service provider. Some DDNS service providers consider excessive connections to be abusive, and may ignore further queries from the FortiMail unit.

    5. Click Create.
    6. The tab returns to the list of dynamic DNS accounts, which should now include your new account.
    7. Double-click the row corresponding to the new DDNS account.
    8. The Host/Domain Name Setting area is now visible.

    9. In the Host/Domain Name Setting area, click Create New, or, to modify an existing host/domain name, select its row and click Edit.
    10. A dialog appears.

    11. Configure the following:
    12. GUI item

      Description

      Server

      Displays the dynamic DNS service provider of this account.

      Status

      Enable to update the DDNS service provider when the FortiMail unit’s public IP address changes.

      Disable to notify the DDNS service provider that this FQDN should use its offline redirect, if you configured any. If the FortiMail unit’s public IP address changes, it will not notify the DDNS service provider.

      Host name

      Enter the fully qualified domain name (FQDN) whose records the DDNS provider should update.

      IP mode

      Select which of the following ways the FortiMail unit should use to determine its current publicly routable IP address.

      • Auto detect: Periodically query the DDNS service provider’s IP address detection web page to see if the FortiMail unit’s public IP address has changed. The IP detection web page returns the apparent source IP address of the query. If this IP address has changed, the FortiMail unit then sends an update request to the DDNS service provider, causing it to update DNS records for the FQDN in Host name.
        This option is the most common choice. To configure the interval of DDNS IP detection queries, see Update time.

      Note: If this query occurs through a NAT device such as a router or firewall, its apparent source IP address will not be the private network IP address of any of the FortiMail unit’s network interfaces. Instead, it will be the IP address of the NAT device’s externally facing network interface.
      For example, a public virtual IP (VIP) on a FortiGate unit in NAT mode might be used to route email from the Internet to a FortiMail unit. DDNS updates are also routed out from the VIP to the DDNS service provider on the Internet. From the DDNS service provider’s perspective, the DDNS update connection appears to come from the VIP, and therefore it updates the DNS records with the IP address of the VIP. The DDNS service provider does not know the private network address of the FortiMail unit.

      • Bind interface: Use the current IP address of one of the FortiMail unit’s network interfaces. Choose this option only if the network interface has an IP address that is routable from the Internet — that is, it is not an RFC 1918 private network address.
      • Static IP: Use an IP address that you configure. You must manually update the accompanying field if the FortiMail unit’s public IP address changes.

      Type

      Select one of the following:

      • dynamic (this is the default)
      • static
      • custom

      To verify your DDNS configuration and connectivity, do not query DNS servers: depending on DNS caching, record propagation, and other effects, DNS queries may not be able to determine whether the update actually reached your DDNS service provider.

      Instead, log in to your DDNS service provider account and verify whether its host records have been updated. You can also view the FortiMail event log. Log messages such as this indicate DDNS update failure:

      DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251752285
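      The event log check described above, as an added example in Python that is not part of the original guide: it parses lines shaped like the failure message quoted in the text, converts the "next try" epoch to a UTC time, and lists the FQDNs whose updates keep failing. The log excerpt is constructed (the first line is the message from the text; the others, and the field names, are assumptions).

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

# Shape of the DDNS failure message quoted in the guide. Group names are
# assumptions made for this example, not FortiMail log field names.
DDNS_FAILURE = re.compile(
    r"DDNS daemon failed on update (?P<server>\S+), "
    r"domain (?P<domain>\S+), next try at (?P<next_try>\d+)"
)


def parse_ddns_failure(line: str) -> Optional[dict]:
    """Return the provider, FQDN and next retry time of a DDNS failure line,
    or None for any other event log line."""
    m = DDNS_FAILURE.search(line)
    if not m:
        return None
    return {
        "server": m.group("server"),
        "domain": m.group("domain"),
        # "next try at" is a Unix timestamp; render it as an aware UTC datetime
        "next_try": datetime.fromtimestamp(int(m.group("next_try")), tz=timezone.utc),
    }


def repeated_failures(lines, threshold: int = 3) -> dict:
    """FQDNs whose DDNS update failed at least `threshold` times in the given
    event log excerpt. These are the host records to verify at the provider,
    since a stale public IP means mail for the FQDN goes to the wrong host."""
    counts = Counter()
    for line in lines:
        rec = parse_ddns_failure(line)
        if rec:
            counts[rec["domain"]] += 1
    return {domain: n for domain, n in counts.items() if n >= threshold}


# Constructed event log excerpt: line 1 is the message quoted in the guide,
# the remaining lines are made up for this example.
SAMPLE_LOG = [
    "DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251752285",
    "DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251755885",
    "DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251759485",
    "DDNS daemon failed on update members.dyndns.org, domain mx2.example.com, next try at 1251752300",
    "admin login from 10.0.0.5 via https",  # unrelated event, must be ignored
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ddns_failure(line))
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
```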

    Configuring port forwarding

    FortiMail port forwarding allows remote computers, for example, computers on the Internet, to connect to a specific computer or service within a private local area network (LAN). Port Forwarding is useful when FortiMail is deployed as a gateway and you want external users to access an internal server via FortiMail.

    For example, FortiMail port1 is connected to the Internet and its IP address 192.168.37.4, port 7000, is mapped to 10.10.10.42, port 8000, on a private network. Attempts to communicate with 192.168.37.4, port 7000, from the Internet are translated and sent to 10.10.10.42, port 8000, by the FortiMail unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 7000, rather than the 10.10.10.42 network behind the FortiMail unit.

    To view and configure port forwarding rules
    1. Go to System > Network > Port Forwarding.
    2. GUI item

      Description

      ID

      Displays the ID number assigned by the FortiMail unit.

      Protocol

      Displays the type of protocol.

      Host IP

      Displays the mapped IP address.

      Host Port

      Displays the assigned port number on the host computer.

      Destination IP

      Displays the IP address being mapped to the host.

      Destination Port

      Displays the assigned port number of the destination computer.

    3. Select New to configure a new forwarding rule or double-click a rule to modify it.
    4. A dialog appears.

    5. In Protocol, specify the protocol that the rule will apply to: TCP, UDP, or Both.
    6. In Host IP and Port, enter the IP address and port number that will be mapped. In most cases, they are the IP address and port of the receiving FortiMail interface. In the above example, they are 192.168.37.4 and 7000.
    7. In Destination IP and Port, enter the IP address and port number that will be mapped to. In most cases, they are the IP address and port of the system behind the FortiMail unit. In the above example, they are 10.10.10.42 and 8000.
    8. Click Create.
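    The translation described in this section, as an added example in Python that is not part of the original guide: a rule table with the Protocol, Host IP/Port and Destination IP/Port fields, the inbound rewrite and the matching rewrite of replies, plus a check for rules that claim the same host socket. Rule 1 uses the addresses from the example above; rule 2 and the conflict-check rule are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortForwardRule:
    """One row of System > Network > Port Forwarding (constructed model)."""
    rule_id: int
    protocol: str   # "TCP", "UDP" or "Both", as in the Protocol field
    host_ip: str    # address/port on the receiving FortiMail interface
    host_port: int
    dest_ip: str    # address/port of the system behind the FortiMail unit
    dest_port: int

    def covers(self, proto: str) -> bool:
        return self.protocol == "Both" or self.protocol == proto


def forward(rules, proto: str, dst_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
    """Inbound direction: the (IP, port) a packet addressed to dst_ip:dst_port
    on the FortiMail interface is rewritten to. None means no rule applies and
    the packet is for the FortiMail unit itself."""
    for rule in rules:
        if rule.covers(proto) and (rule.host_ip, rule.host_port) == (dst_ip, dst_port):
            return rule.dest_ip, rule.dest_port
    return None


def reply(rules, proto: str, src_ip: str, src_port: int) -> Optional[tuple[str, int]]:
    """Return direction: the internal server's reply is rewritten back, so the
    Internet peer only ever sees the FortiMail host address and port."""
    for rule in rules:
        if rule.covers(proto) and (rule.dest_ip, rule.dest_port) == (src_ip, src_port):
            return rule.host_ip, rule.host_port
    return None


def conflicting_rules(rules) -> list[tuple[int, int]]:
    """Pairs of rule IDs that claim the same host IP/port for an overlapping
    protocol; only the first such rule can ever take effect."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_socket = (a.host_ip, a.host_port) == (b.host_ip, b.host_port)
            overlap = (a.covers("TCP") and b.covers("TCP")) or (a.covers("UDP") and b.covers("UDP"))
            if same_socket and overlap:
                pairs.append((a.rule_id, b.rule_id))
    return pairs


RULES = [
    PortForwardRule(1, "TCP", "192.168.37.4", 7000, "10.10.10.42", 8000),  # example from the text
    PortForwardRule(2, "Both", "192.168.37.4", 5353, "10.10.10.53", 53),   # constructed
]

if __name__ == "__main__":
    print(forward(RULES, "TCP", "192.168.37.4", 7000))   # ('10.10.10.42', 8000)
    print(reply(RULES, "TCP", "10.10.10.42", 8000))      # ('192.168.37.4', 7000)
    print(conflicting_rules(RULES))                      # []
```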

    Scanning SMTP traffic redirected from FortiGate

    FortiMail and FortiGate support Web Cache Communication Protocol (WCCP) to redirect SMTP traffic from FortiGate to FortiMail. If the FortiGate unit is configured to redirect SMTP traffic to FortiMail for antispam scanning (for details, see the FortiGate documentation), you must configure the corresponding settings on the FortiMail side so that it accepts the SMTP traffic from FortiGate.

    To configure the WCCP communication with FortiGate
    1. Go to System > Network > FortiGate.
    2. Configure the following settings:

    GUI item

    Description

    Enabled

    Enable WCCP communication with FortiGate.

    Tunnel ID

    Enter the WCCP tunnel ID assigned by FortiGate.

    Local IP

    Enter the IP address of the FortiMail interface that communicates with FortiGate.

    Remote IP

    Enter the IP address of the FortiGate interface that communicates with FortiMail.

    Authentication

    Enable if authentication is required on both sides.

    Password

    Enter the authentication password.

    Using the traffic capture

    When troubleshooting networks, it helps to look inside the contents of the packets. This helps to determine if the packets, route, and destination are all what you expect. Traffic capture can also be called packet sniffing, a network tap, or logic analyzing.

    Packet sniffing tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:

    • finding missing traffic
    • seeing if sessions are setting up properly
    • locating ARP problems such as broadcast storm sources and causes
    • confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
    • confirming routing is working as you expect
    • intermittent missing PING packets.

    If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, how the traffic enters and exits the FortiMail unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet sniffing to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.

    Before you start sniffing packets, you need to have a good idea of what you are looking for. Sniffing is used to confirm or deny your ideas about what is happening on the network. If you try sniffing without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to sniff enough packets to really understand all of the patterns and behavior that you are looking for.

    To capture the traffic
    1. Go to System > Network > Traffic Capture.
    2. Click New.
    3. Enter a description for the file generated from the captured traffic.
    4. Enter the time period for performing the packet capture.
    5. Specify which interface you want to capture.
    6. If you want to limit the scope of traffic capture, in the IP/HOST field, enter a maximum of 3 IP addresses or host names for which you want to capture.
    7. Select the filter for the traffic capture:
    • Use protocol: Only UDP or TCP traffic on the specified port number will be captured.
    • Capture all: All network traffic will be captured.
    8. For Exclusion, enter the IP addresses/host names and port numbers for which you do not want to capture traffic.
    9. Click Create.
    About the management IP

    When a FortiMail unit operates in transparent mode, you can configure one or more of its network interfaces to act as a Layer 2 bridge, without IP addresses of their own. However, the FortiMail unit must have an IP address for administrators to configure it through a network connection rather than a local console. The management IP address enables administrators to connect to the FortiMail unit through port1 or other network ports, even when they are currently bridging.

    By default, the management IP address is indirectly bound to port1 through the bridge. If other network interfaces are also included in the bridge with port1, you can configure the FortiMail unit to respond to connections to the management IP address that arrive on those other network interfaces. For more information, see Do not associate with management IP.

    Unless you configured an override server IP address, the FortiMail unit uses this IP address to connect to the FortiGuard Distribution Network (FDN). Depending on your network topology, the management IP may be a private network address. In this case, it is not routable from the FDN and is unsuitable for use as the destination IP address of push update connections from the FDN. For push updates to function correctly, you must configure an override server. For details, see Configuring FortiGuard antivirus service.

    You can access the web UI, FortiMail webmail, and the per-recipient quarantines remotely using the management IP address.

    About FortiMail logical interfaces

    In addition to the FortiMail physical interfaces, you can create the following types of logical interfaces on FortiMail:

    VLAN subinterfaces

    A Virtual LAN (VLAN) subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.

    VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

    One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.

    For information about adding VLAN subinterfaces, see Configuring the network interfaces.

    Redundant interfaces

    On the FortiMail unit, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

    In a redundant interface, only one member interface carries traffic at any time. This differs from an aggregated interface, where traffic is distributed over all member interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

    A physical interface is available to be in a redundant interface if:

    • it is a physical interface, not a VLAN interface
    • it is not already part of a redundant interface
    • it has no defined IP address and is not configured for DHCP
    • it does not have any VLAN subinterfaces
    • it is not monitored by HA

    When a physical interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface anymore.

    For information about adding redundant interfaces, see Configuring the network interfaces.

    Loopback interfaces

    A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

    The FortiMail unit's loopback IP address does not depend on one specific physical port, so it can be reached through several physical or VLAN interfaces. In the current release, you can add only one loopback interface on the FortiMail unit.

    The loopback interface is useful when you use a layer 2 load balancer in front of several FortiMail units. In this case, you can set the FortiMail loopback interface’s IP address the same as the load balancer’s IP address and thus the FortiMail unit can pick up the traffic forwarded to it from the load balancer.

    For information about adding a loopback interface, see Configuring the network interfaces.

    Configuring the network interfaces

    The System > Network > Interface tab displays the FortiMail unit’s network interfaces.

    You must configure at least one network interface for the FortiMail unit to connect to your network. Depending on your network topology and other considerations, you can connect the FortiMail unit to your network using two or more of the network interfaces. You can configure each network interface separately. You can also configure advanced interface options, including VLAN subinterfaces, redundant interfaces, and loopback interfaces. For more information, see About FortiMail logical interfaces, and Editing network interfaces.

    Note

    If your FortiMail unit is not properly deployed and configured for the topology of your network, including network interface connections, email may bypass the FortiMail unit.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read-Write permission to the Others category

    For details, see About administrator account permissions and domains.

    To view the list of network interfaces, go to System > Network > Interface.

    GUI item

    Description

    Interface name

    Displays the name of the network interface, such as port1.

    If the FortiMail unit is operating in transparent mode, this column also indicates that the management IP address is that of port1. For more information, see About the management IP.

    Type

    Displays the interface type: physical, VLAN, redundant, or loopback. For details, see About FortiMail logical interfaces.

    Bridge Member

    In transparent mode, this column indicates if the port is on the same bridge as the management IP. By default, all ports are on the bridge. See Editing network interfaces for information on bridged networks in transparent mode.

    IP/Netmask

    Displays the IP address and netmask of the network interface.

    If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging. This means that Do not associate with management IP has been disabled, and the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP/Netmask may alternatively display bridged (isolated) while the effective HA operating mode is secondary and the network interface is therefore currently disconnected from the network, or bridging (waiting for recovery) while the effective HA operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur and restore connectivity. For more information, see Effective Operating Mode and Virtual IP address.

    IPv6/Netmask

    Displays the IPv6 address and netmask of the network interface. For more information about IPv6 support, see About IPv6 Support.

    Access

    Displays the administrative access and webmail access services that are enabled on the network interface, such as HTTPS for the web UI.

    Status

    Indicates the up (available) or down (unavailable) administrative status for the network interface.

    • Green up arrow: The network interface is up and can receive traffic.
    • Red down arrow: The network interface is down and cannot send or receive traffic.

    To change the administrative status (that is, bring up or down a network interface), see Editing network interfaces.

    Editing network interfaces

    You can edit FortiMail’s physical network interfaces to change their IP addresses, netmasks, administrative access protocols, and other settings. You can also create or edit logical interfaces, such as VLANs, redundant interfaces and the loopback interface.

    Caution

    Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiMail unit.

    If your FortiMail unit operates in transparent mode and depending on your network topology, you may need to configure the network interfaces of the FortiMail unit.

    • If all email servers protected by the FortiMail unit are located on the same subnet, no network interface configuration is necessary. Bridging is the default configuration for network interfaces when the FortiMail unit operates in transparent mode, and the FortiMail unit will bridge all connections occurring through it from the network to the protected email servers.
    • If email servers protected by the FortiMail unit are located on different subnets, you must connect those email servers through separate physical ports on the FortiMail unit, and configure the network interfaces associated with those ports, assigning IP addresses and removing them from the bridge.

    It is possible to configure a mixture of bridging and non-bridging network interfaces. For example, if some email servers belong to the same subnet, network interfaces for those email servers may remain in the bridge group; email servers belonging to other subnets may be attached to network interfaces that are not associated with the bridge.

    Note

    You can restrict which IP addresses are permitted to log in as a FortiMail administrator through network interfaces. For details, see Configuring administrator accounts.

    To create or edit a network interface
    1. Go to System > Network > Interface.
    2. Double-click a network interface to modify it or select the interface and click Edit. If you want to create a logical interface, click New.
    3. The Edit Interface dialog appears. Its appearance varies by:

    • the operation mode of the FortiMail unit (gateway, transparent, or server)
    • if the FortiMail unit is operating in transparent mode, by whether the network interface is port1, which is required to be configured as a Layer 2 bridge and associated with the management IP, and therefore cannot be configured with its own IP and Netmask
    4. For gateway mode or server mode, configure the following:

    GUI item

    Description

    Interface Name

    If you are editing an existing interface, this field displays the name (such as port2) and media access control (MAC) address for this network interface.

    If you are creating a logical interface, enter a name for the interface.

    Type

    If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see About FortiMail logical interfaces.

    VLAN

    If you want to create a VLAN subinterface, select the interface for which you want to create the subinterface.

    Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.

    Redundant

    If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.

    Loopback

    If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.

    Addressing mode

    Manual

    Select to enter a static IP address, then enter the IP address and netmask for the network interface.

    IP/Netmask

    Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in gateway mode or server mode, this option is available only if Manual is selected.

    Note: IP addresses of different interfaces cannot be on the same subnet.

    DHCP

    Select to retrieve a dynamic IP address using DHCP.

    This option appears only if the FortiMail unit is operating in gateway mode or server mode.

    Retrieve default gateway and DNS from server

    Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values.

    Connect to server

    Enable for the FortiMail unit to attempt to obtain DHCP addressing information from the DHCP server.

    Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time.

    Advanced Setting

    Access

    Enable protocols that this network interface should accept for connections to the FortiMail unit itself (these options do not affect connections that will travel through the FortiMail unit).

    • HTTPS: Enable to allow secure HTTPS connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
    • HTTP: Enable to allow HTTP connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
      For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see Configuring global quarantine report settings.
    • PING: Enable to allow ICMP ECHO (ping) responses from this network interface.
      For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
    • SSH: Enable to allow SSH connections to the CLI through this network interface.
    • SNMP: Enable to allow SNMP connections (queries) to this network interface.
      For information on further restricting access, or on configuring the network interface that will be the source of traps, see Configuring the network interfaces.
    • TELNET: Enable to allow Telnet connections to the CLI through this network interface.

    Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see Configuring administrator accounts.

    Web access

    Enable the GUI access type that this network interface should accept.

    • Admin: Enable to allow access to the admin GUI through this interface.
    • Webmail: Enable to allow webmail access through this interface.

    Mail access

    Enable the email access protocols that this network interface should accept: SMTP, SMTPS, IMAP, IMAPS, POP3, or POP3S.

    MTU

    Enter the maximum packet or Ethernet frame size in bytes.

    If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

    The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.

    Administrative status

    Select either:

    • Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
    • Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
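    The Access guidance above (cleartext HTTP and Telnet are interceptable; administrative access belongs only on interfaces facing trusted private networks), as an added configuration audit in Python that is not part of the original guide. The interface list is constructed, and the trusted flag is an assumption standing in for your own knowledge of which network each interface faces.

```python
from dataclasses import dataclass, field

# Protocols the guide names as not secure (cleartext) and those that reach
# the FortiMail unit's own management plane (the Access options above).
INSECURE = {"HTTP", "TELNET"}
ADMIN_PROTOCOLS = {"HTTPS", "HTTP", "SSH", "TELNET", "SNMP"}


@dataclass
class Interface:
    """Constructed model of one interface's Access settings."""
    name: str
    ip: str
    trusted: bool                                   # assumption: faces a trusted private network
    access: set = field(default_factory=set)        # enabled Access protocols


def audit_access(interfaces: list) -> list:
    """One finding per deviation from the guidance in the text."""
    findings = []
    for itf in interfaces:
        for proto in sorted(itf.access & INSECURE):
            findings.append(f"{itf.name}: {proto} is cleartext; disable it and use HTTPS/SSH instead")
        enabled_admin = itf.access & ADMIN_PROTOCOLS
        if not itf.trusted and enabled_admin:
            findings.append(
                f"{itf.name}: administrative access ({', '.join(sorted(enabled_admin))}) "
                "is enabled on an interface that does not face a trusted network"
            )
    return findings


def harden(itf: Interface) -> set:
    """The Access set the guidance would leave enabled: drop cleartext
    protocols everywhere, and drop all administrative protocols on an
    interface that does not face a trusted network (PING may stay)."""
    if itf.trusted:
        return itf.access - INSECURE
    return itf.access - ADMIN_PROTOCOLS


# Constructed interfaces: port1 faces the Internet, port2 and port3 face the
# internal management network.
INTERFACES = [
    Interface("port1", "192.168.37.4", trusted=False, access={"HTTPS", "HTTP", "PING"}),
    Interface("port2", "10.10.10.1", trusted=True, access={"HTTPS", "SSH", "TELNET"}),
    Interface("port3", "10.20.0.1", trusted=True, access={"HTTPS", "SSH"}),
]

if __name__ == "__main__":
    for finding in audit_access(INTERFACES):
        print(finding)
    for itf in INTERFACES:
        print(itf.name, "->", sorted(harden(itf)))
```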

    If the FortiMail unit is operating in transparent mode, configure the following:

    GUI item

    Description

    Interface Name

    Displays the name (such as port2) and media access control (MAC) address for this network interface.

    If you are creating a logical interface, enter a name for the interface.

    Type

    If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see About FortiMail logical interfaces.

    VLAN

    If you want to create a VLAN subinterface, select the interface for which you want to create the subinterface.

    Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.

    Redundant

    If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.

    Loopback

    If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.

    Addressing mode

    Do not associate with management IP

    Enable to configure an IP address and netmask for this network interface, separate from the management IP, then configure IP/Netmask.

    This option appears only if the network interface is not port1, which is required to be a member of the bridge.

    IP/Netmask

    Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in transparent mode, this option is available only if Do not associate with management IP is enabled.

    Access

    Enable protocols that this network interface should accept for connections to the FortiMail unit itself (these options do not affect connections that will travel through the FortiMail unit).

    • HTTPS: Enable to allow secure HTTPS connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
    • HTTP: Enable to allow HTTP connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.
      For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see Configuring global quarantine report settings.
    • PING: Enable to allow ICMP ECHO (ping) responses from this network interface.
      For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
    • SSH: Enable to allow SSH connections to the CLI through this network interface.
    • SNMP: Enable to allow SNMP connections (queries) to this network interface.
      For information on further restricting access, or on configuring the network interface that will be the source of traps, see Configuring the network interfaces.
    • TELNET: Enable to allow Telnet connections to the CLI through this network interface.

    Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see Configuring administrator accounts.
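
    The following Python is an added example (not the guide's or Fortinet's code) that audits a per-interface Access configuration against the caution above: it flags HTTP and Telnet wherever they are enabled, rates them high risk on interfaces not marked as connected to a trusted private network, and notes when a clear-text protocol is on without its encrypted counterpart (HTTPS, SSH). The interface names, the trusted set and the dictionary format are assumptions, not a real FortiMail configuration export.

```python
from typing import Dict, List, NamedTuple, Set

# Protocols selectable under Access, as listed in the guide.
ALL_ACCESS = {"HTTPS", "HTTP", "PING", "SSH", "SNMP", "TELNET"}
# The guide's caution: these two carry credentials and sessions in clear text.
CLEARTEXT_ADMIN = {"HTTP", "TELNET"}
# Encrypted replacement for each clear-text administrative protocol.
SECURE_EQUIVALENT = {"HTTP": "HTTPS", "TELNET": "SSH"}


class Finding(NamedTuple):
    interface: str
    protocol: str
    severity: str   # "high" or "low"
    message: str


def audit_access(access: Dict[str, Set[str]], trusted: Set[str]) -> List[Finding]:
    """Check each interface's enabled Access protocols.

    access  : interface name -> set of enabled protocols (constructed representation)
    trusted : interfaces the operator considers connected to a trusted private network
    """
    findings: List[Finding] = []
    for iface, protocols in sorted(access.items()):
        unknown = protocols - ALL_ACCESS
        if unknown:
            raise ValueError(f"{iface}: unknown access protocol(s) {sorted(unknown)}")
        for proto in sorted(protocols & CLEARTEXT_ADMIN):
            secure = SECURE_EQUIVALENT[proto]
            if iface in trusted:
                findings.append(Finding(iface, proto, "low",
                    f"{proto} enabled on trusted interface; prefer {secure}"))
            else:
                findings.append(Finding(iface, proto, "high",
                    f"{proto} reachable from an untrusted network; disable it and use {secure}"))
            if secure not in protocols:
                findings.append(Finding(iface, proto, "high",
                    f"{proto} enabled without {secure}: no encrypted alternative offered"))
    return findings


def high_risk_interfaces(access: Dict[str, Set[str]], trusted: Set[str]) -> List[str]:
    """Interfaces with at least one high-severity finding, for a quick summary."""
    return sorted({f.interface for f in audit_access(access, trusted) if f.severity == "high"})


# Constructed example configuration (not a real FortiMail export).
EXAMPLE_ACCESS = {
    "port1": {"HTTPS", "SSH", "PING"},            # Internet-facing: encrypted admin access only
    "port2": {"HTTPS", "HTTP", "SSH", "TELNET"},  # trusted internal, but clear-text protocols still on
    "port3": {"HTTP", "SNMP"},                    # untrusted segment with HTTP and no HTTPS
}
EXAMPLE_TRUSTED = {"port2"}

if __name__ == "__main__":
    for f in audit_access(EXAMPLE_ACCESS, EXAMPLE_TRUSTED):
        print(f"[{f.severity}] {f.interface} {f.protocol}: {f.message}")
```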

    MTU

    Override default MTU value (1500)

    Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

    If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

    The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.

    Administrative status

    Select either:

    • Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
    • Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.

    SMTP Proxy

    When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified.

    Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.

    For more information about FortiMail transparent mode proxy and implicit SMTP relay, see Configuring LDAP profiles.

    Note: When a FortiMail unit proxies or relays traffic, whether the email will be scanned or not depends on the policies you specify. For more information about policies, see Configuring policies.

    Incoming connections

    Select how the proxy or built-in MTA will handle SMTP connections for that interface that are incoming to the IP addresses of email servers belonging to a protected domain.

    • Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
    • Drop: Drop connections.
    • Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see Configuring policies.

    Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see Avoiding scanning email twice.

    Outgoing connections

    Select how the proxy or built-in MTA will handle SMTP connections for that interface that are outgoing to the IP addresses of email servers that are not a protected domain.

    • Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
    • Drop: Drop connections.
    • Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see Configuring policies.

    Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see Avoiding scanning email twice.

    Local connections

    Select how the FortiMail unit will handle SMTP connections on each network interface that are destined for the FortiMail unit itself, such as quarantine release or delete messages and Bayesian training messages.

    • Allow: SMTP connections will be allowed.
    • Disallow: SMTP connections will be blocked.

    To configure a non-bridging network interface
    1. Go to System > Network > Interface.
    2. Double-click the network interface to modify it or select the interface and click Edit.

      Note: Port 1 is required to be a member of the bridge and cannot be removed from it.

    3. Enable Do not associate with management IP.

      This option appears only when the FortiMail unit is operating in transparent mode and the network interface is not port1, which is required to be a member of the bridge.

    4. In IP/Netmask, enter the IP address and netmask of the network interface.
    5. Click OK.
    6. Repeat this procedure for each network interface that is connected to an email server on a distinct subnet. When complete, configure static routes for those email servers. For details, see Configuring static routes. Also configure each protected domain to indicate through which network interface its email servers are connected. For details, see This server is on.

    Configuring link status monitoring

    Link status monitoring enables the FortiMail unit to track the status of its interfaces and to bring an interface down or up based on the state of another associated interface.

    Interface tracking

    FortiMail units can process email before delivering it to your company’s internal mail server. In this configuration, mail comes from an external interface into the FortiMail unit. Then the mail is processed for spam, viruses and such. The mail is then forwarded over an internal interface to a company internal mail server for internal distribution.

    For redundancy, companies can configure a secondary FortiMail unit that is connected to a secondary internal mail server. In this configuration the secondary FortiMail unit is normally not active, with all mail going through the primary FortiMail unit. The secondary system is activated when the external interface on the primary FortiMail unit is unreachable. Mail is routed to the secondary system until the primary unit can be reached, and then the mail is delivered to the primary FortiMail unit once again. In this configuration the mail only goes to one FortiMail unit or the other; it is never divided between the two.

    If the internal mail server becomes unreachable from the primary FortiMail unit's internal interface, the primary FortiMail unit needs to stop the incoming email or the email will continue to accumulate and not be delivered.

    The FortiMail unit can track the status of the internal interface. When interface tracking sees the internal interface go down, it brings down the FortiMail external interface. This stops email from accumulating on the primary FortiMail unit. If your company has the redundant secondary FortiMail unit configured, email can be routed to it until the primary FortiMail unit can be reached again. Interface tracking also brings the external interface up when the internal interface comes back up.

    With interface tracking, you can set which interfaces are associated. You can also set how often interface tracking checks the status of the interfaces. This is the maximum delay before the interfaces associated with the downed interface are brought down as well.

    Configuring Link Status propagation

    The Propagate Link Status to Ports section of the Link Status screen shows any interfaces whose status is linked to this interface.

    Linking the state of an internal link to the external link prevents an accumulation of undeliverable mail from building up on the FortiMail unit when the internal link goes down.

    To configure Link Status propagation
    1. Go to System > Network > Link Monitor.
    2. Select the enable button.
    3. Enter the number of seconds between checks of the Link Status. If this is set to zero, the Link Status will not propagate to the other ports.
    4. Enter the number of seconds to delay after a link state operation before checking the status.
    5. Under Link Status, select the interface you want to propagate the status from, then click Edit for the interface.
    6. In the Link Status Setting popup window, specify the ports you want to propagate the status to by moving the ports from the left box to the right box.
    7. Click OK to confirm your selections and return to the Link Status screen.

    Configuring static routes

    The System > Network > Routing tab displays a list of routes and lets you configure static routes and gateways used by the FortiMail unit.

    Static routes direct traffic exiting the FortiMail unit. You can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations.

    A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet’s destination IP address.

    You should configure at least one static route, a default route, that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses.

    To determine which route a packet will be subject to, the FortiMail unit compares the packet’s destination IP address to those of the static routes and forwards the packet according to the route with the largest prefix match.

    For example, if an SMTP server is directly attached to one of the network interfaces, but all other destinations, such as connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default route for the gateway router through which the FortiMail unit connects to the Internet.
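
    As an added illustration (not part of the FortiMail guide), the following Python models the selection rule described above: a constructed route table holds a default route plus routes for email servers on a distinct subnet behind a non-bridging interface, and each destination is matched to the route with the largest prefix. All addresses, interface names and gateways are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """One row of System > Network > Routing: Destination IP/netmask, Interface, Gateway."""
    destination: ipaddress.IPv4Network
    interface: str
    gateway: ipaddress.IPv4Address


def make_route(dest_ip: str, netmask: str, interface: str, gateway: str) -> StaticRoute:
    """Build a route from the dotted-quad 'Destination IP/netmask' form the GUI uses."""
    # strict=False tolerates a destination that is not already the network address
    network = ipaddress.IPv4Network(f"{dest_ip}/{netmask}", strict=False)
    return StaticRoute(network, interface, ipaddress.IPv4Address(gateway))


def select_route(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Return the matching route with the largest prefix; None if nothing matches.

    A default route (0.0.0.0/0.0.0.0, prefix length 0) matches every address, so it
    is chosen only when no more specific route covers the destination.
    """
    addr = ipaddress.IPv4Address(dst_ip)
    matching = [r for r in routes if addr in r.destination]
    if not matching:
        return None
    return max(matching, key=lambda r: r.destination.prefixlen)


def has_default_route(routes: List[StaticRoute]) -> bool:
    """The guide recommends at least one default route; report whether one exists."""
    return any(r.destination.prefixlen == 0 for r in routes)


# Constructed route table (example values, not a real deployment):
ROUTES = [
    # default route: anything not covered below leaves port1 toward the Internet router
    make_route("0.0.0.0", "0.0.0.0", "port1", "203.0.113.1"),
    # protected-domain email servers on a distinct subnet, reached via a router on port2
    make_route("10.10.20.0", "255.255.255.0", "port2", "10.10.2.1"),
    # one host on that subnet reached a different way; the /32 beats the /24 above
    make_route("10.10.20.25", "255.255.255.255", "port3", "10.10.3.1"),
]


def next_hop(dst_ip: str, routes: List[StaticRoute] = ROUTES) -> Optional[str]:
    """'interface via gateway' for a destination, or None when no route matches."""
    route = select_route(routes, dst_ip)
    if route is None:
        return None
    return f"{route.interface} via {route.gateway}"


if __name__ == "__main__":
    for dst in ("10.10.20.7", "10.10.20.25", "198.51.100.9"):
        print(f"{dst:>14} -> {next_hop(dst)}")
```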

    To configure static routes
    1. Go to System > Network > Routing.
    2. Either click New to add a route or double-click a route to modify it. A dialog appears.
    3. In Destination IP/netmask, enter the destination IP address and netmask of packets that will be subject to this static route. To create a default route that will match all packets, enter 0.0.0.0/0.0.0.0.
    4. Select the interface that this route applies to.
    5. In Gateway, type the IP address of the next-hop router to which the FortiMail unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
    6. Click Create.

    Configuring DNS

    FortiMail units require DNS servers for features such as reverse DNS lookups, FortiGuard connectivity, and other aspects of email processing. Your ISP may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

    Caution

    If the FortiMail unit is operating in gateway mode, you must configure the MX record of the DNS server for each protected domain to direct all email to this FortiMail unit instead of the protected SMTP servers. Failure to update the records of your DNS server may enable email to circumvent the FortiMail unit.

    Note

    For improved FortiMail unit performance, use DNS servers on your local network.

    Go to System > Network > DNS to configure the DNS servers that the FortiMail unit queries to resolve domain names into IP addresses.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read-Write permission to the Others category

    For details, see About administrator account permissions and domains.

    Configuring dynamic DNS

    The System > Network > DDNS tab lets you configure the FortiMail unit to use a dynamic DNS (DDNS) service.

    If the FortiMail unit has a static domain name but a dynamic public IP address, you can use DDNS to update DNS servers on the Internet when the public IP address for its fully qualified domain name (FQDN) changes. For information on setting a dynamic public IP address, see the DHCP option.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read-Write permission to the Others category

    For details, see About administrator account permissions and domains.

    To view and configure dynamic DNS accounts
    1. Go to System > Network > DDNS. The tab displays the following:

      GUI item

      Description

      Server

      Displays the name of your DDNS service provider.

      User Name

      Displays your user name for the DDNS service provider.

      Host/Domain Name

      A public host name or fully qualified domain name (FQDN) that should resolve to the public IP address of the FortiMail unit.

      Its public DNS records are updated by the DDNS service provider when the FortiMail unit sends its current public IP address. As such, it might not be the same as the host name and local domain name that you configured in Host name and Local domain name, which could be valid only for your internal network.

      Update Time

      Displays the interval in hours that the FortiMail unit waits between contacts to the DDNS service provider.

    2. If you have not yet configured the dynamic DNS account that the FortiMail unit will use when it connects to the DDNS service provider, click New. A dialog appears.

      GUI item

      Description

      Server

      Select a DDNS service provider to which the FortiMail unit will send DDNS updates.

      User name

      Enter the user name of your account with the DDNS service provider. The FortiMail unit will provide this to authenticate itself with the service when sending updates.

      Password

      Enter the password for the DDNS user name.

      Update time

      Enter the interval in hours between each time that the FortiMail unit will query the DDNS service provider’s IP detection page if IP mode is Auto detect.

      Caution: Do not exceed the recommended frequency published by your DDNS service provider. Some DDNS service providers consider excessive connections to be abusive, and may ignore further queries from the FortiMail unit.

    3. Click Create. The tab returns to the list of dynamic DNS accounts, which should now include your new account.
    4. Double-click the row corresponding to the new DDNS account. The Host/Domain Name Setting area is now visible.
    5. In the Host/Domain Name Setting area, click Create New, or, to modify an existing host/domain name, select its row and click Edit. A dialog appears.
    6. Configure the following:

      GUI item

      Description

      Server

      Displays the dynamic DNS service provider of this account.

      Status

      Enable to update the DDNS service provider when the FortiMail unit’s public IP address changes.

      Disable to notify the DDNS service provider that this FQDN should use its offline redirect, if you configured any. If the FortiMail unit’s public IP address changes, it will not notify the DDNS service provider.

      Host name

      Enter the fully qualified domain name (FQDN) whose records the DDNS provider should update.

      IP mode

      Select which of the following ways the FortiMail unit should use to determine its current publicly routable IP address.

      • Auto detect: Periodically query the DDNS service provider’s IP address detection web page to see if the FortiMail unit’s public IP address has changed. The IP detection web page returns the apparent source IP address of the query. If this IP address has changed, the FortiMail unit then sends an update request to the DDNS service provider, causing it to update DNS records for the FQDN in Host name.
        This option is the most common choice. To configure the interval of DDNS IP detection queries, see Update time.

      Note: If this query occurs through a NAT device such as a router or firewall, its apparent source IP address will not be the private network IP address of any of the FortiMail unit’s network interfaces. Instead, it will be the IP address of the NAT device’s externally facing network interface.
      For example, a public virtual IP (VIP) on a FortiGate unit in NAT mode might be used to route email from the Internet to a FortiMail unit. DDNS updates are also routed out from the VIP to the DDNS service provider on the Internet. From the DDNS service provider’s perspective, the DDNS update connection appears to come from the VIP, and therefore it updates the DNS records with the IP address of the VIP. The DDNS service provider does not know the private network address of the FortiMail unit.

      • Bind interface: Use the current IP address of one of the FortiMail unit’s network interfaces. Choose this option only if the network interface has an IP address that is routable from the Internet — that is, it is not an RFC 1918 private network address.
      • Static IP: Use an IP address that you configure. You must manually update the accompanying field if the FortiMail unit’s public IP address changes.

      Type

      Select one of the following:

      • dynamic (this is the default)
      • static
      • custom

      To verify your DDNS configuration and connectivity, do not query DNS servers: depending on DNS caching, record propagation, and other effects, DNS queries may not be able to determine whether the update actually reached your DDNS service provider.

      Instead, log in to your DDNS service provider account and verify whether its host records have been updated. You can also view the FortiMail event log. Log messages such as this indicate DDNS update failure:

      DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251752285
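
    As an added example (not from the guide), this Python parses event log lines in the format quoted above and summarises DDNS update failures per server and FQDN, so that repeated failures can be alerted on instead of being noticed by hand when mail for the FQDN is already misrouted. Only the first DDNS line below is the one quoted in the guide; the other log lines are constructed, and the message format is assumed to be stable.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Pattern for the failure message quoted in the guide. The "next try at" value is
# treated as a Unix epoch timestamp, as the quoted message suggests.
FAILURE_RE = re.compile(
    r"DDNS daemon failed on update (?P<server>\S+), domain (?P<domain>\S+), "
    r"next try at (?P<next_try>\d+)"
)


class DdnsFailure(NamedTuple):
    server: str
    domain: str
    next_try: datetime  # scheduled retry, UTC


def parse_failure(line: str) -> Optional[DdnsFailure]:
    """Return a DdnsFailure for a DDNS failure log line, or None for any other line."""
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    when = datetime.fromtimestamp(int(m.group("next_try")), tz=timezone.utc)
    return DdnsFailure(m.group("server"), m.group("domain"), when)


def summarize_failures(lines: Iterable[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Group failures by (server, domain); the value lists the scheduled retry times."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        f = parse_failure(line)
        if f is not None:
            failures[(f.server, f.domain)].append(f.next_try)
    return dict(failures)


def domains_to_alert(lines: Iterable[str], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """(server, domain, count) for every pair with at least `threshold` failures.

    Repeated failures mean the public record may still point at an old address, so
    mail for the FQDN can be misrouted until the provider account is checked.
    """
    return sorted(
        (server, domain, len(tries))
        for (server, domain), tries in summarize_failures(list(lines)).items()
        if len(tries) >= threshold
    )


# Constructed event log excerpt: line 1 is quoted in the guide, the rest are made up
# to exercise the parser and are not real FortiMail log output.
SAMPLE_LOG = """\
DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251752285
(constructed) unrelated event line that the parser must ignore
DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251755885
DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251759485
DDNS daemon failed on update ddns.example.net, domain mx2.example.org, next try at 1251759500
""".splitlines()

if __name__ == "__main__":
    for (server, domain), tries in summarize_failures(SAMPLE_LOG).items():
        print(f"{domain} via {server}: {len(tries)} failure(s), next retry {tries[-1].isoformat()}")
    print("alert:", domains_to_alert(SAMPLE_LOG))
```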

    Configuring port forwarding

    FortiMail port forwarding allows remote computers, for example, computers on the Internet, to connect to a specific computer or service within a private local area network (LAN). Port Forwarding is useful when FortiMail is deployed as a gateway and you want external users to access an internal server via FortiMail.

    For example, FortiMail port1 is connected to the Internet and its IP address 192.168.37.4, port 7000, is mapped to 10.10.10.42, port 8000, on a private network. Attempts to communicate with 192.168.37.4, port 7000, from the Internet are translated and sent to 10.10.10.42, port 8000, by the FortiMail unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 7000, rather than the 10.10.10.42 network behind the FortiMail unit.

    To view and configure port forwarding rules
    1. Go to System > Network > Port Forwarding. The tab displays the following:

      GUI item

      Description

      ID

      Displays the ID number assigned by the FortiMail unit.

      Protocol

      Displays the type of protocol.

      Host IP

      Displays the mapped IP address.

      Host Port

      Displays the assigned port number on the host computer.

      Destination IP

      Displays the IP address being mapped to the host.

      Destination Port

      Displays the assigned port number of the destination computer.

    2. Select New to configure a new forwarding rule or double-click a rule to modify it. A dialog appears.
    3. In Protocol, specify the protocol that the rule will apply to: TCP, UDP, or Both.
    4. In Host IP and Port, enter the IP address and port number that will be mapped. In most cases, they are the IP address and port of the receiving FortiMail interface. In the above example, they are 192.168.37.4 and 7000.
    5. In Destination IP and Port, enter the IP address and port number that will be mapped to. In most cases, they are the IP address and port of the system behind the FortiMail unit. In the above example, they are 10.10.10.42 and 8000.
    6. Click Create.

    Scanning SMTP traffic redirected from FortiGate

    FortiMail and FortiGate support Web Cache Communication Protocol (WCCP) to redirect SMTP traffic from FortiGate to FortiMail. If the FortiGate unit is configured to redirect SMTP traffic to FortiMail for antispam scanning (for details, see the FortiGate documentation), you must configure the FortiMail side correspondingly so that it accepts the SMTP traffic from FortiGate.

    To configure the WCCP communication with FortiGate
    1. Go to System > Network > FortiGate.
    2. Configure the following settings:

    GUI item

    Description

    Enabled

    Enable WCCP communication with FortiGate.

    Tunnel ID

    Enter the WCCP tunnel ID assigned by FortiGate.

    Local IP

    Enter the IP address of the FortiMail interface that communicates with FortiGate.

    Remote IP

    Enter the IP address of the FortiGate interface that communicates with FortiMail.

    Authentication

    Enable if authentication is required on both sides.

    Password

    Enter the authentication password.

    Using the traffic capture

    When troubleshooting networks, it helps to look inside the contents of the packets. This helps to determine if the packets, route, and destination are all what you expect. Traffic capture can also be called packet sniffing, a network tap, or logic analyzing.

    Packet sniffing tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:

    • finding missing traffic
    • seeing if sessions are setting up properly
    • locating ARP problems such as broadcast storm sources and causes
    • confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
    • confirming routing is working as you expect
    • intermittent missing PING packets.

    If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, how the traffic enters and exits the FortiMail unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet sniffing to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.

    Before you start sniffing packets, you need to have a good idea of what you are looking for. Sniffing is used to confirm or deny your ideas about what is happening on the network. If you try sniffing without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to sniff enough packets to really understand all of the patterns and behavior that you are looking for.

    To capture the traffic
    1. Go to System > Network > Traffic Capture.
    2. Click New.
    3. Enter a description for the file generated from the captured traffic.
    4. Enter the time period for performing the packet capture.
    5. Specify which interface you want to capture.
    6. If you want to limit the scope of traffic capture, in the IP/HOST field, enter a maximum of 3 IP addresses or host names for which you want to capture.
    7. Select the filter for the traffic capture:
       • Use protocol: Only UDP or TCP traffic on the specified port number will be captured.
       • Capture all: All network traffic will be captured.
    8. For Exclusion, enter the IP addresses/host names and port numbers for which you do not want to capture traffic.
    9. Click Create.