Fortinet white logo
Fortinet white logo

CLI Reference

policy ip

policy ip

Use this command to create policies that apply profiles to SMTP connections based upon the IP addresses of SMTP clients and/or servers.

Syntax

config policy ip

edit <policy_int>

set action {proxy-bypass | reject | scan | temp-fail}

set client-ip-group <group_name>

set client <client_ipv4mask>

set client-type {ip-address |ip-group | ip-pool}

set comment

set exclusive {enable | disable}

set profile-antispam <antispam-profile_name>

set profile-antivirus <antivirus-profile_name>

set sensitive-data {...}

set profile-content <content-profile_name>

set profile-dlp

set profile-ip-pool <ip-pool_name>

set profile-session <session-profile_name>

set server-ip-group <group_name>

set server <smtp-server_ipv4mask>

set server-ip-pool <ip-pool_str>

set server-type {ip-address | ip-group | ip-pool}

set smtp-diff-identity {enable | disable}

set smtp-diff-identity-ldap

set smtp-diff-identity-ldap-profile

set status {enable | disable}

set use-for-smtp-auth {enable | disable}

end

Variable

Description

Default

<policy_int>

Enter the index number of the IP-based policy.

action {proxy-bypass | reject | scan | temp-fail}

Enter an action for this policy:

Proxy-bypass: Bypass the FortiMail unit’s scanning. This action is for transparent mode only.

scan: Accept the connection and perform any scans configured in the profiles selected in this policy.

reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure.

Fail Temporarily: Reject the email and respond to the SMTP client with SMTP reply code 451, indicating and indicate a temporary failure.

scan

client-ip-group <group_name>

Enter the IP group of the SMTP client to whose connections this policy will apply.

This option only appears if you enter ip-group in client-type {ip-address |ip-group | ip-pool}.

client <client_ipv4mask>

Enter the IP address and subnet mask of the SMTP client to whose connections this policy will apply.

To match all clients, enter 0.0.0.0/0.

192.168.224.15

255.255.255.255

client-type {ip-address |ip-group | ip-pool}

Enter the client type.

ip-address

comment

Enter a brief comment for the IP policy.

exclusive {enable | disable}

Enable to omit evaluation of matches with recipient-based policies, causing the FortiMail unit to disregard applicable recipient-based policies and apply only the IP-based policy.

Disable to apply any matching recipient-based policy in addition to the IP-based policy. Any profiles selected in the recipient-based policy will override those selected in the IP-based policy.

disable

profile-antispam <antispam-profile_name>

Enter the name of an outgoing antispam profile, if any, that this policy will apply.

profile-antivirus <antivirus-profile_name>

Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

Enter the type of the authentication profile that this policy will apply.

The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.

profile-content <content-profile_name>

Enter the name of the content profile that you want to apply to connections matching the policy.

profile-dlp

Enter the name of the DLP profile for this policy.

profile-ip-pool <ip-pool_name>

Enter the name of the IP pool profile that you want to apply to connections matching the policy.

profile-session <session-profile_name>

Enter the name of the session profile that you want to apply to connections matching the policy.

server-ip-group <group_name>

Enter the name of the IP group profile that you want to apply to connections matching the policy.

This option is only available when the server-type is ip-group.

server <smtp-server_ipv4mask>

Enter the IP address and subnet mask of the SMTP server to whose connections this policy will apply.

To match all servers, enter 0.0.0.0/0.

This option applies only for FortiMail units operating in transparent mode. For other modes, the FortiMail unit receives the SMTP connection, and therefore acts as the server.

0.0.0.0

0.0.0.0

server-ip-pool <ip-pool_str>

Enter the name of the ip pool to whose connections this policy will apply. This option is only available when the server-type is ip-pool.

server-type {ip-address | ip-group | ip-pool}

Enter the SMTP server type o whose connections this policy will apply. Also configure server <smtp-server_ipv4mask>, server-ip-group <group_name>, and server-ip-pool <ip-pool_str>.

ip-address

smtp-diff-identity {enable | disable}

Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

disable

smtp-diff-identity-ldap

Verify SMTP sender identity with LDAP for authenticated email.

disable

smtp-diff-identity-ldap-profile

LDAP profile for SMTP sender identity verification.

disable

status {enable | disable}

Enable to apply this policy.

enable

use-for-smtp-auth {enable | disable}

Enable to authenticate SMTP connections using the authentication profile configured in sensitive-data {...}.

disable

Related topics

ms365 profile antivirus

policy access-control delivery

policy recipient

policy ip

policy ip

Use this command to create policies that apply profiles to SMTP connections based upon the IP addresses of SMTP clients and/or servers.

Syntax

config policy ip

edit <policy_int>

set action {proxy-bypass | reject | scan | temp-fail}

set client-ip-group <group_name>

set client <client_ipv4mask>

set client-type {ip-address |ip-group | ip-pool}

set comment

set exclusive {enable | disable}

set profile-antispam <antispam-profile_name>

set profile-antivirus <antivirus-profile_name>

set sensitive-data {...}

set profile-content <content-profile_name>

set profile-dlp

set profile-ip-pool <ip-pool_name>

set profile-session <session-profile_name>

set server-ip-group <group_name>

set server <smtp-server_ipv4mask>

set server-ip-pool <ip-pool_str>

set server-type {ip-address | ip-group | ip-pool}

set smtp-diff-identity {enable | disable}

set smtp-diff-identity-ldap

set smtp-diff-identity-ldap-profile

set status {enable | disable}

set use-for-smtp-auth {enable | disable}

end

Variable

Description

Default

<policy_int>

Enter the index number of the IP-based policy.

action {proxy-bypass | reject | scan | temp-fail}

Enter an action for this policy:

Proxy-bypass: Bypass the FortiMail unit’s scanning. This action is for transparent mode only.

scan: Accept the connection and perform any scans configured in the profiles selected in this policy.

reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure.

Fail Temporarily: Reject the email and respond to the SMTP client with SMTP reply code 451, indicating and indicate a temporary failure.

scan

client-ip-group <group_name>

Enter the IP group of the SMTP client to whose connections this policy will apply.

This option only appears if you enter ip-group in client-type {ip-address |ip-group | ip-pool}.

client <client_ipv4mask>

Enter the IP address and subnet mask of the SMTP client to whose connections this policy will apply.

To match all clients, enter 0.0.0.0/0.

192.168.224.15

255.255.255.255

client-type {ip-address |ip-group | ip-pool}

Enter the client type.

ip-address

comment

Enter a brief comment for the IP policy.

exclusive {enable | disable}

Enable to omit evaluation of matches with recipient-based policies, causing the FortiMail unit to disregard applicable recipient-based policies and apply only the IP-based policy.

Disable to apply any matching recipient-based policy in addition to the IP-based policy. Any profiles selected in the recipient-based policy will override those selected in the IP-based policy.

disable

profile-antispam <antispam-profile_name>

Enter the name of an outgoing antispam profile, if any, that this policy will apply.

profile-antivirus <antivirus-profile_name>

Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

Enter the type of the authentication profile that this policy will apply.

The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.

profile-content <content-profile_name>

Enter the name of the content profile that you want to apply to connections matching the policy.

profile-dlp

Enter the name of the DLP profile for this policy.

profile-ip-pool <ip-pool_name>

Enter the name of the IP pool profile that you want to apply to connections matching the policy.

profile-session <session-profile_name>

Enter the name of the session profile that you want to apply to connections matching the policy.

server-ip-group <group_name>

Enter the name of the IP group profile that you want to apply to connections matching the policy.

This option is only available when the server-type is ip-group.

server <smtp-server_ipv4mask>

Enter the IP address and subnet mask of the SMTP server to whose connections this policy will apply.

To match all servers, enter 0.0.0.0/0.

This option applies only for FortiMail units operating in transparent mode. For other modes, the FortiMail unit receives the SMTP connection, and therefore acts as the server.

0.0.0.0

0.0.0.0

server-ip-pool <ip-pool_str>

Enter the name of the ip pool to whose connections this policy will apply. This option is only available when the server-type is ip-pool.

server-type {ip-address | ip-group | ip-pool}

Enter the SMTP server type o whose connections this policy will apply. Also configure server <smtp-server_ipv4mask>, server-ip-group <group_name>, and server-ip-pool <ip-pool_str>.

ip-address

smtp-diff-identity {enable | disable}

Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

disable

smtp-diff-identity-ldap

Verify SMTP sender identity with LDAP for authenticated email.

disable

smtp-diff-identity-ldap-profile

LDAP profile for SMTP sender identity verification.

disable

status {enable | disable}

Enable to apply this policy.

enable

use-for-smtp-auth {enable | disable}

Enable to authenticate SMTP connections using the authentication profile configured in sensitive-data {...}.

disable

Related topics

ms365 profile antivirus

policy access-control delivery

policy recipient