Configuring content disarm and reconstruction
Content disarm and reconstruction (CDR) allows the FortiMail unit to decide what action to take on email attachments that contain active content, such as hyperlinks, embedded media, JavaScript, and macros, without affecting the integrity of the textual content.
Configuring CDR attachment settings
- Go to Security > Disarm & Reconstruction > Attachment.
- Configure the following:
| GUI item | Description |
|---|---|
| Attachment handling for deferred email | Configure the following: |
| Attachment scan by FortiSandbox | Enable Continue FortiSandbox scan on successful content disarm to allow FortiSandbox to scan the attachment content after a successful disarming of the active content. When FortiMail is running firmware 6.4, even on successful CDR, FortiSandbox scanning for this attachment will not be bypassed. When FortiMail is running firmware 7.0, the FortiSandbox scan on successful content disarm is bypassed by default. Enable |
Configuring URL click protection and removal options
When configuring the content profiles (see Configuring content disarm and reconstruction (CDR)), you can choose what to do with the URLs contained in the email messages: either remove them or leave them.
However, if the URLs are not removed, there is a chance that email users may click and follow them. To protect users from harmful or spam URLs, such as phishing or advertising web sites, FortiMail uses the FortiGuard URL filter service (see Configuring the FortiGuard URL filter) and FortiSandbox to scan the URLs after the users click them. Depending on the inspection results from FortiGuard and FortiSandbox, you can decide whether to allow the users to access the URLs or block them.
Starting from the 6.2 release, you can also choose to use FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution that protects users against zero-day malware and phishing threats delivered over the web and email. These threats may result in data loss, compromise, or ransomware. This protection is achieved by creating a visual air gap between users' browsers and websites, which prevents content from breaching the gap. With FortiIsolator, web content is executed in a remote disposable container and displayed to users visually.
To configure URL click protection options
Go to Security > Disarm & Reconstruction > URL and configure the following:
| GUI item | Description |
|---|---|
| URL Click Protection Option | Configure the following URL click protection options. |
| URL Click Protection Option > URL Rewrite | FortiMail must rewrite URLs to ensure that the URLs will be directed to FortiMail first when users click the URLs. |
| URL Click Protection Option > URL Rewrite > Category | Specify what URL categories will be rewritten. |
| URL Click Protection Option > URL Rewrite > Base URL | Enter prefix “https://” and the FortiMail FQDN or IP address. Note that without the prefix, the URL will not work. The rewritten URL will be in this format: Using the originalUrlEscaped part, you can get the original URL with the help of a URL decoding web site, such as https://www.urldecoder.org. |
| URL Click Protection Option > URL Click Handling | When users click the URLs in the email messages, you can choose to block or allow their access. |
| URL Click Protection Option > URL Click Handling > Category | Choose the URL category for the below action. For information about URL categories, see Configuring the FortiGuard URL filter. |
| URL Click Protection Option > URL Click Handling > Action | Specify either to Block or Allow with Confirmation for the above URL category. |
| URL Click Protection Option > URL Click Handling > FortiSandbox Scan | For all other URL categories not specified above, you can choose to send them to FortiSandbox (see Using FortiSandbox antivirus inspection) for further scanning. |
| URL Click Protection Option > FortiIsolator Integration | |
| URL Click Protection Option > FortiIsolator Integration > Category | Specify what URL categories will be going through FortiIsolator. For information about URL categories, see Configuring the FortiGuard URL filter. |
| URL Click Protection Option > FortiIsolator Integration > Base URL | Enter prefix “https://” and the FortiIsolator FQDN or IP address. Note that without the prefix, the URL will not work. |
| URL Removal | You can also choose to remove the URLs in the specified category. |
| URL Removal > Category | Specify the URL category to remove the URLs. For information about URL categories, see Configuring the FortiGuard URL filter. |
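
The URL Rewrite Base URL description mentions a URL decoding web site for recovering the original URL; submitting a link from a suspicious message to a third-party site discloses it to that site, so the decoding can be done locally instead. The following is an added example, not FortiMail code: it assumes the originalUrlEscaped value has already been copied out of the rewritten link, and the function names and the sample value are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

MAX_ROUNDS = 3  # assumption: give up if the value is escaped more than 3 times

# Constructed sample of an originalUrlEscaped value (not taken from a real message).
SAMPLE = "https%3A%2F%2Fportal.example.test%2Fdocs%2Fa%2520b%3Fid%3D42"


def decode_original_url(escaped: str) -> str:
    """Percent-decode an originalUrlEscaped value until it parses as http(s)."""
    current = escaped.strip()
    for _ in range(MAX_ROUNDS + 1):
        parts = urlsplit(current)
        if parts.scheme in ("http", "https") and parts.hostname:
            # Stop at the first valid URL so escapes that belong to the
            # original URL itself (such as %20 in a path) are preserved.
            return current
        # errors="strict" raises on escaped bytes that are not valid UTF-8.
        decoded = unquote(current, errors="strict")
        if decoded == current:
            break  # nothing left to decode and still not an http(s) URL
        current = decoded
    raise ValueError("value does not decode to an http(s) URL")


def defang(url: str) -> str:
    """Render a URL so it is not clickable when pasted into a ticket or chat."""
    parts = urlsplit(url)
    scheme = "hxxp" + parts.scheme[4:]  # http -> hxxp, https -> hxxps
    netloc = parts.netloc.replace(".", "[.]")
    return parts._replace(scheme=scheme, netloc=netloc).geturl()


def triage(escaped: str) -> dict:
    """Return the decoded URL, its host for reputation lookups, and a defanged form."""
    url = decode_original_url(escaped)
    return {"url": url, "host": urlsplit(url).hostname, "defanged": defang(url)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoder stops at the first result that parses as an http(s) URL, so a value that was escaped twice is still unwrapped while escapes inside the original URL are left alone.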