Fortinet black logo

Administration Guide

Configuring scanning policies

Configuring scanning policies

After you connect to Microsoft 365 and create profiles, you can scan certain email on Microsoft 365 according to the criteria you specify. These can be real-time scans, or on-demand scheduled scans and searches.

Enabling and configuring real-time scanning

Real-time scanning allows you to apply security profiles and their actions to only those emails that match certain criteria specified in a real-time scan policy. These criteria are based on source, sender, and recipient information.

Before you can configure real-time scan policies, you must first enable the feature, and define the base URL for the FortiMail unit to receive notifications from Microsoft 365.

  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Real-time Scan > Setting.
  3. Enable Real-time scan.
  4. Verify the Base URL to receive notification field, which is based on the local host and domain name of the FortiMail unit. To define this URL:
    1. Go to View > Advanced View.
    2. Go to System > Mail Setting > Mail Server Settings.
    3. Under Local Host, enter the Host name and Local domain name of the FortiMail unit, and click Apply.
    4. This displays the FortiMail unit’s fully qualified domain name (FQDN) in the format:

      <host-name>.<local-domain-name>

      For more information, see Configuring mail server settings

To configure real-time scan policy:
  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Real-time Scan > Policy.
  3. Click New and configure the following:
  4. GUI item

    Description

    Enable

    Enter a descriptive name.

    Source Select either IP/Netmask, IP Group, or GeoIP Group, and enter the appropriate source information.
    Sender Define the sender as either a wildcard Pattern and enter the pattern to match in the format *@*, External, or Internal.

    Recipient

    Define the recipient email address to match, in the format *@*.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.

  5. Click Create.

For full configuration and procedural details, see the Cookbook recipe Real-time scanning of Microsoft 365 email in FortiMail.

Hide email on arrival

With the introduction of real-time scanning to FortiMail 6.4.0, there is still the inherent risk that user's may open potentially dangerous emails in Microsoft 365 before the FortiMail unit has had the opportunity to scan the email, especially if the email contains large attachments. To mitigate this risk, you can enable a feature that automatically moves email to a hidden folder on arrival for it to be subjected to real-time scanning. After the email is scanned and deemed safe, it is then removed from the hidden folder and placed into the user's mailbox.

Note

This feature (disabled by default) can only be enabled using the CLI Console.

To enable this feature, open the CLI Console and enter the following:

config ms365 setting

set hide-email-on-arrival enable

end

Configuring scheduled scan

To scan email on-demand on Microsoft 365:

  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Scheduled Scan & Search > Scan.
  3. Click New and configure the following:
  4. GUI item

    Description

    Description

    Enter a descriptive name.

    Account Select to scan All accounts, or specify specific accounts to scan.
    Mailbox Select to scan All mailboxes, or specify specific mailboxes to scan.

    Schedule

    Specify a scheduled time and email start and end time range.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.

    Condition

    Specify the search criteria.

  5. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  6. The scanning status of all the scan tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  7. After the scan process is done, you can double click on the scan task to view the details.

In addition to automatic scanning, you can also search for specific email on Microsoft 365 and manual apply actions.

Configuring scheduled search

To search for email and take manual actions:

  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Scheduled Scan & Search > Search.
  3. Click New and configure the following:
  4. GUI item

    Description

    Description

    Enter a descriptive name.

    Account Select to search All accounts, or specify specific accounts to search.
    Mailbox Select to search All mailboxes, or specify specific mailboxes to search.

    Schedule

    Specify a scheduled time and email start and end time range.

    Search Action

    Select an action profile to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profile.

    Condition

    Specify the search criteria.

  5. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  6. The search status of all the search tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  7. After the search process is done, you can double click on the search task to view the details.
  8. To take any action towards a specific email (if the search task has not already applied an action), from the search result list, select the email and select the action from the Apply Action dropdown list. For action definitions, see Configuring action profiles.

Configuring scanning policies

After you connect to Microsoft 365 and create profiles, you can scan certain email on Microsoft 365 according to the criteria you specify. These can be real-time scans, or on-demand scheduled scans and searches.

Enabling and configuring real-time scanning

Real-time scanning allows you to apply security profiles and their actions to only those emails that match certain criteria specified in a real-time scan policy. These criteria are based on source, sender, and recipient information.

Before you can configure real-time scan policies, you must first enable the feature, and define the base URL for the FortiMail unit to receive notifications from Microsoft 365.

  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Real-time Scan > Setting.
  3. Enable Real-time scan.
  4. Verify the Base URL to receive notification field, which is based on the local host and domain name of the FortiMail unit. To define this URL:
    1. Go to View > Advanced View.
    2. Go to System > Mail Setting > Mail Server Settings.
    3. Under Local Host, enter the Host name and Local domain name of the FortiMail unit, and click Apply.
    4. This displays the FortiMail unit’s fully qualified domain name (FQDN) in the format:

      <host-name>.<local-domain-name>

      For more information, see Configuring mail server settings

To configure real-time scan policy:
  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Real-time Scan > Policy.
  3. Click New and configure the following:
  4. GUI item

    Description

    Enable

    Enter a descriptive name.

    Source Select either IP/Netmask, IP Group, or GeoIP Group, and enter the appropriate source information.
    Sender Define the sender as either a wildcard Pattern and enter the pattern to match in the format *@*, External, or Internal.

    Recipient

    Define the recipient email address to match, in the format *@*.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.

  5. Click Create.

For full configuration and procedural details, see the Cookbook recipe Real-time scanning of Microsoft 365 email in FortiMail.

Hide email on arrival

With the introduction of real-time scanning to FortiMail 6.4.0, there is still the inherent risk that user's may open potentially dangerous emails in Microsoft 365 before the FortiMail unit has had the opportunity to scan the email, especially if the email contains large attachments. To mitigate this risk, you can enable a feature that automatically moves email to a hidden folder on arrival for it to be subjected to real-time scanning. After the email is scanned and deemed safe, it is then removed from the hidden folder and placed into the user's mailbox.

Note

This feature (disabled by default) can only be enabled using the CLI Console.

To enable this feature, open the CLI Console and enter the following:

config ms365 setting

set hide-email-on-arrival enable

end

Configuring scheduled scan

To scan email on-demand on Microsoft 365:

  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Scheduled Scan & Search > Scan.
  3. Click New and configure the following:
  4. GUI item

    Description

    Description

    Enter a descriptive name.

    Account Select to scan All accounts, or specify specific accounts to scan.
    Mailbox Select to scan All mailboxes, or specify specific mailboxes to scan.

    Schedule

    Specify a scheduled time and email start and end time range.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.

    Condition

    Specify the search criteria.

  5. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  6. The scanning status of all the scan tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  7. After the scan process is done, you can double click on the scan task to view the details.

In addition to automatic scanning, you can also search for specific email on Microsoft 365 and manual apply actions.

Configuring scheduled search

To search for email and take manual actions:

  1. Go to View > Microsoft 365 View.
  2. Go to Policy > Scheduled Scan & Search > Search.
  3. Click New and configure the following:
  4. GUI item

    Description

    Description

    Enter a descriptive name.

    Account Select to search All accounts, or specify specific accounts to search.
    Mailbox Select to search All mailboxes, or specify specific mailboxes to search.

    Schedule

    Specify a scheduled time and email start and end time range.

    Search Action

    Select an action profile to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profile.

    Condition

    Specify the search criteria.

  5. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  6. The search status of all the search tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  7. After the search process is done, you can double click on the search task to view the details.
  8. To take any action towards a specific email (if the search task has not already applied an action), from the search result list, select the email and select the action from the Apply Action dropdown list. For action definitions, see Configuring action profiles.