CLI Reference

policy ip

Use this command to create policies that apply profiles to SMTP connections based upon the IP addresses of SMTP clients and/or servers.

Syntax

config policy ip
    edit <policy_int>
        set action {proxy-bypass | reject | scan | temp-fail}
        set client-ip-group <group_name>
        set client <client_ipv4mask>
        set client-type {ip-address | ip-group | ip-pool}
        set comment
        set exclusive {enable | disable}
        set profile-antispam <antispam-profile_name>
        set profile-antivirus <antivirus-profile_name>
        set profile-auth-type {imap | ldap | none | pop3 | radius | smtp}
        set profile-content <content-profile_name>
        set profile-dlp
        set profile-ip-pool <ip-pool_name>
        set profile-session <session-profile_name>
        set server-ip-group <group_name>
        set server <smtp-server_ipv4mask>
        set server-ip-pool <ip-pool_str>
        set server-type {ip-address | ip-group | ip-pool}
        set smtp-diff-identity {enable | disable}
        set smtp-diff-identity-ldap
        set smtp-diff-identity-ldap-profile
        set status {enable | disable}
        set use-for-smtp-auth {enable | disable}
end

Variables

Each entry below gives the variable, its description, and its default value where one exists.

<policy_int>
    Enter the index number of the IP-based policy.

action {proxy-bypass | reject | scan | temp-fail}
    Enter an action for this policy:
    proxy-bypass: Bypass the FortiMail unit's scanning. This action is for transparent mode only.
    scan: Accept the connection and perform any scans configured in the profiles selected in this policy.
    reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure.
    temp-fail (Fail Temporarily): Reject the email and respond to the SMTP client with SMTP reply code 451, indicating a temporary failure.
    Default: scan

client-ip-group <group_name>
    Enter the IP group of the SMTP client to whose connections this policy will apply.
    This option only appears if you enter ip-group in client-type {ip-address | ip-group | ip-pool}.

client <client_ipv4mask>
    Enter the IP address and subnet mask of the SMTP client to whose connections this policy will apply.
    To match all clients, enter 0.0.0.0/0.
    Default: 192.168.224.15 255.255.255.255

client-type {ip-address | ip-group | ip-pool}
    Enter the client type.
    Default: ip-address

comment
    Enter a brief comment for the IP policy.

exclusive {enable | disable}
    Enable to omit evaluation of matches with recipient-based policies, causing the FortiMail unit to disregard applicable recipient-based policies and apply only the IP-based policy.
    Disable to apply any matching recipient-based policy in addition to the IP-based policy. Any profiles selected in the recipient-based policy will override those selected in the IP-based policy.
    Default: disable

profile-antispam <antispam-profile_name>
    Enter the name of an outgoing antispam profile, if any, that this policy will apply.

profile-antivirus <antivirus-profile_name>
    Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-type {imap | ldap | none | pop3 | radius | smtp}
    Enter the type of the authentication profile that this policy will apply.
    The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.
    Default: none

profile-content <content-profile_name>
    Enter the name of the content profile that you want to apply to connections matching the policy.

profile-dlp
    Enter the name of the DLP profile for this policy.

profile-ip-pool <ip-pool_name>
    Enter the name of the IP pool profile that you want to apply to connections matching the policy.

profile-session <session-profile_name>
    Enter the name of the session profile that you want to apply to connections matching the policy.

server-ip-group <group_name>
    Enter the name of the IP group profile that you want to apply to connections matching the policy.
    This option is only available when the server-type is ip-group.

server <smtp-server_ipv4mask>
    Enter the IP address and subnet mask of the SMTP server to whose connections this policy will apply.
    To match all servers, enter 0.0.0.0/0.
    This option applies only to FortiMail units operating in transparent mode. In other modes, the FortiMail unit receives the SMTP connection itself, and therefore acts as the server.
    Default: 0.0.0.0 0.0.0.0

server-ip-pool <ip-pool_str>
    Enter the name of the IP pool to whose connections this policy will apply.
    This option is only available when the server-type is ip-pool.

server-type {ip-address | ip-group | ip-pool}
    Enter the SMTP server type to whose connections this policy will apply. Also configure server <smtp-server_ipv4mask>, server-ip-group <group_name>, or server-ip-pool <ip-pool_str>, according to the type chosen.
    Default: ip-address

smtp-diff-identity {enable | disable}
    Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that it used to authenticate.
    Disable to require that the sender email address in the SMTP envelope match the authenticated user name.
    Default: disable

smtp-diff-identity-ldap
    Verify the SMTP sender identity with LDAP for authenticated email.
    Default: disable

smtp-diff-identity-ldap-profile
    LDAP profile for SMTP sender identity verification.
    Default: disable

status {enable | disable}
    Enable to apply this policy.
    Default: enable

use-for-smtp-auth {enable | disable}
    Enable to authenticate SMTP connections using the authentication profile configured in sensitive-data {...}.
    Default: disable
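The following is an added example and not Fortinet's code or part of this reference. It reads a constructed `config policy ip` block in the syntax documented above, then works out which entry an SMTP connection matches, which SMTP reply code (550 or 451) the reject and temp-fail actions produce, how the exclusive flag decides whether a recipient-based policy's profiles override the IP-based policy's, and what the smtp-diff-identity setting requires of the envelope sender. The sample configuration, the policy names and IP ranges, the `next` keyword closing each entry (the usual Fortinet CLI form; the syntax block above shows only edit ... end), and the ascending-index first-match evaluation order are all assumptions of this example; the field defaults are the ones listed in the table.

```python
"""Added example (not Fortinet's code): parse `config policy ip` and evaluate a connection."""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample configuration, not taken from the reference. Entries close with
# `next`, the usual Fortinet CLI form; the reference itself shows only edit ... end.
SAMPLE_CONFIG = """\
config policy ip
    edit 1
        set client-type ip-address
        set client 203.0.113.0 255.255.255.0
        set server 0.0.0.0/0
        set action reject
        set comment "constructed: refuse a range that only ever sends junk"
    next
    edit 2
        set client 0.0.0.0/0
        set action scan
        set profile-antispam as_default
        set profile-antivirus av_default
        set exclusive disable
    next
end
"""

PROFILE_KEYS = ("profile-antispam", "profile-antivirus", "profile-content",
                "profile-dlp", "profile-session", "profile-ip-pool")
REPLY_CODES = {"reject": 550, "temp-fail": 451}   # reply codes the reference gives

def to_network(words):
    # Both address forms the reference shows: "0.0.0.0/0" or "addr mask".
    return ipaddress.ip_network("/".join(words), strict=False)

@dataclass
class IpPolicy:
    index: int
    # Field defaults follow the reference table.
    client: ipaddress.IPv4Network = field(
        default_factory=lambda: to_network(["192.168.224.15", "255.255.255.255"]))
    server: ipaddress.IPv4Network = field(default_factory=lambda: to_network(["0.0.0.0/0"]))
    action: str = "scan"
    status: str = "enable"
    exclusive: str = "disable"
    smtp_diff_identity: str = "disable"
    profiles: dict = field(default_factory=dict)
    comment: str = ""

def parse_policy_ip(text):
    """Entries of the first `config policy ip ... end` block, sorted by index."""
    policies, current, in_block = [], None, False
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[:3] == ["config", "policy", "ip"]:
            in_block = True
        elif not in_block:
            continue
        elif words[0] == "edit":
            current = IpPolicy(index=int(words[1]))
        elif words[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif words[0] == "end":
            break
        elif words[0] == "set" and current is not None:
            key, args = words[1], words[2:]   # keys not modelled here (client-type, ...) are ignored
            if key in ("client", "server"):
                setattr(current, key, to_network(args))
            elif key in ("action", "status", "exclusive", "smtp-diff-identity"):
                setattr(current, key.replace("-", "_"), args[0])
            elif key == "comment":
                current.comment = " ".join(args)
            elif key in PROFILE_KEYS:
                current.profiles[key] = args[0]
    return sorted(policies, key=lambda p: p.index)

def match_policy(policies, client_ip, server_ip):
    """First enabled policy containing both peers (ascending-index first match is assumed)."""
    client, server = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    for policy in policies:
        if policy.status == "enable" and client in policy.client and server in policy.server:
            return policy
    return None

def smtp_reply_code(policy):
    return REPLY_CODES.get(policy.action)   # None: the connection is accepted

def effective_profiles(ip_policy, recipient_profiles):
    """exclusive=enable: IP policy profiles only; else the recipient-based policy's override."""
    if ip_policy.exclusive == "enable":
        return dict(ip_policy.profiles)
    return {**ip_policy.profiles, **recipient_profiles}

def sender_identity_ok(ip_policy, auth_user, mail_from):
    """smtp-diff-identity disabled: MAIL FROM must equal the authenticated user name
    (case-insensitive comparison is this example's choice, not the reference's)."""
    if ip_policy.smtp_diff_identity == "enable":
        return True
    return auth_user.strip().lower() == mail_from.strip().lower()
```

Calling `match_policy(parse_policy_ip(SAMPLE_CONFIG), "203.0.113.9", "192.0.2.25")` returns entry 1, whose action maps to reply code 550, while a client outside that /24 falls through to entry 2 and is scanned with the antispam and antivirus profiles, subject to override by a matching recipient-based policy because exclusive is disabled there.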

Related topics

ms365 profile antivirus

policy access-control delivery

policy recipient
