Fortinet black logo

Administration Guide

Configuring email, IP and GeoIP groups

Configuring email, IP and GeoIP groups

The Profile > Group tab displays the list of email and IP group and override profiles.

This sections includes:

Configuring email groups

Email groups include groups of email addresses that can be used when configuring access control rules and recipient-based policies. For information about access control rules and polices, see Configuring access control rules and Controlling email based on sender and recipient addresses.

To configure email groups
  1. Go to .
  2. Either click New to add a profile or double-click a profile to modify it. The profile name is editable.
  3. A dialog appears.

  4. For a new group, enter a name for this email group.
  5. The name must contain only alphanumeric characters. Spaces are not allowed.

  6. In New member, enter the email address of a group member and click -> to move the address to the Current members field.
  7. You can also use wildcards to enter partial patterns that can match multiple email addresses. The asterisk represents one or more characters and the question mark (?) represents any single character.

    For example, the pattern ??@*.com will match any email user with a two letter email user name from any “.com” domain name.

    Note

    To remove a member’s email address, select the address in the Current members field and click <-.

  8. Click Create or OK.

Configuring IP groups

IP groups include groups of IP addresses that can be used when configuring access control rules and IP-based policies. For information about access control rules and polices, see Configuring access control rules and Controlling email based on IP addresses.

To configure an IP group
  1. Go to Profile > Group > IP Group.
  2. Either click New to add a profile or double-click a profile to modify it.
  3. A dialog appears.

  4. For a new group, enter a name in Group name.
  5. The name must contain only alphanumeric characters. Spaces are not allowed.

  6. Under IP Groups, click New.
  7. A field appears under IP/Netmask or IP Range.

  8. Enter the IP address and netmask of the group, or the IP range. Use the netmask, the portion after the slash (/), to specify the matching subnet.
  9. For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

    To match any address, enter 0.0.0.0/0.

  10. Click Create.

Configuring GeoIP groups

Starting from 6.2 release, FortiMail utilizes the GeoIP database to map the geolocations of client IP addresses. You can use GeoIP groups in access control rules and IP-based policies to geo-targeting spam and virus devices. For information about access control rules and polices, see Configuring access control rules and Controlling email based on IP addresses.

You can also override geolocation mappings that may not be correct in the GeoIP database. For details, see Configuring GeoIP override.

To configure a GeoIP group
  1. Go to Profile > Group > GeoIP Group.
  2. Either click New to add a profile or double-click a profile to modify it.
  3. A dialog appears.

  4. For a new group, enter a name in Group name.
  5. The name must contain only alphanumeric characters. Spaces are not allowed.

  6. Optionally enter a comment.
  7. If you want to create a group to include all countries and regions, enable this option and click Create. Otherwise, disable this option and move the available countries, regions, or override groups to the member list, and click Create. You can have a maximum of 30 countries/regions in one group.

Configuring GeoIP override

GeoIP service looks up the IP address geolocations in the GeoIP database. However, in some cases, the lookup might not be accurate, for example, when clients use proxies.

With FortiMail, you can override the GeoIP lookup by manually specifying the geolocations of some IP addresses/IP ranges. When you create GeoIP groups (see Configuring GeoIP groups), you can use the override geolocations in the groups.

Note

When entering IP addresses for GeoIP overrides, only IPv4 addresses are supported.

To configure GeoIP override
  1. Go to System > FortiGuard > GeoIP Override.
  2. Click New.
  3. Specify a geolocation name for the client IP addresses.
  4. Optionally enter a description.
  5. Click New to specify the IPv4 addresses that you want to include in the geolocation.
  6. Click Create.

You can test GeoIP lookup by clicking IP Geography Query.

Configuring email, IP and GeoIP groups

The Profile > Group tab displays the list of email and IP group and override profiles.

This sections includes:

Configuring email groups

Email groups include groups of email addresses that can be used when configuring access control rules and recipient-based policies. For information about access control rules and polices, see Configuring access control rules and Controlling email based on sender and recipient addresses.

To configure email groups
  1. Go to .
  2. Either click New to add a profile or double-click a profile to modify it. The profile name is editable.
  3. A dialog appears.

  4. For a new group, enter a name for this email group.
  5. The name must contain only alphanumeric characters. Spaces are not allowed.

  6. In New member, enter the email address of a group member and click -> to move the address to the Current members field.
  7. You can also use wildcards to enter partial patterns that can match multiple email addresses. The asterisk represents one or more characters and the question mark (?) represents any single character.

    For example, the pattern ??@*.com will match any email user with a two letter email user name from any “.com” domain name.

    Note

    To remove a member’s email address, select the address in the Current members field and click <-.

  8. Click Create or OK.

Configuring IP groups

IP groups include groups of IP addresses that can be used when configuring access control rules and IP-based policies. For information about access control rules and polices, see Configuring access control rules and Controlling email based on IP addresses.

To configure an IP group
  1. Go to Profile > Group > IP Group.
  2. Either click New to add a profile or double-click a profile to modify it.
  3. A dialog appears.

  4. For a new group, enter a name in Group name.
  5. The name must contain only alphanumeric characters. Spaces are not allowed.

  6. Under IP Groups, click New.
  7. A field appears under IP/Netmask or IP Range.

  8. Enter the IP address and netmask of the group, or the IP range. Use the netmask, the portion after the slash (/), to specify the matching subnet.
  9. For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

    To match any address, enter 0.0.0.0/0.

  10. Click Create.

Configuring GeoIP groups

Starting from 6.2 release, FortiMail utilizes the GeoIP database to map the geolocations of client IP addresses. You can use GeoIP groups in access control rules and IP-based policies to geo-targeting spam and virus devices. For information about access control rules and polices, see Configuring access control rules and Controlling email based on IP addresses.

You can also override geolocation mappings that may not be correct in the GeoIP database. For details, see Configuring GeoIP override.

To configure a GeoIP group
  1. Go to Profile > Group > GeoIP Group.
  2. Either click New to add a profile or double-click a profile to modify it.
  3. A dialog appears.

  4. For a new group, enter a name in Group name.
  5. The name must contain only alphanumeric characters. Spaces are not allowed.

  6. Optionally enter a comment.
  7. If you want to create a group to include all countries and regions, enable this option and click Create. Otherwise, disable this option and move the available countries, regions, or override groups to the member list, and click Create. You can have a maximum of 30 countries/regions in one group.

Configuring GeoIP override

GeoIP service looks up the IP address geolocations in the GeoIP database. However, in some cases, the lookup might not be accurate, for example, when clients use proxies.

With FortiMail, you can override the GeoIP lookup by manually specifying the geolocations of some IP addresses/IP ranges. When you create GeoIP groups (see Configuring GeoIP groups), you can use the override geolocations in the groups.

Note

When entering IP addresses for GeoIP overrides, only IPv4 addresses are supported.

To configure GeoIP override
  1. Go to System > FortiGuard > GeoIP Override.
  2. Click New.
  3. Specify a geolocation name for the client IP addresses.
  4. Optionally enter a description.
  5. Click New to specify the IPv4 addresses that you want to include in the geolocation.
  6. Click Create.

You can test GeoIP lookup by clicking IP Geography Query.