Configuring content profiles and content action profiles
The Content sub-menu lets you configure content profiles for incoming and outgoing content-based scanning. The available options vary depending on the chosen directionality.
This topic includes:
- Configuring content profiles
- Configuring file filters
- Configuring file password
- Configuring content action profiles
Configuring content profiles
The Content tab lets you create content profiles, which you can use to match email based upon its subject line, message body, and attachments.
Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.
You can use content profiles to apply content-based encryption to email, or to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. You can apply content profiles to email that you want to protect and email that you want to prevent.
To view and configure content profiles
- Go to Profile > Content > Content.
- Either click New to add a profile or double-click a profile to modify it.
- For a new profile, select System in the Domain list to see profiles that apply to the entire FortiMail unit or the name of a protected domain.
- For a new profile, enter its name. The profile name is editable later.
- In Action, select a content action profile to use. For details, see Configuring content action profiles.
- Configure the following sections as needed:
GUI item | Description |
---|---|
Clone (button) | Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
Profile Name | Displays the name of the profile. |
Domain Name (column) | Displays either System or the name of a domain. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
A multisection dialog appears.
- Configuring attachment scan rules
- Configuring scan options
- Configuring content disarm and reconstruction (CDR)
- Configuring archive handling
- Configuring password decryption options
- Configuring content monitor and filtering
Configuring attachment scan rules
The attachment scan rules define what actions will be taken if the specified file types are found in email attachments.
Before you can configure the scan rule, you must configure the file filters. See Configuring file filters.
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.
- Go to Profile > Content > Content.
- Click New to create a new profile or double click on an existing profile to edit it.
- Click the arrow to expand the Attachment Scan Rules section.
- Click New to add a rule:
GUI item | Description |
---|---|
Enabled | Select to enable the rule. |
File filter | Select the file filter. See Configuring file filters. |
Operator | Select Is or Is Not. If Is is selected, the below action will be taken. If Is Not is selected, the below action will not be taken. You can use the Is Not option to safelist some attachment types. For example, if you want to reject all file types except for the PDF files, you can specify that PDF Is Not Reject. |
Action | Specify the action. Or click New to create a new action profile. |
Configuring scan options
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.
- Go to Profile > Content > Content.
- Click New to create a new profile or double click on an existing profile to edit it.
- Click the arrow to expand Scan Options and configure the following:
GUI item | Description |
---|---|
Bypass scan on SMTP authentication | Enable to omit content profile scanning if the SMTP session is authenticated. |
Detect fragmented email | Enable to detect and block fragmented email. Some mail user agents, such as Outlook, can fragment big emails into multiple sub-messages. This is used to bypass oversize limits/scanning. |
Detect password protected Office/PDF document | Enable to apply the block action configured in the content action profile if an attached MS Office, OpenOffice, or PDF document is password-protected, and therefore cannot be decompressed in order to scan its contents. |
Attempt to decrypt Office/PDF document | Enable to decrypt the MS Office, OpenOffice, or PDF attachments using the predefined or user-defined passwords. For details, see Configuring file password. |
Detect embedded component | Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector. Enable to scan files that are encapsulated within the document itself for MIME types such as Microsoft Office, Microsoft Visio, OpenOffice.org, and PDF documents. |
Defer delivery of message on policy match | Enable to defer mail delivery from specific senders configured in policy to conserve peak time bandwidth at the expense of sending low priority, bandwidth consuming traffic at scheduled times. For example, you can apply this function to senders of marketing campaign emails or mass mailing. For information on policy, see How to use policies. For information on scheduling deferred delivery, see Configuring mail server settings. |
Defer delivery of messages larger than | Enter the file size limit over which the FortiMail unit will defer processing large email messages. If not enabled, large messages are not deferred. For information on scheduling deferred delivery, see Configuring mail server settings. |
Maximum number of attachment | Specify how many attachments are allowed in one email message. The valid range is between 1 and 100. The default value is 10. |
Maximum size | You can specify the actions to take against the email (either the message itself or the attachments) that exceeds the specified maximum size. |
Adult image analysis | If you have purchased the adult image scan license, you can enable it to scan for adult images. You can also configure the scan sensitivity and image sizes under System > FortiGuard > Adult Image Analysis. For details, see "Configuring adult image analysis" in Configuring FortiGuard services. |
Configuring content disarm and reconstruction (CDR)
HTML contents in email body and attachments may contain potentially hazardous tags and attributes (such as hyperlinks and scripts). MS Office and PDF attachments may contain potentially hazardous macros, active scripts, and other active contents.
FortiMail provides the capability to remove or neutralize the potentially hazardous contents and reconstruct the email messages and attachment files.
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.
Since the release of 6.4, the following options have been enhanced for greater customization. For example, it is now possible to separately customize the removal of active content, such as JavaScript, and also customize click protection.
- Go to Profile > Content > Content.
- Click New to create a new profile or double click on an existing profile to edit it.
- Expand Content Disarm and Reconstruction and configure the following:
GUI item |
Description |
---|---|
Action |
Either use the default action or specify an action. |
HTML content |
Enable to detect hypertext markup language (HTML) tags in the content type text/html parts of the email messages.
|
Active content |
Select to either Keep or Remove active content. |
URL |
Select one of the following actions:
|
Apply to |
Select whether the specified action to take for URLs should apply to either Tag attribute, Tag text content, or both. |
Text content |
Configure the appropriate action for URL handling for the plain text content of email messages. |
MS Office |
Enable to disarm and reconstruct the MS Office attachments. This also includes the .zip files that are compressed once. |
|
Enable to disarm and reconstruct the PDF attachments. This also includes the .zip files that are compressed once. |
Configuring archive handling
For email with archive attachments, you can decide what to do with them. Currently, FortiMail supports ZIP, PKZIP, GZIP, BZIP, TAR, RAR, JAR, CAB, 7Z, and EGG for content inspection.
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.
- Go to Profile > Content > Content.
- Click New to create a new profile or double click on an existing profile to edit it.
- Expand Archive Handling and configure the following:
Enable to determine which action to perform with the archive attachments.
By default, archives with less than 10 levels of compression will be blocked if they cannot be successfully decompressed or are password-protected. Depending on the nesting depth threshold and the attachment’s depth of nested archives, the FortiMail unit may also consider the file types of files within the archive when determining which action to perform. For details, see the section below. If disabled, the FortiMail unit will perform the Block/Pass action solely based upon whether an email contains an archive. It will disregard the depth of nesting, password protection, successful decompression, and the file types of contents within the archive. |
|
Enable to apply the block action configured in the content action profile if an attached archive cannot be successfully decompressed, such as if the compression algorithm is unknown, and therefore cannot be decompressed in order to scan its contents. This option is available only if Check Archive Content is enabled. |
|
Enable to apply the block action configured in the content action profile if an attached archive is password-protected, and therefore cannot be decompressed in order to scan its contents. This option is available only if Check Archive Content is enabled. |
|
Attempt to decrypt archive |
Enable to decrypt and scan the archives, using the passwords configured in Configuring password decryption options. If decryption fails, the email will be passed. This option is available only if Check Archive Content is enabled. |
Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit uses one of the following methods to determine if it should block or pass the email.
The specified compression value is always considered if Check Archive Content is enabled, but has an effect only if the threshold is exceeded. This option is available only if Check Archive Content is enabled. |
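The conditions this section names (password protection, failed decompression, nesting depth) can be checked offline when triaging a quarantined attachment. The following is an added example, not FortiMail code: `scan_zip`, `Finding`, `make_zip` and the `max_level`/`max_size` parameters are hypothetical names, only ZIP is handled, the size limit is applied per member as an assumption, and the sample archives are constructed in memory.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass, field


@dataclass
class Finding:
    reasons: set = field(default_factory=set)   # why the archive would be flagged
    depth: int = 0                              # deepest archive level opened
    files: list = field(default_factory=list)   # leaf members that could be read


def scan_zip(data, max_level=10, max_size=10 * 2**20, _level=1, _prefix="", _out=None):
    """Walk a ZIP held in memory and record the conditions described above."""
    out = _out if _out is not None else Finding()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        out.reasons.add("cannot-decompress")
        return out
    out.depth = max(out.depth, _level)
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = _prefix + info.filename
            if info.flag_bits & 0x1:            # general-purpose bit 0: encrypted entry
                out.reasons.add("password-protected")
                continue
            if info.file_size > max_size:       # declared size; zipfile never reads past it
                out.reasons.add("too-large")
                continue
            try:
                payload = zf.read(info)         # also verifies the stored CRC-32
            except (zipfile.BadZipFile, zlib.error, EOFError,
                    NotImplementedError, RuntimeError):
                # corrupt stream, bad CRC, or unsupported compression method
                out.reasons.add("cannot-decompress")
                continue
            if zipfile.is_zipfile(io.BytesIO(payload)):
                # Office documents and JARs are ZIP containers and land here too.
                if _level + 1 > max_level:
                    out.reasons.add("nesting-exceeded")
                else:
                    scan_zip(payload, max_level, max_size, _level + 1, path + "!/", out)
            else:
                out.files.append(path)
    return out


def make_zip(members):
    """Build a constructed sample ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a text file wrapped in three archive levels.
    inner = make_zip({"doc.txt": b"hi"})
    outer = make_zip({"mid.zip": make_zip({"inner.zip": inner})})
    print(scan_zip(outer, max_level=3))   # opened fully, depth 3
    print(scan_zip(outer, max_level=2))   # stops at level 2, flags the nesting
```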
Configuring password decryption options
For password-protected PDF and archive attachments, if you want to decrypt and scan them, you can specify what kind of passwords you want to use to decrypt the files.
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.
- Go to Profile > Content > Content.
- Click New to create a new profile or double click on an existing profile to edit it.
- Expand File Password Decryption Options.
- Specify the type of passwords to use:
- Words in email content: Enable and enter the Number of adjacent word to keyword to specify how many words before and after the keywords to use as the passwords. For example, suppose the email content contains this sentence: “To open the document, please use password 123456. If you cannot open it, please contact us.” If you specify to use two words before and after the keyword, then “please” and “use” (the two words before the keyword “password”) and “123456” and “If” (the two words after the keyword “password”) will be tried one by one as the password to decrypt the attachments. Note that if no keyword exists, any words in the email body may be tried as the password.
- Built-in password list: Enable this option to use the predefined passwords.
- User-defined password list: Enable this option to use the passwords defined under Profile > Content > File Password. For details, see Configuring file password.
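How the "Words in email content" option arrives at its candidates can be reproduced with a short script. This is an added illustration, not FortiMail's implementation: the function names, the keyword set (the page names only "password") and the tokenization rule are assumptions, and the sample body is the sentence quoted in the list above.

```python
import string

# Assumption: the page names only "password" as a keyword; the product's
# actual keyword list is not given there.
KEYWORDS = frozenset({"password"})

# Assumption: words are whitespace-separated and surrounding punctuation is
# dropped, which is what turns "123456." into "123456" in the page's example.
# A password that itself ends in punctuation would be altered by this rule.
_PUNCT = string.punctuation + "“”‘’"

SAMPLE_BODY = ("To open the document, please use password 123456. "
               "If you cannot open it, please contact us.")


def tokenize(body):
    """Split the body into words with leading/trailing punctuation removed."""
    return [w for w in (raw.strip(_PUNCT) for raw in body.split()) if w]


def candidate_passwords(body, adjacent=2, keywords=KEYWORDS):
    """Return the words that would be tried as passwords, in order.

    `adjacent` plays the role of "Number of adjacent word to keyword".
    """
    words = tokenize(body)
    hits = [i for i, w in enumerate(words) if w.lower() in keywords]
    if hits:
        pool = []
        for i in hits:
            pool += words[max(0, i - adjacent):i]      # words before the keyword
            pool += words[i + 1:i + 1 + adjacent]      # words after the keyword
    else:
        # No keyword in the body: any word may be tried.
        pool = words
    # The keyword itself is not a candidate; drop repeats but keep the order.
    pool = [w for w in pool if w.lower() not in keywords]
    return list(dict.fromkeys(pool))


if __name__ == "__main__":
    print(candidate_passwords(SAMPLE_BODY, adjacent=2))
```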
Configuring content monitor and filtering
The monitor profile uses the dictionary profile to determine matching email messages, and the actions that will be performed if a match is found.
You can also select to scan Microsoft Office, PDF, or archived email attachments.
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.
To configure a content monitor profile
- Go to Profile > Content > Content.
- Click New to create a new profile or double click on an existing profile to edit it.
- Click the arrow to expand Content Monitor and Filtering.
- Click New for a new monitor profile or double-click an existing profile to modify it.
- Configure the following:
- PDF files
- Microsoft Office files
- Archived PDF and MS Office files. If you select this option, you can also use the following CLI commands to specify the maximum levels to decompress and the maximum file size to decompress:
- Click Create or OK on the Content Monitor Profile dialog to save and close it.
GUI item | Description |
---|---|
Move (button) | Mark a check box to select a content monitor profile, then click this button. Choose Up or Down from the pop-up menu. Content monitor profiles are evaluated for a match in order of their appearance in this list. Usually, content monitor profiles should be ordered from most specific to most general, and from accepting or quarantining to rejecting. |
Delete (button) | Mark a check box to select a content monitor profile, then click this button to remove it. Note: Deletion does not take effect immediately; it occurs when you save the content profile. |
A dialog appears.
GUI item |
Description |
Enable |
Enable to use the content monitor to inspect email for matching email and perform the configured action. |
Dictionary |
Select either Profile or Group, then select the name of a dictionary profile or group from the drop-down list next to it. If no profile or group exists, click New to create one, or select an existing profile or group and click Edit to modify it. A dialog appears. For information on creating and editing dictionary profiles and groups, see Configuring dictionary profiles. |
Minimum score |
Displays the number of times that an email must match the dictionary profile before it will receive the action configured in Action. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches. |
Displays action that the FortiMail unit will perform if the content of the email message matches words or patterns from the dictionary profile. If no action exists, click New to create one, or select an existing action and click Edit to modify it. A dialog appears. For information on action profiles, see Configuring content action profiles. |
|
Scan Condition |
Specify the content type to scan:
config mailsetting mail-scan-options
    set decompress-max-level <level_1-16>
    set decompress-max-size <size_in_MB>
end |
Configuring file filters
File filters are used in the attachment scan rules (see Configuring attachment scan rules). File filters define the email attachment file types and file extensions to be scanned.
Wildcards can be used in file filters. For details, see Appendix D: Wildcards and regular expressions.
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles and content action profiles.
- Go to Profile > Content > File Filter.
- Click New to create a new filter or double click on an existing filter to edit it.
GUI item | Description |
---|---|
Domain | The new filter can be applied to a domain or system wide. |
Name | Enter a name for the filter. |
Description | Optionally enter a description. |
File Type | Either select from the predefined types and/or specify your own. |
File Extension | Either select from the predefined extensions and/or specify your own. |
Encrypted email content cannot be scanned for spam, viruses, or banned content. |
Unlike other attachment types, archives may receive an action other than your Block/Pass selection, depending on your configuration in the Scan Conditions (see Action). |
For each file type, you can use an action profile to overwrite the default action profile used by the content profile. For example, if you want to redirect encrypted email to a third party box (such as a PGP Universal Server) for decryption, you can:
|
Configuring file password
When you configure the content profile, you can choose to decrypt PDF documents (see Configuring scan options) and archived files (see Configuring archive handling). To decrypt the documents, you need passwords. For details, see Configuring password decryption options.
To configure user-defined passwords
- Go to Profile > Content > File Password.
- Click New.
- Enter the password that will be used to decrypt documents.
- Click Create.
Configuring content action profiles
The Action tab in the Content submenu lets you define content action profiles. Use these profiles to apply content-based encryption.
Alternatively, content action profiles can define one or more things that the FortiMail unit should do if the content profile determines that an email contains prohibited words or phrases, file names, or file types.
For example, you might have configured most content profiles to match prohibited content, and therefore to use a content action profile named quar_profile which quarantines email to the system quarantine for review.
However, you have decided that email that does not pass the dictionary scan named financial_terms is always prohibited, and should be rejected so that it does not require manual review. To do this, first configure a second action profile, named rejection_profile, which rejects email. You would then override quar_profile specifically for the dictionary-based content scan in each profile by selecting rejection_profile for content that matches financial_terms.
To view and manage the list of content action profiles
- Go to Profile > Content > Action.
- Either click New to add a profile or double-click an existing profile to modify it.
- Configure the following:
- None: No change.
- Prefix: Prepend the part with text that you have entered in the With field.
- Suffix: Append the part with the text you have entered in the With field.
- Replace: Substitute the part with the text you have entered in the With field.
GUI item | Description |
---|---|
Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
Profile Name | Displays the name of the profile. |
Domain (column) | Displays either System or a domain name. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
A dialog appears.
GUI item |
Description |
Domain |
For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile. |
Profile name |
For a new profile, enter its name. |
Enable and enter the text that will appear in the subject line of the email, such as Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client. |
|
Enable and click New to enter a message header key. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client. Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter: X-Content-Filter: Contains banned word. If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key. Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822. Starting from 6.0.1 release, you can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value. |
|
Remove header |
Enable and click New to enter the message header name to be removed. |
Insert disclaimer |
Starting from 6.0.1 release, you can insert disclaimer as an action. You can modify the default disclaimer or add new disclaimers by going to System > Customization > Custom Message > Email Content Resources > Disclaimer insertion message. |
Deliver to alternate host |
Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination. You can choose to deliver the original email or the modified email. |
Deliver to original host |
Enable to route the email to the original SMTP server or relay. Note that you can deliver email to both the original and alternate hosts. You can choose to deliver the original email or the modified email. |
BCC |
Enable to send a blind carbon copy (BCC) of the email. Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area. |
Enable to replace the email’s contents with a replacement message. Then select a replacement message from the dropdown list. For more information, see Customizing GUI, custom messages, email templates, SSO, and Security Fabric. Note: Before the 6.4.2 release, when the action profile is used in a DLP profile, the replace action will fall back to the system quarantine action. |
|
Archive to account |
Enable to send the email to an archiving account. As long as this action is enabled, no matter if the email is delivered or rejected, it will still be archived. Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow. |
Notify with profile |
Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates. |
Final action |
Select one of the following final actions listed below for the content action profile. |
Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client. |
|
Enable to reject the email and reply to the SMTP client with SMTP reply code 550. However, if email messages are held for FortiGuard spam outbreak protection or FortiGuard virus outbreak protection, or sent to FortiSandbox, the actual action will fall back to "system quarantine". |
|
For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines. For outgoing email, this action will fall back to the system quarantine. You can choose to quarantine the original email or the modified email. |
|
Enable to redirect the email to the system quarantine and specify the quarantine folder. For more information, see Managing the system quarantine. You can choose to quarantine the original email or the modified email. |
|
Domain quarantine |
Enable to redirect email to the domain quarantine folder. For more information, see Managing the domain quarantines. |
Enable to change the recipient address of any email that matches the content profile. Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select either: |
|
Encrypt with profile |
Enable to apply an encryption profile, then select which encryption profile to use. For details, see Configuring encryption profiles. Note that if you select an IBE encryption profile, it will be overridden if either S/MIME or TLS or both are selected in the message delivery rule configuration (Policy > Access Control > Delivery > New). For information about message delivery rules, see Configuring delivery rules. |
Treat as spam |
Enable to perform the Actions selected in the antispam profile of the policy that matches the email. For more information, see Configuring antispam action profiles. |
To apply a content action profile, select it in the Action drop-down list of one or more antispam profiles. For details, see Managing antispam profiles.