Configuring content disarm and reconstruction
Content disarm and reconstruction (CDR) allows the FortiMail unit to decide what action to take on emails with attachments that contain any active content in them, such as hyperlinks, embedded media, JavaScript, and macros from the files, without affecting the integrity of its textual content.
Configuring CDR attachment settings
- Go to Security > Disarm & Reconstruction > Attachment.
- Configuring the following:
GUI item |
Description |
Attachment handling for deferred email |
Configure the following:
|
Attachment scan by FortiSandbox |
If your FortiMail unit is running 7.0 or newer releases, the FortiSandbox scan on successful content disarm is bypassed by default. Enable Continue FortiSandbox scan on successful content disarm if you want to allow FortiSandbox to scan the attachment upon successful CDR. If your FortiMail unit is running 6.4 or older firmware, even on successful CDR, FortiSandbox scanning for the attachment will not be bypassed. |
Configuring URL click protection and removal options
When configuring the content profiles (see Configuring content disarm and reconstruction (CDR)), you can choose what to do with the URLs contained in the email messages: either remove them or leave them.
However, if the URLs are not removed, there is a chance that email users may click and follow them. To protect users from harmful or spam URLs, such as phishing or advertising web sites, FortiMail uses FortiGuard URL filter service (see Configuring heuristic options) and FortiSandbox to scan the URLs after the users click the URLs. Depending on the inspection results from FortiGuard and FortiSandbox, you can decide if you would allow the users to access the URLs or block them.
Starting from 6.2 release, you can also choose to use FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution, which protects users against zero day malware and phishing threats that are delivered over the web and email. These threats may result in data loss, compromise, or ransomware. This protection is achieved by creating a visual air gap between users' browsers and websites, which prevents content from breaching the gap. With FortiIsolator, web content is executed in a remote disposable container and displayed to users visually.
To configure URL click protection options
Go to Security > Disarm & Reconstruction > URL and configure the following:
GUI item |
Description |
||
---|---|---|---|
URL Click Protection Option |
Configure the following URL click protection options. |
||
|
URL Rewrite |
FortiMail must rewrite URLs to ensure that the URLs will be directed to FortiMail first when users click the URLs. |
|
|
|
Category |
Specify what URL categories will be rewritten. |
|
|
Base URL |
Enter prefix “https://” and the FortiMail FQDN or IP address. Note that without the prefix, the URL will not work. The rewritten URL will be in this format:
Using the originalUrlEscaped part, you can get the original URL with the help of a URL decoding web site, such as https://www.urldecoder.org. |
|
URL Click Handling |
When users click the URLs in the email messages, you can choose to block or allow their access. |
|
|
|
Category |
Choose the URL category for the below action. For information about URL categories, see Configuring heuristic options. |
|
|
Action |
Specify either to Block or Allow with Confirmation for the above URL category. |
|
|
FortiSandbox Scan |
For all other URL categories not specified above, you can choose to send them to FortiSandbox (see Using FortiSandbox antivirus inspection) for further scanning.
|
|
FortiIsolator Integration |
|
|
|
|
Category |
Specify what URL categories will be going through FortiIsolator. For information about URL categories, see Configuring heuristic options. |
|
|
Base URL |
Enter prefix “https://” and the FortiIsolator FQDN or IP address. Note that without the prefix, the URL will not work. |
URL Removal |
You can also choose to remove the URLs in the specified category. |
||
|
Category |
Specify the URL category to remove the URLs. For information about URL categories, see Configuring heuristic options. |
|
URL Neutralization |
|
||
|
Category |
Select which URL rating category a URL must match in order to be neutralized. See Configuring heuristic options. |
|
|
Include image source attribute |
Enable to neutralize URLs of images that are stored on remote web servers. Newsletters often do not embed images in email in order to keep the email file size small so that email can be sent to many people quickly. Instead, the image files are stored on a web server or CDN. Email clients download and display the image later, when each person reads their email. Normal newsletters often include a plain text version or a link to a web page to fall back if the images cannot be displayed in the email. Spammers and malware, however, can abuse remotely stored images to detect valid recipient addresses even when SMTP recipient verification is disabled, and to bypass email antispam and antivirus scans by transmitting the content over HTTPS instead of SMTP. Note: When you update FortiMail firmware from a previous version, default values are applied to any new settings. If this setting is new, the default results in a change in behavior. If you prefer the previous behavior, then enable this setting. |