
Administration Guide

Configuring content disarm and reconstruction

Content disarm and reconstruction (CDR) allows the FortiMail unit to decide what action to take on emails with attachments that contain active content, such as hyperlinks, embedded media, JavaScript, and macros, without affecting the integrity of the textual content.

Configuring CDR attachment settings

  1. Go to Security > Disarm & Reconstruction > Attachment.
  2. Configure the following:

GUI item

Description

Attachment handling for deferred email

Configure the following:

  • Send notification: Enable so that the recipient receives a notification any time an email attachment is subjected to deferred scanning.

    • Disarm: Send notification with the disarmed Office/PDF attachments and remove all other non-CDR supported attachments.
    • Remove: Send the notification with all the attachments removed.
  • Verdict threshold to disarm on delivery: The verdict level at or above which attachments are disarmed. For example, if set to Medium, attachments with Medium, High, and Malicious verdicts are all disarmed.

Attachment scan by FortiSandbox

If your FortiMail unit is running release 7.0 or newer, the FortiSandbox scan on successful content disarm is bypassed by default. Enable Continue FortiSandbox scan on successful content disarm if you want FortiSandbox to scan the attachment after a successful CDR.

If your FortiMail unit is running 6.4 or older firmware, even on successful CDR, FortiSandbox scanning for the attachment will not be bypassed.

Configuring URL click protection and removal options

When configuring the content profiles (see Configuring content disarm and reconstruction (CDR)), you can choose what to do with the URLs contained in the email messages: either remove them or leave them.

However, if the URLs are not removed, there is a chance that email users may click and follow them. To protect users from harmful or spam URLs, such as phishing or advertising web sites, FortiMail uses the FortiGuard URL filter service (see Configuring heuristic options) and FortiSandbox to scan the URLs after users click them. Depending on the inspection results from FortiGuard and FortiSandbox, you can decide whether to allow users to access the URLs or to block them.

Starting from the 6.2 release, you can also choose to use FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution that protects users against zero-day malware and phishing threats delivered over the web and email. These threats may result in data loss, compromise, or ransomware. This protection is achieved by creating a visual air gap between users' browsers and websites, which prevents content from breaching the gap. With FortiIsolator, web content is executed in a remote disposable container and displayed to users visually.

To configure URL click protection options

Go to Security > Disarm & Reconstruction > URL and configure the following:

GUI item

Description

URL Click Protection Option

Configure the following URL click protection options.

URL Rewrite

FortiMail must rewrite URLs to ensure that the URLs will be directed to FortiMail first when users click the URLs.

Category

Specify what URL categories will be rewritten.

Base URL

Enter prefix “https://” and the FortiMail FQDN or IP address. Note that without the prefix, the URL will not work.

The rewritten URL will be in this format:

https://company.com/fmlurlsvc/?fewReq/baseValue&url=originalUrlEscaped

Using the originalUrlEscaped part, you can get the original URL with the help of a URL decoding web site, such as https://www.urldecoder.org.
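The same decoding can be done locally. The following Python sketch is an added example, not Fortinet code: it follows the rewritten-URL format shown above, and the sample link, the `base_host` parameter, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SERVICE_PATH = "/fmlurlsvc/"  # path component from the documented format

# Constructed sample in the documented format (not a real rewritten link).
SAMPLE = ("https://company.com/fmlurlsvc/?fewReq/baseValue"
          "&url=https%3A%2F%2Fexample.org%2Flogin%3Fnext%3D%252Fhome%26id%3D7")


def original_url(rewritten, base_host=None):
    """Return the original URL carried in a rewritten link, or None.

    base_host (assumption): the FQDN or IP address configured as Base URL.
    When given, links pointing at any other host are not treated as rewritten.
    """
    parts = urlsplit(rewritten.strip())
    if parts.scheme != "https" or parts.path != SERVICE_PATH:
        return None
    if base_host and (parts.hostname or "").lower() != base_host.lower():
        return None
    # parse_qs percent-decodes the value exactly once, so escapes that
    # belong to the original URL itself (%252F -> %2F) are preserved.
    values = parse_qs(parts.query).get("url")
    if not values:
        return None
    target = values[0]
    # Only report web links; anything else is left for manual review.
    if urlsplit(target).scheme not in ("http", "https"):
        return None
    return target


def defang(url):
    """Make a URL non-clickable before pasting it into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    print(defang(original_url(SAMPLE, base_host="company.com")))
```
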

URL Click Handling

When users click the URLs in the email messages, you can choose to block or allow their access.

Category

Choose the URL category for the action below. For information about URL categories, see Configuring heuristic options.

Action

Specify either Block or Allow with Confirmation for the above URL category.

FortiSandbox Scan

For all other URL categories not specified above, you can choose to send them to FortiSandbox (see Using FortiSandbox antivirus inspection) for further scanning.

  • Enable: Toggle to enable or disable FortiSandbox scan.

  • Action: Allow with Confirmation means to allow access with warning; Block means to block access; and Submit only means to allow access while sending the URLs for scanning.

  • Timeout action: When the URLs are sent to FortiSandbox for scanning, it may take a while to get the results back. You should specify how long you want to wait for the results before you take Block, Allow, or Allow with Confirmation actions.

  • Timeout: Specify how long (in seconds) you want to wait for FortiSandbox scan results before you take Block, Allow, or Allow with Confirmation actions.

FortiIsolator Integration

Category

Specify what URL categories will go through FortiIsolator. For information about URL categories, see Configuring heuristic options.

Base URL

Enter prefix “https://” and the FortiIsolator FQDN or IP address. Note that without the prefix, the URL will not work.

URL Removal

You can also choose to remove the URLs in the specified category.

Category

Specify the URL category whose URLs will be removed. For information about URL categories, see Configuring heuristic options.

URL Neutralization

Category

Select which URL rating category a URL must match in order to be neutralized. See Configuring heuristic options.

Include image source attribute

Enable to neutralize URLs of images that are stored on remote web servers.

Newsletters often do not embed images in email in order to keep the email file size small so that email can be sent to many people quickly. Instead, the image files are stored on a web server or CDN. Email clients download and display the image later, when each person reads their email. Normal newsletters often include a plain text version or a link to a web page as a fallback if the images cannot be displayed in the email.

Spammers and malware, however, can abuse remotely stored images to detect valid recipient addresses even when SMTP recipient verification is disabled, and to bypass email antispam and antivirus scans by transmitting the content over HTTPS instead of SMTP.

Note: When you update FortiMail firmware from a previous version, default values are applied to any new settings. If this setting is new, the default results in a change in behavior. If you prefer the previous behavior, then enable this setting.
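To see which images in a message would be fetched from a remote server when it is opened, the HTML part can be inspected offline. This Python sketch is an added example, not Fortinet code, and does not reproduce how FortiMail neutralizes URLs; the sample message and function names are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one embedded (cid:) image, one remote
# image carrying a per-recipient parameter, one inline data: image.
SAMPLE_MESSAGE = """\
From: news@example.org
To: user@example.com
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@example.org">
<img src="https://cdn.example.org/open.gif?rcpt=user%40example.com" width="1" height="1">
<img src="data:image/png;base64,AAAA">
</body></html>
"""


class _ImgSources(HTMLParser):
    """Collect the src attribute of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def remote_image_sources(raw_message):
    """Return <img> src values that cause a request to a web server."""
    remote = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        parser = _ImgSources()
        parser.feed(html)
        for src in parser.sources:
            # cid: and data: images travel inside the message itself; only
            # http(s) and scheme-relative sources trigger a remote fetch.
            if urlsplit(src).scheme in ("http", "https") or src.startswith("//"):
                remote.append(src)
    return remote
```
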
