Configuring scanning policies
After you connect to Microsoft 365 or Google Workspace and create profiles, you can scan certain email according to the criteria you specify. These can be real-time scans, or on-demand scheduled scans and searches.
Enabling and configuring real-time scanning
Real-time scanning allows you to apply security profiles and their actions to only those emails that match certain criteria specified in a real-time scan policy. These criteria are based on source, sender, and recipient information.
Before you can configure real-time scan policies, you must first enable the feature, and define the base URL for the FortiMail unit to receive notifications from Microsoft 365 or Google Workspace.
- Go to View > Microsoft 365 & Google Workspace.
- Go to Policy > Real-time Scan > Setting.
- Select Enable.
- Verify the Base URL to receive notification field, which is based on the local host and domain name of the FortiMail unit. To define this URL:
- Select an appropriate Service endpoint from the dropdown menu, depending on your geographic location.
- Determine whether you want to Log all email, or only those emails that match a policy.
To configure real-time scan policy:
- Go to View > Microsoft 365 & Google Workspace.
- Go to Policy > Real-time Scan > Policy.
- Click New and configure the following:
- Click Create.
GUI item | Description |
---|---|
Enable | Enter a descriptive name. |
Account | Select a Microsoft 365 or Google Workspace account. |
Source | Select either IP/Netmask, IP Group, or GeoIP Group, and enter the appropriate source information. |
Sender | Define the sender type, entering the type's settings as required. |
Recipient | Define the recipient type, entering the type's settings as required. |
Profiles | Select profile(s) to be applied for emails meeting the search criteria. The actions specified in the profiles are taken against infected email. |
For full configuration and procedural details, see the Cookbook recipe Real-time scanning of Microsoft 365 email in FortiMail.
Hide email on arrival (Microsoft 365 only)
With the introduction of real-time scanning to FortiMail 6.4.0, there is still the inherent risk that users may open potentially dangerous emails in Microsoft 365 before the FortiMail unit has had the opportunity to scan them, especially if the email contains large attachments. To mitigate this risk, you can enable a feature that automatically moves email to a hidden folder on arrival so that it can be subjected to real-time scanning. After the email is scanned and deemed safe, it is removed from the hidden folder and placed into the user's mailbox.
This feature (disabled by default) can only be enabled using the CLI Console.
To enable this feature, open the CLI Console and enter the following:
config cloud-api setting
    set hide-email-on-arrival enable
end
Release system quarantine email (Microsoft 365 only)
You can enable a feature that automatically stores FortiMail system quarantined email, both original and modified copies, in Microsoft 365. All the tenant, user, and message GUIDs are stored in the FortiMail system quarantine. After the email is scanned and deemed safe, it is then released and redelivered to the user.
This feature (enabled by default) can only be enabled using the CLI Console.
To enable this feature, open the CLI Console and enter the following:
config cloud-api setting
    set system-quarantine-release-original enable
end
Configuring scheduled scan
To scan email on-demand on Microsoft 365 or Google Workspace:
- Go to View > Microsoft 365 & Google Workspace.
- Go to Policy > Scheduled Scan & Search > Scan.
- Click New and configure the following:
- If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
- The scanning status of all the scan tasks will be displayed: either Running, Done, Scheduled, or Stopped.
- After the scan process is done, you can double-click the scan task to view the details.
GUI item | Description |
---|---|
Description | Enter a descriptive name. |
Account | Select to scan All accounts, or specify specific accounts to scan. |
Mailbox | Select to scan All mailboxes, or specify specific mailboxes to scan. |
Schedule | Specify a scheduled time and email start and end time range. |
Profiles | Select profile(s) to be applied for emails meeting the search criteria. The actions specified in the profiles are taken against infected email. |
Condition | Specify the search criteria. |
In addition to automatic scanning, you can also search for specific email on Microsoft 365 or Google Workspace and manually apply actions.
Configuring scheduled search
To search for email and take manual actions:
- Go to View > Microsoft 365 & Google Workspace.
- Go to Policy > Scheduled Scan & Search > Search.
- Click New and configure the following:
- If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
- The search status of all the search tasks will be displayed: either Running, Done, Scheduled, or Stopped.
- After the search process is done, you can double-click the search task to view the details.
- To take any action towards a specific email (if the search task has not already applied an action), from the search result list, select the email and select the action from the Apply Action dropdown list. For action definitions, see Configuring action profiles.
GUI item | Description |
---|---|
Description | Enter a descriptive name. |
Account | Select to search All accounts, or specify specific accounts to search. |
Mailbox | Select to search All mailboxes, or specify specific mailboxes to search. |
Schedule | Specify a scheduled time and email start and end time range. |
Search Action | Select an action profile to be applied for emails meeting the search criteria. The actions specified in the profile are taken against infected email. |
Condition | Specify the search criteria. |