Configuring system time, options, and other system options
The System > Configuration submenu lets you configure the system time, various global GUI settings (such as idle timeout), and SNMP access.
This topic includes:
- Configuring the time and date
- Configuring system options
- Configuring SNMP queries and traps
- Configuring REST API and other web service settings
Configuring the time and date
For many features to work, including scheduling, logging, and certificate-dependent features, the FortiMail system time must be accurate.
Go to System > Configuration > Time to configure the system time and date of the FortiMail unit.
You can either manually set the FortiMail system time or configure the FortiMail unit to automatically keep its system time correct by synchronizing with Network Time Protocol (NTP) servers.
|
NTP is recommended to achieve better time accuracy.See also Appendix C: Port Numbers. |
|
|
FortiMail units support daylight savings time (DST), including recent changes in the USA, Canada and Western Australia. |
Configuring system options
The System > Configuration > Option tab lets you set the following global settings:
- system idle timeout
- LCD panel and button access restriction (for the models that have front LCD panel and control buttons)
- login disclaimer
- password enforcement policy
- administration port numbers on the interfaces
To view and configure the system options
- Go to System > Configuration > Option.
- Configure the following:
|
GUI item |
Description |
|
|
Idle timeout |
Enter the amount of time that an administrator may be inactive before the FortiMail unit automatically logs out the administrator. |
|
|
LCD Panel (models with LCD panels) |
|
|
|
|
PIN Protection |
Enable to require administrators to first enter the PIN before using the LCD display panel and control buttons on the FortiMail unit, then enter the 6-digit PIN number. This option appears only on FortiMail models whose hardware includes an LCD panel. Caution: For better security, always configure an LCD PIN; otherwise, anyone with physical access can reconfigure the unit. |
|
Login Disclaimer Setting |
The disclaimer message appears when an administrator or user logs in to the FortiMail unit GUI, the FortiMail Webmail, or the FortiMail unit to view the IBE encrypted email. |
|
|
|
Login disclaimer |
|
|
|
Reset To Default (button) |
If you have customized the disclaimer text but want to use the default text, select this button. |
|
|
Apply to login page |
|
|
Password Policy |
Enable the password policy for administrators, FortiMail Webmail users, and IBE encrypted email users. |
|
|
|
Minimum password length |
Set the minimum acceptable length (8) for passwords. |
|
|
Password must contain |
Select any of the following special character types to require in a password. Each selected type must occur at least once in the password.
|
|
|
Apply password policy to |
Select where to apply the password policy:
|
|
Enter the TCP/UDP port numbers for administrative access on the network interfaces. See also Appendix C: Port Numbers. |
||
See also
Customizing the GUI appearance
Configuring the network interfaces
Configuring SNMP queries and traps
Go to System > Configuration > SNMP to configure SNMP to monitor FortiMail system events and thresholds, such as high availability (HA) cluster failover messages.
You can also use SNMP to monitor some models which have monitored power supplies and RAID controllers. When a monitored power supply or a RAID controller is removed or added, the FortiMail unit will send configured notification for those events by log messages, alert email messages, and/or SNMP traps.
To monitor FortiMail system information and receive FortiMail traps, you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see FortiMail SNMP MIB files. For information on HA-specific MIB and trap MIB fields, see About logging, alert email, and SNMP for HA.
The FortiMail SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiMail system information and can receive FortiMail traps.
The FortiMail SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Before you can use its SNMP queries, you must enable SNMP access on the network interfaces that SNMP managers will use to access the FortiMail unit. For more information, see Editing network interfaces.
This section includes:
Configuring an SNMP threshold
Configure under what circumstances an event is triggered.
To set SNMP thresholds
- Go System > Configuration > SNMP.
- Click the plus sign to expand the SNMP Threshold area.
- Configure the following:
|
GUI item |
Description |
|
|
SNMP agent enable |
Enable to activate the FortiMail SNMP agent. This must be enabled to accept queries from SNMP managers or send traps from the FortiMail unit. |
|
|
Enter a descriptive name for the FortiMail unit. |
||
|
Enter the location of the FortiMail unit. |
||
|
Enter administrator contact information. |
||
|
SNMP Threshold |
To change a value in the four editable columns, select the value in any row. It becomes editable. Change the value and click outside of the field. A red triangle appears in the field’s corner and remains until you click Apply. |
|
|
|
Trap Type |
|
|
|
Trigger |
You can enter either the percent of the resource in use or the number of times the trigger level must be reached before it is triggered. For example, using the default value, if the mailbox disk is 90% or more full, it will trigger. |
|
|
Threshold |
Sets the number of triggers that will result in an SNMP trap. For example, if the CPU level exceeds the set trigger percentage once before returning to a lower level, and the threshold is set to more than one, an SNMP trap will not be generated until that minimum number of triggers occurs during the sample period. |
|
|
Sample Period(s) |
Sets the time period in seconds during which the FortiMail unit SNMP agent counts the number of triggers that occurred. This value should not be less than the Sample Freq(s) value. |
|
|
Sample Freq(s) |
Sets the interval in seconds between measurements of the trap condition. You will not receive traps faster than this rate, depending on the selected sample period. This value should be less than the Sample Period(s) value. |
|
Community |
Displays the list of SNMP communities (for SNMP v1 and v2c) added to the FortiMail configuration. For information on configuring a community, see either Configuring an SNMP v1 and v2c community or Configuring an SNMP v3 user. |
|
|
|
Name |
Displays the name of the SNMP community. The SNMP Manager must be configured with this name. |
|
|
Status |
A green check mark icon indicates that the community is enabled. |
|
|
Queries |
A green check mark icon indicates that queries are enabled. |
|
|
Traps |
A green check mark icon indicates that traps are enabled. |
|
User |
Displays the list of SNMP v3 users added to the FortiMail configuration. For information on configuring a v3 user, see Configuring an SNMP v3 user. |
|
|
|
Name |
Displays the name of the SNMP v3 user. The SNMP Manager must be configured with this name. |
|
|
Status |
A green check mark icon indicates that the user is enabled. |
|
|
Queries |
A green check mark icon indicates that queries are enabled. |
|
|
Traps |
A green check mark icon indicates that traps are enabled. |
|
|
Security level |
Displays the security level. |
See also
Configuring an SNMP v1 and v2c community
Configuring an SNMP v1 and v2c community
An SNMP community is a grouping of equipment for network administration purposes. You can add up to three SNMP communities so that SNMP managers can connect to the FortiMail unit to view system information and receive SNMP traps. You can configure each community differently for SNMP traps and to monitor different events. You can add the IP addresses of up to eight SNMP managers to each community.
To configure an SNMP community
- Go to System > Configuration > SNMP.
- Under Community, click New to add a community or select a community and click Edit.
- Configure the following:
The SNMP Community page appears.
|
GUI item |
Description |
|
|
Name |
Enter a name to identify the SNMP community. If you are editing an existing community, you cannot change the name. You can add up to 16 communities. |
|
|
Enable |
Enable to send traps to and allow queries from the community’s SNMP managers. |
|
|
Community Hosts |
Lists SNMP managers that can use the settings in this SNMP community to monitor the FortiMail unit. Click Create to create a new entry. You can add up to 16 hosts. |
|
|
|
IP Address |
Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP community. |
|
|
Delete (button) |
Click to remove this SNMP manager. |
|
|
Create (button) |
Click to add a new default entry to the Hosts list that you can edit as needed. |
|
Queries |
Enter the Port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiMail unit. Mark the Enable check box to activate queries for each SNMP version. See also Appendix C: Port Numbers. |
|
|
Traps |
Enter the Local Port and Remote Port numbers that the FortiMail unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Enable traps for each SNMP version that the SNMP managers use. |
|
|
SNMP Event |
Enable each SNMP event for which the FortiMail unit should send traps to the SNMP managers in this community. Note: Since FortiMail checks its status in a scheduled interval, not all the events will trigger traps. For example, FortiMail checks its hardware status every 60 seconds. This means that if the power is off for a few seconds but is back on before the next status check, no system event trap will be sent. |
|
See also
Configuring global disclaimers
Customizing GUI, custom messages, email templates, and Security Fabric
Customizing the GUI appearance
Configuring an SNMP v3 user
SNMP v3 adds more security by using authentication and privacy encryption. You can specify an SNMP v3 user on FortiMail so that SNMP managers can connect to the FortiMail unit to view system information and receive SNMP traps.
To configure an SNMP v3 user
- Go to System > Configuration > SNMP.
- Under Users, click New to add a user or select a user and click Edit.
- Configure the following:
The SNMPv3 User page appears.
You can add up to 16 users.
|
GUI item |
Description |
|
|
User name |
Enter a name to identify the SNMP user. If you are editing an existing user, you cannot change the name. |
|
|
Enable |
Enable to send traps to and allow queries from the user’s SNMP managers. |
|
|
Security level |
Choose one of the three security levels:
|
|
|
|
Authentication Protocol |
For Security level, if you select either Authentication option, you must specify the authentication protocol and password. Both the authentication protocol and password on the SNMP manager and FortiMail must match. |
|
|
Privacy protocol |
For Security level, if you select Privacy, you must specify the encryption protocol and password. Both the encryption protocol and password on the SNMP manager and FortiMail must match. |
|
Notification Hosts |
Lists the SNMP managers that FortiMail will send traps to. Click Create to create a new entry. You can add up to 16 host. |
|
|
|
IP Address |
Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP user. |
|
|
Delete (button) |
Click to remove this SNMP manager. |
|
|
Create (button) |
Click to add a new default entry to the Hosts list that you can edit as needed. |
|
Enter the Port number that the SNMP managers use for SNMP v3 queries about configuration information to the FortiMail unit. Select the Enable check box to activate queries. See also Appendix C: Port Numbers. |
||
|
Enter the Local Port and Remote Port numbers (162 local, 162 remote by default; see also Appendix C: Port Numbers) that the FortiMail unit uses to send SNMP v3 traps to the SNMP managers. Select the Enable check box to activate traps. |
||
|
SNMP Event |
Enable each SNMP event for which the FortiMail unit should send traps to the SNMP managers. Note: Since FortiMail checks its status in a scheduled interval, not all the events will trigger traps. For example, FortiMail checks its hardware status every 60 seconds. This means that if the power is off for a few seconds but is back on before the next status check, no system event trap will be sent. |
|
See also
Configuring global disclaimers
Customizing GUI, custom messages, email templates, and Security Fabric
Customizing the GUI appearance
FortiMail SNMP MIB files
The FortiMail SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiMail unit configuration.
The FortiMail MIBs are listed in the following table. You can obtain these MIB files from Fortinet Technical Support. To communicate with the SNMP agent, you must compile these MIBs into your SNMP manager.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
|
MIB file name |
Description |
|
fortimail.mib |
Displays the proprietary Fortinet MIB includes detailed FortiMail system configuration information. Your SNMP manager requires this information to monitor FortiMail configuration settings. For more information, see SNMP MIB fields. |
|
fortimail.trap.mib |
Displays the proprietary Fortinet trap MIB includes FortiMail trap information. Your SNMP manager requires this information to receive traps from the FortiMail SNMP agent. For more information, see SNMP traps. |
See also
SNMP traps
The FortiMail unit’s SNMP agent can send traps to SNMP managers that you have added to SNMP communities. To receive traps, you must load and compile the FortMail trap MIB into the SNMP manager.
All traps sent include the trap message as well as the FortiMail unit serial number and host name.
|
Trap |
Description |
|
fmlTrapCpuHighThreshold |
Trap sent if CPU usage becomes too high. |
|
fmlTrapMemLowThreshold |
Trap sent if memory usage becomes too high. |
|
fmlTrapLogDiskHighThreshold |
Trap sent if log disk usage becomes too high. |
|
fmlTrapMailDiskHighThreshold |
Trap sent if mailbox disk usage becomes too high. |
|
fmlTrapMailDeferredQueueHighThreshold |
Trap sent if the number of deferred email messages becomes too great. |
|
fmlTrapAvThresholdEvent |
Trap sent when the number of detected viruses reaches the threshold. |
|
fmlTrapSpamThresholdEvent |
Trap sent when the number of spam email messages reaches the threshold. |
|
fmlTrapSystemEvent |
Trap sent when system shuts down, reboots, upgrades, etc. |
|
fmlTrapRAIDEvent |
Trap sent for RAID operations. |
|
Trap sent when an HA event occurs. This trap includes the contents of the |
|
|
fmlTrapArchiveEvent |
Trap sent when remote archive event occurs. |
|
fmlTrapIpChange |
Trap sent when the IP address of the network interface has been changed. |
See also
SNMP MIB fields
The Fortinet MIB contains fields reporting current FortiMail unit status information. The tables below list the names of the MIB fields and describe the status information available for each. You can view more details about the information available from all Fortinet MIB fields by compiling the MIB file into your SNMP manager and browsing the MIB fields.
In brackets next to the table titles are the object identifier (OID) number for the table. The OID is unique for each field, as is the name of the field. OIDs within a table add their position in the table to the end of the table’s OID, with the first table position being 0. For example the OID of fnSysVersion is 1.3.6.1.4.1.12356.1.2 - the OID of the table, plus its position in the table.
System options MIB field
|
MIB field |
Description |
|
fmlSysModel |
FortiMail model number, such as 400 for the FortiMail-400. |
|
fmlSysSerial |
FortiMail unit serial number. |
|
fmlSysVersion |
The firmware version currently running on the FortiMail unit. |
|
fmlSysVersionAv |
The antivirus definition version installed on the FortiMail unit. |
|
fmlSysOpMode |
The operation mode (gateway, transparent, or server) of the FortiMail unit. |
|
fmlSysCpuUsage |
The current CPU usage (%). |
|
fmlSysMemUsage |
The current memory utilization (%). |
|
fmlSysLogDiskUsage |
The log disk usage (%). |
|
fmlSysMailDiskUsage |
The mail disk usage (%). |
|
fmlSysSesCount |
The current IP session count. |
|
fmlSysEventCode |
System component events. |
|
fmlRAIDCode |
RAID system events. |
|
fmlRAIDDevName |
RAID device name. |
|
The ID of the most recent HA event. See also Using high availability (HA). |
|
|
The IP address of the port1 network interface on the FortiMail unit where the HA event occured. |
|
|
The effective role (applies to active-passive HA only), either as the primary unit or as the secondary unit. The effective role matches the configured mode of operation unless a failover has occurred. |
|
|
The reason for the HA event. |
|
|
fmlArchiveServerIp |
IP address of the remote archive server. |
|
fmlArchiveFilename |
Archive mail file name. |
System options MIB field
|
MIB field |
Description |
|
fmlSysOptIdleTimeout |
Idle period after which the administrator is automatically logged out off the system. |
|
fmlSysOptAuthTimeout |
Authentication idle timeout value. |
|
fmlSysOptsLan |
|
|
fmlSysOptsLcdProt |
Whether LCD control buttons protection is enabled or disabled. |
System session MIB fields
|
MIB field |
Description |
|
fmlIpSessTable |
FortiMail IP sessions table. |
|
fmlIpSessEntry |
Particular IP session information. |
|
fmlIpSessIndex |
An index value that uniquely identifies an IP session. |
|
fmlIpSessProto |
The protocol of the connection. |
|
fmlIpSessFromAddr |
The session source IP address, |
|
fmlIpSessFromPort |
The session source port number. |
|
fmlIpSessToAddr |
The session destination IP address. |
|
fmlIpSessToPort |
The session destination port number. See also Appendix C: Port Numbers. |
|
fmlIpSessExp |
Time (in seconds) until the session expires. |
Mail options MIB fields
|
MIB field |
Description |
|
fmlMailOptionsDeferQueue |
The current number of deferred email messages. |
Configuring REST API and other web service settings
You can enable the REST API. You can also configure rate limiting for HTTPS requests to the FortiMail unit, including REST API requests.
- Go to System > Configuration > Web Service.
-
Configure the following and click Apply:
GUI item
Description
Redirect HTTP to HTTPS Enable to redirect HTTP web access to HTTPS. Redirect to host Enter the hostname of the FortiMail unit. REST API Enable REST API support. Rate Control
Expand Rate Control to define the maximum concurrent requests, maximum active sessions, and maximum request rate per second for the administrative GUI, webmail, Microsoft 365, and REST API access.
Note that the ranges vary depending on FortiMail model:
-
VM08 supports a maximum of 400.
-
VM16 and higher supports a maximum of 500.
Repeat Offender Control
Enable to block the IP addresses that keep sending bad HTTP requests to FortiMail and causing FortiMail to return HTTP 404 or 405 errors.
-
Offending request count: Specify the number limit of bad requests within a specified period of time that will trigger offender IP blocking. The valid range is 1 to 50, and the default value is 3.
Additionally, click Exempt IP to add those IP addresses you wish to exempt from the repeat offender block.
-
Time period (minutes): Specify the period of time (in minutes) to count the bad requests. The valid range is 1 to 120, and the default value is 5.
Use the default value as an example: if within a 5-minute interval, the bad requests from an IP address reach 3, the IP address will be blocked for the remaining of the 5-minutes interval. After the interval expires, the counter will restart for the next interval.
-