CLI Reference

cloud-api policy

Use this command to configure Microsoft 365 and Google Workspace scan policies. You must have domain administrator privileges to access Microsoft 365 or Google Workspace.

Syntax

config cloud-api policy
    edit <policy_index>
        set status {enable | disable}
        set account <account_name>
        set source-type {geoip-group | ip-address | ip-group}
        set source-ip-address {<client_ipv4mask> | <client_ipv6mask>}
        set source-ip-group <ip-group_name>
        set source-geoip-group <geoip-group_name>
        set sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard}
        set sender-name <username_str>
        set sender-domain <sender_fqdn>
        set sender-ad-group-attr {custom | displayname | mail}
        set sender-ad-group-attr-name <attribute-name_str>
        set sender-ad-group-attr-value <attribute-value_str>
        set sender-email-group <group_name>
        set sender-ldap-profile <profile_name>
        set sender-pattern-regex <sender_pattern>
        set recipient-type {ad-group | email-group | ldap-group | regex | wildcard}
        set recipient-name <username_str>
        set recipient-domain <recipient_fqdn>
        set recipient-ad-group-attr {custom | displayname | mail}
        set recipient-ad-group-attr-name <attribute-name_str>
        set recipient-ad-group-attr-value <attribute-value_str>
        set recipient-email-group <group_name>
        set recipient-ldap-profile <profile_name>
        set recipient-pattern-regex <recipient_pattern>
        set profile-antispam <profile_name>
        set profile-antivirus <profile_name>
        set profile-content <profile_name>
        set profile-dlp <profile_name>
end

Variable

Description

Default

<policy_index>

Enter an index number for the policy in the table.

account <account_name>

Select the name of a Microsoft 365 or Google Workspace account.

comment "<comment_str>"

Enter a description or comment.

profile-antispam <profile_name>

Select which antispam profile this policy will apply.

profile-antivirus <profile_name>

Select which antivirus profile this policy will apply.

profile-content <profile_name>

Select which content profile this policy will apply.

profile-dlp <profile_name>

Select which DLP profile this policy will apply.

recipient-ad-group-attr {custom | displayname | mail}

Select which attribute contains email addresses in your Microsoft Azure Entra ID (formerly Active Directory) directory schema, either:

Note: This setting is only available when recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ad-group.

Default: displayname

recipient-ad-group-attr-name <attribute-name_str>

Enter the name of the custom attribute.

Note: This setting is only available when recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ad-group and recipient-ad-group-attr {custom | displayname | mail} is custom.

recipient-ad-group-attr-value <attribute-value_str>

Enter the attribute value that will match this policy.

Note: This setting is only available when recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ad-group.

recipient-domain <recipient_fqdn>

Enter the domain part of the recipient email address.

Default: *

recipient-email-group <group_name>

Select an email address group.

Note: This setting is only available when recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is email-group.

recipient-ldap-profile <profile_name>

Select an LDAP profile.

Note: This setting is only available when recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ldap-group.

recipient-name <username_str>

Depending on how you chose to define matching email addresses, enter either the:

  • Local part (username) of the email address, or a wild card pattern.

    Wild card patterns allow you to match multiple email addresses. An asterisk (*) matches one or more characters; a question mark (?) matches any one character.

  • Group's full or partial membership attribute value, as it appears in your LDAP directory.

    Depending on the schema and group-relative-name {enable | disable}, the format is either:

    • admins

    • cn=admins,ou=Groups,dc=example,dc=com

Note: This setting is only available when recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is wildcard or ldap-group.

Default: *

recipient-pattern-regex <recipient_pattern>

Enter a regular expression that matches only email addresses that this policy should apply to.

See also regular expression syntax and examples in the FortiMail Administration Guide.

Tip: To test and validate the regular expression, you can use the FortiMail GUI.

Note: This setting is only available when recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is regex.

recipient-type {ad-group | email-group | ldap-group | regex | wildcard}

Select how you want to define the recipient email addresses that match this policy, either:

Default: wildcard

sender-ad-group-attr {custom | displayname | mail}

Select which attribute contains email addresses in your Microsoft Azure Entra ID (formerly Active Directory) directory schema, either:

Note: This setting is only available when sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ad-group.

Default: displayname

sender-ad-group-attr-name <attribute-name_str>

Enter the name of the custom attribute.

Note: This setting is only available when sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ad-group and sender-ad-group-attr {custom | displayname | mail} is custom.

sender-ad-group-attr-value <attribute-value_str>

Enter the attribute value that will match this policy.

Note: This setting is only available when sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ad-group.

sender-domain <sender_fqdn>

Enter the domain part of the sender email address.

Default: *

sender-email-group <group_name>

Select an email group.

Note: This setting is only available when sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is email-group.

sender-ldap-profile <profile_name>

Select an LDAP profile.

Note: This setting is only available when sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ldap-group.

sender-name <username_str>

Depending on how you chose to define matching email addresses, enter either the:

  • Local part (username) of the email address, or a wild card pattern.

    Wild card patterns allow you to match multiple email addresses. An asterisk (*) matches one or more characters; a question mark (?) matches any one character.

  • Group's full or partial membership attribute value, as it appears in your LDAP directory.

    Depending on the schema and group-relative-name {enable | disable}, the format is either:

    • admins

    • cn=admins,ou=Groups,dc=example,dc=com

Note: This setting is only available when sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is wildcard or ldap-group.

Default: *

sender-pattern-regex <sender_pattern>

Enter a regular expression that matches only email addresses that this policy should apply to.

See also regular expression syntax and examples in the FortiMail Administration Guide.

Tip: To test and validate the regular expression, you can use the FortiMail GUI.

Note: This setting is only available when sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is regex.

sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard}

Select how you want to define the sender email addresses that match this policy, either:

Default: wildcard

source-ip-address {<client_ipv4mask> | <client_ipv6mask>}

Enter the SMTP client IP address and netmask.

To match all clients, enter 0.0.0.0/0.

Note: This setting is only available when source-type {geoip-group | ip-address | ip-group} is ip-address.

Default: 0.0.0.0/0

source-ip-group <ip-group_name>

Select which IP address group to use.

Note: This setting is only available when source-type {geoip-group | ip-address | ip-group} is ip-group.

source-geoip-group <geoip-group_name>

Select which GeoIP group to use.

Note: This setting is only available when source-type {geoip-group | ip-address | ip-group} is geoip-group.

source-type {geoip-group | ip-address | ip-group}

Select how you want to define the source IP addresses of SMTP clients that will match this policy, either:

  • IP address and netmask
  • IP address group
  • GeoIP group

Default: ip-address

status {enable | disable}

Enable or disable the policy.

Default: disable
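The "only available when" notes and the Default column above can be checked mechanically before a policy is pasted into the CLI. The following is an added example, not Fortinet code: it lints a policy block against those notes and defaults. The function names (parse_policies, lint) and the sample values (the address range and the attribute name) are assumptions made for illustration.

```python
RULES = {  # setting -> (selector setting, selector values under which it is available)
    "source-ip-address": ("source-type", {"ip-address"}),
    "source-ip-group": ("source-type", {"ip-group"}),
    "source-geoip-group": ("source-type", {"geoip-group"})}
for side in ("sender", "recipient"):
    for suffix, allowed in (
            ("name", {"wildcard", "ldap-group"}), ("pattern-regex", {"regex"}),
            ("email-group", {"email-group"}), ("ldap-profile", {"ldap-group"}),
            ("ad-group-attr", {"ad-group"}), ("ad-group-attr-name", {"ad-group"}),
            ("ad-group-attr-value", {"ad-group"})):
        RULES[f"{side}-{suffix}"] = (f"{side}-type", allowed)
# Values from the table's Default column.
DEFAULTS = {"status": "disable", "source-type": "ip-address", "sender-type": "wildcard",
            "recipient-type": "wildcard", "sender-ad-group-attr": "displayname",
            "recipient-ad-group-attr": "displayname"}

def parse_policies(text):
    """Return {policy_index: {setting: value}} for each 'edit' entry in text."""
    policies, current = {}, None
    for line in text.splitlines():
        words = line.split(None, 2)
        if len(words) >= 2 and words[0] == "edit":
            current = policies.setdefault(words[1], {})
        elif len(words) == 3 and words[0] == "set" and current is not None:
            current[words[1]] = words[2].strip()
    return policies

def lint(settings):
    """Return findings for the values explicitly set in one policy."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    if cfg["status"] != "enable":
        findings.append("status is disable, so the policy is not enabled")
    for key in settings:
        selector, allowed = RULES.get(key, (None, None))
        if selector and cfg[selector] not in allowed:
            findings.append(f"{key} is not available while {selector} is {cfg[selector]}")
    for side in ("sender", "recipient"):
        if f"{side}-ad-group-attr-name" in settings and cfg[f"{side}-ad-group-attr"] != "custom":
            findings.append(f"{side}-ad-group-attr-name requires {side}-ad-group-attr custom")
    return findings

# Constructed sample input; the address range and attribute name are placeholders.
SAMPLE = """config cloud-api policy
edit 1
set source-type ip-group
set source-ip-address 192.0.2.0/24
set recipient-type regex
set recipient-name fin*
set sender-type ad-group
set sender-ad-group-attr-name extensionAttribute1
end"""
if __name__ == "__main__":
    print({index: lint(s) for index, s in parse_policies(SAMPLE).items()})
```

The sample policy yields four findings: it is never enabled, and three of its match settings do not apply under the selected source-type, recipient-type and sender-ad-group-attr values.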

Related topics

domain

profile antispam

profile antivirus

profile content

profile dlp

profile geoip-group

profile ip-address-group

profile ldap

policy recipient
