Configuring scanning policies
After you connect to Microsoft 365/Exchange or Google Workspace and create profiles, you can scan certain email according to the criteria you specify. These can be real-time scans, or on-demand scheduled scans and searches.
Enabling and configuring real-time scanning
Real-time scanning allows you to apply security profiles and their actions to only those emails that match certain criteria specified in a real-time scan policy. These criteria are based on source, sender, and recipient information.
Before you can configure real-time scan policies, you must first enable the feature, and define the base URL for the FortiMail unit to receive notifications from Microsoft 365/Exchange or Google Workspace.
- Go to View > Microsoft & Google API View.
- Go to Policy > Real-time Scan > Setting.
- Select Enable.
- Verify the Base URL to receive notification field, which is based on the local host and domain name of the FortiMail unit. To define this URL:
  - Go to View > Advanced View.
  - Go to System > Mail Setting > Mail Server Settings.
  - Under Local Host, enter the Host name and Local domain name of the FortiMail unit, and click Apply.
- Select an appropriate Service endpoint from the dropdown menu, depending on your geographic location.
- Determine whether you want to Log all email, or only those emails that match a policy.
To configure real-time scan policy:
- Go to View > Microsoft & Google API View.
- Go to Policy > Real-time Scan > Policy.
- Click New and configure the following:

| GUI item | Description |
|---|---|
| Enable | Enter a descriptive name. |
| Account | Select a Microsoft 365/Exchange or Google Workspace account. |
| Source | Select either IP/Netmask, IP Group, or GeoIP Group, and enter the appropriate source information. |
| Sender | Define the sender type, entering the type's settings as required. |
| Recipient | Define the recipient type, entering the type's settings as required. |
| Profiles | Select the profile(s) to apply to email that meets the search criteria. The actions specified in the profiles are taken against infected email. |

- Click Create.
For full configuration and procedural details, see Real-time scanning of Microsoft 365 email in FortiMail.
Hide email on arrival (Microsoft 365 only)
With real-time scanning, there is still a small risk that users may open dangerous emails in Microsoft 365 before the FortiMail unit can finish scanning the email, especially if the email contains large attachments. To mitigate this risk, you can enable a feature that automatically moves email to a hidden folder on arrival for it to be subjected to real-time scanning. After the email is scanned and deemed safe, it is then removed from the hidden folder and put into the user's mailbox.
This feature (disabled by default) can only be enabled using the CLI Console.
To enable this feature, open the CLI Console and enter the following:
config cloud-api setting
set hide-email-on-arrival enable
end
Release system quarantine email (Microsoft 365 only)
You can enable a feature that automatically stores FortiMail system quarantined email, both original and modified copies, in Microsoft 365. All the tenant, user, and message GUIDs are stored in the FortiMail system quarantine. After the email is scanned and deemed safe, it is then released and redelivered to the user.
This feature (enabled by default) can only be enabled using the CLI Console.
To enable this feature, open the CLI Console and enter the following:
config cloud-api setting
set system-quarantine-release-original enable
end
Configuring scheduled scan
In addition to automatic scanning, you can also search for specific email on Microsoft 365 or Google Workspace and manually apply actions.
To scan email on demand for Microsoft 365/Exchange or Google Workspace:
- Go to View > Microsoft & Google API View.
- Go to Policy > Scheduled Scan & Search > Scan.
- Click New and configure the following:

| GUI item | Description |
|---|---|
| Description | Enter a descriptive name. |
| Account | Select to scan All accounts, or specify specific accounts to scan. |
| Mailbox | Select to scan All mailboxes, or specify specific mailboxes to scan. |
| Schedule | Specify a scheduled time and email start and end time range. |
| Profiles | Select the profile(s) to apply to email that meets the search criteria. The actions specified in the profiles are taken against infected email. |
| Condition | Specify the search criteria. |

- If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
- The scanning status of all the scan tasks will be displayed: either Running, Done, Scheduled, or Stopped.
- After the scan process is done, you can double-click the scan task to view the details.
Configuring scheduled search
To search for email and take manual actions:
- Go to View > Microsoft & Google API View.
- Go to Policy > Scheduled Scan & Search > Search.
- Click New and configure the following:

| GUI item | Description |
|---|---|
| Description | Enter a descriptive name. |
| Account | Select to search All accounts, or specify specific accounts to search. |
| Mailbox | Select to search All mailboxes, or specify specific mailboxes to search. |
| Schedule | Specify a scheduled time and email start and end time range. |
| Search Action | Select an action profile to apply to email that meets the search criteria. The actions specified in the profile are taken against infected email. |
| Condition | Specify the search criteria. |

- If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
- The search status of all the search tasks will be displayed: either Running, Done, Scheduled, or Stopped.
- After the search process is done, you can double-click the search task to view the details.
- To take an action on a specific email (if the search task has not already applied an action), select the email in the search result list and select the action from the Apply Action dropdown list. For action definitions, see Configuring action profiles.