
CLI Reference

profile content

Use this command to create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

Content profiles can be used to apply content-based encryption to email. They can also be used to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. As such, content profiles can be used both for email that you want to protect, and for email that you want to prevent.

Syntax

config profile content
  edit <profile_name>
    set comment <comment_str>
    set action-default <content-action-profile_name>
    set defersize <KB_int>
    config attachment-scan
      edit <index_int>
        set action <content-action-profile_name>
        set operator {is | is-not}
        set patterns {archive audio encrypted executable_windows image msoffice openoffice script video}
        set status {enable | disable}
      next
    end
    set scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}
    set embedded-scan-options {check-msoffice check-msoffice-vba check-msvisio check-openoffice check-pdf}
    set max-num-of-attachment <limit_int>
    set max-size-status {enable | disable}
    set max-size-option {message | attachment}
    set max-size <KB_int>
    set action-max-size <content-action-profile_name>
    set action-policy-match <content-action-profile_name>
    set image-analysis-scan {enable | disable}
    set action-image-analysis <content-action-profile_name>
    set decrypt-password-archive {enable | disable}
    set decrypt-password-office {enable | disable}
    set decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}
    set decrypt-password-num-of-words <words_int>
    set action-cdr <content-action-profile_name>
    set html-content-action {convert-to-text | modify-content}
    set html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}
    set html-content-url-selection {tag-attribute tag-content}
    set remove-active-content {enable | disable}
    set text-content-action {click-protection | click-protection-isolator | isolator | neutralize | remove-url}
    set cdr-file-type-options {office pdf}
    set archive-scan-options {block-on-failure-to-decompress block-password-protected block-recursive}
    set archive-max-recursive-level <threshold_int>
    config monitor
      edit <index_int>
        set action <content-action-profile_name>
        set dict-score <threshold_int>
        set dictionary-group <dictionary-group_name>
        set dictionary-profile <dictionary-profile_name>
        set dictionary-type {group | profile}
        set scan-office {enable | disable}
        set scan-pdf {enable | disable}
        set status {enable | disable}
      next
    end
  next
end

Variable

Description

Default

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

<index_int>

Enter the index number of the attachment scan profile.

If the profile does not currently exist, it will be created.

action <content-action-profile_name>

Select which content action profile to use for the attachment scan. See profile content-action.

operator {is | is-not}

Select either:

  • is: Match the file types that are selected in patterns {archive audio encrypted executable_windows image msoffice openoffice script video}.
  • is-not: Match the file types that are not selected in patterns {archive audio encrypted executable_windows image msoffice openoffice script video}.

is

patterns {archive audio encrypted executable_windows image msoffice openoffice script video}

Select which file types of attachments will be scanned or omitted from the scan, depending on your configuration of operator {is | is-not}.

For multiple file types, separate each entry with a space.

This setting applies only if status {enable | disable} is enable.

status {enable | disable}

Enable or disable patterns {archive audio encrypted executable_windows image msoffice openoffice script video}.

enable

<index_int>

Enter the index number of the content monitoring profile.

If the profile does not currently exist, it will be created.

action <content-action-profile_name>

Select which content action profile to use for the content monitor scan. See profile content-action.

dict-score <threshold_int>

Enter the number of times that an email must match the content monitor profile before the FortiMail unit applies the content action profile selected in action <content-action-profile_name>.

1

dictionary-group <dictionary-group_name>

Enter the dictionary profile group that this content monitor profile will use. See profile dictionary-group.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profiles. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-profile <dictionary-profile_name>

Enter the dictionary profile that this content monitor profile will use.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profile. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile in profile content-action.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-type {group | profile}

Select either:

  • group: Compare the email with the dictionary group configured in dictionary-group <dictionary-group_name>.
  • profile: Compare the email with the single dictionary profile configured in dictionary-profile <dictionary-profile_name>.

group

scan-office {enable | disable}

Enable or disable Microsoft Word document scanning for this profile.

disable

scan-pdf {enable | disable}

Enable or disable PDF document scanning for this profile.

disable

status {enable | disable}

Enable or disable this monitor profile.

disable

action-cdr <content-action-profile_name>

Select the action profile to use for CDR. See also profile content-action.

action-default <content-action-profile_name>

Select a content action profile. See profile content-action.

This default setting applies only to sub-scans that do not have their own individually configured action, such as action-cdr <content-action-profile_name>.

action-image-analysis <content-action-profile_name>

For the image email file type, you can use a content action profile to override action-default <content-action-profile_name>.

action-max-size <content-action-profile_name>

Select the content action profile to use if an email or attachment exceeds max-size <KB_int>.

archive-max-recursive-level <threshold_int>

Enter the nesting depth threshold. Depending on how deeply archives are nested inside each attached archive, the FortiMail unit uses one of the following rules to decide whether to block or pass the email:

  • If archive-max-recursive-level is 0, or the attachment's nesting depth is equal to or less than archive-max-recursive-level: if the archive contains a file that matches one of the other file types, perform the action configured for that file type, either block or pass.
  • If the attachment's nesting depth is greater than archive-max-recursive-level: apply the block action if block-recursive is selected in archive-scan-options {block-on-failure-to-decompress block-password-protected block-recursive}; otherwise the attachment passes the file type content filter. Block actions are specified in profile content-action.

Note that an archive nested deeper than the threshold is not unpacked, so without block-recursive its contents are delivered unscanned. Select block-recursive if deep nesting must not be usable to hide content from the scan.

This setting applies only if check-archive-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

12

action-policy-match <content-action-profile_name>

Select the content action profile to use if an email triggers a policy match.

This setting applies only if policy-match is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

archive-scan-options {block-on-failure-to-decompress
block-password-protected
block-recursive}

Select which option(s) to use when scanning archives:

  • block-on-failure-to-decompress: Apply the action configured in profile content-action if an attached archive cannot be successfully decompressed in order to scan its contents.
  • block-password-protected: Apply the action configured in profile content-action if an attached archive is password-protected. See also decrypt-password-archive {enable | disable}.
  • block-recursive: Block archive attachments whose depth of nested archives exceeds the value defined under archive-max-recursive-level <threshold_int>.

Separate multiple options with a space.

This setting applies only if check-archive-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

cdr-file-type-options {office pdf}

Select which file type(s) to apply content disarming and reconstruction (CDR) to:

  • office: Microsoft Office files.
  • pdf: PDF files.

See also file content-disarm-reconstruct.

comment <comment_str>

Enter a descriptive comment.

decrypt-password-archive {enable | disable}

Enable to attempt to decrypt password-protected archives so that their contents can be scanned. Also configure decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}.

disable

decrypt-password-num-of-words <words_int>

Enter the number of words on each side of the keyword to try as the password when decrypting a file.

For example, an email could contain the sentence: “To open the document, please use password 123456. If you cannot open it, please contact us.” If you specify two words before and after the keyword, then “please” and “use” (the two words before the keyword “password”) and “123456” and “If” (the two words after it) are tried one by one as the password for the attachment. If no keyword exists, any words in the email body may be tried as the password.

5

decrypt-password-office {enable | disable}

Enable to decrypt password protected Microsoft Office files. Also configure decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}.

disable

decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}

Select which kind of password list to use when decrypting files: FortiMail's built-in list, the passwords you have configured under file decryption password (user-defined-password-list), or words taken from the message body (words-in-email-content; see decrypt-password-num-of-words <words_int>).

This setting applies only if decrypt-password-archive {enable | disable} or decrypt-password-office {enable | disable} is enable.

words-in-email-content

defersize <KB_int>

Enter the attachment size threshold in kilobytes for deferred delivery.

To disable the limit, enter 0.

See also defer-delivery-starttime <time_str> and defer-delivery {enable | disable}.

Tip: Alternatively, configure max-size <KB_int>.

0

embedded-scan-options {check-msoffice check-msoffice-vba check-msvisio check-openoffice check-pdf}

Specify which option(s) to use when scanning documents with embedded files:

  • check-msoffice: Scan embedded files in Microsoft Office documents.
  • check-msoffice-vba: Scan Visual Basic for Applications (VBA) macro content embedded in Microsoft Office documents.
  • check-msvisio: Scan embedded files in Microsoft Visio documents.
  • check-openoffice: Scan embedded files in OpenOffice.org documents.
  • check-pdf: Scan embedded files in PDF documents.

Separate multiple options with a space.

Like an archive, a document can contain video, graphics, sounds, and other files that it uses. Wrapping those files inside the document instead of linking to them at a separate, external location makes the document more portable. However, it also means that a document with embedded files can be used to hide infected files.

This setting applies only if check-embedded-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

html-content-action {convert-to-text | modify-content}

Select either:

  • convert-to-text: Convert the HTML message body to plain text. See the caution under remove-active-content {enable | disable} about replace-content in the content action profile.
  • modify-content: Keep the HTML but modify it according to html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}, html-content-url-selection {tag-attribute tag-content} and remove-active-content {enable | disable}.

This setting applies only if check-html-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

modify-content

html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}

If html-content-action {convert-to-text | modify-content} is modify-content, select how FortiMail will modify the HTML:

  • click-protection: Rewrite the URL. If the user clicks on the URL, perform the click protection action configured in system fortiguard url-protection.
  • click-protection-isolator: Rewrite the URL and if the user clicks on it, redirect the URL to FortiMail for scanning. If the URL is malicious, it will be blocked; if the URL passes the scan, then it is rewritten to point to FortiIsolator, and the user will browse through FortiIsolator.
  • isolator: Redirect the user to FortiIsolator so that the user will be browsing indirectly, protected through FortiIsolator.
  • keep: Keep the URL or script. Do not remove or modify it.
  • neutralize: Modify the URL so that it is inactive when clicked but the original destination is still easy to read. For example, a link to:

    https://www.example.com

    is changed to:

    hxxps://www[.]example[.]com

  • remove: Remove the URL or script.

This setting applies only if check-html-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

click-protection

html-content-url-selection {tag-attribute tag-content}

Select where CDR modifications should apply:

  • tag-attribute: HTML tag attributes. For example, modify the href attribute in hyperlinks such as in <a href="https://example.com/">.
  • tag-content: HTML tag text contents.

Separate multiple options with a space.

This setting applies only if html-content-action {convert-to-text | modify-content} is modify-content.

tag-attribute

image-analysis-scan {enable | disable}

If you have purchased the image scan feature license, enable this to scan for image categories that you may want to block, such as violence and adult images.

You can also configure the scan sensitivity and the image file size threshold. See antispam image-analysis.

disable

max-num-of-attachment <limit_int>

Enter how many attachments are allowed in one email message. The valid range is from 1 to 100.

This setting applies only if check-max-num-of-attachment is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

10

max-size <KB_int>

Enter the maximum size threshold in kilobytes. Also configure action-max-size <content-action-profile_name>.

To disable the limit, enter 0.

This setting applies only if max-size-status {enable | disable} is enable.

10240

max-size-option {message | attachment}

Select to apply max-size <KB_int> to either the body of the email message or attachments.

message

max-size-status {enable | disable}

Enable to apply max-size <KB_int>.

disable

remove-active-content {enable | disable}

Enable to remove active content, such as JavaScript, from HTML email.

This setting applies only if html-content-action {convert-to-text | modify-content} is modify-content.

Caution: If you want to convert HTML to plain text, you must also enable replace-content {enable | disable} in the content action profile (see profile content-action). Otherwise, the FortiMail unit keeps the HTML tags and applies only whichever other action(s) the content action profile specifies.

If you enable replace-content {enable | disable}, all HTML tags are removed except for the minimum required by the HTML document type definition (DTD):

  • <html>
  • <head>
  • <body>

Body text is stripped of other tags and surrounded by <pre> tags, which are typically rendered in a monospace font, so the appearance mimics plain text.

For linked files, which are hosted on an external web server for subsequent download rather than embedded in or attached to the email, the FortiMail unit downloads and attaches the file to the email before removing the <img> or <embed> tag. In this way, while the format is converted to plain text, attachments and linked files that may be relevant to the content are still preserved. Note that this download is made by the FortiMail unit itself, so a sender-controlled image URL (a tracking pixel) is requested even if the recipient never opens the message.

For example, in an email that is a mixture of HTML and plain text (Content-Type: multipart/alternative), if replace-content {enable | disable} is enable, the FortiMail unit removes hyperlink, font, and other HTML tags in the sections labeled Content-Type: text/html. Linked images are converted to attachments. The MIME Content-Type: text/html label itself, however, is not modified.

enable

scan-options {block-fragmented-email
block-password-protected-office
bypass-on-smtp-auth
check-archive-content
check-embedded-content
check-html-content
check-max-num-of-attachment check-text-content
policy-match}

Select which option(s) to use:

  • block-fragmented-email: Detect and block fragmented email. Some mail user agents, such as Microsoft Outlook, can split a large email into multiple sub-messages (MIME type message/partial). Because each fragment is small and incomplete on its own, fragmentation can be used to bypass oversize limits and content scanning.
  • block-password-protected-office: Detect an attached Microsoft Office document that is password-protected and therefore cannot be opened in order to scan its contents, and apply the block or other action selected in the content action profile. See also decrypt-password-office {enable | disable}.
  • bypass-on-smtp-auth: Omit this profile's scans when the sending SMTP client has authenticated. Note that mail sent through a compromised account also skips these scans.
  • check-archive-content: Scan the contents of archive attachments. Also configure archive-max-recursive-level <threshold_int> and archive-scan-options {block-on-failure-to-decompress block-password-protected block-recursive}.
  • check-embedded-content: Scan embedded files. Like an archive, a document can contain video, graphics, sounds, and other files that it uses. Embedding the required files instead of linking to them externally makes a document more portable, but it also means a document can be used to hide infected files that are the real attack vector. Also configure embedded-scan-options {check-msoffice check-msoffice-vba check-msvisio check-openoffice check-pdf}.
  • check-html-content: Detect hypertext markup language (HTML) email and perform content disarming and reconstruction (CDR). FortiMail also adds:

    X-FEAS-ATTACHMENT-FILTER: Contains HTML tags.

    to the message headers. Also configure action-cdr <content-action-profile_name>, html-content-action {convert-to-text | modify-content} and html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}.

  • check-max-num-of-attachment: Limit the number of attachments. Also configure max-num-of-attachment <limit_int>.
  • check-text-content: Detect URLs in plain text email and perform content disarming and reconstruction (CDR) on them. Also configure action-cdr <content-action-profile_name> and text-content-action {click-protection | click-protection-isolator | isolator | neutralize | remove-url}.
  • policy-match: Defer mail delivery from specific senders configured in the policy. By sending low-priority, bandwidth-consuming email such as newsletter digests or marketing campaigns at scheduled times, you conserve bandwidth at peak times so that high-priority email is delivered more quickly. See also mailsetting preference and action-policy-match <content-action-profile_name>.

Separate multiple options with a space.

text-content-action {click-protection | click-protection-isolator | isolator | neutralize | remove-url}

Select how FortiMail will modify URLs found in plain text email:

  • click-protection: Rewrite the URL. If the user clicks on the URL, perform the click protection action configured in system fortiguard url-protection.
  • click-protection-isolator: Rewrite the URL and, if the user clicks on it, redirect the URL to FortiMail for scanning. If the URL is malicious, it is blocked; if the URL passes the scan, it is rewritten to point to FortiIsolator, and the user browses through FortiIsolator.
  • isolator: Redirect the user to FortiIsolator so that the user browses indirectly, protected through FortiIsolator.
  • neutralize: Modify the URL so that it is inactive when clicked but the original destination is still easy to read. For example, a link to:

    https://www.example.com

    is changed to:

    hxxps://www[.]example[.]com

  • remove-url: Remove the URL.

This setting applies only if check-text-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

click-protection
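A complete profile that ties the sub-tables together, added here as an illustration and not taken from the FortiMail documentation. The profile name inbound-strict, the content action profiles ca-quarantine, ca-reject, ca-replace and ca-encrypt (which must already exist under profile content-action) and the dictionary profile PCI-DSS are assumed names; the numeric thresholds are choices for a gateway that receives untrusted inbound mail, not recommended defaults.

```text
config profile content
  edit inbound-strict
    set comment "Inbound: reject executables, unpack archives, CDR Office/PDF, neutralize URLs"
    set action-default ca-quarantine
    config attachment-scan
      edit 1
        set status enable
        set operator is
        set patterns executable_windows script encrypted
        set action ca-reject
      next
    end
    set scan-options block-fragmented-email block-password-protected-office check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content
    set embedded-scan-options check-msoffice check-msoffice-vba check-pdf
    set max-num-of-attachment 20
    set max-size-status enable
    set max-size-option attachment
    set max-size 20480
    set action-max-size ca-reject
    set decrypt-password-archive enable
    set decrypt-password-office enable
    set decrypt-password-options words-in-email-content
    set decrypt-password-num-of-words 5
    set action-cdr ca-replace
    set cdr-file-type-options office pdf
    set html-content-action modify-content
    set html-content-url-action neutralize
    set html-content-url-selection tag-attribute tag-content
    set remove-active-content enable
    set text-content-action neutralize
    set archive-scan-options block-on-failure-to-decompress block-recursive
    set archive-max-recursive-level 3
    config monitor
      edit 1
        set status enable
        set dictionary-type profile
        set dictionary-profile PCI-DSS
        set dict-score 3
        set scan-office enable
        set scan-pdf enable
        set action ca-encrypt
      next
    end
  next
end
```

Reading it against the table above: attachment-scan entry 1 uses operator is, so only Windows executables, scripts and encrypted attachments hit ca-reject, while every other finding falls through to action-default. An archive nested four levels deep exceeds archive-max-recursive-level 3 and is blocked because block-recursive is selected; with block-recursive cleared it would pass unscanned. Password-protected archives and Office files are first tried with up to five words on either side of the keyword in the message body; block-password-protected is deliberately left out of archive-scan-options so that the decryption attempt is not pre-empted (how FortiMail orders the two when decryption fails is not stated on this page, so verify it on your firmware). URLs in both HTML attributes and visible HTML text, and in plain text bodies, are neutralized rather than click-protected, which needs no FortiGuard URL protection lookup but also means a user who retypes the defanged URL gets no protection. The monitor entry encrypts, via ca-encrypt, any email whose subject or body (or attached Office/PDF document) matches the PCI-DSS dictionary at least three times, which is the "email that you want to protect" use of a content profile described at the top of the page.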

Related topics

antispam image-analysis

file content-disarm-reconstruct

file decryption password

profile content-action

system fortiguard url-protection

profile content

profile content

Use this command to create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

Content profiles can be used to apply content-based encryption to email. They can also be used to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. As such, content profiles can be used both for email that you want to protect, and for email that you want to prevent.

Syntax

config profile content

edit <profile_name>

[set comment <comment_str>

set action-default <content-action-profile_name>

set defersize <KB_int>

config attachment-scan

edit <index_int>

set action <content-action-profile_name>

set operator {is | is-not}

set patterns {archive audio encrypted executable_windows image msoffice openoffice script video}

set status {enable | disable}

set scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}

set embedded-scan-options {check-msoffice check-msoffice-vba check-msvisio check-openoffice check-pdf}

set max-num-of-attachment <limit_int>

set max-size-status {enable | disable}

set max-size-option {message | attachment}

set max-size <KB_int>

set action-max-size <content-action-profile_name>

set action-policy-match <content-action-profile_name>

set image-analysis-scan {enable | disable}

set action-image-analysis <content-action-profile_name>

set decrypt-password-archive {enable | disable}

set decrypt-password-office {enable | disable}

set decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}

set decrypt-password-num-of-words <words_int>

set action-cdr <content-action-profile_name>

set html-content-action {convert-to-text | modify-content}

set html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}

set html-content-url-selection {tag-attribute tag-content}

set remove-active-content {enable | disable}

set text-content-action {click-protection | click-protection-isolator | isolator | neutralize | remove-url}

set cdr-file-type-options {office pdf}

set archive-scan-options {block-on-failure-to-decompress block-password-protected block-recursive}

set archive-max-recursive-level <threshold_int>

config monitor

edit <index_int>

set action <content-action-profile_name>

set dict-score <threshold_int>

set dictionary-group <dictionary-group_name>

set dictionary-profile <dictionary-profile_name>

set dictionary-type {group | profile}

set scan-office {enable | disable}

set scan-pdf {enable | disable}

set status {enable | disable}

end

Variable

Description

Default

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

<index_int>

Enter the index number of the attachment scan profile.

If the profile does not currently exist, it will be created.

action <content-action-profile_name>

Select which content action profile to use for the attachment scan. See profile content-action.

operator {is | is-not}

Select either:

  • is: Match the file types that are selected
  • is-not: Match the file types that are not selected

in patterns {archive audio encrypted executable_windows image msoffice openoffice script video}.

is

patterns {archive audio encrypted executable_windows image msoffice openoffice script video}

Select which file types of attachments will be scanned or omitted from the scan, depending on your configuration of operator {is | is-not}.

For multiple file types, separate each entry with a space.

This setting applies only if status {enable | disable} is enable.

status {enable | disable}

Enable or disable patterns {archive audio encrypted executable_windows image msoffice openoffice script video}.

enable

<index_int>

Enter the index number of the content monitoring profile.

If the profile does not currently exist, it will be created.

action <content-action-profile_name>

Select which content action profile to use for the content monitor scan. See profile content-action.

dict-score <threshold_int>

Enter the number of times that an email must match the content monitor profile before it will receive the antispam action.

1

dictionary-group <dictionary-group_name>

Enter the dictionary profile group that this content monitor profile will use. See profile dictionary-group.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profiles. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-profile <dictionary-profile_name>

Enter the dictionary profile that this content monitor profile will use.

The FortiMail unit will compare content in the subject line and message body of the email message with words and patterns in the dictionary profile. If it locates matching content, the FortiMail unit will perform the actions configured for this monitor profile in profile content-action.

For information on dictionary profiles, see the FortiMail Administration Guide.

dictionary-type {group | profile}

Select either:

group

scan-office {enable | disable}

Enable or disable Microsoft Word document scanning for this profile.

disable

scan-pdf {enable | disable}

Enable or disable PDF document scanning for this profile.

disable

status {enable | disable}

Enable or disable this monitor profile.

disable

action-cdr <content-action-profile_name>

Select the action profile to use for CDR. See also profile content-action.

action-default <content-action-profile_name>

Select a content action profile. See profile content-action.

This default setting applies only to sub-scans that do not have their own individually configured action, such as action-cdr <content-action-profile_name>.

action-image-analysis <content-action-profile_name>

For the image email file type, you can use a content action profile to override action-default <content-action-profile_name>.

action-max-size <content-action-profile_name>

Select the content action profile to use if an email or attachment exceeds max-size <KB_int>.

archive-max-recursive-level <threshold_int>

Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit will use one of the following methods to determine whether it should block or pass the email.

  • If the archive-max-recursive-level is 0, or attachment’s depth of nesting is equal to or less than archive-max-recursive-level: If the attachment contains a file that matches one of the other file types, perform the action configured for that file type, either block or pass.
  • If the attachment’s depth of nesting is greater than archive-max-recursive-level: Apply the block action, unless you have not selected block-recursive in archive-scan-options {block-on-failure-to-decompress block-password-protected block-recursive}, in which case it will pass the file type content filter. Block actions are specified in the profile content-action.

This setting applies only if pcheck-archive-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

12

action-policy-match <content-action-profile_name>

Select the content action profile to use if an email triggers a policy match.

This setting applies only if policy-match is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

archive-scan-options {block-on-failure-to-decompress
block-password-protected
block-recursive}

Select what option(s) to use when scanning archives:

  • block-on-failure-to-decompress: Apply the action configured in profile content-action if an attached archive cannot be successfully decompressed in order to scan its contents.
  • block-password-protected: Apply the action configured inprofile content-action if an attached archive is password-protected.
  • block-recursive: Block archive attachments whose depth of nested archives exceeds the value defined under archive-max-recursive-level <threshold_int>.

Separate multiple options with a space.

This setting applies only if check-archive-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

cdr-file-type-options {office pdf}

Select which file type(s) to apply content disarming and reconstruction (CDR) to:

  • office: Microsoft Office files.
  • pdf: PDF files.

See also file content-disarm-reconstruct.

comment <comment_str>

Enter a descriptive comment.

decrypt-password-archive {enable | disable}

Enable or disable to decrypt password protected archives. Also configure decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}.

disable

decrypt-password-num-of-words <words_int>

Enter the number of words adjacent to the keyword to try for file decryption.

For example, in an email, there could be a sentence such as: “To open the document, please use password 123456. If you cannot open it, please contact us.” If you specify to use two words before and after the keyword, then “please”, “use” (two words before the keyword “password”), “123456”, and “If” (two words after the keyword “password”) would be used as one by one as the password to decrypt the attachments. If no keyword exists, any words in the email body may be tried as the password.

5

decrypt-password-office {enable | disable}

Enable to decrypt password protected Microsoft Office files. Also configure decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}.

disable

decrypt-password-options {built-in-password-list | user-defined-password-list | words-in-email-content}

Select which kind of password to use to decrypt files.

This setting applies only if decrypt-password-archive {enable | disable}is enable and you have configured file decryption password.

words-in-email-content

defersize <KB_int>

Enter the attachment size threshold in kilobytes for deferred delivery.

To disable the limit, enter 0.

See also defer-delivery-starttime <time_str> and defer-delivery {enable | disable}.

Tip: Alternatively, configure max-size <KB_int>.

0

embedded-scan-options {check-msoffice check-msoffice-vba check-msvisio check-openoffice check-pdf}

Specify which option(s) to use when scanning documents with embedded files.

  • check-msoffice: Scan embedded files in Microsoft Office documents.
  • check-msoffice-vba: Scan embedded files in Microsoft Office Visual Basic documents.
  • check-msvisio: Scan embedded files in Microsoft Visio documents.
  • check-openoffice: Scan embedded files in OpenOffice.org documents.
  • check-pdf: Scan embedded files in PDF documents.

Similar to an archive, documents can sometimes contain video, graphics, sounds, and other files that are used by the document. By wrapping files within a document instead of linking to the file on a separate, external location, a document becomes more portable. However, it also means that documents with other files embedded can be used to hide infected files.

html-content-action {convert-to-text | modify-content}

Select either convert-to-text or modify-content. If modify-content is selected, also configure html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}.

This setting applies only if check-html-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

modify-content

html-content-url-action {click-protection | click-protection-isolator | isolator | keep | neutralize | remove}

If html-content-action {convert-to-text | modify-content} is modify-content, select how FortiMail will modify the HTML:

  • click-protection: Rewrite the URL. If the user clicks on the URL, perform the click protection action configured in system fortiguard url-protection.
  • click-protection-isolator: Rewrite the URL and if the user clicks on it, redirect the URL to FortiMail for scanning. If the URL is malicious, it will be blocked; if the URL passes the scan, then it is rewritten to point to FortiIsolator, and the user will browse through FortiIsolator.
  • isolator: Redirect the user to FortiIsolator so that the user will be browsing indirectly, protected through FortiIsolator.
  • keep: Keep the URL or script. Do not remove or modify it.
  • neutralize: Modify the URL to make it inactive when clicked, but still easy to determine what the original URL was. For example, a link to:

    https://www.example.com

    is changed to:

    hxxps:\\www[.]example[.]com

  • remove: Remove the URL or script.

This setting applies only if check-html-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

click-protection

html-content-url-selection {tag-attribute tag-content}

Select where CDR modifications should apply:

  • tag-attribute: HTML tag attributes. For example, modify the href attribute in hyperlinks such as in <a href="https://example.com/">.
  • tag-content: HTML tag text contents.

Separate multiple options with a space.

This setting applies only if html-content-action {convert-to-text | modify-content} is modify-content.

tag-attribute

image-analysis-scan {enable | disable}

If you have purchased the image scan feature license, you can enable the scan for image categories that you may want to block, such as violence and adult images.

You can also configure the scan sensitivity and image file size threshold. See antispam image-analysis.

disable

max-num-of-attachment <limit_int>

Enter how many attachments are allowed in one email message. The valid range is from 1 to 100.

This setting applies only if check-max-num-of-attachment is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

10

max-size <KB_int>

Enter the maximum size threshold in kilobytes. Also configure action-max-size <content-action-profile_name>.

To disable deferred delivery, enter 0.

This setting applies only if max-size-status {enable | disable} is enable.

10240

max-size-option {message | attachment}

Select to apply max-size <KB_int> to either the body of the email message or attachments.

message

max-size-status {enable | disable}

Enable to apply max-size <KB_int>.

disable

remove-active-content {enable | disable}

Enable to remove active content such as JavaScript.

This setting applies only if html-content-action {convert-to-text | modify-content} is modify-content.

Caution: If you want to convert HTML to plain text, then you must also enable replace-content {enable | disable}. Otherwise, the FortiMail unit will keep the HTML tags and only apply whichever other action(s) are configured in the content action profile.

If you enable replace-content {enable | disable}, then all HTML tags will be removed, except for the minimum required by the HTML document type definition (DTD):

  • <html>
  • <head>
  • <body>

Body text will be stripped of other tags and surrounded by <pre> tags, which are typically rendered in a monospace font, so that the appearance mimics plain text.

For linked files, which are hosted on an external web server for subsequent download rather than directly embedded or attached to the email, the FortiMail unit will download and attach the file to the email before removing the <img> or <embed> tag. In this way, while the format is converted to plain text, attachments and linked files which may be relevant to the content are still preserved.

For example, in an email that is a mixture of HTML and plain text (Content‑Type: multipart/alternative), and if replace-content {enable | disable} is enable, the FortiMail unit would remove hyperlink, font, and other HTML tags in the sections labeled with Content-Type: text/html. Linked images would be converted to attachments. The MIME Content‑Type: text/html label itself, however, would not be modified.

enable

scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}

Select which option(s) to use:

  • block-fragmented-email: Detect and block fragmented email. Some mail user agents, such as Microsoft Outlook, can fragment big emails into multiple sub-messages. This is used to bypass oversize limits and scanning.
  • block-password-protected-office: Detect if an attached Microsoft Office document is password-protected and therefore cannot be decompressed in order to scan its contents. Apply the block or other action selected in the content action profile.
  • bypass-on-smtp-auth: Omit antispam scans when an SMTP sender is authenticated.
  • check-archive-content: Scan archives. Also configure archive-max-recursive-level <threshold_int> etc.
  • check-embedded-content: Scan embedded files. Documents, similar to an archive, can sometimes contain video, graphics, sounds, and other files that are used by the document. By embedding the required file within itself instead of linking to such files externally, a document becomes more portable. However, it also means that documents can be used to hide infected files that are the real attack vector.
  • check-html-content: Detect hypertext markup language (HTML) email and perform content disarming and reconstruction (CDR). FortiMail will also add:

    X-FEAS-ATTACHMENT-FILTER: Contains HTML tags.

    to the message headers. Also configure action-cdr <content-action-profile_name> etc.

  • check-max-num-of-attachment: Limit the number of attachments. Also configure max-num-of-attachment <limit_int>.
  • check-text-content: Detect URLs and perform content disarming and reconstruction (CDR) in plain text email. Also configure action-cdr <content-action-profile_name> and text-content-action {click-protection | click-protection-isolator | isolator | neutralize | remove-url}.
  • policy-match: Defer mail delivery from specific senders configured in the policy. By sending low-priority, bandwidth-consuming email such as newsletter digests or marketing campaigns at scheduled times, you can conserve bandwidth at peak time so that high-priority email can be sent more quickly. See also mailsetting preference and action-policy-match <content-action-profile_name>.

Separate multiple options with a space.

text-content-action {click-protection | click-protection-isolator | isolator | neutralize | remove-url}

Select how FortiMail will modify URLs found in plain text email:

  • click-protection: Rewrite the URL. If the user clicks on the URL, perform the click protection action configured in system fortiguard url-protection.
  • click-protection-isolator: Rewrite the URL and if the user clicks on it, redirect the URL to FortiMail for scanning. If the URL is malicious, it will be blocked; if the URL passes the scan, then it is rewritten to point to FortiIsolator, and the user will browse through FortiIsolator.
  • isolator: Redirect the user to FortiIsolator so that the user will be browsing indirectly, protected through FortiIsolator.
  • neutralize: Modify the URL to make it inactive when clicked, but still easy to determine what the original URL was. For example, a link to:

    https://www.example.com

    is changed to:

    hxxps:\\www[.]example[.]com

  • remove-url: Remove the URL.

This setting applies only if check-text-content is selected in scan-options {block-fragmented-email block-password-protected-office bypass-on-smtp-auth check-archive-content check-embedded-content check-html-content check-max-num-of-attachment check-text-content policy-match}.

click-protection
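The neutralize and remove actions of html-content-url-action and text-content-action, together with the tag-attribute / tag-content split of html-content-url-selection, as an added example that is not FortiMail's own code. It defangs URLs into the form the page shows (https://www.example.com to hxxps:\\www[.]example[.]com) in a plain text body, and in an HTML body either inside URL-bearing tag attributes, inside tag text, or both. The attribute set (href, src, action), the decision to bracket dots only in the host part, and the handling of trailing sentence punctuation are assumptions; the sample messages are constructed. The click-protection and isolator actions are not modelled because they depend on the FortiMail and FortiIsolator endpoints.

```python
import re

# Matches http(s) URLs in a text run; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r'\bhttps?://[^\s<>"\']+', re.IGNORECASE)
# Splits HTML into tag segments (starting with "<") and text segments.
TAG_SPLIT_RE = re.compile(r'(<[^>]*>)')
# URL-bearing attributes inside a tag (attribute set is an assumption).
ATTR_RE = re.compile(r'(\b(?:href|src|action)\s*=\s*)(["\'])(.*?)\2',
                     re.IGNORECASE | re.DOTALL)
TRAILING_PUNCT = ".,;:!?)"

# Constructed sample messages (not real mail).
SAMPLE_TEXT = "Your invoice is ready at https://www.example.com/invoice.pdf. Thanks!"
SAMPLE_HTML = '<p>Open <a href="https://www.example.com/">https://www.example.com</a> now.</p>'


def neutralize_url(url: str) -> str:
    """Defang one URL: https://www.example.com -> hxxps:\\www[.]example[.]com.
    Only the host gets bracketed dots (assumption: the page shows a bare host)."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    host, slash, path = rest.partition("/")
    return (scheme.lower().replace("http", "hxxp", 1) + ":\\\\"
            + host.replace(".", "[.]") + slash + path)


def _rewrite_urls(text: str, action: str) -> str:
    """Apply neutralize (defang) or remove (delete) to every URL in a text run."""
    def sub(match):
        url = match.group(0)
        trail = ""
        while url and url[-1] in TRAILING_PUNCT:   # keep sentence punctuation intact
            trail = url[-1] + trail
            url = url[:-1]
        return (neutralize_url(url) if action == "neutralize" else "") + trail
    return URL_RE.sub(sub, text)


def text_content_action(body: str, action: str = "neutralize") -> str:
    """text-content-action on a plain text body: neutralize or remove-url."""
    if action not in ("neutralize", "remove-url"):
        raise ValueError("only neutralize and remove-url are modelled here")
    return _rewrite_urls(body, "neutralize" if action == "neutralize" else "remove")


def html_content_url_action(html: str, action: str = "neutralize",
                            selection=("tag-attribute", "tag-content")) -> str:
    """html-content-url-action (neutralize | remove) limited to the places named
    in html-content-url-selection: tag attributes, tag text contents, or both."""
    if action not in ("neutralize", "remove"):
        raise ValueError("only neutralize and remove are modelled here")
    out = []
    for seg in TAG_SPLIT_RE.split(html):
        if seg.startswith("<"):
            if "tag-attribute" in selection:
                seg = ATTR_RE.sub(
                    lambda m: m.group(1) + m.group(2) + _rewrite_urls(m.group(3), action) + m.group(2),
                    seg)
        elif "tag-content" in selection:
            seg = _rewrite_urls(seg, action)
        out.append(seg)
    return "".join(out)


if __name__ == "__main__":
    print(text_content_action(SAMPLE_TEXT))
    print(html_content_url_action(SAMPLE_HTML))
    print(html_content_url_action(SAMPLE_HTML, selection=("tag-attribute",)))
```

Running the block with the tag-attribute selection alone shows why both selections are normally enabled: the href is neutralized, but the visible link text still carries a live-looking URL that a user could copy into a browser. With remove on HTML, the attribute value is emptied rather than the whole tag deleted, which is a simplification of the "remove the URL or script" behaviour the page describes.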

Related topics

antispam image-analysis

file content-disarm-reconstruct

file decryption password

profile content-action

system fortiguard url-protection