Configuring system time, options, and other system options

The System > Configuration submenu lets you configure the system time, various global GUI settings (such as idle timeout), and SNMP access.

This topic includes:

• Configuring the time and date
• Configuring system options
• Configuring SNMP queries and traps
• Configuring REST API and other web service settings

Configuring the time and date

For many features to work, including scheduling, logging, encryption, and certificate validation, the FortiMail system time must be accurate.

Go to System > Configuration > Time to configure the system time and date of the FortiMail unit.

You can either manually set the FortiMail system time or configure the FortiMail unit to automatically keep its system time correct by synchronizing with Network Time Protocol (NTP) servers.

NTP is recommended to achieve better time accuracy. See also Appendix C: Port Numbers.

FortiMail units support daylight savings time (DST), including recent changes in the USA, Canada and Western Australia.

Configuring system options

The System > Configuration > Option tab lets you set the following global settings:

• system idle timeout
• LCD panel and button access restriction (for the models that have front LCD panel and control buttons)
• login disclaimer
• password enforcement policy
• administration port numbers on the interfaces

To configure the system options

1. Go to System > Configuration > Option.

2. Configure the following:

   GUI item		Description
   Idle timeout		Enter the amount of time that an administrator may be inactive before the FortiMail unit automatically logs out the administrator. For better security, use a low idle timeout value.
   LCD Panel (models with LCD panels)
   	PIN Protection	Enable to require administrators to enter the PIN before using the LCD display panel and control buttons on the FortiMail unit, then enter the 6-digit PIN number. This option appears only on FortiMail models whose hardware includes an LCD panel. For better security, always configure an LCD PIN. Otherwise, anyone with physical access can reconfigure the FortiMail unit.
   Login Disclaimer Setting
   	Login disclaimer	Enter text that you want to prompt the user to agree, such as an IT policy or legal disclaimer, then also configure when to display it: Display pre-login banner Display post-login banner
   	Reset To Default (button)	If you have customized the disclaimer text but want to use the default text, click this button.
   	Display pre-login banner	Enable to display the text in Login disclaimer before the login dialog.
   	Display post-login banner	Enable to display the text inLogin disclaimer after the login dialog, but before the GUI menu or CLI command prompt appears. Select which users receive the disclaimer: Admin — Administrators. Webmail — : Webmail and quarantine users. IBE — : Encrypted email users.
   Password Policy
   	Enforce password policy	Enable to require strong passwords, as configured in Minimum password length and Password must contain. If any password does not meet the requirements, FortiMail requires that user to change the password during the next login. Set a strong password policy, especially for administrator accounts. If you don't, unauthorized persons could log into FortiMail and compromise security. Short, simple, and easily-guessed passwords are a security risk. Password policy settings only apply to accounts that are local (defined on FortiMail). See also Authentication type.
   	Allow empty password	Enable to ignore Minimum password length and Password must contain and allow empty passwords. Empty passwords effectively disable authentication, and are a security risk.
   	Minimum password length	Enter the minimum number of characters that a password must contain. The default value is 8.
   	Password must contain	Select which types of characters are required to ensure password complexity: Uppercase letter Lowercase letter Number (0-9) Non alphanumeric character — Any character that is not a letter of the US-ASCII alphabet nor a number, such as: é ! ~ @ # %
   	Apply password policy to	Select which accounts to apply the password policy to: Administrators — Administrators. IBE users — Encrypted email users. Local mail users — : Webmail and quarantine users.
   Administration Ports		Enter the TCP/UDP port numbers for administrative access on the network interfaces. See also Appendix C: Port Numbers.

See also

Customizing the GUI appearance

Configuring the network interfaces

Configuring SNMP queries and traps

You can configure the FortiMail appliance's simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to an SNMP manager. In this way you can use an SNMP manager to monitor the FortiMail appliance.

Monitoring can include system events and thresholds, such as high availability (HA) cluster failover messages. On models which have monitored power supplies and RAID controllers, more event types are available. When a monitored power supply or a RAID controller is removed or added, the FortiMail unit will send configured notification for those events by log messages, alert email messages, and/or SNMP traps.

The FortiMail SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiMail system information and can receive FortiMail traps.

To configure SNMP traps and queries

1. On your SNMP manager:

   • Download the FortiMail management information blocks (MIBs) files from the Fortinet Support website. Load the Fortinet proprietary and standard MIBs into your SNMP manager. For instructions, see the documentation for your SNMP manager.

   • Get the name of the community that the SNMP manager belongs to. If you use SNMPv3, also get the names of SNMP users that should have access to information from FortiMail.

2. On FortiMail, for the network interface that connects to the SNMP manager, enable SNMP access. See Access.

3. Go System > Configuration > SNMP.

4. Expand the SNMP Threshold section.

5. Configure the following:

   GUI item		Description
   SNMP agent enable		Enable the SNMP service on the FortiMail unit.
   Description		Optional. Type a comment about the FortiMail appliance. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
   Location		Type the physical location of the FortiMail appliance, such as floor2. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
   Contact		Type contact information for the administrator or other person responsible for this FortiMail appliance. The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

6. Expand the SNMP Threshold section.

7. For each trap that occurs when a threshold is reached (CPU Usage Threshold etc.; see Configuring an SNMP community and Configuring SNMP users), configure the settings:

   GUI item	Description
   Trigger	Enter the acceptable limit for resource usage. For example, you may want to monitor that FortiMail CPU usage remains under 80%, except for temporary spikes. You configure Trigger to be 80%, Threshold to 3, Sample Freq (s) to 30 seconds, and Sample Period (s) to 600 seconds (10 minutes). If CPU usage exceeds 80% temporarily, but then decreases again before the next measurement and remains under the limit during the 10 minute period, then FortiMail does not send an SNMP trap. During another period, if the limit is exceeded 3 or more times, then FortiMail sends a trap. Multiple traps occur if the limit is exceeded more than 3 times.
   Threshold	Enter the number of times that Trigger must be equaled or exceeded in order to reach the trap threshold.
   Sample Period (s)	Enter the time period in seconds during which the FortiMail unit SNMP agent counts triggers. Note: Sample Period (s) must be greater than or equal to Sample Freq (s).
   Sample Freq (s)	Enter the interval in seconds between measurements of the limit. This is the maximum rate at which FortiMail sends traps.

8. Click Apply.

9. Add at least one SNMP manager ("host") that is allowed to query, and which hosts will receive traps. Depending on your SNMP version, you may also need to configure users. See Configuring an SNMP community and Configuring SNMP users.

Configuring an SNMP community

By default, FortiMail belongs to the community named public. Your FortiMail appliance must belong to at least one community. The FortiMail appliance will not respond to SNMP managers whose queries do not contain a matching community name. Similarly, traps from the FortiMail appliance will include community name, and an SNMP manager may not accept the trap if its community name does not match.

You can add up to 16 communities. Each community can be configured differently to receive different traps. Each community can have up to 8 SNMP managers.

To configure SNMPv1 or v2C access

1. Go to System > Configuration > SNMP.

2. Enable SNMP access. For details, see Configuring SNMP queries and traps.

3. Expand the Community section.

4. Either click New to add a community, or select a community and click Edit.

5. Configure the following:

   GUI item		Description
   Name		Type the name of the SNMP community to which at least one SNMP manager belongs. Caution: For better security, change the default community name, and only enable SNMP on trusted networks. The default community name public is a popular, well-known default. Attackers will often try this name first, and SNMP v2c and older does not support authentication nor encryption.
   Enable		Enable to send traps to and allow queries from this community’s SNMP managers.
   Community Hosts IP Address		Double-click the entry to edit it, or click Create to add an entry. Type the IP address and subnet mask of the SNMP managers in this community. Note: By default, there is one entry: 0.0.0.0/0. You must add the IP address of at least one specific SNMP manager. If there are no other host IP entries, queries from all IP addresses will be accepted, but traps are effectively disabled because there is no specific destination. Caution: For better security, change the default of 0.0.0.0/0, which includes all IP addresses. FortiMail sends security-sensitive traps, which should be sent only over a trusted network, and only to administrative devices.
   Queries		Enable the SNMP v1 and/or v2c versions that you want FortiMail to accept for queries. Then in Port, enter the listening port on the FortiMail unit. See also Appendix C: Port Numbers.
   Traps		Enable the SNMP v1 and/or v2c versions that you want FortiMail to use to send traps. Then in Local Port, enter the source port number from which FortiMail sends traps, and in Remote Port, enter the destination port number (listening port number) on the SNMP managers. See also Appendix C: Port Numbers.
   SNMP Event		Enable the types of SNMP traps that you want the FortiMail appliance to send to the SNMP managers in this community. For more information on supported traps and queries, see SNMP MIB fields. Event types include: System Event — FortiMail reboot, reload, upgrade, log disk formatting RAID Event — Local storage. HA Event Remote Storage Event Interface IPChanged Camera Event — Enabling cameras, disabling, communication failure, recording failure, IP address change, and camera reboot. Notification While most traps are sent each time an event occrs, the following events occur only when a threshold has been exceeded: CPU Usage Threshold Memory Usage Threshold Log Disk Usage Threshold Mailbox Disk Usage Threshold Video Disk Usage Threshold Deferred Queue Threshold Detected Virus Threshold Detected Spam Threshold To configure their thresholds, see Configuring SNMP queries and traps. Note: For events that don't have a configurable threshold, FortiMail examines the status at a regular interval. Therefore it may not always send a trap. For example, hardware status is examined every 60 seconds.Therefore if the power is off for a few seconds but returns before the next status check, no system event trap is sent.

6. Click OK.

7. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiMail appliance, test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiMail appliance. To test traps, cause one of the events that should trigger a trap.

Configuring SNMP users

Similar to SNMP v1 and v2C, SNMP v3 also requires that you define SNMP managers. However it provides some better security features.

If your SNMP manager supports SNMP v3, you can use authentication to specify which of its user accounts is permitted to access information about your FortiMail appliance. This provides more control over who can access potentially sensitive system information. You can add up to 16 SNMP users.

SNMP v3 also provides better security by supporting privacy (encryption in transit).

To configure SNMPv3 access

1. Go to System > Configuration > SNMP.

2. Enable SNMP access. For details, see Configuring SNMP queries and traps.

3. Expand the User section.

4. Under Users, click New to add a user or select a user and click Edit.

5. Configure the following:

   GUI item		Description
   User name		Enter the name of an SNMP user. This must match the name of the account as it is configured on your SNMP manager.
   Enable		Enable to send traps to and allow queries from the user’s SNMP managers.
   Security level		Select either: No authentication, no privacy — No encryption (privacy) and no authentication, similar to SNMP v1 and v2. Caution: For better security, do not use this option, except on management networks isolated from the rest of your network. Attackers could easily eavesdrop on sensitive system information and/or mimic a legitimate SNMP user. Authentication, no privacy — Authentication only. No encryption (privacy). Also configure Authentication protocol. Caution: For better security, do not use this option, except on management networks isolated from the rest of your network. Attackers could easily eavesdrop on sensitive system information. Authentication, privacy — Both encryption (secrecy) and authentication. Also configure Authentication protocol and Privacy protocol.
   Authentication protocol		Select the hash to use for authentication, either: SHA-1 MD5 Also configure a salt in Password. Both the protocol and password on the SNMP manager and FortiMail must match. This option appears only if Security level is either Authentication, no privacy or Authentication, privacy.
   Privacy protocol		Select the encryption algorithm, either: AES DES Also configure a salt in Password. Both the protocol and password on the SNMP manager and FortiMail must match. This option appears only if Security level is Authentication, privacy.

6. Similar to configuring the SNMP community, configure the other settings to specify the destination IP address for sending traps, allowed source IP addresses for receiving queries, and trap events. See Configuring an SNMP community.

7. Click OK.

8. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiMail appliance, test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiMail appliance. To test traps, cause one of the events that should trigger a trap.

FortiMail SNMP MIB files

FortiMail management information blocks (MIB) support most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II).

To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor.

MIB file name	Description
fortimail.mib	Displays the proprietary Fortinet MIB includes detailed FortiMail system configuration information. Your SNMP manager requires this information to monitor FortiMail configuration settings. For more information, see SNMP MIB fields.
fortimail.trap.mib	Displays the proprietary Fortinet trap MIB includes FortiMail trap information. Your SNMP manager requires this information to receive traps from the FortiMail SNMP agent. For more information, see SNMP traps.

See also

SNMP traps

SNMP MIB fields

SNMP traps

All traps sent by FortiMail include the trap message as well as the FortiMail unit serial number and host name.

Trap	Description
fmlTrapCpuHighThreshold	Trap sent if CPU usage becomes too high.
fmlTrapMemLowThreshold	Trap sent if memory usage becomes too high.
fmlTrapLogDiskHighThreshold	Trap sent if log disk usage becomes too high.
fmlTrapMailDiskHighThreshold	Trap sent if mailbox disk usage becomes too high.
fmlTrapMailDeferredQueueHighThreshold	Trap sent if the number of deferred email messages becomes too great.
fmlTrapAvThresholdEvent	Trap sent when the number of detected viruses reaches the threshold.
fmlTrapSpamThresholdEvent	Trap sent when the number of spam email messages reaches the threshold.
fmlTrapSystemEvent	Trap sent when system shuts down, reboots, upgrades, etc.
fmlTrapRAIDEvent	Trap sent for RAID operations.
fmlTrapHAEvent	Trap sent when an HA event occurs. This trap includes the contents of the fmlSysSerial, fmlHAEventId, fmlHAUnitIp, and fmlHAEventReason MIB fields.
fmlTrapArchiveEvent	Trap sent when remote archive event occurs.
fmlTrapIpChange	Trap sent when the IP address of the network interface has been changed.

See also

FortiMail SNMP MIB files

SNMP MIB fields

SNMP MIB fields

The tables below list the names of the query fields and describe the status information available for each OID in the MIB.

System options MIB field

MIB field	Description
fmlSysModel	FortiMail model number, such as 400 for the FortiMail-400.
fmlSysSerial	FortiMail unit serial number.
fmlSysVersion	The firmware version currently running on the FortiMail unit.
fmlSysVersionAv	The antivirus definition version installed on the FortiMail unit.
fmlSysOpMode	The operation mode (gateway, transparent, or server) of the FortiMail unit.
fmlSysCpuUsage	The current CPU usage (%).
fmlSysMemUsage	The current memory utilization (%).
fmlSysLogDiskUsage	The log disk usage (%).
fmlSysMailDiskUsage	The mail disk usage (%).
fmlSysSesCount	The current IP session count.
fmlSysEventCode	System component events.
fmlRAIDCode	RAID system events.
fmlRAIDDevName	RAID device name.
fmlHAEventId	The ID of the most recent HA event. See also Using high availability (HA).
fmlHAUnitIp	The IP address of the port1 network interface on the FortiMail unit where the HA event occured.
fmlHAEffectiveMode	The effective role (applies to active-passive HA only), either as the primary unit or as the secondary unit. The effective role matches the configured mode of operation unless a failover has occurred.
fmlHAEventReason	The reason for the HA event.
fmlArchiveServerIp	IP address of the remote archive server.
fmlArchiveFilename	Archive mail file name.

System options MIB field

MIB field	Description
fmlSysOptIdleTimeout	Idle period after which the administrator is automatically logged out off the system.
fmlSysOptAuthTimeout	Authentication idle timeout value.
fmlSysOptsLan	Web administration language.
fmlSysOptsLcdProt	Whether LCD control buttons protection is enabled or disabled.

System session MIB fields

MIB field	Description
fmlIpSessTable	FortiMail IP sessions table.
fmlIpSessEntry	Particular IP session information.
fmlIpSessIndex	An index value that uniquely identifies an IP session.
fmlIpSessProto	The protocol of the connection.
fmlIpSessFromAddr	The session source IP address,
fmlIpSessFromPort	The session source port number.
fmlIpSessToAddr	The session destination IP address.
fmlIpSessToPort	The session destination port number. See also Appendix C: Port Numbers.
fmlIpSessExp	Time (in seconds) until the session expires.

Mail options MIB fields

MIB field	Description
fmlMailOptionsDeferQueue	The current number of deferred email messages.

Configuring REST API and other web service settings

You can enable the REST API. You can also configure rate limiting for HTTPS requests to the FortiMail unit, including REST API requests.

1. Go to System > Configuration > Web Service.

2. Configure the following and click Apply:

   GUI item		Description
   Redirect HTTP to HTTPS		Enable to redirect HTTP web access to HTTPS.
   Redirect to host		Enter the hostname of the FortiMail unit.
   REST API		Enable REST API requests.
   Rate Control		Expand Rate Control to define the maximum concurrent requests, maximum active sessions, and maximum request rate per second for the administrative GUI, webmail, Microsoft 365, and REST API access. Note that the ranges vary depending on FortiMail model: VM08 supports a maximum of 400. VM16 and higher supports a maximum of 500.
   Repeat Offender Control		Enable to block the IP addresses that keep sending bad HTTP requests to FortiMail and causing FortiMail to return HTTP 404 or 405 errors. Offending request count: Specify the number limit of bad requests within a specified period of time that will trigger offender IP blocking. The valid range is 1 to 50, and the default value is 3. Additionally, click Exempt IP to add those IP addresses you wish to exempt from the repeat offender block. Time period (minutes): Specify the period of time (in minutes) to count the bad requests. The valid range is 1 to 120, and the default value is 5. Use the default value as an example: if within a 5-minute interval, the bad requests from an IP address reach 3, the IP address will be blocked for the remaining of the 5-minutes interval. After the interval expires, the counter will restart for the next interval.