Fortinet black logo

Administration Guide

Home FortiMail 7.4.2 Administration Guide

Configuring scanning policies

7.4.2
7.4.2
7.4.1
7.4.0
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.7
6.2.0
6.0.6
6.0.4
6.0.3
6.0.1
6.0.0
5.4.10
5.4.8
5.4.5
5.4.4
5.4.3
5.4.0
Copy Link
Copy Doc ID 17589ac2-bedf-11ee-8673-fa163e15d75b:286969
Download PDF

Configuring scanning policies

After you connect to Microsoft 365 or Google Workspace and create profiles, you can scan certain email according to the criteria you specify. These can be real-time scans, or on-demand scheduled scans and searches.

Enabling and configuring real-time scanning

Real-time scanning allows you to apply security profiles and their actions to only those emails that match certain criteria specified in a real-time scan policy. These criteria are based on source, sender, and recipient information.

Before you can configure real-time scan policies, you must first enable the feature, and define the base URL for the FortiMail unit to receive notifications from Microsoft 365 or Google Workspace.

  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Real-time Scan > Setting.
  3. Select Enable.
  4. Verify the Base URL to receive notification field, which is based on the local host and domain name of the FortiMail unit. To define this URL:
    1. Go to View > Advanced View.
    2. Go to System > Mail Setting > Mail Server Settings.
    3. Under Local Host, enter the Host name and Local domain name of the FortiMail unit, and click Apply.

      4. This displays the FortiMail unit’s fully qualified domain name (FQDN) in the format:

  5. Select an appropriate Service endpoint from the dropdown menu, depending on your geographic location.
  6. Determine whether you want to Log all email, or only those emails that match a policy.
To configure real-time scan policy:
  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Real-time Scan > Policy.
  3. Click New and configure the following:

    4. GUI item

    Description

    Enable

    Enter a descriptive name.

    Account

    Select a Microsoft 365 or Google Workspace account.
    Source Select either IP/Netmask, IP Group, or GeoIP Group, and enter the appropriate source information.
    Sender Define the sender type, entering the type's settings as required.

    Recipient

    Define the recipient type, entering the type's settings as required.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.
  4. Click Create.

For full configuration and procedural details, see the Cookbook recipe Real-time scanning of Microsoft 365 email in FortiMail.

Hide email on arrival (Microsoft 365 only)

With real-time scanning, there is still a small risk that users may open dangerous emails in Microsoft 365 before the FortiMail unit can finish scanning the email, especially if the email contains large attachments. To mitigate this risk, you can enable a feature that automatically moves email to a hidden folder on arrival for it to be subjected to real-time scanning. After the email is scanned and deemed safe, it is then removed from the hidden folder and put into the user's mailbox.

Note

This feature (disabled by default) can only be enabled using the CLI Console.

To enable this feature, open the CLI Console and enter the following:

config cloud-api setting

set hide-email-on-arrival enable

end

Release system quarantine email (Microsoft 365 only)

You can enable a feature that automatically stores FortiMail system quarantined email, both original and modified copies, in Microsoft 365. All the tenant, user, and message GUIDs are stored in the FortiMail system quarantine. After the email is scanned and deemed safe, it is then released and redelivered to the user.

Note

This feature (enabled by default) can only be enabled using the CLI Console.

To enable this feature, open the CLI Console and enter the following:

config cloud-api setting

set system-quarantine-release-original enable

end

Configuring scheduled scan

To scan email on demand for Microsoft 365 or Google Workspace:

  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Scheduled Scan & Search > Scan.
  3. Click New and configure the following:

    4. GUI item

    Description

    Description

    Enter a descriptive name.
    Account Select to scan All accounts, or specify specific accounts to scan.
    Mailbox Select to scan All mailboxes, or specify specific mailboxes to scan.

    Schedule

    Specify a scheduled time and email start and end time range.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.

    Condition

    Specify the search criteria.
  4. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  5. The scanning status of all the scan tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  6. After the scan process is done, you can double click on the scan task to view the details.

In addition to automatic scanning, you can also search for specific email on Microsoft 365 or Google Workspace and manual apply actions.

Configuring scheduled search

To search for email and take manual actions:

  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Scheduled Scan & Search > Search.
  3. Click New and configure the following:

    4. GUI item

    Description

    Description

    Enter a descriptive name.
    Account Select to search All accounts, or specify specific accounts to search.
    Mailbox Select to search All mailboxes, or specify specific mailboxes to search.

    Schedule

    Specify a scheduled time and email start and end time range.

    Search Action

    Select an action profile to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profile.

    Condition

    Specify the search criteria.
  4. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  5. The search status of all the search tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  6. After the search process is done, you can double click on the search task to view the details.
  7. To take any action towards a specific email (if the search task has not already applied an action), from the search result list, select the email and select the action from the Apply Action dropdown list. For action definitions, see Configuring action profiles.
Previous
Next

Configuring scanning policies

After you connect to Microsoft 365 or Google Workspace and create profiles, you can scan certain email according to the criteria you specify. These can be real-time scans, or on-demand scheduled scans and searches.

Enabling and configuring real-time scanning

Real-time scanning allows you to apply security profiles and their actions to only those emails that match certain criteria specified in a real-time scan policy. These criteria are based on source, sender, and recipient information.

Before you can configure real-time scan policies, you must first enable the feature, and define the base URL for the FortiMail unit to receive notifications from Microsoft 365 or Google Workspace.

  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Real-time Scan > Setting.
  3. Select Enable.
  4. Verify the Base URL to receive notification field, which is based on the local host and domain name of the FortiMail unit. To define this URL:
    1. Go to View > Advanced View.
    2. Go to System > Mail Setting > Mail Server Settings.
    3. Under Local Host, enter the Host name and Local domain name of the FortiMail unit, and click Apply.

      4. This displays the FortiMail unit’s fully qualified domain name (FQDN) in the format:

  5. Select an appropriate Service endpoint from the dropdown menu, depending on your geographic location.
  6. Determine whether you want to Log all email, or only those emails that match a policy.
To configure real-time scan policy:
  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Real-time Scan > Policy.
  3. Click New and configure the following:

    4. GUI item

    Description

    Enable

    Enter a descriptive name.

    Account

    Select a Microsoft 365 or Google Workspace account.
    Source Select either IP/Netmask, IP Group, or GeoIP Group, and enter the appropriate source information.
    Sender Define the sender type, entering the type's settings as required.

    Recipient

    Define the recipient type, entering the type's settings as required.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.
  4. Click Create.

For full configuration and procedural details, see the Cookbook recipe Real-time scanning of Microsoft 365 email in FortiMail.

Hide email on arrival (Microsoft 365 only)

With real-time scanning, there is still a small risk that users may open dangerous emails in Microsoft 365 before the FortiMail unit can finish scanning the email, especially if the email contains large attachments. To mitigate this risk, you can enable a feature that automatically moves email to a hidden folder on arrival for it to be subjected to real-time scanning. After the email is scanned and deemed safe, it is then removed from the hidden folder and put into the user's mailbox.

Note

This feature (disabled by default) can only be enabled using the CLI Console.

To enable this feature, open the CLI Console and enter the following:

config cloud-api setting

set hide-email-on-arrival enable

end

Release system quarantine email (Microsoft 365 only)

You can enable a feature that automatically stores FortiMail system quarantined email, both original and modified copies, in Microsoft 365. All the tenant, user, and message GUIDs are stored in the FortiMail system quarantine. After the email is scanned and deemed safe, it is then released and redelivered to the user.

Note

This feature (enabled by default) can only be enabled using the CLI Console.

To enable this feature, open the CLI Console and enter the following:

config cloud-api setting

set system-quarantine-release-original enable

end

Configuring scheduled scan

To scan email on demand for Microsoft 365 or Google Workspace:

  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Scheduled Scan & Search > Scan.
  3. Click New and configure the following:

    4. GUI item

    Description

    Description

    Enter a descriptive name.
    Account Select to scan All accounts, or specify specific accounts to scan.
    Mailbox Select to scan All mailboxes, or specify specific mailboxes to scan.

    Schedule

    Specify a scheduled time and email start and end time range.

    Profiles

    Select profile(s) to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profiles.

    Condition

    Specify the search criteria.
  4. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  5. The scanning status of all the scan tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  6. After the scan process is done, you can double click on the scan task to view the details.

In addition to automatic scanning, you can also search for specific email on Microsoft 365 or Google Workspace and manual apply actions.

Configuring scheduled search

To search for email and take manual actions:

  1. Go to View > Microsoft 365 & Google Workspace.
  2. Go to Policy > Scheduled Scan & Search > Search.
  3. Click New and configure the following:

    4. GUI item

    Description

    Description

    Enter a descriptive name.
    Account Select to search All accounts, or specify specific accounts to search.
    Mailbox Select to search All mailboxes, or specify specific mailboxes to search.

    Schedule

    Specify a scheduled time and email start and end time range.

    Search Action

    Select an action profile to be applied for emails meeting the search criteria. Actions will be taken against the infected email with the actions you specified in the profile.

    Condition

    Specify the search criteria.
  4. If Schedule is set to Now, click Scan. If Schedule is set to Later, Daily, or Weekly, click OK.
  5. The search status of all the search tasks will be displayed: either Running, Done, Scheduled, or Stopped.
  6. After the search process is done, you can double click on the search task to view the details.
  7. To take any action towards a specific email (if the search task has not already applied an action), from the search result list, select the email and select the action from the Apply Action dropdown list. For action definitions, see Configuring action profiles.
Previous
Next