
Administration Guide

System utility


Go to System > Utility to use various system utilities.

FortiGuard query

Go to System > Utility > FortiGuard Query if you need to manually query the FortiGuard Antispam service by entering an IP address, URL, or a hash value of an email message. See also Configuring FortiGuard Antispam service.

Traffic capture

When troubleshooting networks, it helps to look inside the contents of the packets. This helps to determine if the packets, route, and destination are all what you expect. Traffic capture can also be called packet sniffing, a network tap, or logic analyzing.

Packet sniffing tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:

  • finding missing traffic
  • seeing if sessions are setting up properly
  • locating ARP problems such as broadcast storm sources and causes
  • confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
  • confirming routing is working as you expect
  • investigating intermittent missing PING packets.

If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, which port the traffic uses to enter and exit the FortiRecorder unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet sniffing to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.

Before you start sniffing packets, you need to have a good idea of what you are looking for. Sniffing is used to confirm or deny your ideas about what is happening on the network. If you try sniffing without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to sniff enough packets to really understand all of the patterns and behavior that you are looking for.

To capture the traffic
  1. Go to System > Utility > Traffic Capture.
  2. Click New.
  3. Enter a description for the file generated from the captured traffic.
  4. Enter the time period for performing the packet capture.
  5. Specify which interface you want to capture.
  6. If you want to limit the scope of traffic capture, in the IP/HOST field, enter a maximum of 3 IP addresses or host names for which you want to capture.
  7. Select the filter for the traffic capture:
    • Use protocol: Only UDP or TCP traffic on the specified port number will be captured.
    • Capture all: All network traffic will be captured.
  8. For Exclusion, enter the IP addresses/host names and port numbers that you do not want to capture.
  9. Click Create.

Regular expression validator

Go to System > Utility > Regex Validator to validate and test regular expressions and string text. See also Syntax.

Message file converter

Go to System > Utility > Msg Converter to convert .msg files to .eml files. Since .msg is only used by Microsoft Outlook, you can use the converter to allow other email programs to work with the .msg file content, once converted to the more universal .eml format.

To evade email attachment inspection, a sender may use the Outlook .msg file format to hide malicious links, since FortiMail couldn't scan the content of email attachments in .msg format.
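To find which messages carry such attachments, the following added example (not FortiMail code or part of the original guide) walks a MIME message and flags parts that look like Outlook .msg files by extension, content type, or the OLE2 compound-file header that .msg files start with. The sample message, its file names, and the function names are constructed for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Header of the Compound File Binary (OLE2) container used by Outlook .msg files.
# Legacy .doc/.xls files share it, so a magic-only hit needs a closer look.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def find_msg_attachments(raw_eml):
    """Return (filename, reasons) for every part that looks like a .msg file."""
    message = BytesParser(policy=policy.default).parsebytes(raw_eml)
    hits = []
    for part in message.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(".msg"):
            reasons.append("extension")
        if part.get_content_type() == "application/vnd.ms-outlook":
            reasons.append("content-type")
        if payload.startswith(OLE2_MAGIC):
            reasons.append("ole2-magic")
        if reasons:
            hits.append((name, reasons))
    return hits


def build_sample():
    """Constructed test message: one labelled .msg, one renamed OLE2 file, one text file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.org", "Invoice"
    m.set_content("See attached.")
    fake_ole = OLE2_MAGIC + b"\x00" * 16  # header only, not a real .msg
    m.add_attachment(fake_ole, maintype="application", subtype="vnd.ms-outlook",
                     filename="invoice.msg")
    m.add_attachment(fake_ole, maintype="application", subtype="octet-stream",
                     filename="notes.bin")
    m.add_attachment("plain text", filename="readme.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for filename, why in find_msg_attachments(build_sample()):
        print(filename, why)
```
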

On-demand DMARC reports

If DMARC checks and DMARC reports are enabled (see DMARC section and DMARC Report Generation), then FortiMail automatically sends DMARC reports periodically.

If you have the feature license for it (see DMARC report analysis), then you can also manually trigger FortiMail to generate the report at any time. Additional report settings are also available.

To send a DMARC report

  1. Go to System > Utility > DMARC.

  2. Configure the following settings:

    GUI item

    Description

    Date

    Select a date from within the previous month.

    This filters the report so that it only shows email that FortiMail processed on this date. After 30 days, DMARC data expires and is not available for reports anymore.

    Policy domain

    Select a sender domain name that matched a policy where DMARC was applied.

    This filters the report so that it only shows email from this sender domain. Available options vary by your selection in Date.

    Report from domain

    Select the domain name that the FortiMail unit will use as its sender email address (From:) when it sends the DMARC report email.

    Available options vary by your selection in Date and Policy domain. (In the original email that had a DMARC check, the sender tried to send email to one or more protected domains. Available options are one of those recipient protected domains.)

    Report from address

    Optional. Enter the local part (username) that the FortiMail unit will use as its sender email address (From:) when it sends the DMARC report email.

    Default is noreply. Change it if, for example, an administrator wants replies about this DMARC report.

    For the equivalent setting in DMARC reports that are sent automatically, see Sender address local part or From address local part.

    Report to address

    Select which recipient email address to send the DMARC report to, either:

    • RUA Address: FortiMail automatically queries the DNS server about the sender domain in Policy domain to determine that domain's authorized DMARC report recipient.

      Note: If a sender does not have a valid DMARC RUA/RUF configured in the domain's DNS TXT record, then FortiMail cannot send the report because there is no report recipient email address.

    • Other Address — Manually configure another DMARC report recipient in Email address.

      Tip: This option can be useful if, for example, the sender domain's DMARC record is misconfigured, and you want to send a report to show them how many emails were rejected due to failed DMARC checks.

    Email address

    Enter the recipient email address where FortiMail will send the DMARC report.

    This setting applies only if Report to address is Other Address.

  3. Click Send Report.

    This button is not available until you have configured all required settings.
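To check in advance whether the RUA Address option can resolve a recipient for a policy domain, the following added example (not FortiMail code or part of the original guide) parses a DMARC TXT record and extracts the usable `mailto:` report addresses. The sample records, domain names, and function names are constructed; the mailbox check is deliberately simple.

```python
import re

# Optional "!<size>" limit that RFC 7489 allows after a report URI, e.g. "!10m".
SIZE_SUFFIX = re.compile(r"![0-9]+[kmgt]?$", re.IGNORECASE)
# Simple mailbox check for this example; not a full RFC 5322 parser.
MAILBOX = re.compile(r"^[^@\s,;!]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for index, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if index == 0 and (name, value) != ("v", "DMARC1"):
            return None  # the version tag must come first
        if sep:
            tags.setdefault(name, value)
    return tags or None


def report_recipients(txt, tag="rua"):
    """List the mailto: addresses in the rua (or ruf) tag; [] if none are usable."""
    tags = parse_dmarc(txt)
    if tags is None:
        return []
    found = []
    for uri in tags.get(tag, "").split(","):
        uri = SIZE_SUFFIX.sub("", uri.strip())
        scheme, _, address = uri.partition(":")
        if scheme.lower() == "mailto" and MAILBOX.match(address):
            found.append(address)
    return found


# Constructed TXT values, as they would be published at _dmarc.<policy domain>.
SAMPLES = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example!10m, mailto:agg@reports.example",
    "norua.example": "v=DMARC1; p=none",
    "typo.example": "v=DMARC1; p=quarantine; rua=dmarc@typo.example",  # missing mailto:
    "order.example": "p=reject; v=DMARC1; rua=mailto:x@order.example",  # v= not first
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        rcpts = report_recipients(txt)
        print(domain, "->", rcpts or "no usable RUA: use Other Address")
```
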

Trace log

If Fortinet Technical Support requests a trace log for system analysis purposes, you can download one using the GUI.

Trace logs are compressed into an archive (.gz), and contain information that is supplementary to debug-level log files.

To download a trace file

  1. Go to System > Utility > Trace Log.

  2. At the bottom of the tab, click Download Trace Log.
