Administration Guide

Configuring content profiles and content action profiles

The Content sub-menu lets you configure content profiles for incoming and outgoing content-based scanning. The available options vary depending on the chosen directionality.

This topic includes:

Configuring content profiles

The Content tab lets you create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

You can use content profiles to apply content-based encryption to email, or to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. You can apply content profiles to email that you want to protect and email that you want to prevent.

To view and configure content profiles

  1. Go to Profile > Content > Content.

    GUI item

    Description

    Clone

    (button)

    Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain Name

    (column)

    Displays either System or the name of a protected domain.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  2. Either click New to add a profile or double-click a profile to modify it.
  3. For a new profile, from the Domain dropdown, select either System to see profiles that apply to the entire FortiMail unit, or select the name of a protected domain.
  4. For a new profile, enter its name. The profile name is editable later.
  5. In Action, select a content action profile to use. For details, see Configuring content action profiles.
  6. Configure the following sections:

  7. Click Create or OK to save the content profile.

Configuring attachment scan rules

The attachment scan rules define what actions will be taken if the specified file types are found in email attachments.

Before you can configure the scan rule, you must configure the file filters. See Configuring file filters.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the Attachment Scan Rules section.
  4. Click New to add a rule:

    GUI item

    Description

    Enabled

    Select to enable the rule.

    File filter

    Select the file filter. See Configuring file filters.

    Operator

    Select Is or Is Not. If Is is selected, the action below is taken when the file filter matches. If Is Not is selected, the action below is not taken for matching files. You can use the Is Not option to safelist some attachment types. For example, if you want to reject all file types except PDF files, you can specify that PDF Is Not Reject.

    Action

    Specify the action, or click New to create a new action profile.

Configuring scan options

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand Scan Options and configure the following:

    GUI item

    Description

    Bypass scan on SMTP authentication

    Enable to omit content profile scanning if the SMTP session is authenticated.

    Detect fragmented email

    Enable to detect and block fragmented email. Some mail user agents, such as Microsoft Outlook, can fragment big emails into multiple sub-messages. Fragmentation can be used to bypass oversize limits and scanning.

    Detect password protected Office/PDF document

    Enable to apply the block action configured in the content action profile if an attached Microsoft Office, OpenOffice, or PDF document is password-protected, and therefore cannot be decompressed in order to scan its contents.

    Attempt to decrypt Office/PDF document

    Enable to decrypt Microsoft Office, OpenOffice, or PDF attachments using the predefined or user-defined passwords. For details, see Configuring file passwords.

    Detect embedded component

    Specify which option(s) to use when scanning documents with embedded files, such as Microsoft Office, Microsoft Visio, OpenOffice.org, and PDF documents.

    Similar to an archive, documents can sometimes contain video, graphics, sounds, and other files that are used by the document. By wrapping files within a document instead of linking to the file on a separate, external location, a document becomes more portable. However, it also means that documents with other files embedded can be used to hide infected files.

    Policy match

    Enable to defer mail delivery from specific senders configured in the policy. By sending low-priority, bandwidth-consuming email such as newsletter digest or marketing campaigns at scheduled times, you can conserve bandwidth at peak time so that high priority email can be sent more quickly.

    For information on policy, see How to use policies.

    For information on scheduling deferred delivery, see Configuring mail server settings.

    Maximum number of attachment

    Enter how many attachments are allowed in one email message. The valid range is from 1 to 100.

    Maximum size

    Enter the maximum size threshold in kilobytes for email or attachments.

    Adult image analysis

    If you have purchased the adult image scan license, you can enable this option to scan for adult images.

    You can also configure the scan sensitivity and image sizes. Go to System > FortiGuard > Adult Image Analysis. For details, see Configuring adult image analysis.

Configuring content disarm and reconstruction (CDR)

Configure these settings to sanitize email that contains hyperlinks and scripts, including in attachments, in order to reduce risk of spam, malware, and tracking. For more information about CDR, see Configuring content disarming and reconstruction.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Expand Content Disarm and Reconstruction and configure the following:

    GUI item

    Description

    Action

    Select an action. See Configuring content action profiles.

    HTML content

    Enable to detect risky hypertext markup language (HTML) tags in an HTML email body, and then select how FortiMail will sanitize the email:

    • Convert to text: Convert the HTML email to plain text.
    • Modify content: Modify the HTML content, using the following settings:

      • Active content: Select to either Keep or Remove active content such as JavaScript.
      • URL: Select whether to:

        • Keep: Keep the URL or script. Do not remove or modify it.
        • Remove: Remove the URL or script.
        • Redirect to FortiIsolator: Redirect the user to FortiIsolator so that the user will be browsing indirectly, protected through FortiIsolator. To view the settings for URL click protection and FortiIsolator, click View settings.
        • Redirect to Click Protection: Rewrite the URL. If the user clicks on the URL, scan the URL and then perform click protection action configured in Configuring CDR URL click protection and removal options.
        • Redirect to Click Protection + FortiIsolator: Rewrite the URL and if the user clicks on it, redirect the URL to FortiMail for scanning. If the URL is malicious, it will be blocked; if the URL passes the scan, then it is rewritten to point to FortiIsolator, and the user will browse through FortiIsolator.
        • Neutralize: Modify the URL to make it inactive when clicked, but still easy to determine what the original URL was. For example, a link to:

          https://www.example.com

          is changed to:

          hxxps:\\www[.]example[.]com

        Then in Apply to, select whether CDR modifications should apply to either Tag attribute (for example, the href attribute in hyperlinks such as <a href="https://example.com">), Tag text content, or both.

    FortiMail will also add:

    X-FEAS-ATTACHMENT-FILTER: Contains HTML tags.

    to the message headers.

    Text content

    Enable to detect risky URLs in a plain text email body, and then in URL, select how FortiMail will sanitize the email (the options are similar to URL for HTML email).

    MS Office

    Enable to disarm and reconstruct Microsoft Office attachments. This also applies to Office files compressed in a ZIP archive (nested compression is not supported).

    PDF

    Enable to disarm and reconstruct PDF attachments. This also applies to PDF files compressed in a ZIP archive (nested compression is not supported).
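As an added illustration of the Neutralize option and the Apply to choice (this is not FortiMail's code; the function names are my own and the rewrite format follows the example above), the following Python rewrites URLs in that format and applies it to href attributes, to visible text, or to both:

```python
import re

# URL with an http(s) scheme; the class stops at whitespace, angle brackets
# and quotes so a match never runs into surrounding markup.
URL_RE = re.compile(r'(?i)\b(https?)://([^\s<>"\']+)')
# Double-quoted href attribute inside a tag (enough for the sample here).
HREF_RE = re.compile(r'(?i)(\bhref\s*=\s*")([^"]*)(")')
# Splits markup into alternating text and tag chunks and keeps the tags.
TAG_SPLIT_RE = re.compile(r'(<[^>]+>)')
TRAILING_PUNCT = ".,;:!?)"


def neutralize_url(url: str) -> str:
    # Rewrite one URL the way the Neutralize option shows it:
    #   https://www.example.com  ->  hxxps:\\www[.]example[.]com
    # scheme defanged, "://" becomes ":\\", every dot becomes "[.]".
    # Anything that is not an http(s) URL (mailto:, relative path) is left alone.
    m = URL_RE.fullmatch(url.strip())
    if not m:
        return url
    scheme, rest = m.group(1).lower(), m.group(2)
    return "hxxp" + scheme[4:] + ":\\\\" + rest.replace(".", "[.]")


def _neutralize_text_match(m) -> str:
    # Sentence punctuation glued to a URL in running text stays outside the rewrite.
    url, trail = m.group(0), ""
    while url and url[-1] in TRAILING_PUNCT:
        url, trail = url[:-1], url[-1] + trail
    return neutralize_url(url) + trail


def neutralize_html(html: str, apply_to=("attribute", "text")) -> str:
    # apply_to mirrors the Apply to choice: "attribute" rewrites href values inside
    # tags (Tag attribute), "text" rewrites URLs in visible text (Tag text content).
    out = []
    for chunk in TAG_SPLIT_RE.split(html):
        if chunk.startswith("<"):
            if "attribute" in apply_to:
                chunk = HREF_RE.sub(
                    lambda m: m.group(1) + neutralize_url(m.group(2)) + m.group(3), chunk)
        elif "text" in apply_to:
            chunk = URL_RE.sub(_neutralize_text_match, chunk)
        out.append(chunk)
    return "".join(out)


def neutralize_plain_text(body: str) -> str:
    # The Text content setting: the same rewrite over a plain-text body.
    return URL_RE.sub(_neutralize_text_match, body)


if __name__ == "__main__":
    # Constructed sample HTML body, not a captured message.
    sample = '<p>Invoice: <a href="https://www.example.com/inv">https://www.example.com/inv</a>.</p>'
    print(neutralize_html(sample, apply_to=("attribute",)))   # only the href is defanged
    print(neutralize_html(sample))                            # href and visible text
    print(neutralize_plain_text("See https://www.example.com."))
```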

Configuring archive handling

For email with archive attachments, you can decide what to do with them. Currently, FortiMail supports ZIP, PKZIP, GZIP, BZIP, TAR, RAR, JAR, CAB, 7Z, and EGG for content inspection.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Expand Archive Handling and configure the following:

    GUI Item

    Description

    Check archive content

    Enable to inspect archive attachments and determine which action to perform, by:

    • blocking password-protected archives if you have selected Detect Password Protected Archive
    • blocking archives that could not be successfully decompressed if you have selected Detect on Failure to Decompress
    • passing or blocking by comparing the depth of nested archives with the nesting depth threshold configured in Max Level of Compression

    By default, archives with fewer than 10 levels of compression are blocked if they cannot be successfully decompressed or are password-protected.

    Depending on the nesting depth threshold and the attachment’s depth of nested archives, the FortiMail unit may also consider the file types of files within the archive when determining which action to perform. For details, see the section below.

    If disabled, the FortiMail unit will perform the Block/Pass action solely based upon whether an email contains an archive. It will disregard the depth of nesting, password protection, successful decompression, and the file types of contents within the archive.

    Detect archive bomb and decompression failure

    Enable to apply the block action configured in the content action profile if an attached archive cannot be successfully decompressed, such as if the compression algorithm is unknown, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check archive content is enabled.

    Detect password protected archive

    Enable to apply the block action configured in the content action profile if an attached archive is password-protected, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check archive content is enabled.

    Attempt to decrypt archive

    Enable to decrypt and scan the archives, using the passwords configured in Configuring password decryption options. If it fails, the email will be passed.

    This option is available only if Check archive content is enabled.

    Max level of compression

    Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit uses one of the following methods to determine if it should block or pass the email.

    • Max Level of Compression is 0, or attachment’s depth of nesting equals or is less than Max Level of Compression: If the attachment contains a file that matches one of the other file types, perform the action configured for that file type, either block or pass.
    • Attachment’s depth of nesting is greater than Max Level of Compression: Apply the block action, unless you have deselected the check box for Max Level of Compression, in which case it will pass the file type content filter. Block actions are specified in the content action profile.

    The specified compression value is always considered if Check Archive Content is enabled, but has an effect only if the threshold is exceeded.

    This option is available only if Check archive content is enabled.
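The archive handling decision described above, as an added Python example that is not FortiMail code: it walks nested ZIP archives with the standard library, detects the encrypted flag and decompression failures, and applies the Check archive content, Detect password protected archive, Detect archive bomb and decompression failure, and Max level of compression semantics. The sample archives are constructed in memory, the option names are mapped to keyword arguments of my own choosing, and the behaviour when Max Level of Compression is deselected follows my reading of the text above.

```python
import io
import zipfile
import zlib


def inspect_zip(data: bytes, level: int = 0):
    # Recursively walk ZIP data. Returns (depth, encrypted, failed, names):
    #   depth     deepest nesting level seen (0 = data is not an archive)
    #   encrypted an entry carries the encryption flag (password-protected)
    #   failed    an entry could not be decompressed (bad CRC, unknown method, ...)
    #   names     every file name found at any level, for file-type matching
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return level, False, False, []
    depth, encrypted, failed, names = level + 1, False, False, []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                names.append(info.filename)
                if info.flag_bits & 0x1:      # general-purpose bit 0: entry is encrypted
                    encrypted = True
                    continue                    # cannot look inside without the password
                d, e, f, n = inspect_zip(zf.read(info), level + 1)
                depth, encrypted, failed = max(depth, d), encrypted or e, failed or f
                names.extend(n)
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError, zlib.error):
        failed = True
    return depth, encrypted, failed, names


def archive_verdict(data: bytes, *, check_archive_content=True,
                    detect_password_protected=True, detect_decompress_failure=True,
                    max_level=10, blocked_extensions=(".exe", ".js"),
                    archive_file_type_action="pass"):
    # Block/pass decision for one archive attachment. Keyword arguments map to the
    # options above; max_level=0 means no depth limit and max_level=None models the
    # Max Level of Compression check box being deselected (my reading of the text).
    if not check_archive_content:
        # Only the presence of an archive counts; nothing inside is considered.
        return archive_file_type_action, "archive present; contents not inspected"
    depth, encrypted, failed, names = inspect_zip(data)
    if detect_password_protected and encrypted:
        return "block", "password-protected archive"
    if detect_decompress_failure and failed:
        return "block", "archive could not be decompressed"
    if max_level is None:
        return "pass", "depth check deselected; passes the file type filter"
    if max_level > 0 and depth > max_level:
        return "block", f"nesting depth {depth} exceeds max level {max_level}"
    hits = [n for n in names if n.lower().endswith(tuple(blocked_extensions))]
    if hits:
        return "block", "blocked file type inside archive: " + ", ".join(hits)
    return "pass", f"archive clean at nesting depth {depth}"


# --- constructed samples (built in memory; not real attachments) ------------------

def make_zip(members: dict) -> bytes:
    # Uncompressed (stored) ZIP from {name: bytes}.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(data: bytes, levels: int) -> bytes:
    # Wrap data in `levels` more ZIP layers to simulate nested archives.
    for i in range(levels):
        data = make_zip({f"layer{i}.zip": data})
    return data


def mark_encrypted(single_member_zip: bytes) -> bytes:
    # Set the encrypted flag bit in the local and central headers of a one-entry
    # ZIP so it looks password-protected (the stdlib cannot write encrypted ZIPs).
    buf = bytearray(single_member_zip)
    buf[6] |= 0x01                              # local file header flags
    buf[buf.find(b"PK\x01\x02") + 8] |= 0x01    # central directory header flags
    return bytes(buf)


def corrupt(archive: bytes, original: bytes, replacement: bytes) -> bytes:
    # Overwrite stored member bytes (same length) so the CRC check fails on read.
    return archive.replace(original, replacement)


if __name__ == "__main__":
    clean = make_zip({"report.pdf": b"%PDF-1.4 constructed sample"})
    samples = {
        "clean": clean,
        "nested 4 deep": nest(clean, 3),
        "executable inside": make_zip({"invoice.exe": b"MZ constructed"}),
        "password-protected": mark_encrypted(make_zip({"secret.txt": b"x"})),
        "corrupted": corrupt(make_zip({"doc.txt": b"hello-from-inside"}),
                             b"hello-from-inside", b"HELLO-FROM-INSIDE"),
    }
    for label, blob in samples.items():
        print(f"{label:20s} -> {archive_verdict(blob, max_level=3)}")
```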

Configuring password decryption options

For password-protected PDF and archive attachments, if you want to decrypt and scan them, you can specify what kind of passwords you want to use to decrypt the files.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Expand File Password Decryption Options.
  4. Specify the type of passwords to use:
  • Words in email content: Enable and enter the Number of adjacent word to keyword to specify how many words before and after the keywords to try as the password for file decryption. For example, an email could contain a sentence such as: “To open the document, please use password 123456. If you cannot open it, please contact us.” If you specify two words before and after the keyword, then “please” and “use” (the two words before the keyword “password”), and “123456” and “If” (the two words after the keyword “password”) would be tried one by one as the password to decrypt the attachments. If no keyword exists, any words in the email body may be tried as the password.
  • Built-in password list: Enable this option to use the predefined passwords.
  • User-defined password list: Enable this option to use the passwords defined under Profile > Content > File Password. For details, see Configuring file passwords.
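The Words in email content extraction, worked as an added Python example using the sentence above (this is not FortiMail's implementation; the keyword list and the order in which the three password sources are tried are assumptions of mine):

```python
import re

# Constructed keyword list; the guide refers to "the keywords" without listing them.
KEYWORDS = ("password", "passwd", "pwd", "pin")
STRIP_CHARS = '.,;:!?"\'()[]<>'


def _words(text: str):
    # Whitespace tokens with surrounding punctuation removed, so that "123456."
    # in the sample sentence yields the candidate "123456".
    return [w.strip(STRIP_CHARS) for w in text.split() if w.strip(STRIP_CHARS)]


def words_in_content(body: str, adjacent: int, keywords=KEYWORDS):
    # For every keyword occurrence collect `adjacent` words before and after it
    # (the Number of adjacent word to keyword setting). If no keyword appears,
    # fall back to every word in the body, as the guide describes.
    words = _words(body)
    candidates, found = [], False
    for i, w in enumerate(words):
        if w.lower() not in keywords:
            continue
        found = True
        before = words[max(0, i - adjacent):i]
        after = words[i + 1:i + 1 + adjacent]
        candidates.extend(before + after)
    if not found:
        candidates = words
    return list(dict.fromkeys(candidates))   # de-duplicate, keep first-seen order


def password_candidates(body: str, adjacent: int = 2, use_words_in_content=True,
                        builtin=(), user_defined=()):
    # Combine the three sources in the order the options are listed above
    # (assumed try order; the guide does not state one). `builtin` stands in for
    # the predefined list, `user_defined` for Profile > Content > File Password.
    ordered = []
    if use_words_in_content:
        ordered += words_in_content(body, adjacent)
    ordered += list(builtin) + list(user_defined)
    return list(dict.fromkeys(ordered))


# Constructed sample body: the sentence used in the guide's explanation.
SAMPLE_BODY = ("To open the document, please use password 123456. "
               "If you cannot open it, please contact us.")

if __name__ == "__main__":
    print(words_in_content(SAMPLE_BODY, adjacent=2))
    print(password_candidates(SAMPLE_BODY, 2, builtin=("123456",), user_defined=("corp-2024",)))
```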

Configuring content monitor and filtering

The monitor profile uses the dictionary profile to determine matching email messages, and the actions that will be performed if a match is found.

You can also select to scan Microsoft Office, PDF, or archived email attachments.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

To configure a content monitor profile

  1. Go to Profile > Content > Content.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand Content Monitor and Filtering.

    GUI item

    Description

    Move

    (button)

    Mark a check box to select a content monitor profile, then click this button. Choose Up or Down from the pop-up menu.

    Content monitor profiles are evaluated for a match in order of their appearance in this list. Usually, content monitor profiles should be ordered from most specific to most general, and from accepting or quarantining to rejecting.

    Delete

    (button)

    Mark a check box to select a content monitor profile, then click this button to remove it.

    Note: Deletion does not take effect immediately; it occurs when you save the content profile.

  4. Click New for a new monitor profile or double-click an existing profile to modify it.

    A dialog appears.

  5. Configure the following:

    GUI item

    Description

    Enable

    Enable to use this content monitor to inspect email for matching content and perform the configured action.

    Dictionary

    Select either Profile or Group, then select the name of a dictionary profile or group from the dropdown list next to it.

    If no profile or group exists, click New to create one, or select an existing profile or group and click Edit to modify it. A dialog appears.

    For information on creating and editing dictionary profiles and groups, see Configuring dictionary profiles.

    Minimum score

    Displays the number of times that an email must match the dictionary profile before it will receive the action configured in Action. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.

    Action

    Displays the action that the FortiMail unit will perform if the content of the email message matches words or patterns from the dictionary profile.

    If no action exists, click New to create one, or select an existing action and click Edit to modify it. A dialog appears.

    For information on action profiles, see Configuring content action profiles.

    Scan Condition

    Select the content type(s) to scan:

    • PDF files
    • Microsoft Office files
    • Archived PDF and MS Office files. If you select this option, you can also use the following CLI commands to specify the maximum levels to decompress and the maximum file size to decompress:

    config mailsetting mail-scan-options
        set decompress-max-level <level_1-16>
        set decompress-max-size <MB_int>
    end

  6. Click Create or OK.

Configuring file filters

File filters are used in the attachment scan rules (see Configuring attachment scan rules). File filters define the email attachment file types and file extensions to be scanned.

Note

Wildcards can be used in file filters. For details, see Appendix D: Wildcards and regular expressions.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles and content action profiles.

  1. Go to Profile > Content > File Filter.
  2. Click New to create a new filter or double click on an existing filter to edit it.

    GUI item

    Description

    Domain

    The new filter can be applied to a domain or system-wide.

    Name

    Enter a name for the filter.

    Description

    Optionally enter a description.

    File Type

    Select from the predefined types, specify your own, or both.

    File Extension

    Select from the predefined extensions, specify your own, or both.

Caution

Encrypted email content cannot be scanned for spam, viruses, or banned content.

Note

Unlike other attachment types, archives may receive an action other than your Block/Pass selection, depending on your configuration in the Scan Conditions (see Action).

Note

For each file type, you can use an action profile to overwrite the default action profile used by the content profile. For example, if you want to redirect encrypted email to a third party server (such as a PGP Universal Server) for decryption, you can:

  1. Create a content action profile and enable the Send to alternate host option in the action profile. Enter the PGP server as the alternate host. For details about how to create a content action profile, see Configuring content action profiles.
  2. Select to block the encrypted/pgp file type under document/encrypted. “Block” means to apply an action profile.
  3. Select the action profile for the document/encrypted file type. This action profile will overwrite the action profile you select for the entire content profile.

Configuring file passwords

When you configure a content profile, you can choose to decrypt documents (see Configuring scan options) and archived files (see Configuring archive handling). To decrypt the documents, you need passwords. See also Configuring password decryption options.

To configure user-defined passwords

  1. Go to Profile > Content > File Password.
  2. Click New.
  3. Enter the password that will be used to decrypt documents.
  4. Click Create.

Configuring content action profiles

The Action tab in the Content submenu lets you define content action profiles. Use these profiles to apply content-based encryption.

Alternatively, content action profiles can define one or more things that the FortiMail unit should do if the content profile determines that an email contains prohibited words or phrases, file names, or file types.

For example, you might have configured most content profiles to match prohibited content, and therefore to use a content action profile named quar_profile which quarantines email to the system quarantine for review.

However, you have decided that email that does not pass the dictionary scan named financial_terms is always prohibited, and should be rejected so that it does not require manual review. To do this, first configure a second action profile, named rejection_profile, which rejects email. You would then override quar_profile specifically for the dictionary-based content scan in each profile by selecting rejection_profile for content that matches financial_terms.

To view and manage the list of content action profiles

  1. Go to Profile > Content > Action.

    GUI item

    Description

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain

    (column)

    Displays either System or a domain name.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  2. Either click New to add a profile or double-click an existing profile to modify it.

    A dialog appears.

  3. Configure the following:

    GUI item

    Description

    Domain

    For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.

    Profile name

    For a new profile, enter its name.

    Tag subject

    Enable and enter the text that will appear in the subject line of the email, such as [PROHIBITED-CONTENT]. FortiMail prepends this text to the subject line of the email before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.

    Insert header

    Enable and click New to enter a message header key. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.

    Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:

    X-Content-Filter: Contains banned word.

    If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.

    You can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value.

    Note: Do not enter spaces in the key portion of the header line. These are forbidden by RFC 2822.

    Remove header

    Enable and click New to enter the message header name to be removed.

    Insert disclaimer

    Enable to insert a disclaimer, and select whether to insert it at the start of the message, at the end of the message, or at the location of the custom message.

    You can modify the default disclaimer or add new disclaimers by going to System > Mail Setting > Disclaimer.

    Deliver to alternate host

    Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.

    You can choose to deliver the original email or the modified email.

    Deliver to original host

    Enable to route the email to the original SMTP server or relay. Note that you can deliver email to both the original and alternate hosts.

    You can choose to deliver the original email or the modified email.

    FortiGuard spam outbreak protection

    Enable to send incoming email to the deferred mail queue. See also Configuring mail server settings.

    Defer delivery

    Enable to defer delivery of emails that may be resource intensive and reduce throughput of the mail server, such as large email messages, or mass email such as marketing campaign email and newsletter digests. See also Configuring mail server settings.

    BCC

    Enable to send a blind carbon copy (BCC) of the email.

    Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area.

    Replace with message

    Enable to replace the email’s contents with a replacement message. Then select a replacement message from the dropdown list. For more information, see Customizing GUI, custom messages, email templates, and Security Fabric.

    Archive to account

    Enable to send the email to an archiving account. As long as this action is enabled, the email is archived regardless of whether it is delivered or rejected.

    Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.

    Notify with profile

    Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.

    Final action

    Select one of the following final actions for the content action profile.

    Discard

    Enable to accept the email and then delete it instead of delivering it, without notifying the SMTP client.

    Reject

    Enable to reject the email and reply to the SMTP client with SMTP reply code 550.

    Personal quarantine

    For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines.

    For outgoing email, this action will fallback to the system quarantine.

    You can choose to quarantine the original email or the modified email.

    System quarantine

    Enable to redirect the email to the system quarantine and specify the quarantine folder. For more information, see Managing the system quarantine.

    You can choose to quarantine the original email or the modified email.

    Domain quarantine

    Enable to redirect email to the domain quarantine folder. For more information, see Managing the domain quarantines.

    Rewrite recipient email address

    Enable to change the recipient address of any email that matches the content profile.

    Configure rewrites separately for the local-part (the portion of the email address before the @ symbol, typically a user name) and the domain part (the portion of the email address after the @ symbol). For each part, select either:

    • None: No change.
    • Prefix: Prepend the part with text that you have entered in the With field.
    • Suffix: Append the part with the text you have entered in the With field.
    • Replace: Substitute the part with the text you have entered in the With field.

    Encrypt with profile

    Enable to apply an encryption profile, then select which encryption profile to use. For details, see Configuring encryption profiles.

    Note that if you select an IBE encryption profile, it will be overridden if either S/MIME or TLS or both are selected in the message delivery rule configuration (Policy > Access Control > Delivery > New).

    For information about message delivery rules, see Configuring delivery rules.

    Treat as spam

    Enable to perform the Actions selected in the antispam profile of the policy that matches the email. For more information, see Configuring antispam action profiles.

  4. To apply a content action profile, select it in the Action dropdown list of one or more antispam profiles. For details, see Managing antispam profiles.

Configuring content profiles and content action profiles

The Content sub-menu lets you configure content profiles for incoming and outgoing content-based scanning. The available options vary depending on the chosen directionality.

This topic includes:

Configuring content profiles

The Content tab lets you create content profiles, which you can use to match email based upon its subject line, message body, and attachments.

Unlike antispam profiles, which deal primarily with spam, content profiles match any other type of email.

You can use content profiles to apply content-based encryption to email, or to restrict prohibited content, such as words or phrases, file names, and file attachments that are not permitted by your network usage policy. You can apply content profiles to email that you want to protect and email that you want to prevent.

To view and configure content profiles

  1. Go to Profile > Content > Content.

    GUI item

    Description

    Clone

    (button)

    Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain Name

    (column)

    Displays either System or the name of a protected domain.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  2. Either click New to add a profile or double-click a profile to modify it.
  3. For a new profile, from the Domain dropdown, select either System to see profiles that apply to the entire FortiMail unit, or select the name of a protected domain.
  4. For a new profile, enter its name. The profile name is editable later.
  5. In Action, select a content action profile to use. For details, see Configuring content action profiles.
  6. Configure the following sections:

  7. Click Create or OK to save the content profile.

Configuring attachment scan rules

The attachment scan rules define what actions will be taken if the specified files types are found in email attachments.

Before you can configure the scan rule, you must configure the file filters. See Configuring file filters.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the Attachment Scan Rules section.
  4. Click New to add a rule:

    GUI item

    Description

    Enabled

    Select to enable the rule.

    File filter

    Select the file filter. See Configuring file filters.

    Operator

    Select Is or Is Not. If Is is selected, the action below is taken for attachments that match the file filter. If Is Not is selected, the action below is taken for attachments that do not match the file filter. You can use the Is Not option to safelist some attachment types. For example, to reject all file types except PDF files, specify that PDF Is Not Reject.

    Action

    Specify the action. Or click New to create a new action profile.

Configuring scan options

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand Scan Options and configure the following:

    GUI item

    Description

    Bypass scan on SMTP authentication

    Enable to omit content profile scanning if the SMTP session is authenticated.

    Detect fragmented email

    Enable to detect and block fragmented email. Some mail user agents, such as Microsoft Outlook, can fragment large email messages into multiple sub-messages. This technique can be used to bypass oversize limits and content scanning.

    Detect password protected Office/PDF document

    Enable to apply the block action configured in the content action profile if an attached Microsoft Office, OpenOffice, or PDF document is password-protected, and therefore cannot be decompressed in order to scan its contents.

    Attempt to decrypt Office/PDF document

    Enable to decrypt Microsoft Office, Open Office, or PDF attachments using the predefined or user-defined passwords. For details, see Configuring file passwords.

    Detect embedded component

    Specify which option(s) to use when scanning documents with embedded files, such as Microsoft Office, Microsoft Visio, OpenOffice.org, and PDF documents.

    Similar to an archive, documents can sometimes contain video, graphics, sounds, and other files that are used by the document. By wrapping files within a document instead of linking to the file on a separate, external location, a document becomes more portable. However, it also means that documents with other files embedded can be used to hide infected files.

    Policy match

    Enable to defer mail delivery from specific senders configured in the policy. By sending low-priority, bandwidth-consuming email such as newsletter digest or marketing campaigns at scheduled times, you can conserve bandwidth at peak time so that high priority email can be sent more quickly.

    For information on policy, see How to use policies.

    For information on scheduling deferred delivery, see Configuring mail server settings.

    Maximum number of attachment

    Enter how many attachments are allowed in one email message. The valid range is from 1 to 100.

    Maximum size

    Enter the maximum size threshold in kilobytes for email or attachments.

    Adult image analysis

    If you have purchased the adult image scan license, you can enable this option to scan for adult images.

    You can also configure the scan sensitivity and image sizes. Go to System > FortiGuard > Adult Image Analysis. For details, see Configuring adult image analysis.
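The three scan options that operate on message structure (Detect fragmented email, Maximum number of attachment, and Maximum size) can be reproduced with the Python standard library. The following example is added for illustration and is not part of the FortiMail documentation or product; the sample message, the message/partial fragment, the finding names and the interpretation of "email or attachments" as either-or are constructed assumptions of the example.

```python
import email
from email import policy
from email.message import EmailMessage


def sample_raw(attachments=(("a.bin", b"x" * 2048), ("b.bin", b"y" * 10))) -> bytes:
    """Constructed sample: a short text body plus (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Sample"
    msg.set_content("See attached.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


# Constructed first fragment of a message that a client split with message/partial (RFC 2046).
PARTIAL_RAW = (
    b"From: sender@example.com\n"
    b"To: user@example.net\n"
    b"Subject: big report (1/3)\n"
    b'Content-Type: message/partial; id="frag1@example.com"; number=1; total=3\n'
    b"\n"
    b"first third of the original message\n"
)


def scan_options_check(raw: bytes, max_attachments: int = 10, max_size_kb: int = 1024) -> list:
    """Evaluate three Scan Options against a raw message and return the findings
    (names are constructed) in a fixed order: fragmented, too-many-attachments, oversize."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Detect fragmented email: the top-level part claims to be one piece of a split message,
    # so the scanner never sees the whole content unless the pieces are reassembled.
    if msg.get_content_type() == "message/partial":
        findings.append("fragmented")
    # Maximum number of attachment: count the parts the library classes as attachments.
    attachments = list(msg.iter_attachments())
    if len(attachments) > max_attachments:
        findings.append("too-many-attachments")
    # Maximum size: checked against the whole message and against each decoded attachment
    # (the page says "email or attachments"; treating it as either-or is an assumption).
    limit = max_size_kb * 1024
    largest = max((len(part.get_content()) for part in attachments), default=0)
    if len(raw) > limit or largest > limit:
        findings.append("oversize")
    return findings
```

Note that the size check uses the decoded attachment size rather than the base64 text, so a 2 KB attachment is counted as 2 KB even though it occupies roughly 2.7 KB on the wire.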

Configuring content disarm and reconstruction (CDR)

Configure these settings to sanitize email that contains hyperlinks and scripts, including in attachments, in order to reduce risk of spam, malware, and tracking. For more information about CDR, see Configuring content disarming and reconstruction.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Expand Content Disarm and Reconstruction and configure the following:

    GUI item

    Description

    Action

    Select an action. See Configuring content action profiles.

    HTML content

    Enable to detect risky hypertext markup language (HTML) tags in an HTML email body, and then select how FortiMail will sanitize the email:

    • Convert to text: Convert the HTML email to plain text.
    • Modify content: Modify the HTML content, using the following settings:

      • Active content: Select to either Keep or Remove active content such as JavaScript.
      • URL: Select whether to:

        • Keep: Keep the URL or script. Do not remove or modify it.
        • Remove: Remove the URL or script.
        • Redirect to FortiIsolator: Redirect the user to FortiIsolator so that the user will be browsing indirectly, protected through FortiIsolator. To view the settings for URL click protection and FortiIsolator, click View settings.
        • Redirect to Click Protection: Rewrite the URL. If the user clicks on the URL, scan the URL and then perform click protection action configured in Configuring CDR URL click protection and removal options.
        • Redirect to Click Protection + FortiIsolator: Rewrite the URL and if the user clicks on it, redirect the URL to FortiMail for scanning. If the URL is malicious, it will be blocked; if the URL passes the scan, then it is rewritten to point to FortiIsolator, and the user will browse through FortiIsolator.
        • Neutralize: Modify the URL to make it inactive when clicked, but still easy to determine what the original URL was. For example, a link to:

          https://www.example.com

          is changed to:

          hxxps:\\www[.]example[.]com

        Then in Apply to, select whether CDR modifications should apply to either Tag attribute (for example, the href attribute in hyperlinks such as <a href="https://example.com">), Tag text content, or both.

    FortiMail will also add:

    X-FEAS-ATTACHMENT-FILTER: Contains HTML tags.

    to the message headers.

    Text content

    Enable to detect risky URLs in a plain text email body, and then in URL, select how FortiMail will sanitize the email (the options are similar to URL for HTML email).

    MS Office

    Enable to disarm and reconstruct Microsoft Office attachments. This also includes ZIP files that are compressed (nested compression is not supported).

    PDF

    Enable to disarm and reconstruct the PDF attachments. This also includes ZIP files that are compressed (nested compression is not supported).
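The HTML content options above (Active content: Remove, URL: Neutralize, and the Apply to choice between tag attributes and tag text content) can be illustrated with a small HTML rewriter. The following Python example is added for illustration and is not FortiMail's CDR implementation; it follows the page's hxxp and [.] neutralization scheme, keeps the "://" separator, drops HTML comments, and treats inline event handlers and javascript: links as active content, all of which are assumptions of the example. The sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def neutralize_url(url: str) -> str:
    """Make a URL inactive but still readable: http -> hxxp and '.' -> '[.]'."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    return re.sub(r"^http", "hxxp", scheme, flags=re.IGNORECASE) + sep + rest.replace(".", "[.]")


class CdrHtmlRewriter(HTMLParser):
    """Rebuild an HTML body, removing active content and neutralizing URLs in tag
    attributes, in text content, or in both (the page's Apply to setting)."""
    ACTIVE_TAGS = {"script"}
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self, apply_to=("attribute", "text"), active_content="Remove"):
        super().__init__(convert_charrefs=False)
        self.apply_to = set(apply_to)
        self.remove_active = active_content == "Remove"
        self.out = []
        self._skipping = 0  # > 0 while inside a removed <script> element

    def _render_attrs(self, attrs) -> str:
        parts = []
        for name, value in attrs:
            if self.remove_active and name.startswith("on"):
                continue  # inline event handler: active content
            if value is None:
                parts.append(name)
                continue
            if self.remove_active and value.strip().lower().startswith("javascript:"):
                continue  # script URL: active content
            if "attribute" in self.apply_to and name in self.URL_ATTRS:
                value = neutralize_url(value)
            parts.append(f'{name}="{value}"')
        return "".join(f" {p}" for p in parts)

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS and self.remove_active:
            self._skipping += 1
            return
        if not self._skipping:
            self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if not self._skipping:
            self.out.append(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag in self.ACTIVE_TAGS and self.remove_active:
            self._skipping = max(0, self._skipping - 1)
            return
        if not self._skipping:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        if "text" in self.apply_to:
            data = URL_RE.sub(lambda m: neutralize_url(m.group(0)), data)
        self.out.append(data)

    def handle_entityref(self, name):
        if not self._skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skipping:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped (assumption of this example)


def sanitize_html(html: str, apply_to=("attribute", "text"), active_content="Remove") -> str:
    """Apply the rewriter to one HTML body and return the reconstructed HTML."""
    parser = CdrHtmlRewriter(apply_to, active_content)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample body: a link whose visible text is also a URL, plus a script.
SAMPLE_HTML = ('<p>Visit <a href="https://www.example.com/login" onclick="track()">'
               'https://www.example.com/login</a></p><script>track()</script>')
```

Neutralizing only the href attribute leaves the visible text clickable-looking but harmless in clients that render the attribute; neutralizing only the text leaves the live link in place, which is why the page offers both.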

Configuring archive handling

For email with archive attachments, you can decide what to do with them. Currently, FortiMail supports ZIP, PKZIP, GZIP, BZIP, TAR, RAR, JAR, CAB, 7Z, and EGG for content inspection.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Expand Archive Handling and configure the following:

    GUI Item

    Description

    Check archive content

    Enable to determine which action to perform with archive attachments by:

    • blocking password protected archives if you have selected Detect Password Protected Archive
    • blocking archives that could not be successfully decompressed if you have selected Detect on Failure to Decompress
    • passing/blocking by comparing the depth of nested archives with the nesting depth threshold configured in Max Level of Compression

    By default, archives with less than 10 levels of compression will be blocked if they cannot be successfully decompressed or are password-protected.

    Depending on the nesting depth threshold and the attachment’s depth of nested archives, the FortiMail unit may also consider the file types of files within the archive when determining which action to perform. For details, see the section below.

    If disabled, the FortiMail unit will perform the Block/Pass action solely based upon whether an email contains an archive. It will disregard the depth of nesting, password protection, successful decompression, and the file types of contents within the archive.

    Detect archive bomb and decompression failure

    Enable to apply the block action configured in the content action profile if an attached archive cannot be successfully decompressed, such as if the compression algorithm is unknown, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check archive content is enabled.

    Detect password protected archive

    Enable to apply the block action configured in the content action profile if an attached archive is password-protected, and therefore cannot be decompressed in order to scan its contents.

    This option is available only if Check archive content is enabled.

    Attempt to decrypt archive

    Enable to decrypt and scan the archives, using the passwords configured in Configuring password decryption options. If it fails, the email will be passed.

    This option is available only if Check archive content is enabled.

    Max level of compression

    Enter the nesting depth threshold. Depending upon each attached archive’s depth of archives nested within the archive, the FortiMail unit uses one of the following methods to determine if it should block or pass the email.

    • Max Level of Compression is 0, or attachment’s depth of nesting equals or is less than Max Level of Compression: If the attachment contains a file that matches one of the other file types, perform the action configured for that file type, either block or pass.
    • Attachment’s depth of nesting is greater than Max Level of Compression: Apply the block action, unless you have deselected the check box for Max Level of Compression, in which case it will pass the file type content filter. Block actions are specified in the content action profile.

    The specified compression value is always considered if Check Archive Content is enabled, but has an effect only if the threshold is exceeded.

    This option is available only if Check archive content is enabled.
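The decision logic described under Check archive content and Max level of compression (password-protected entries, decompression failure, nesting depth against the threshold, and falling through to the file-type rules when the depth is within the threshold) is shown below for ZIP archives. This Python example is added for illustration and is not FortiMail's implementation; the option names mirror the GUI labels, the blocked file suffixes stand in for the content profile's file-type rules, and the nested archives and the "encrypted" flag used to simulate a password-protected archive are constructed in memory.

```python
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class ArchiveSettings:
    """Model of the Archive Handling options (constructed; names mirror the GUI labels)."""
    check_archive_content: bool = True
    detect_password_protected: bool = True
    detect_decompress_failure: bool = True
    max_level: int = 10             # 0 means no nesting-depth limit, as the page states
    max_level_enabled: bool = True  # deselected check box: over-depth archives pass the filter
    blocked_suffixes: tuple = (".exe", ".scr", ".js")  # stand-in for the file-type rules


@dataclass
class ArchiveReport:
    depth: int
    files: list = field(default_factory=list)
    password_protected: bool = False
    decompress_failed: bool = False


def inspect_archive(data: bytes, depth: int = 1) -> ArchiveReport:
    """Walk a ZIP and the ZIPs nested inside it, entirely in memory."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ArchiveReport(depth, decompress_failed=True)
    report = ArchiveReport(depth)
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                report.password_protected = True
                continue
            if info.filename.lower().endswith(".zip"):
                inner = inspect_archive(zf.read(info), depth + 1)
                report.depth = max(report.depth, inner.depth)
                report.files.extend(inner.files)
                report.password_protected |= inner.password_protected
                report.decompress_failed |= inner.decompress_failed
            else:
                report.files.append(info.filename)
    return report


def archive_action(data: bytes, s: ArchiveSettings) -> str:
    """Decide block/pass for one archive attachment following the page's rules."""
    if not s.check_archive_content:
        # Page: decided solely by whether the email contains an archive (the archive
        # file-type rule), ignoring depth, passwords, decompression and contents.
        return "archive-file-type-action"
    r = inspect_archive(data)
    if r.password_protected and s.detect_password_protected:
        return "block"
    if r.decompress_failed and s.detect_decompress_failure:
        return "block"
    if s.max_level and r.depth > s.max_level:
        return "block" if s.max_level_enabled else "pass"
    # Depth within the threshold (or no threshold): the contents' file types decide.
    if any(f.lower().endswith(s.blocked_suffixes) for f in r.files):
        return "block"
    return "pass"


def build_nested_zip(levels: int, filename: str, payload: bytes) -> bytes:
    """Constructed test input: `payload` wrapped in `levels` ZIP layers."""
    data, name = payload, filename
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


def mark_encrypted(flat_zip: bytes) -> bytes:
    """Constructed stand-in for a password-protected archive: set the 'encrypted'
    flag bit in every local and central-directory header of a single-level ZIP
    (the zipfile module can read encrypted ZIPs but cannot write them)."""
    out = bytearray(flat_zip)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + offset] |= 0x01
            i = out.find(sig, i + 4)
    return bytes(out)
```

The walk never writes to disk and stops descending at an encrypted entry, so an archive that hides a deep chain behind a password is reported as password-protected rather than expanded.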

Configuring password decryption options

For password-protected PDF and archive attachments, if you want to decrypt and scan them, you can specify what kind of passwords you want to use to decrypt the files.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

  1. Go to Profile > Content > Content.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Expand File Password Decryption Options.
  4. Specify the type of passwords to use:
  • Words in email content: Enable and enter the Number of adjacent word to keyword to specify how many words before and after the keywords to try as the password for file decryption. For example, an email could contain a sentence such as: “To open the document, please use password 123456. If you cannot open it, please contact us.” If you specify two words before and after the keyword, then “please” and “use” (two words before the keyword “password”) and “123456” and “If” (two words after the keyword “password”) would be tried one by one as the password to decrypt the attachments. If no keyword exists, any words in the email body may be tried as the password.
  • Built-in password list: Enable this option to use the predefined passwords.
  • User-defined password list: Enable this option to use the passwords defined under Profile > Content > File Password. For details, see Configuring file passwords.
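The candidate-password selection described above can be worked through with the page's own sentence. The Python example below is added for illustration and is not FortiMail's implementation; the order in which the three sources are tried, the punctuation stripping, and the built-in and user-defined lists passed in are assumptions or constructed values.

```python
PUNCTUATION = ".,;:!?\"'()[]{}<>"


def candidate_passwords(body, keywords=("password",), adjacent=2,
                        builtin_list=(), user_list=()):
    """Build the ordered list of passwords to try against an encrypted attachment.

    Sources, in the order tried (the order is an assumption of this example):
      1. words before/after each keyword in the email body (Words in email content),
      2. the built-in list (constructed here; the real list is predefined),
      3. the user-defined list (Profile > Content > File Password).
    Tokens are split on whitespace and stripped of surrounding punctuation so that
    '123456.' yields '123456' as in the page's sentence; a password that itself
    ends in punctuation would need the raw token as well (not done here).
    """
    tokens = [t.strip(PUNCTUATION) for t in body.split()]
    tokens = [t for t in tokens if t]
    keys = {k.lower() for k in keywords}
    found = []
    for i, tok in enumerate(tokens):
        if tok.lower() in keys:
            found.extend(tokens[max(0, i - adjacent):i])   # N words before the keyword
            found.extend(tokens[i + 1:i + 1 + adjacent])   # N words after the keyword
    if not found:
        found = list(tokens)  # page: without a keyword, any word in the body may be tried
    ordered, seen = [], set()
    for cand in found + list(builtin_list) + list(user_list):
        if cand not in seen:
            seen.add(cand)
            ordered.append(cand)
    return ordered


# The sentence from the page, as a constructed sample body.
SAMPLE_BODY = ("To open the document, please use password 123456. "
               "If you cannot open it, please contact us.")
```

Each returned word is then tried as the password for the attached archive or document; the keyword-adjacent words are tried first because they are the most likely hit and keep the number of decryption attempts per message small.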

Configuring content monitor and filtering

The monitor profile uses the dictionary profile to determine matching email messages, and the actions that will be performed if a match is found.

You can also select to scan Microsoft Office, PDF, or archived email attachments.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles.

To configure a content monitor profile

  1. Go to Profile > Content > Content.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand Content Monitor and Filtering.

    GUI item

    Description

    Move

    (button)

    Mark a check box to select a content monitor profile, then click this button. Choose Up or Down from the pop-up menu.

    Content monitor profiles are evaluated for a match in order of their appearance in this list. Usually, content monitor profiles should be ordered from most specific to most general, and from accepting or quarantining to rejecting.

    Delete

    (button)

    Mark a check box to select a content monitor profile, then click this button to remove it.

    Note: Deletion does not take effect immediately; it occurs when you save the content profile.

  4. Click New for a new monitor profile or double-click an existing profile to modify it.

    A dialog appears.

  5. Configure the following:

    GUI item

    Description

    Enable

    Enable to use the content monitor to inspect email for matching email and perform the configured action.

    Dictionary

    Select either Profile or Group, then select the name of a dictionary profile or group from the dropdown list next to it.

    If no profile or group exists, click New to create one, or select an existing profile or group and click Edit to modify it. A dialog appears.

    For information on creating and editing dictionary profiles and groups, see Configuring dictionary profiles.

    Minimum score

    Displays the number of times that an email must match the dictionary profile before it will receive the action configured in Action. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.

    Action

    Displays action that the FortiMail unit will perform if the content of the email message matches words or patterns from the dictionary profile.

    If no action exists, click New to create one, or select an existing action and click Edit to modify it. A dialog appears.

    For information on action profiles, see Configuring content action profiles.

    Scan Condition

    Select the content type(s) to scan:

    • PDF files
    • Microsoft Office files
    • Archived PDF and MS Office files. If you select this option, you can also use the following CLI commands to specify the maximum levels to decompress and the maximum file size to decompress:

    config mailsetting mail-scan-options
      set decompress-max-level <level_1-16>
      set decompress-max-size <MB_int>
    end

  6. Click Create or OK.

Configuring file filters

File filters are used in the attachment scan rules (see Configuring attachment scan rules). File filters define the email attachment file types and file extensions to be scanned.

Note

Wildcards can be used in file filters. For details, see Appendix D: Wildcards and regular expressions.

The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see Configuring content profiles and content action profiles.

  1. Go to Profile > Content > File Filter.
  2. Click New to create a new filter or double click on an existing filter to edit it.

    GUI item

    Description

    Domain

    The new filter can be applied to a domain or system wide.

    Name

    Enter a name for the filter.

    Description

    Optionally enter a description.

    File Type

    Either select from the predefined types and/or specify your own.

    File Extension

    Either select from the predefined extensions and/or specify your own.

Caution

Encrypted email content cannot be scanned for spam, viruses, or banned content.

Note

Unlike other attachment types, archives may receive an action other than your Block/Pass selection, depending on your configuration in the Scan Conditions (see Action).

Note

For each file type, you can use an action profile to override the default action profile used by the content profile. For example, if you want to redirect encrypted email to a third party server (such as a PGP Universal Server) for decryption, you can:

  1. Create a content action profile and enable the Send to alternate host option in the action profile. Enter the PGP server as the alternate host. For details about how to create a content action profile, see Configuring content action profiles.
  2. Select to block the encrypted/pgp file type under document/encrypted. “Block” means to apply an action profile.
  3. Select the action profile for the document/encrypted file type. This action profile overrides the action profile you select for the entire content profile.
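The attachment scan rules (Configuring attachment scan rules) and the file filters they reference (this section) combine into a small matching engine: a filter matches by extension pattern or content type, and each rule applies its action when the attachment Is, or Is Not, a match. The Python example below is added for illustration and is not FortiMail's implementation; the filter values, the first-match ordering, the "pass" fallback and the attachment names are constructed assumptions. It reproduces the page's "reject everything except PDF" scenario and shows why a rule for executables belongs in front of an Is Not rule.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class FileFilter:
    """A file filter as defined under Profile > Content > File Filter: extension
    patterns (wildcards allowed, per the page) and/or content types. Values are
    constructed for this example."""
    name: str
    extensions: frozenset = frozenset()
    types: frozenset = frozenset()

    def matches(self, filename: str, content_type: str) -> bool:
        fname = filename.lower()
        by_ext = any(fnmatch.fnmatchcase(fname, pat.lower()) for pat in self.extensions)
        return by_ext or content_type.lower() in self.types


@dataclass(frozen=True)
class ScanRule:
    """One row of Attachment Scan Rules: filter, Is / Is Not operator, action profile name."""
    file_filter: FileFilter
    operator: str   # "Is" or "Is Not"
    action: str     # name of the content action profile to apply
    enabled: bool = True


def evaluate_attachment(filename, content_type, rules, default_action="pass"):
    """Return the action of the first enabled rule whose condition holds.
    First-match ordering and the 'pass' fallback are assumptions of this example."""
    for rule in rules:
        if not rule.enabled:
            continue
        matched = rule.file_filter.matches(filename, content_type)
        if rule.operator == "Is" and matched:
            return rule.action
        if rule.operator == "Is Not" and not matched:
            return rule.action
    return default_action


PDF = FileFilter("pdf", frozenset({"*.pdf"}), frozenset({"application/pdf"}))
EXECUTABLE = FileFilter("executable", frozenset({"*.exe", "*.scr", "*.js"}))

# The page's scenario: everything except PDF is rejected. The executable rule sits
# first so that a name such as invoice.pdf.exe declared as application/pdf is caught
# before the Is Not rule lets anything with a PDF content type through.
SAMPLE_RULES = [
    ScanRule(EXECUTABLE, "Is", "reject"),
    ScanRule(PDF, "Is Not", "reject"),
]
```

The declared content type comes from the sender, so a filter that matches on type alone trusts the sender's label; pairing it with extension patterns, and ordering deny rules ahead of Is Not safelist rules, keeps a mislabelled attachment from slipping through.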

Configuring file passwords

When you configure a content profile, you can choose to decrypt documents (see Configuring scan options) and archived files (see Configuring archive handling). To decrypt the documents, you need passwords. See also Configuring password decryption options.

To configure user-defined passwords

  1. Go to Profile > Content > File Password.
  2. Click New.
  3. Enter the password that will be used to decrypt documents.
  4. Click Create.

Configuring content action profiles

The Action tab in the Content submenu lets you define content action profiles. Use these profiles to apply content-based encryption.

Alternatively, content action profiles can define one or more things that the FortiMail unit should do if the content profile determines that an email contains prohibited words or phrases, file names, or file types.

For example, you might have configured most content profiles to match prohibited content, and therefore to use a content action profile named quar_profile which quarantines email to the system quarantine for review.

However, you have decided that email that does not pass the dictionary scan named financial_terms is always prohibited, and should be rejected so that it does not require manual review. To do this, first configure a second action profile, named rejection_profile, which rejects email. You would then override quar_profile specifically for the dictionary-based content scan in each profile by selecting rejection_profile for content that matches financial_terms.

To view and manage the list of content action profiles

  1. Go to Profile > Content > Action.

    GUI item

    Description

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain

    (column)

    Displays either System or a domain name.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  2. Either click New to add a profile or double-click an existing profile to modify it.

    A dialog appears.

  3. Configure the following:

    GUI item

    Description

    Domain

    For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.

    Profile name

    For a new profile, enter its name.

    Tag subject

    Enable and enter the text that will appear in the subject line of the email, such as [PROHIBITED-CONTENT]. FortiMail prepends this text to the subject line of the email before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.

    Insert header

    Enable and click New to enter a message header key. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.

    Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:

    X-Content-Filter: Contains banned word.

    If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.

    You can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value.

    Note: Do not enter spaces in the key portion of the header line. These are forbidden by RFC 2822.

    Remove header

    Enable and click New to enter the message header name to be removed.

    Insert disclaimer

    Insert disclaimer as an action, and select whether you want to insert the disclaimer at the start of the message, end of the message, or at the location of the custom message.

    You can modify the default disclaimer or add new disclaimers by going to System > Mail Setting > Disclaimer.

    Deliver to alternate host

    Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.

    You can choose to deliver the original email or the modified email.

    Deliver to original host

    Enable to route the email to the original SMTP server or relay. Note that you can deliver email to both the original and alternate hosts.

    You can choose to deliver the original email or the modified email.

    FortiGuard spam outbreak protection

    Enable to send incoming email to the deferred mail queue. See also Configuring mail server settings.

    Defer delivery

    Enable to defer delivery of emails that may be resource intensive and reduce throughput of the mail server, such as large email messages, or mass email such as marketing campaign email and newsletter digests. See also Configuring mail server settings.

    BCC

    Enable to send a blind carbon copy (BCC) of the email.

    Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area.

    Replace with message

    Enable to replace the email’s contents with a replacement message. Then select a replacement message from the dropdown list. For more information, see Customizing GUI, custom messages, email templates, and Security Fabric.

    Archive to account

    Enable to send the email to an archiving account. As long as this action is enabled, the email is archived regardless of whether it is delivered or rejected.

    Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.

    Notify with profile

    Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.

    Final action

    Select one of the following final actions for the content action profile.

    Discard

    Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

    Reject

    Enable to reject the email and reply to the SMTP client with SMTP reply code 550.

    Personal quarantine

    For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines.

    For outgoing email, this action will fall back to the system quarantine.

    You can choose to quarantine the original email or the modified email.

    System quarantine

    Enable to redirect the email to the system quarantine and specify the quarantine folder. For more information, see Managing the system quarantine.

    You can choose to quarantine the original email or the modified email.

    Domain quarantine

    Enable to redirect email to the domain quarantine folder. For more information, see Managing the domain quarantines.

    Rewrite recipient email address

    Enable to change the recipient address of any email that matches the content profile.

    Configure rewrites separately for the local-part (the portion of the email address before the @ symbol, typically a user name) and the domain part (the portion of the email address after the @ symbol). For each part, select either:

    • None: No change.
    • Prefix: Prepend the part with text that you have entered in the With field.
    • Suffix: Append the part with the text you have entered in the With field.
    • Replace: Substitute the part with the text you have entered in the With field.

    Encrypt with profile

    Enable to apply an encryption profile, then select which encryption profile to use. For details, see Configuring encryption profiles.

    Note that if you select an IBE encryption profile, it will be overridden if either S/MIME or TLS or both are selected in the message delivery rule configuration (Policy > Access Control > Delivery > New).

    For information about message delivery rules, see Configuring delivery rules.

    Treat as spam

    Enable to perform the Actions selected in the antispam profile of the policy that matches the email. For more information, see Configuring antispam action profiles.

  4. To apply a content action profile, select it in the Action dropdown list of one or more antispam profiles. For details, see Managing antispam profiles.
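The message-modifying actions in the table above (Tag subject, Insert header with its colon and no-spaces rules, Remove header, and Rewrite recipient email address with None/Prefix/Suffix/Replace) can be worked through on a sample message with the Python email library. This example is added for illustration and is not FortiMail's implementation; the sample message, the header names, the single space placed between the subject tag and the original subject, and the rejection of line breaks in header values are constructed assumptions of the example.

```python
import re
from email.message import EmailMessage

# RFC 2822 field-name characters: printable US-ASCII except ':' (so no spaces).
_FIELD_NAME_RE = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def parse_header_line(line: str):
    """Split 'Key: value' as the page describes. A line without a colon becomes a
    key with an empty value (the colon is appended). Keys with spaces or other
    forbidden characters, and values carrying CR/LF, are rejected."""
    key, _, value = line.partition(":")
    key, value = key.strip(), value.strip()
    if not _FIELD_NAME_RE.match(key):
        raise ValueError(f"invalid header key {key!r}")
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain line breaks")
    return key, value


def header_line_is_valid(line: str) -> bool:
    try:
        parse_header_line(line)
        return True
    except ValueError:
        return False


def _rewrite_part(part: str, mode: str, text: str) -> str:
    if mode == "None":
        return part
    if mode == "Prefix":
        return text + part
    if mode == "Suffix":
        return part + text
    if mode == "Replace":
        return text
    raise ValueError(f"unknown rewrite mode {mode!r}")


def rewrite_address(address: str, local_rule=("None", ""), domain_rule=("None", "")) -> str:
    """Apply the page's rewrite modes to the local-part and the domain of a bare address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"expected user@domain, got {address!r}")
    return _rewrite_part(local, *local_rule) + "@" + _rewrite_part(domain, *domain_rule)


def sample_message() -> EmailMessage:
    """Constructed sample message."""
    msg = EmailMessage()
    msg["From"] = "bob@example.org"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Quarterly numbers"
    msg["X-Mailer"] = "SampleClient/1.0"
    msg.set_content("Attached are the confidential figures.")
    return msg


def apply_content_action(msg: EmailMessage, tag=None, insert=(), remove=(),
                         local_rule=("None", ""), domain_rule=("None", "")) -> EmailMessage:
    """Apply Tag subject, Insert header, Remove header and Rewrite recipient in place."""
    if tag:
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}".strip()
    for line in insert:
        key, value = parse_header_line(line)
        msg[key] = value
    for name in remove:
        del msg[name]
    if local_rule[0] != "None" or domain_rule[0] != "None":
        recipient = rewrite_address(str(msg["To"]), local_rule, domain_rule)
        del msg["To"]
        msg["To"] = recipient
    return msg


def demo_action_profile() -> EmailMessage:
    """Run a constructed action profile over the sample message."""
    return apply_content_action(
        sample_message(),
        tag="[PROHIBITED-CONTENT]",
        insert=["X-Content-Filter: Contains banned word.", "X-Policy-Flag"],
        remove=["X-Mailer"],
        local_rule=("Suffix", "-review"),
        domain_rule=("Replace", "quarantine.example.net"),
    )
```

Rejecting CR/LF in an inserted value matters when the value is built from predefined variables: a line break inside a header value would otherwise start a new header line in the delivered message.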