Fortinet black logo

Administration Guide

Configuring content disarming and reconstruction

Configuring content disarming and reconstruction

System-wide attachment and URL sanitization settings that are used by all content profiles are configured in Security > Disarm & Reconstruction.

About content disarming and reconstruction (CDR)

In an email and attachments, there may be risky URLs and HTML tags such as hyperlinks and JavaScript. Similarly, Microsoft Office and PDF attachments may have macros, links, and other active content that also can be used by spyware or malware. Zero-day or spear phishing attacks that have been specially crafted initially do not have matching virus signatures or URL ratings yet. Some email clients automatically display HTML and attachments, increasing the risk.

Content disarming and reconstruction (CDR) in content profiles (see Configuring content disarm and reconstruction (CDR)) allows you to remove or mitigate risky content and then reconstruct and still deliver the sanitized email, without affecting the integrity of the text in the email.

For example, HTML email, you could select an action in the content action profile to warn email users by tagging email that contains potentially dangerous HTML content. Alternatively, if you select to remove the HTML tags, then users can safely read the email to decide whether or not it is legitimate.

Configuring CDR attachment settings

For each CDR that content profiles can perform on attached files, configure how FortiMail should disarm or remove the files.

  1. Go to Security > Disarm & Reconstruction > Attachment.

  2. Configuring the following:

    GUI item

    Description

    Attachment handling for deferred email

    Configure the following:

    • Send notification: Enable for the recipient to receive a notification if an email attachment is subjected to deferred scanning.

      • Remove all: Send the notification with all the attachments removed.
      • Disarm Office/PDF and remove others: Send notification with the disarmed Microsoft Office or PDF attachments. Remove all other attachments that are not supported by CDR.
    • Verdict threshold to disarm on delivery: Enter the threshold at which attachments will be disarmed. For example, if set to Medium, the attachments with Medium, High, and Malicious verdicts will all be disarmed.

    Attachment scan by FortiSandbox

    By default, if content disarmament succeeds, then the FortiSandbox scan is bypassed. Enable Continue FortiSandbox scan on successful content disarm if you want to allow FortiSandbox to scan the attachment even after successful CDR.

  3. Click Apply.

  4. To use these settings as actions, select it in a content profile. See Configuring content disarm and reconstruction (CDR).

Configuring CDR URL click protection and removal options

If you do not configure CDR in the content profile to remove URLs, then users can click them. To protect users from malicious or spam URLs, such as phishing or advertising web sites, you can configure FortiMail to use the FortiGuard URL filter service and FortiSandbox to scan the URLs when users click them. Depending on the results from FortiGuard and FortiSandbox, you can decide if you want to allow users to go to the URLs or block them.

You can also integrate with FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution, which protects users against zero day malware and phishing threats that are delivered over the web and email. These threats may result in data loss, compromise, or ransomware. To protect users, FortiIsolator creates a virtual air gap between users' browsers and websites. Web content is executed in a remote disposable container and displayed to users visually, without running code from the website on their computer.

For each CDR action that content profiles can perform on URLs, configure how FortiMail should change or remove the URLs.

To configure URL click protection options

  1. Go to Security > Disarm & Reconstruction > URL.

  2. Configure the following:

    GUI item

    Description

    URL Click Protection Option

    URL Rewrite

    Category

    Select which URL rating category a URL must match in order to be rewritten. See also Configuring the FortiGuard URL filter.

    Base URL

    Enter the prefix https:// and then the FQDN or IP address of FortiMail. When users click a hyperlink, they will be directed to the rewritten URL on FortiMail first.

    Note: The https:// protocol prefix is required.

    Tip: The URL is rewritten in the format:

    https://example.com/fmlurlsvc/?fewReq/baseValue&url=originalUrlEscaped

    where originalUrlEscaped is the original URL in URL-encoded format. If you want to convert it back to see the original URL, you can use a text editor or online service such as:

    https://www.urldecoder.org

    URL Click Handling

    Category

    Select which URL rating category a URL must match in order to receive click handling. See also Configuring the FortiGuard URL filter.

    Action

    Select how the link will behave when click handling applies, and a user clicks a link: either Block or Allow with Confirmation.

    FortiSandbox Scan

    For all other URL categories not selected in Category, enable this setting if you want to send them to FortiSandbox for scanning (see Using FortiSandbox antivirus inspection).

    • Enable: Enable or disable the FortiSandbox scan.

    • Action: Select how the link will behave when a link is clicked during a FortiSandbox scan, either:

      • Allow with Confirmation : Allow access with warning.
      • Block: Block access.
      • Submit only: Allow access while sending the URLs for scanning.
    • Timeout: When the URLs are sent to FortiSandbox for scanning, it can take some time to get the results. Enter how long (in seconds) to wait for FortiSandbox scan results. If FortiMail does not get a reply in this time, then click handling instead uses the action in Timeout action.

    • Timeout action: Select how the link will behave when a user clicks a link after a FortiSandbox scan timeout, either:

      • Allow
      • Allow with Confirmation
      • Block

    FortiIsolator Integration

    Category

    Select which URL rating category a URL must match in order to be reached through FortiIsolator. See Configuring the FortiGuard URL filter.

    Base URL

    Enter the prefix https:// and then the FQDN or IP address of FortiIsolator.

    Note: The https:// protocol prefix is required.

    URL Removal

    Category

    Select which URL rating category a URL must match in order to be removed. See Configuring the FortiGuard URL filter.

    URL Neutralization

    Category

    Select which URL rating category a URL must match in order to be neutralized. See Configuring the FortiGuard URL filter.

    Include image source attribute

    Enable to neutralize URLs of images that are stored on remote web servers.

    Newsletters often do not embed images in email in order to keep the email file size small so that email can be sent to many people quickly. Instead, the image files are stored on a web server or CDN. Email clients download and display the image later, when each person reads their email. Normal newsletters often include a plain text version or a link to a web page to fall back if the images cannot be displayed in the email.

    Spammers and malware, however, can abuse remotely stored images to detect valid recipient addresses even when SMTP recipient verification is disabled, and to bypass email antispam and antivirus scans by transmitting the content over HTTPS instead of SMTP.

    Note: When you update FortiMail firmware from a previous version, default values are applied to any new settings. If this setting is new, the default results in a change in behavior. If you prefer the previous behavior, then enable this setting.

  3. Click Apply.

  4. To use these settings as actions, select it in a content profile. See Configuring content disarm and reconstruction (CDR).

Configuring content disarming and reconstruction

System-wide attachment and URL sanitization settings that are used by all content profiles are configured in Security > Disarm & Reconstruction.

About content disarming and reconstruction (CDR)

In an email and attachments, there may be risky URLs and HTML tags such as hyperlinks and JavaScript. Similarly, Microsoft Office and PDF attachments may have macros, links, and other active content that also can be used by spyware or malware. Zero-day or spear phishing attacks that have been specially crafted initially do not have matching virus signatures or URL ratings yet. Some email clients automatically display HTML and attachments, increasing the risk.

Content disarming and reconstruction (CDR) in content profiles (see Configuring content disarm and reconstruction (CDR)) allows you to remove or mitigate risky content and then reconstruct and still deliver the sanitized email, without affecting the integrity of the text in the email.

For example, HTML email, you could select an action in the content action profile to warn email users by tagging email that contains potentially dangerous HTML content. Alternatively, if you select to remove the HTML tags, then users can safely read the email to decide whether or not it is legitimate.

Configuring CDR attachment settings

For each CDR that content profiles can perform on attached files, configure how FortiMail should disarm or remove the files.

  1. Go to Security > Disarm & Reconstruction > Attachment.

  2. Configuring the following:

    GUI item

    Description

    Attachment handling for deferred email

    Configure the following:

    • Send notification: Enable for the recipient to receive a notification if an email attachment is subjected to deferred scanning.

      • Remove all: Send the notification with all the attachments removed.
      • Disarm Office/PDF and remove others: Send notification with the disarmed Microsoft Office or PDF attachments. Remove all other attachments that are not supported by CDR.
    • Verdict threshold to disarm on delivery: Enter the threshold at which attachments will be disarmed. For example, if set to Medium, the attachments with Medium, High, and Malicious verdicts will all be disarmed.

    Attachment scan by FortiSandbox

    By default, if content disarmament succeeds, then the FortiSandbox scan is bypassed. Enable Continue FortiSandbox scan on successful content disarm if you want to allow FortiSandbox to scan the attachment even after successful CDR.

  3. Click Apply.

  4. To use these settings as actions, select it in a content profile. See Configuring content disarm and reconstruction (CDR).

Configuring CDR URL click protection and removal options

If you do not configure CDR in the content profile to remove URLs, then users can click them. To protect users from malicious or spam URLs, such as phishing or advertising web sites, you can configure FortiMail to use the FortiGuard URL filter service and FortiSandbox to scan the URLs when users click them. Depending on the results from FortiGuard and FortiSandbox, you can decide if you want to allow users to go to the URLs or block them.

You can also integrate with FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution, which protects users against zero day malware and phishing threats that are delivered over the web and email. These threats may result in data loss, compromise, or ransomware. To protect users, FortiIsolator creates a virtual air gap between users' browsers and websites. Web content is executed in a remote disposable container and displayed to users visually, without running code from the website on their computer.

For each CDR action that content profiles can perform on URLs, configure how FortiMail should change or remove the URLs.

To configure URL click protection options

  1. Go to Security > Disarm & Reconstruction > URL.

  2. Configure the following:

    GUI item

    Description

    URL Click Protection Option

    URL Rewrite

    Category

    Select which URL rating category a URL must match in order to be rewritten. See also Configuring the FortiGuard URL filter.

    Base URL

    Enter the prefix https:// and then the FQDN or IP address of FortiMail. When users click a hyperlink, they will be directed to the rewritten URL on FortiMail first.

    Note: The https:// protocol prefix is required.

    Tip: The URL is rewritten in the format:

    https://example.com/fmlurlsvc/?fewReq/baseValue&url=originalUrlEscaped

    where originalUrlEscaped is the original URL in URL-encoded format. If you want to convert it back to see the original URL, you can use a text editor or online service such as:

    https://www.urldecoder.org

    URL Click Handling

    Category

    Select which URL rating category a URL must match in order to receive click handling. See also Configuring the FortiGuard URL filter.

    Action

    Select how the link will behave when click handling applies, and a user clicks a link: either Block or Allow with Confirmation.

    FortiSandbox Scan

    For all other URL categories not selected in Category, enable this setting if you want to send them to FortiSandbox for scanning (see Using FortiSandbox antivirus inspection).

    • Enable: Enable or disable the FortiSandbox scan.

    • Action: Select how the link will behave when a link is clicked during a FortiSandbox scan, either:

      • Allow with Confirmation : Allow access with warning.
      • Block: Block access.
      • Submit only: Allow access while sending the URLs for scanning.
    • Timeout: When the URLs are sent to FortiSandbox for scanning, it can take some time to get the results. Enter how long (in seconds) to wait for FortiSandbox scan results. If FortiMail does not get a reply in this time, then click handling instead uses the action in Timeout action.

    • Timeout action: Select how the link will behave when a user clicks a link after a FortiSandbox scan timeout, either:

      • Allow
      • Allow with Confirmation
      • Block

    FortiIsolator Integration

    Category

    Select which URL rating category a URL must match in order to be reached through FortiIsolator. See Configuring the FortiGuard URL filter.

    Base URL

    Enter the prefix https:// and then the FQDN or IP address of FortiIsolator.

    Note: The https:// protocol prefix is required.

    URL Removal

    Category

    Select which URL rating category a URL must match in order to be removed. See Configuring the FortiGuard URL filter.

    URL Neutralization

    Category

    Select which URL rating category a URL must match in order to be neutralized. See Configuring the FortiGuard URL filter.

    Include image source attribute

    Enable to neutralize URLs of images that are stored on remote web servers.

    Newsletters often do not embed images in email in order to keep the email file size small so that email can be sent to many people quickly. Instead, the image files are stored on a web server or CDN. Email clients download and display the image later, when each person reads their email. Normal newsletters often include a plain text version or a link to a web page to fall back if the images cannot be displayed in the email.

    Spammers and malware, however, can abuse remotely stored images to detect valid recipient addresses even when SMTP recipient verification is disabled, and to bypass email antispam and antivirus scans by transmitting the content over HTTPS instead of SMTP.

    Note: When you update FortiMail firmware from a previous version, default values are applied to any new settings. If this setting is new, the default results in a change in behavior. If you prefer the previous behavior, then enable this setting.

  3. Click Apply.

  4. To use these settings as actions, select it in a content profile. See Configuring content disarm and reconstruction (CDR).