Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.
If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.
For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.
Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.
MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.
The MMS Profile page contains options for each of the following:
- MMS scanning
- MMS Bulk Email Filtering Detection
- MMS Address Translation
- MMS Notifications
- DLP Archive
- Logging
MMS profile configuration settings
The following are MMS profile configuration settings in Security Profiles > MMS Profile.
|MMS Profile page|
Lists each individual MMS profile that you created. On this page, you can edit, delete or create an MMS profile.
|Create New Creates a new MMS profile. When you select Create New, you are automatically redirected to the New MMS Profile page.|
|Edit Modifies settings within an MMS profile. When you select Edit, you are automatically redirected to the Edit MMS Profile.|
|Delete Removes an MMS profile from the list on the MMS Profile page.
To remove multiple MMS profiles from within the list, on the MMS Profile page, in each of the rows of the profiles you want removed, select the check box and then select Delete.
To remove all MMS profiles from the list, on the MMS Profile page, select the check box in the check box column, and then select Delete.|
|Name The name of the MMS profile.|
|Ref. Displays the number of times the object is referenced by other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus), 1 appears in Ref.
To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.
To view more information about how the object is being used, use one of the following icons available within the Object Usage window:
View the list page for these objects – automatically redirects you to the list page where the object is referenced.
Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.
View the details for this object – a table, similar to the log viewer table, that contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.|
|New MMS Profile page|
Provides settings for configuring an MMS profile. This page also provides settings for configuring DLP archives and logging.
|Profile Name Enter a name for the profile.|
|Comments Enter a description about the profile. This is optional.|
|MMS Scanning Configure MMS Scanning options.|
|MMS Bulk Email Filtering Detection Configure MMS Bulk Email options.|
|MMS Address Translation Configure MMS Address Translation options.|
|MMS Notifications Configure MMS Notification options.|
|DLP Archive Configure DLP archive option.|
|Logging Configure logging options.|
MMS scanning options
You can configure MMS scanning protection profile options to apply virus scanning, file filtering, content filtering, carrier endpoint blocking, and other scanning to MMS messages transmitted using the MM1, MM3, MM4 and MM7 protocols.
The following are the MMS Scanning options that are available within an MMS profile. You can create an MMS profile in Security Profiles > MMS Profile or edit an existing one. You must expand MMS Scanning to access the following options.
|MMS Scanning section of the New MMS Profile page|
|Monitor Only Select to cause the unit to record log messages when MMS scanning options find a virus, match a file name, or match content using any of the other MMS scanning options. Select this option to be able to report on viruses and other problems in MMS traffic without affecting users.
Tip: Select Remove Blocked if you want the unit to actually remove content intercepted by MMS scanning options.|
|Virus Scan Select to scan attachments in MMS traffic for viruses.
Since MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configuration also apply to MM1 and MM7 scanning.
MM3 and MM4 use SMTP, so the oversize limits for SMTP and the SMTP antivirus port configuration also apply to MM3 and MM4 scanning.|
|Scan MM1 message retrieval Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.|
|Remove Blocked Select to remove blocked content from each protocol and replace it with the replacement message.
Select Constant if the unit is to preserve the length of the message when removing blocked content, as may occur when billing is affected by the length of the message.
Tip: If you only want to monitor blocked content, select Monitor Only.|
|Content Filter Select to filter messages based on matching the content of the message with the words or patterns in the selected web content filter list.|
|Carrier Endpoint Block Select to add Carrier Endpoint Filtering in this MMS profile. Select the carrier endpoint filter list to apply it to the profile.|
|MMS Content Checksum Select to add MMS Content Checksum in this MMS profile. Select the MMS content checksum list to apply it to the profile.|
|Pass Fragmented Messages Select to pass fragmented MM3 and MM4 messages. Fragmented MMS messages cannot be scanned for viruses. If you do not select these options, fragmented MM3 and MM4 messages are blocked.|
|Comfort Clients Select client comforting for MM1 and MM7 sessions.
Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like HTTP client comforting.|
|Comfort Servers Select server comforting for each protocol.
Similar to client comforting, you can use server comforting to prevent server connection timeouts that can occur while waiting for the unit to buffer and scan large POST requests from slow clients.|
|Interval (1-900 seconds) Enter the time in seconds before client and server comforting starts after the download has begun, and the time between sending
The number of bytes sent by client or server comforting at each interval. bytes)
|Oversized MMS Message Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.
The oversize threshold refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.|
|Threshold (1KB – 800 MB) Enter the oversized file threshold and select KB or MB. If a file is larger than the threshold the file is passed or blocked depending on the Oversized MMS Message setting. The web-based manager displays the allowed threshold range. The threshold maximum is 10% of the unit’s RAM.|
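The encoding overhead described under Oversized MMS Message can be measured before choosing a threshold. The following is an added example, not Fortinet code: it builds a constructed SMTP-style message (the transport MM3 and MM4 use) with one base64-encoded attachment and compares its encoded size to the threshold. The 1 MB threshold, sample headers and function names are assumptions for illustration.

```python
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

KB = 1024
MB = 1024 * KB

def wire_size(attachment: bytes) -> int:
    """Encoded size of a constructed message carrying one base64 attachment."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.invalid"        # constructed sample headers
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("see attachment", "plain"))
    msg.attach(MIMEApplication(attachment))       # base64 is the default encoder
    # SMTP lines end in CRLF, so serialize with that line separator.
    return len(msg.as_bytes(policy=msg.policy.clone(linesep="\r\n")))

def oversize_verdict(size: int, threshold: int, setting: str):
    """Model of the rule above: past the threshold, Block or Pass decides.

    Returns (oversized, action); action is None when the message is within
    the threshold, because the oversize setting does not apply to it.
    """
    if setting not in ("block", "pass"):
        raise ValueError("setting must be 'block' or 'pass'")
    oversized = size > threshold
    return oversized, (setting if oversized else None)

def largest_fitting_attachment(threshold: int) -> int:
    """Largest raw attachment (bytes) whose encoded message fits the threshold."""
    if wire_size(b"") > threshold:
        raise ValueError("threshold is smaller than an empty message")
    lo, hi = 0, threshold                         # encoded size never shrinks as
    while lo < hi:                                # the attachment grows, so a
        mid = (lo + hi + 1) // 2                  # binary search is valid
        if wire_size(bytes(mid)) <= threshold:
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    threshold = 1 * MB                            # assumed threshold value
    for raw in (700 * KB, 800 * KB):
        size = wire_size(bytes(raw))
        print(raw, size, oversize_verdict(size, threshold, "block"))
    fit = largest_fitting_attachment(threshold)
    print("largest raw attachment that fits:", fit, f"({fit / threshold:.0%})")
```

With base64, only about 73% of the threshold is available to the raw attachment, so an 800 KB file already exceeds a 1 MB threshold.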