Sender notifications and logging
In most cases you will notify the sender that they are causing problems on the network — either by sending malware content, flooding the network, or some other unwanted activity. The notification assumes the sender is unaware of their activity and will stop or correct it when notified.
However, senders who are notified may use this information to circumvent administration’s precautions. For example if flood notification is set to 1000 messages per minute, a notified user may simply reduce their message to 990 messages per minute if this flood is intentional. For this reason, not all problems include sender notifications.
There are two methods of notifying senders:
- MMS notifications l Replacement messages
And three details to consider for logging and notifying administrators:
- Logging and reporting l MMS logging options l SNMP
MMS notifications enable you to customize notifications for many different situations and differently for all the supported MMS message protocols — MM1, MM3, MM4, and MM7.
MMS notification types include:
l Content Filter l File Block l Carrier Endpoint Block l Flood l Duplicate l MMS Content Checksum l Virus Scan
Day of Week, Window start time and Window Duration define what days and what time of day alert notifications will be sent. This allows you to control what alerts are sent on weekends. It also lets you control when to start sending notifications each day. This can be useful if system maintenance is performed at the same time each night — you might want to start alert notifications after maintenance has completed. Another reason to limit the time alert messages are sent could be to limit message traffic to business hours.
Notifications screen for FortiOS Carrier MMS Profile
For MMS Notification options, see MMS Notifications.
FortiGate units send replacement messages when messages or content is blocked, quarantined, or otherwise diverted from the receiver. In it’s place a message is sent to notify the receiver what happened.
With FortiOS Carrier MMS replacement messages, send and receive message types are supported separately and receive their own custom replacement messages. This allows the network to potentially notify both the sender and receiver of the problem.
For example the replacement message MM1 send-req file block message is sent to the device that sent one or more files that were banned. The default message that is sent is This device has sent %%NUM_ MSG%% messages containing banned files in the last %%DURATION%% hours. The two variables are replaced by the appropriate values.
Replacement messages are not as detailed or specific as MMS notifications, but they are also not as complicated to configure. They are also useful when content has been removed from an MMS message that was still delivered.
Logging and reporting
With each virus infection, or file block, a syslog message is generated. The format of this syslog message is similar to:
2005-09-22 19:15:47 deviceid=FGT5001ABCDEF1234 logid=0211060ABC type=virus subtype=infected level=warning src=10.1.2.3 dst=10.2.3.4 srcintf=port1 dstintf=port2 service=mm1 status=blocked from=”<sending MSISDN>” to=”<receiving MSISDN>” file=”eicar.com.txt” virus=”EICAR_TEST_FILE” msg=”The file eicar.com.txt is infected with EICAR_TEST_FILE. ref
Note that the from and to fields are samples and not real values.
MMS logging options
You can enable logging in an MMS protection profile to write event log messages when the MMS protection profile options that you have enabled perform an action. For example, if you enable MMS antivirus protection, you could also use the MMS protection profile logging options to write an event log message every time a virus is detected.
To record these log messages you must first configure how the FortiOS Carrier unit stores log messages.
To configure MMS content archiving, go to Security Profiles > MMS Profile. Select Create New or select the Edit icon beside an existing profile. Expand MMS Bulk AntiSpam Detection > Logging. Complete the fields as described in the following table and select OK. For more a detailed list of options, see Logging.
A simple SNMP trap will be generated to inform the operators’ alerting system that a virus has been detected. This SNMP trap could contain the sending and receiving MSISDN, however the initial solution would reflect the current behavior, i.e. only the fact that a virus has been detected will be communicated.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!