Category Archives: FortiOS 6.2

DLP watermarking

DLP watermarking

Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).

FortiExplorer client, or a Linux-based command line tool, can be used to add a watermark to the following file types: l .txt

.doc and .docx
.pdf
.ppt and .pptx
.xls and .xlsx

The following information is covered in this section:

Watermarking a file with FortiExplorer. l Watermarking a file with the Linux tool. l Configuring a DLP sensor to detect watermarked files.

FortiExplorer

In this example, a watermark will be added to small text file. The content of the file is:

This is to show how DLP watermarking is done using FortiExplorer.

FortiExplorer can also be used to watermark an entire directory.

To watermark the text file with FortiExplorer:

Open the FortiExplorer client.
Select DLP Watermark from the left side bar.
Set Apply Watermark To to Select File.
Browse for the file, copy the file’s path into the Select File
Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
Enter a company identifier in the Identifier
Select the Output Directory where the watermarked file will be saved.
Click Apply Watermark. The file is watermarked.
The watermarked file content is changed to:

This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=

Linux-based command line tool

A Linux-based command line tool can be used to watermark files. The tool can be executed is a Linux environment by passing in files or directories of files.

To download the tool:

Log in to Fortinet Service and Support. A valid support contract is required.
Go to Download > Firmware Images.
Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
Download the fortinet-watermark-linux.out

To run the tool:

Enter the following to run the tool on a file:

watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level> Enter the following to run the tool on a directory:

watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>

The following options are available:

-h	Print this help.
-I	Watermark the file in place (don’t make a copy of the file).
-o	The output file or directory.
-e	Encode <to non-readable>.
-i	Add a watermark identifier.
-l	Add a watermark sensitivity level.
-D	Delete a watermark identifier.
-L	Delete a watermark sensitivity level.

DLP watermark sensor

A DLP watermark sensor must be configured to detect watermarked files.

To configure a DLP watermark sensor:

config dlp sensor edit <sensor name> config filter edit <id number of filter>

set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi} <– Pro-

tocol to inspect set filter-by watermark

set sensitivity {Critical | Private | Warning}

set company-identifier <string>

set action {allow | log-only | block | ban | quarantine-ip}

end

next end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

DLP fingerprinting

Leave a reply

DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded and the

FortiGate generates and stores a checksum fingerprint. The FortiGate unit generates a fingerprint for all of the files that

are detected in network traffic, and compares all of the checksums stored in its database. If a match is found, the configured action is taken.

Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

To use fingerprinting:

Select the files to be fingerprinted by targeting a document source. l Add fingerprinting filters to DLP sensors.
Add the sensors to firewall policies that accept traffic that the fingerprinting will be applied on.

To configure a DLP fingerprint document:

config dlp fp-doc-source edit <name_str> set server-type smb set server <string>

set period {none | daily | weekly | monthly} set vdom {mgmt | current} set scan-subdirectories {enable | disable} set remove-deleted {enable | disable} set keep-modified {enable | disable} set username <string> set password <password> set file-path <string> set file-pattern <string>

set sensitivity <Critical | Private | Warning> set tod-hour <integer> set tod-min <integer>

set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} set date <integer>

next end

Command	Description
server-type smb	The protocol used to communicate with document server. Only Samba (SMB) servers are supported.
server <string>	IPv4 or IPv6 address of the server.
period {none \| daily \| weekly \| monthly}	The frequency that the FortiGate checks the server for new or changed files.
vdom {mgmt \| current}	The VDOM that can communicate with the file server.
scan-subdirectories {enable \| disable}	Enable/disable scanning subdirectories to find files.
Command		Description
remove-deleted {enable \| disable}		Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.
keep-modified {enable \| disable}		Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.
username <string>		The user name required to log into the file server.
password <password>		The password required to log into the file server.
file-path <string>		The path on the server to the fingerprint files.
file-pattern <string>		Files matching this pattern on the server are fingerprinted.
sensitivity <Critical \| Private \| Warning>		The sensitivity or threat level for matches with this fingerprint database.
tod-hour <integer>		Set the hour of the day. This option is only available when period is not none.
tod-min <integer>		Set the minute of the hour. This option is only available when period is not none.
weekday {sunday \| monday \| tuesday \| wednesday \| thursday \| friday \| saturday}		Set the day of the week. This option is only available when period is weekly.
date <integer>		Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint sensor:

config dlp sensor edit <sensor name> config filter edit <id number of filter> set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi} set filter-by fingerprint

set sensitivity {Critical | Private | Warning}

set match-percentage <integer>

set action {allow | log-only | block | ban | quarantine-ip}

end

next end

Command	Description
proto {smtp \| pop3 \| imap http-get \| http-post \| ftp \| nntp \| mapi}	The protocol to inspect.
filter-by fingerprint	Match against a fingerprint sensitivity.
sensitivity {Critical \| Private \| Warning}	Select a DLP file pattern sensitivity to match.
match-percentage <integer>	The percentage of the checksum required to match before the sensor
Command	Description
	is triggered.
action {allow \| log-only \| block \| ban \| quarantine-ip}	The action to take with content that this DLP sensor matches.

View the DLP fingerprint database on the FortiGate

The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.

Fingerprint Daemon Test Usage;

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1 : This menu

: Dump database
: Dump all files
: Dump all chunk
: Refresh all doc sources in all VDOMs
: Show the db file size and the limit
: Display stats
: Clear stats

99 : Restart this daemon

For example, option 3 will dump all fingerprinted files:

DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3 DLPFP diag_test_handler called File DB: ————————————— id, filename, vdom, archive, deleted, scanTime, docSourceSrvr,
sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 1, 0,	0,	0,	1494868196, 1,	2,
2, /fingerprint/upload/30percentage.xls, vdom1, 13, 0,	0,	0,	1356118250, 1,	2,
3, /fingerprint/upload/50.pdf, vdom1, 122, 0,	0,	0,	1356118250, 1,	2,
4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 114, 0,	0,	0,	1356118250, 1,	2,
5, /fingerprint/upload/check-list_AL-SIP_HA.xls, 2, 32, 0,	vdom1,	0,	0, 1356118251,	1,
6, /fingerprint/upload/clean.zip, vdom1, 1, 0,	0,	0,	1356118251, 1,	2,
7, /fingerprint/upload/compare.doc, vdom1, 18, 0,	0,	0,	1522097410, 1,	2,
8, /fingerprint/upload/dlpsensor-watermark.pdf, 2, 11, 0,	vdom1,	0,	0, 1356118250,	1,
9, /fingerprint/upload/eicar.com, vdom1, 1, 0,	0,	0,	1356118250, 1,	2,
10, /fingerprint/upload/eicar.zip, vdom1, 1, 0,	0,	0,	1356118250, 1,	2,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, 2, 11, 0,	vdom1,	0,	0, 1356118250,	1,
12, /fingerprint/upload/encrypt.zip, vdom1, 77, 0,	0,	0,	1356118250, 1,	2,
13, /fingerprint/upload/extension_7_8_1.crx, 2, 2720, 0,	vdom1,	0,	0, 1528751781,	1,
14, /fingerprint/upload/fingerprint.txt, vdom1,	0,	0,	1498582679, 1,	2,

37, 0,
15, /fingerprint/upload/fingerprint90.txt, vdom1, 37, 0,	0,	0,	1498582679, 1,		2,
16, /fingerprint/upload/fo2.pdf, vdom1, 1, 0,	0,	0,	1450488049, 1,		2,
17, /fingerprint/upload/foo.doc, vdom1, 9, 0,	0,	0,	1388538131, 1,		2,
18, /fingerprint/upload/fortiauto.pdf, vdom1, 146, 0,	0,	0,	1356118251, 1,		2,
19, /fingerprint/upload/image.out, vdom1, 5410, 0,	0,	0,	1531802940, 1,		2,
20, /fingerprint/upload/jon_file.txt, vdom1, 1, 0,	0,	0,	1536596091, 1,		2,
21, /fingerprint/upload/machotest, vdom1, 19, 0,	0,	0,	1528751955, 1,		2,
22, /fingerprint/upload/nntp-server.doc, vdom1, 17, 0,	0,	0,	1356118250, 1,		2,
23, /fingerprint/upload/notepad++.exe, vdom1, 1061, 0,	0,	0,	1456090734, 1,		2,
24, /fingerprint/upload/nppIExplorerShell.exe, 2, 5, 0,	vdom1,	0,	0, 1438559930,		1,
25, /fingerprint/upload/NppShell_06.dll, vdom1, 111, 0,	0,	0,	1456090736, 1,		2,
26, /fingerprint/upload/PowerCollections.chm, 2, 728, 0,	vdom1,	0,	0, 1533336889,		1,
27, /fingerprint/upload/reflector.dmg, vdom1, 21117, 0,	0,	0,	1533336857,	1,	2,
28, /fingerprint/upload/roxio.iso, vdom1, 49251,0,	0,	0,	1517531765,	1,	2,
29, /fingerprint/upload/SciLexer.dll, vdom1, 541, 0,	0,	0,	1456090736,	1,	2,
30, /fingerprint/upload/screen.jpg, vdom1, 55, 0,	0,	0,	1356118250,	1,	2,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, 1356118251, 1, 2, 31, 0,			vdom1, 0,	0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, 0, 1529019743, 1, 2, 1, 0,				vdom1,	0,
33, /fingerprint/upload/test.pdf, vdom1, 0, 0, 1356118250, 5, 0,				1,	2,
34, /fingerprint/upload/test.tar, vdom1, 0, 0, 1356118251, 3, 0,				1,	2,
35, /fingerprint/upload/test.tar.gz, vdom1, 0, 0, 1356118250, 1, 0,				1,	2,
36, /fingerprint/upload/test1.txt, vdom1, 0, 0, 1540317547, 1, 0,				1,	2,
37, /fingerprint/upload/thousand-files.zip, vdom1, 0, 0, 1536611774, 241, 0,				1,	2,
38, /fingerprint/upload/Thumbs.db, vdom1, 0, 0, 1445878135, 3, 0,				1,	2,
39, /fingerprint/upload/widget.pdf, vdom1, 0, 0, 1356118251, 18, 0,				1,	2,
40, /fingerprint/upload/xx00-xx01.tar, vdom1, 0, 0, 1356118250, 5, 0,				1,	2,
41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 0, 0, 1356118251, 1, 0,				1,	2,

Basic DLP filter types

1 Reply

Basic DLP filter types

File type and name

A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.

To configure file type and name filtering using the CLI:

Create a file pattern to filter files based on the file name patter or file type:

config dlp filepattern edit <filepatern_entry_integer> set name <string> config entries edit <file pattern> set filter-type <type | pattern> set file-type <file type>

end

For example, to filter for GIFs and PDFs:

config dlp filepattern edit 11 set name “sample_config” config entries edit “*.gif” set filter-type pattern

next edit “pdf” set filter-type type set file-type pdf

end

Attach the file pattern to a DLP sensor, and specify the protocols and actions:

config dlp sensor edit <string> config filter edit <integer> set name <string>

set file-type 11 <– Previously configured filepattern set action <allow | log-only| block | quarantine-ip>

end

next end

To configure file type and name filtering using the GUI:

Go to Security Profiles > Data Leak Prevention.
Click Create New. The New DLP Sensor page opens.
Click Add Filter in the filter table. The New Filter pane opens.
Set Type to Files and select Specify File Types.
Add file types by clicking in the File Types field and select file types from the side pane.
Add file name patterns by clicking in the File Name Patterns field:
1. In the side pane that opens, enter the pattern in the search bar.
2. Click Create.
3. Select the newly created pattern.

File size

A file size filter checks for files that exceed the specific size, and performs the DLP sensor’s configured action on them.

To configure file size filtering using the CLI:

set file-type 11 <– Previously configured filepattern set action <allow | log-only| block | quarantine-ip>

end

To configure file size filtering using the GUI:

Go to Security Profiles > Data Leak Prevention.
Click Create New. The New DLP Sensor page opens.
Click Add Filter in the filter table. The New Filter pane opens.
Set Type to Files and select File size over.
Enter the maximum file size, in kilobytes, in the File size over field, then click OK.

Regular expression

A regular expression filter is used to filter files or messages based on the configured regular expression pattern.

To configure regular expression filtering using the CLI:

config dlp sensor edit <string> config filter edit <integer> set name <string>

set type <file | message> <– Check contents of a file or of messages, web

end

To configure regular expression filtering using the GUI:

Go to Security Profiles > Data Leak Prevention.
Click Create New. The New DLP Sensor page opens.
Click Add Filter in the filter table. The New Filter pane opens.
For filtering regular expressions in files, set Type to Files. For filtering in messages, set Type to Messages.
Select RegularExpression.
Enter the regular expression string in the RegularExpression field, then click OK.

Credit card and SSN

The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.

The SSN sensor can be used to filter files or messages for Social Security Numbers.

To configure credit card or SSN filtering using the CLI:

config dlp sensor edit <string> config filter edit <integer> set name <string>

set type <file | message> <– Check contents of a file, or of messages, web

numbers

set action <allow | log-only| block | quarantine-ip>

end

To configure credit card or SSN filtering using the GUI:

Go to Security Profiles > Data Leak Prevention.
Click Create New. The New DLP Sensor page opens.
Click Add Filter in the filter table. The New Filter pane opens.
For filtering in files, set Type to Files. For filtering in messages, set Type to Messages.
Select Containing.
Select Credit Card # or SSN from the Containing drop-down list, then click OK.

Data leak prevention

1 Reply

Data leak prevention

The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from leaving your network. Data matching defined sensitive data patterns are blocked, logged, or allowed when passing through the FortiGate unit.

The DLP system is configured by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule in a DLP sensor, and assigning the sensor to a security policy.

A DLP sensor is made of filters that are configured within it. The filters examine traffic for:

Known files used DLP Fingerprints l Known files using DLP Watermark l Files of a particular type l Files with a particular name l Files larger than a specified size l Data matching a specified regular expression l Credit card and SSN numbers

When a match to a filter is detected, the possible actions include:

Allow: No action is taken, even if the pattern specified in the filter is matched. l Log: The filter match is logged. l Block: Traffic matching the filter is blocked. l Quarantine IP address: Traffic matching the filter is blocked, and the client initiating the traffic is soure IP banned.

The primary use of the DLP feature is to stop sensitive data from the leaving the network. It can also be used to prevent unwanted data from entering the network, and to archive some or all of the content that is passing through the FortiGate device. DLP archiving is configured per filter, allowing for a single sensor that archives only the required data.

There are two forms of DLP archiving: l Summary Only

A summary of all the activity that the sensor detected is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the web, every URL that they visit is recorded. l Full

Detailed records of all the activity that the sensor detects is recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses the web, every page that they visit is archived.

Email Filter – File Filter for email filter

Leave a reply

File Filter for email filter

Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Email filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. In this article we will discuss Email filter File Filtering.

Currently, File Filtering in Email filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

GUI configuration have yet to be implemented. In addition, Email filter File Filtering will only work on proxy mode policies.

File Types Supported

File Filter in Email filter profile supports the following file types:

File Type Name	Description
all	Match any file
7z	Match 7-zip files
arj	Match arj compressed files
cab	Match Windows cab files
lzh	Match lzh compressed files
rar	Match rar archives
tar	Match tar files
zip	Match zip files
bzip	Match bzip files
gzip	Match gzip files
bzip2	Match bzip2 files
xz	Match xz files
bat	Match Windows batch files
msc	Match msc files
uue	Match uue files
mime	Match mime files
base64	Match base64 files
binhex	Match binhex files
bin	Match bin files
elf	Match elf files
exe	Match Windows executable files
hta	Match hta files
html	Match html files
jad	Match jad files
class	Match class files
cod	Match cod files
javascript	Match javascript files
msoffice	Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex	Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.

File Type Name	Description
fsg	Match fsg files
upx	Match upx files
petite	Match petite files
aspack	Match aspack files
prc	Match prc files
sis	Match sis files
hlp	Match Windows help files
activemime	Match activemime files
jpeg	Match jpeg files
gif	Match gif files
tiff	Match tiff files
png	Match png files
bmp	Match bmp files
ignored	Match ignored files
unknown	Match unknown files
mpeg	Match mpeg files
mov	Match mov files
mp3	Match mp3 files
wma	Match wma files
wav	Match wav files
pdf	Match pdf files
avi	Match avi files
rm	Match rm files
torrent	Match torrent files
msi	Match Windows Installer msi bzip files
mach-o	Match Mach object files
dmg	Match Apple disk image files
.net	Match .NET files
xar	Match xar archive files
chm	Match Windows compiled HTML help files
File Type Name	Description
iso	Match ISO archive files
crx	Match Chrome extension files

Configure File Filter from CLI

Using CLI, configuration for File Filtering is nested inside Email filter profile’s configuration.

In File filtering configuration, file filtering functionality and logging is independent of the Email filter profile.

To block or log a file type, we must configure file filter entries. Within each entry we can specify a file-type, action (log|block), protocol to inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and if we should match only encrypted files. In addition, in each file filter entry we can specify multiple file types. File filter entries are ordered, however, blocked will take precedence over log.

In the example CLI below we want to file filter the following using Email filter profile:

Block EXE files from received or sent out (filter1).
Log the sending of document files (filter2).

config emailfilter profile edit “emailfilter-file-filter” config file-filter

set status enable <— Allow user to disable/enable file fil-

tering

set log enable <— Allow user to disable/enable logging for file filtering set scan-archive-contents enable <— Allow scanning of files inside archives

such as ZIP, RAR config entries edit “filter1”

set comment “Block executable files”

set protocol smtp imap pop3 <— Inspect all email traffic set action block <— Block file once file type is matched set encryption any <— Inspect both encrypted and un-encrypted

files

set file-type “exe” <— Choosing the file type to match next edit “filter2”

set comment “Log document files”

set protocol smtp <— Inspect only SMTP traffic

set action log <— Log file once file type is matched set encryption any

set file-type “pdf” “msoffice” “msofficex” <— Multiple file types can be con-

figured in a single entry next

end

After configuring File Filter in Email filter profile, we must apply it to a firewall policy.

config firewall policy edit 1 set name “client-to-internet”

set srcintf “port2” set dstintf “port1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set utm-inspection-mode proxy set logtraffic all set emailfilter profile “email-file-filter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

end

CLI Example:

File Filter action as “Block”:

1: date=2019-01-25 time=15:20:16 logid=”0554020511″ type=”utm” subtype=”emailfilter” eventtype=”file_filter” level=”warning” vd=”vdom1″ eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf=”port2″ srcintfrole=”undefined” dstip=172.16.200.56 dstport=143 dstintf=”port1″ dstintfrole=”undefined” proto=6 service=”IMAP” action=”blocked” from=”emailuser1@qa.fortinet.com” to=”emailuser2@qa.fortinet.com” recipient=”emailuser2″ direction=”incoming” subject=”EXE file block” size=”622346″ attachment=”yes” filename=”putty.exe” filtername=”filter1″ filetype=”exe” File Filter action as “Log”:

1: date=2019-01-25 time=15:23:16 logid=”0554020510″ type=”utm” subtype=”emailfilter” eventtype=”file_filter” level=”notice” vd=”vdom1″ eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf=”port2″ srcintfrole=”undefined” dstip=172.16.200.56 dstport=25 dstintf=”port1″ dstintfrole=”undefined” proto=6 service=”SMTP” pro-

file=”emailfilter-file-filter” action=”detected” from=”emailuser1@qa.fortinet.com” to=”-

“emailuser2@qa.fortinet.com” sender=”emailuser1@qa.fortinet.com” recipient=”emailuser2@qa.fortinet.com” direction=”outgoing” subject=”PDF file log” sizee=”390804″ attachment=”yes” filename=”fortiauto.pdf” filtername=”filter2″ filetype=”pdf”

Email Filter – Checking the log

Leave a reply

Checking the log

To check the email filter log in the CLI:

execute log filter category 5 execute log display

1 logs found.

1 logs returned.

1: date=2019-04-09 time=03:41:18 logid=”0510020491″ type=”utm” subtype=”emailfilter” eventtype=”imap” level=”notice” vd=”vdom1″ eventtime=1554806478647415130 policyid=1 sessionid=439 srcip=10.1.100.22 srcport=39937 srcintf=”port21″ srcintfrole=”undefined” dstip=172.16.200.45 dstport=143 dstintf=”port17″ dstintfrole=”undefined” proto=6 service=”IMAPS” profile=”822881″ action=”blocked” from=”testpc3@qa.fortinet.com” to=”testpc3@qa.fortinet.com” recipient=”testpc3″ direction=”incoming” msg=”from ip is in ip blacklist.(path black ip 172.16.200.9)” subject=”testcase822881″ size=”525″ attachment=”no”

To check the email filter log in the GUI:

Go to Log & Report > Anti-Spam.

Email Filter – Webmail

Leave a reply

Webmail

The FortiGate email filter is intended to filter standard email protocols including SMTP, POP3, IMAP, and MAPI, however, it can also be configured to detect and log emails sent through some webmail interfaces. The supported webmail interfaces include Gmail and MSN-Hotmail.

To configure webmail filtering through the CLI:

config emailfilter profile edit “myWebMailDetector” set spam-filtering enable config msn-hotmail set log enable

end config gmail set log enable

end

Protocols and actions

Leave a reply

Protocols and actions

In an email filtering profile, there are sections for SMTP, POP3, and IMAP protocols. In each section, you can set an action to either discard, tag, or pass the log for that protocol.

CLI Example:

config smtp set log enable set action tag

end

Actions available for each protocol:

Protocol	Available action
SMTP	Pass: Allow spam email to pass through.
	Tag: Tag spam email with configured text in the subject or header.
	Discard: Discards (blocks) spam email.
POP3 & IMAP MAPI:	Pass: Allow spam email to pass through.
	Tag: Tag spam email with configured text in the subject or header.
	Pass: Allow spam email to pass through.
	Discard: Discards (blocks) spam email.

MAPI email filtering

MAPI is a proprietary protocol from Microsoft. It uses HTTPS to encapsulate email requests and responses between Microsoft Outlook clients and Microsoft Exchange servers. The configuration of MAPI email filters are only possible through the CLI.

To configure the MAPI email filter in the CLI:

config emailfilter profile edit “myMapiFilter” set spam-filtering enable

set options spamfsip spamfssubmit spamfsurl spamfsphish config mapi set log enable set action “discard or pass”

end