Viewing DLP archived messages

If DLP Archive is a selected message flood action, the messages that exceed the threshold are saved to the MMS DLP archive. The default behavior is to save all of the offending messages, but you can configure the DLP archive setting to save only the first message that exceeds the threshold. This still provides a sample of the offending messages without requiring as much storage.

 

To select only the first message in a flood for DLP archiving – web-based manager

1. Go to Security Profiles > Carrier > MMS Profile.

2. Edit an existing MMS Profile.

3. Expand the MMS Bulk Email Filtering Detection section, the Message Flood subsection, and the desired Flood Threshold subsection.

4. Next to DLP Archive, select First message only from the dropdown menu.

5. Select OK.

 

Order of operations: flood checking before duplicate checking

Although duplicate checking involves only examination and comparison of message contents and not the sender or recipient, and flood checking involves only totalling the number of messages sent by each subscriber regardless of the message content, there are times when a selection of messages exceed both flood and duplicate thresholds.

The Carrier-enabled FortiGate unit checks for message floods before checking for duplicate messages. Flood checking is less resource-intensive and if the flood threshold invokes a Block action, the blocked messages are stopped before duplicate checking occurs. This saves both time and FortiOS Carrier system resources.

The duplicate scanner will only scan content. It will not scan headers. Content must be exactly the same. If there is any difference at all in the content, it will not be considered a duplicate.

 

Bypassing message flood protection based on user’s carrier endpoints

You can use carrier endpoint filtering to exempt MMS sessions from message flood protection. Carrier endpoint filtering matches carrier endpoints in MMS sessions with carrier endpoint patterns.

If you add a carrier endpoint pattern to a filter list and set the action to exempt from mass MMS, all messages from matching carrier endpoints bypass message flood protection. This allows legitimate bulk messages, such as system outage notifications, to be delivered without triggering message flood protection.

For more information on carrier endpoints, see the User Authentication chapter of the FortiOS Handbook.

 

Configuring message flood detection

To have the Carrier-enabled FortiGate unit check for message floods, you must first configure the flood threshold in an MMS profile, and then select the MMS profile in a security policy. All the traffic examined by the security policy will be checked for message floods according to the threshold values you set in the MMS profile.

 

Configure the MMS profile – web-based manager

1. Go to Firewall Objects > MMS Profile.

2. If you are editing an MMS profile, select the Edit icon of the MMS profile.

If you are creating a new MMS profile, select Create New and enter a profile name.

3. Expand MMS Bulk Email Filtering Detection.

4. Expand Message Flood.

5. Expand Flood Threshold 1.

6. Select the Enable check box for MM1 messages, MM4 messages, or both.

7. In the Message Flood Window field, enter the length of time the Carrier-enabled FortiGate unit will keep track of the number of messages each subscriber sends.

If the Carrier-enabled FortiGate unit detects the quantity of messages specified in the Message Flood Limit sent during the number of minutes specified in the Message Flood Window, a message flood is in progress.

8. In the Message Flood Limit field, enter the number of messages required to trigger the flood.

9. In the Message Flood Block Time field, enter the length of time a user will be blocked from sending messages after causing the message flood.

10. Select the message flood actions the Carrier-enabled FortiGate unit will take when the message flood is detected.

11. Select OK.

 

Configure the security policy – web-based manager

1. Go to Policy.

2. Select the Edit icon of the security policy that controls the traffic in which you want to detect message floods.

3. Select the MMS Profile check box to enable the use of a protection profile.

4. Select the MMS protection profile from the list.

5. Select OK.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Notifying message flood senders and receivers

The FortiOS Carrier unit does not send notifications to the sender or receiver that causes a message flood. If the sender or receiver is an attacker and is explicitly informed that they have exceeded a message threshold, the attacker may try to determine the exact threshold value by trial and error and then find a way around flood protection. For this reason, no notification is sent to the sender or receiver.

However, FortiOS Carrier does have replacement messages for sending reply confirmations to MM1 senders and receivers and for MM4 senders for blocked messages identified as message floods. For information about how FortiOS Carrier responds when message flood detection blocks a message, see and MMS duplicate messages and message floods.

 

Responses to MM1 senders and receivers

When the FortiOS Carrier unit identifies an MM1 message sent by a sender to an MMSC as a flood message and blocks it, the FortiOS Carrier unit returns a message submission confirmation (m-send.conf) to the sender — otherwise the sender’s handset would keep retrying the message. The m-send.conf message is sent only when the MM1 message flood action is set to Block. For other message flood actions the message is actually delivered to the MMSC and the MMSC sends the m-send.conf message.

You can customize the m-send.conf message by editing the MM1 send-conf flood message MM1 replacement message (from the CLI the mm1-send-conf-flood replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted”. To hide the fact that FortiOS Carrier is responding to a flood, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.

For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Sent OK”:

config system replacemsg mm1 mm1-send-conf-flood
    set rsp-status ok
    set rsp-text "Message Sent OK"
end

When the FortiOS Carrier unit identifies an MM1 message received by a receiver from an MMSC as a flood message and blocks it, the FortiOS Carrier unit returns a message retrieval confirmation (m-retrieve.conf) to the sender (otherwise the sender’s handset would keep retrying the message). The m-retrieve.conf message is sent only when the MM1 message flood action is set to Block. For other message flood actions the message is actually delivered to the receiver, so the MMSC sends the m-retrieve.conf message.

You can customize the m-retrieve.conf message by editing the MM1 retrieve-conf flood message MM1 replacement message (from the CLI the mm1-retr-conf-flood replacement message). You can customize the class, subject, and message text for this message.

For example, you could use the following command to make the response more generic:

config system replacemsg mm1 mm1-retr-conf-flood
    set subject "Message blocked"
    set message "Message temporarily blocked by carrier"
end

 

Forward responses for MM4 message floods

When the FortiOS Carrier unit identifies an MM4 message as a flood message and blocks it, the FortiOS Carrier unit returns a message forward response (MM4_forward.res) to the forwarding MMSC (otherwise the forwarding MMSC would keep retrying the message). The MM4_forward.res message is sent only when the MM4 message flood action is set to Block and the MM4-forward.req message requested a response. For more information, see and MMS duplicate messages and message floods.

You can customize the MM4_forward.res message by editing the MM4 flood message MM4 replacement message (from the CLI the mm4-flood replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted” (err-content-not-accept). To hide the fact that the FortiOS Carrier unit is responding to a flood, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.

For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Sent OK” for the MM4 message forward response:

config system replacemsg mm4 mm4-flood
    set rsp-status ok
    set rsp-text "Message Forwarded OK"
end


Notifying administrators of floods

You can configure alert notifications for message floods by selecting the Alert Notification message flood action. The FortiOS Carrier unit sends alert notifications to administrators using the MM1, MM3, MM4, or MM7 content interface. To send an alert notification you must configure addresses and other settings required for the content interface.

For example, to send notifications using the MM1 content interface you must configure a source MSISDN, hostname, URL, and port to which to send the notification. You can also configure schedules for when to send the notifications.

Finally, you can add multiple MSISDN numbers to the MMS protection profile and set which flood thresholds to send to each MSISDN.

 

Example — three flood threshold levels with different actions for each threshold

You can set up to three threshold levels to take different actions at different levels of activity.

The first example threshold records log messages when a subscriber’s handset displays erratic behavior by sending multiple messages using MM1 at a relatively low threshold. The erratic behavior could indicate a problem with the subscriber’s handset. For example, you may have determined for your network that if a subscriber sends more than 45 messages in 30 minutes, you want to record log messages as a possible indication of erratic behavior.

From the web-based manager in an MMS profile set message Flood Threshold 1 to:

Enable                                        Selected

Message Flood Window          30 minutes

Message Flood Limit               45

Message Flood Action             Log

From the CLI:

config firewall mms-profile
    edit profile_name
        config flood mm1
            set status1 enable
            set window1 30
            set limit1 45
            set action1 log
        end
    end

 

Set a second, higher threshold to take additional actions when a subscriber sends more than 100 messages in 30 minutes. Set the actions for this threshold to log the flood, archive the message that triggered the second threshold, and block the sender for 15 minutes.

From the web-based manager in an MMS profile set message Flood Threshold 2 to:

 

Enable                                        Selected

Message Flood Window          30 minutes

Message Flood Limit               100

Message Block Time                15 minutes

Message Flood Action             Log, DLP archive First message only, Block

 

From the CLI:

config firewall mms-profile
    edit profile_name
        config flood mm1
            set status2 enable
            set window2 30
            set limit2 100
            set action2 block log archive-first
            set block-time2 15
        end
    end

 

Set the third and highest threshold to block the subscriber for an extended period and send an administrator alert if the subscriber sends more than 200 messages in 30 minutes. Set the actions for this threshold to block the sender for four hours (240 minutes), log the flood, archive the message that triggered the third threshold, and send an alert to the administrator.

From the web-based manager in an MMS profile set message Flood Threshold 3 to:

Enable                                        Selected

Message Flood Window          30 minutes

Message Flood Limit               200

Message Block Time                240 minutes

Message Flood Action             Log, Block, Alert Notification

Because you have selected the Alert Notification action, you must also configure alert notification settings. For this example, the source MSISDN is 5551234 (telephone number 555-1234). When administrators receive MMS messages from this MSISDN they can assume a message flood has been detected.

In this example, alert notifications are sent by the FortiOS Carrier unit to the MMSC using MM1. The host name of the MMSC is mmscexample, the MMSC URL is /, and the port used by the MMSC is 80. In this example, the alert notification window starts at 8:00am and extends for eight hours on weekdays (Monday-Friday) and the minimum interval between message flood notifications is two hours.

Source MSISDN                         5551234

Message Protocol                     MM1

Hostname                                   mmscexample

URL                                             /

Port                                             80

Notifications Per Second Limit   0

Window Start Time                   8:00

Window Duration                      8:00

Day of Week                               Mon, Tue, Wed, Thu, Fri, Sat

Interval                                       2 hours

From the CLI:

config firewall mms-profile
    edit profile_name
        config notification alert-flood-1
            set alert-src-msisdn 5551234
            set msg-protocol mm1
            set mmsc-hostname mmscexample
            set mmsc-url /
            set mmsc-port 80
            set rate-limit 0
            set tod-window-start 8:00
            set tod-window-duration 8:00
            set days-allowed monday tuesday wednesday thursday friday
            set alert-int 2
            set alert-int-mode hours
        end
    end

You must also add the MSISDNs of the administrators to be notified of the message flood. In this example, the administrator flood threshold 3 alert notifications are sent to one administrator with MSISDN 5554321.

To add administrator’s MSISDNs for flood threshold 3 from the web-based manager when configuring a protection profile, select MMS Bulk Email Filtering Detection > Recipient MSISDN > Create New.

MSISDN                     5554321

Flood Level 3           Select

 

From the CLI:

config firewall mms-profile
    edit profile_name
        config notif-msisdn
            edit 5554321
                set threshold flood-thresh-3
            end
        end


Setting message flood thresholds

A message flood occurs when a single subscriber sends a volume of messages that exceeds the flood threshold you set. The threshold defines the maximum number of messages allowed, the period over which the subscriber's sent messages are counted, and the length of time the sender is restricted from sending messages after a flood is detected.

If a subscriber exceeds the message flood threshold and is blocked from sending more messages, any further attempts to send messages will re-start the block period. You must also enable logging for MMS Scanning > Bulk Messages in the Logging section of the MMS protection profile.

A subscriber is still able to receive messages while they are blocked from sending messages.

 

Example

For example, for the first threshold you may determine that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all messages blocked for half an hour (30 minutes).

Using this example, if the subscriber exceeds the flood threshold, they are blocked from sending messages for 30 minutes. If the subscriber tries to send any message after 15 minutes, the message will be blocked and the block period will be reset again to 30 minutes. The block period must expire with no attempts to send a message. Only then will the subscriber be allowed to send more messages.
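The block-restart behavior described above can be checked against sample traffic before a threshold is deployed. The following Python model is an added example, not Fortinet code: the class and function names are hypothetical, the traffic is constructed, and it assumes that the flood starts with the message that exceeds the limit and that counting starts fresh once a block has been applied.

```python
"""Model of the per-subscriber flood threshold described above (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FloodThreshold:
    window_min: float   # Message Flood Window (minutes)
    limit: int          # Message Flood Limit (messages)
    block_min: float    # Message Flood Block Time (minutes)


@dataclass
class FloodModel:
    threshold: FloodThreshold
    sent: dict = field(default_factory=lambda: defaultdict(deque))
    blocked_until: dict = field(default_factory=dict)

    def submit(self, subscriber: str, t: float) -> str:
        """Return 'pass' or 'block' for a message sent at minute t."""
        th = self.threshold
        # Any attempt made while blocked restarts the block period.
        if t < self.blocked_until.get(subscriber, float("-inf")):
            self.blocked_until[subscriber] = t + th.block_min
            return "block"
        window = self.sent[subscriber]
        # Forget messages that have aged out of the flood window.
        while window and window[0] <= t - th.window_min:
            window.popleft()
        window.append(t)
        # Assumption: the flood starts with the message that exceeds the limit.
        if len(window) > th.limit:
            self.blocked_until[subscriber] = t + th.block_min
            window.clear()  # assumption: counting starts fresh after a block
            return "block"
        return "pass"


# Constructed traffic, times in minutes. Subscriber A sends 101 messages in
# 50 minutes, retries while blocked, then waits out the block. B sends once.
SAMPLE_EVENTS = (
    [("A", i * 0.5) for i in range(101)]
    + [("B", 60.0), ("A", 65.0), ("A", 90.0), ("A", 119.0), ("A", 150.0)]
)


def run_sample():
    """Replay SAMPLE_EVENTS with the page's example: 100 messages / 60 min / 30 min block."""
    model = FloodModel(FloodThreshold(window_min=60, limit=100, block_min=30))
    verdicts = [(sub, t, model.submit(sub, t)) for sub, t in SAMPLE_EVENTS]
    return verdicts, model.blocked_until


if __name__ == "__main__":
    verdicts, blocked_until = run_sample()
    for sub, t, verdict in verdicts[99:]:
        print(f"t={t:6.1f} min  subscriber={sub}  {verdict}")
    print("A's block period ends at minute", blocked_until["A"])
```

In the sample, each retry by subscriber A during the block pushes the end of the block out by another 30 minutes, while subscriber B is unaffected because counting is per subscriber.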

 

To configure MM1 message flood threshold – web-based manager

1. Go to Security Profiles > MMS Profile.

2. Select Create New.

3. Enter MM1 flood for Profile Name.

4. Expand MMS Bulk Email Filtering Detection.

5. Enter the following information, and select OK.

 

MM1 (first column)

Enable                                        Enable

Message Flood Window          60 minutes

Message Flood Limit               100

Message Flood Block Time     30 minutes

Message Flood Action             Block

 

To configure MM1 message flood threshold – CLI

config firewall mms-profile
    edit profile_name
        config flood mm1
            set status1 enable
            set window1 60
            set limit1 100
            set action1 block
            set block-time1 30
        end
    end

The threshold values that you set for your network will depend on factors such as how busy your network is and the kinds of problems that your network and your subscribers encounter. For example, if your network is not too busy you may want to set message flood thresholds relatively high so that only an exceptional situation will exceed a flood threshold. Then you can use log messages and archived MMS messages to determine what caused the flood.

If your subscribers are experiencing problems with viruses that send excessive amounts of messages, you may want to set thresholds lower and enable blocking to catch problems as quickly as possible and block access to keep the problem from spreading.

 

Flood actions

When the Carrier-enabled FortiGate unit detects a message flood, it can take any combination of the five actions that you can configure for the flood threshold. For detailed options, see Message Flood.


Message flood protection

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse.

Overview

Setting message flood thresholds

Notifying administrators of floods

Example — three flood threshold levels with different actions for each threshold

Notifying message flood senders and receivers

Viewing DLP archived messages

Order of operations: flood checking before duplicate checking

Bypassing message flood protection based on user’s carrier endpoints

Configuring message flood detection

Sending administrator alert notifications

 

Overview

Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.

 

MM1 and MM4 flood protection

The FortiOS Carrier unit keeps track of the number of messages each subscriber sends for the length of time you specify. If the number of messages a subscriber sends exceeds the threshold, a configured action is taken. Possible actions are logging the flood, blocking or intercepting messages in the flood, archiving the flood messages, and sending an alert message to inform the administrator that the flood is occurring.

You can create three different thresholds to take different levels of action at different levels of activity. With this highly configurable system, you can prevent subscribers from sending more messages than you determine is acceptable, or monitor anyone who exceeds the thresholds.


MMS DLP archiving

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiOS Carrier configuration. The FortiGuard Analysis and Management server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

You can configure full DLP archiving and summary DLP archiving. Full DLP archiving includes all content; for example, full email DLP archiving includes complete email messages and attachments. Summary DLP archiving includes just the metadata about the content; for example, email message summary records include only the email header.

You can archive MM1, MM3, MM4, and MM7 content.

 

Configuring MMS DLP archiving

Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. For each protocol you can archive just session metadata (Summary), or metadata and a copy of the associated file or message (Full).

In addition to MMS protection profile DLP archive options you can:

  • Archive MM1 and MM7 message floods
  • Archive MM1 and MM7 duplicate messages
  • Select DLP archiving for carrier endpoint patterns in a Carrier Endpoint List and select the Carrier Endpoint Block option in the MMS Scanning section of an MMS Protection Profile

FortiOS Carrier only allows one sixteenth of its memory for transferring content archive files. For example, for Carrier-enabled FortiGate units with 128MB RAM, only 8MB of memory is used when transferring content archive files. Because of these memory constraints, best practice is to not enable full content archiving if antivirus scanning is also configured.

 

To configure MMS DLP archiving – web-based manager

1. Go to Security Profiles > MMS Profile.

2. Select Create New or select the Edit icon beside an existing profile.

3. Expand MMS Bulk AntiSpam Detection > Content Archive.

4. Complete the fields as described in DLP Archive options.

5. Select OK.

 

Viewing DLP archives

You can view DLP archives from the Carrier-enabled FortiGate unit web-based manager. Archives are historical logs that are stored on a log device that supports archiving, such as a FortiAnalyzer unit.

These logs are accessed from Log & Report > DLP Archive or, if you have subscribed to the FortiCloud service, you can view log archives from there.

The DLP Archive menu is only visible if one of the following is true.

  • You have configured the FortiGate unit for remote logging and archiving to a FortiAnalyzer unit.
  • You have subscribed to FortiCloud.

The following tabs are available when you are viewing DLP archives for one of these protocols.

  • Email to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email archives.
  • Web to view HTTP and HTTPS archives.
  • FTP to view FTP archives.
  • IM to view AIM, ICQ, MSN, and Yahoo! archives.
  • MMS to view MMS archives.
  • VoIP to view session control (SIP, SIMPLE and SCCP) archives.

If you need to view log archives in Raw format, select Raw beside the Column Settings icon.

 


Configuring content-based antispam protection

 

To apply content-based antispam protection – CLI

config webfilter content
    edit <filter_table_number>
        set name <filter_table_name>
        config entries
            edit <phrase or regexp you want to block>
                set action {block | exempt}
                set lang <phrase language>
                set pattern-type {wildcard | regexp}
                set score <phrase score>
                set status {enable | disable}
        end
    end

 

Configuring sender notifications

When someone on the MMS network sends an MMS message that is blocked, in most cases you will notify the sender. Typically an administrator is notified in addition to the sender so action can be taken if required. There are two types of sender notifications available in FortiOS Carrier: MMS notifications, and Replacement Messages.

 

MMS notifications

MMS notifications to senders are configured in Security Profiles > MMS Profile, under MMS Notifications. In this section you can configure up to four different notification recipients for any combination of MM1/3/4/7 protocol MMS messages. Also for MM7 messages the message type can be submit.REQ or deliver.REQ. Useful settings include:

  • delay in message based on notification type
  • limit on notifications per second to prevent a flood
  • schedules for notifications
  • log in details for MM7 messages.

For more information on MMS notifications, see Notifying message flood senders and receivers and MMS Notifications.

 

Replacement messages

Replacement messages are a feature common to both FortiOS and FortiOS Carrier; however, FortiOS Carrier has additional messages for MMS traffic.

While each MMS protocol has its own replacement messages, the one common to all MMS protocols is the MMS blocked content replacement message. This is the message that the receiver of the message sees when their content is blocked.

 


MMS content-based Antispam protection

Expand MMS Scanning and select Content Filter in an MMS protection profile to create content filter black/white lists that block or allow MMS messages based on the content of the message.

 

Overview

A school computer lab may block age-inappropriate content. A place of business may block unproductive content. A public access internet cafe may block offensive and graphic content. Each installation has its own requirements for what content needs to be blocked, and in what language.

FortiOS Carrier provides the ability to create custom local dictionaries, black lists, and white lists in multiple languages, which enables you to protect your customers from malicious content around the world.

 

Configurable dictionary

You can create a dictionary of configurable terms and phrases using the CLI. The text of MMS messages will be searched for these terms and phrases. Add content filter lists that contain content that you want to match in MMS messages. For every match found, a score is added. If enough matches are found to set the total score above the configured threshold, the MMS message is blocked.

You can add words, phrases, wild cards and Perl regular expressions to create content patterns that match content in MMS messages. For more on wildcard and regular expressions, see Using wildcards and Perl regular expressions in the UTM guide.

 

For each pattern you can select Block or Exempt.

  • Block adds an antispam black list pattern. A match with a block pattern blocks a message depending on the score of the pattern and the content filter threshold.
  • Exempt adds an antispam white list pattern. A match with an exempt pattern allows the message to proceed through the FortiOS Carrier unit, even if other content patterns in the same content filter list would block it.

If a pattern contains a single word, the FortiOS Carrier unit searches for the word in MMS messages. If the pattern contains a phrase, the FortiOS Carrier unit searches for all of the words in the phrase. If the pattern contains a phrase in quotation marks, the FortiOS Carrier unit searches for the whole phrase.

You can create patterns with Simplified Chinese, Traditional Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western character sets.

 

Black listing

Black listing is the practice of banning entries on the list. For example if an IP address continuously sends viruses, it may be added to the black list. That means any computers that consult that list will not communicate with that IP address.

Sometimes computers or devices can be added to black lists for a temporary problem, such as a virus that is removed when notified. However, as a rule, short of contacting the administrator in person to be manually removed from the black list, users have to wait, and they will generally be removed after a period without problems.

 

White listing

White listing is the practice of adding all critical IP addresses to a list, such as company email and web servers. Then if those servers become infected and start sending spam or viruses, those servers are not blocked. This allows the critical traffic through, even if there might be some malicious traffic as well. Blocking all traffic from your company servers would halt company productivity.

 

Scores and thresholds

Each content pattern includes a score. When an MMS message is matched with a pattern the score is recorded. If a message matches more than one pattern or matches the same pattern more than once, the score for the message increases. When the total score for a message equals or exceeds the threshold the message is blocked.

The default score for a content filter list entry is 10 and the default threshold is 10. This means that by default a message is blocked by a single match. You can change the scores and threshold so that messages can only be blocked if there are multiple matches. For example, you may only want to block messages that contain the phrase “example” if it appears twice. To do this, add the “example” pattern, set action to block and score to 5. Keep the threshold at 10. If “example” is found twice or more in a message the score adds up to 10 (or more) and the message is blocked.
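The scoring rules above, together with the Block and Exempt actions, can be modeled to preview how a content filter list treats sample message text. This Python sketch is an added example, not Fortinet code: the names are hypothetical, the filter list and messages are constructed, and it assumes case-insensitive matching and a simple wildcard translation; multi-word phrase handling is not modeled.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    pattern: str
    action: str = "block"            # "block" or "exempt"
    pattern_type: str = "wildcard"   # "wildcard" or "regexp"
    score: int = 10                  # page: default entry score is 10
    status: str = "enable"

    def compiled(self):
        # Assumption: matching is case-insensitive.
        if self.pattern_type == "regexp":
            return re.compile(self.pattern, re.IGNORECASE)
        # Assumed wildcard semantics: '*' is any run of non-space characters,
        # '?' is exactly one; everything else is literal.
        parts = [r"\S*" if c == "*" else r"\S" if c == "?" else re.escape(c)
                 for c in self.pattern]
        return re.compile("".join(parts), re.IGNORECASE)

    def count(self, text):
        # Ignore zero-width matches so a pattern like '*' cannot inflate a score.
        return sum(1 for m in self.compiled().finditer(text) if m.group(0))


def evaluate(text, entries, threshold=10):
    """Return (verdict, total_score, hits) for one message body."""
    active = [e for e in entries if e.status == "enable"]
    # An exempt match lets the message through whatever the block patterns score.
    for e in active:
        if e.action == "exempt" and e.count(text):
            return "exempt", 0, {e.pattern: e.count(text)}
    total, hits = 0, {}
    for e in active:
        n = e.count(text) if e.action == "block" else 0
        if n:
            hits[e.pattern] = n
            total += e.score * n   # every match adds the entry's score
    # Blocked when the total equals or exceeds the threshold.
    return ("block" if total >= threshold else "pass"), total, hits


# Constructed filter list: the page's "example" entry with score 5, one regexp
# entry left at the default score, and one exempt entry.
FILTER = [
    Entry("example", score=5),
    Entry(r"free\s+ringtones?", pattern_type="regexp"),
    Entry(r"^\[NOTICE\]", action="exempt", pattern_type="regexp"),
]

# Constructed message bodies.
SAMPLES = [
    "This is an example.",
    "example one, example two",
    "Get FREE ringtones now",
    "[NOTICE] example example example",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(evaluate(body, FILTER), "<-", body)
```

With the threshold left at 10, a single “example” scores 5 and passes, two occurrences reach 10 and block, and the exempt entry overrides three block matches.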

 

