burtmianus
New Member
March 31, 2018
Question

FortiMail AV Profile & User Personal Quarantine

  • March 31, 2018
  • 1 reply
  • 12622 views
Hola,

Is there any way of setting an AV profile to deliver to User’s Personal Quarantine? We’re trying to get a balance between Security and user experience... here’s the scenario:

We have FML 5.4.2 connected to an FSA 3000E (fully loaded on licenses). I enabled URI scanning through the FSA and over a weekend 1,900 genuine emails were dropped into the system quarantine cos they contained low risk URIs. Cue an outcry from users.... :( so had to turn it off.

As I cannot find a way of making FML take different action based on URI or Attachment I’ve decided the best option is to drop any low risk email into personal quarantine and send a notification email. Sadly after getting it approved I found that it doesn’t look like I can make AV profiles use the personal quarantine....

We discussed the option of using the attachment option (deliver the original email as an attachment to a notification) but the consensus was that users would be more likely to open it and not take note of the security concerns than if they had to log in to their personal quarantine. Maybe there is a CLI switch that allows this?

I have put in an NFR for the ability to split options for attachments and URIs - the FML can send different notification emails if you use the replacement message feature so it can clearly be aware of which is which.

Thanks!

    1 reply

    Dirty_Wizard_FTNT
    Staff
    April 3, 2018

    Hi,

    You are going to see a ton of Low Risk results if sending all URIs to the FSA and you are not pre-filtering them out on the FSA. If you don't want to either change the action on FML to something non-final or prefilter URLs on FSA — you can try this janky workaround to put Low Risk results to user quarantine:


    - Configure an AV action profile for Low Risk to deliver to alternate host. Set this host as the internal IP of the FortiMail. You can also tag subject or apply other non-final actions.

    - Create an IP Policy with the FortiMail IP as source and set as exclusive (take precedence over recipient based policy match). Move it to the top of the sequence order. Apply an AntiSpam Profile which will send all email matching that Policy to User Quarantine (default action on policy match). It could either be tagged here or in the previous step to denote that it was flagged by the FSA and not another spam check so that it is distinguished in the user’s quarantine. That’s optional.

    This is tried and tested, and doesn't appear to break any other functionality but you may want to implement it for a subset of users initially.

    burtmianus
    New Member
    April 3, 2018
    Thanks - we are using pre-filtering and still getting loads of low risk, hence the issue. Have another idea - after the FSA scans it adds a new header in (something like X-ANTIVIRUS-FESA: Fortisandbox: uri) so I set up a content rule and assumed it would work. But no matter what I do the content rule isn’t being triggered, even after setting the scan-order to antispam-Sandbox-content. Will kick that to TAC as it seems it should work. As for your suggestion could be tricky cos we have a load balancer in Azure (KEMP not MS) and we’re having issues outbound where the IP of the client is the VIP not the Exchange server. Could pose problems potentially but I will play around with it as I have a lab version of it too. Thanks
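An added example, not from this thread and not Fortinet code: before writing a content rule that keys on the header the sandbox scan inserts, it helps to pull a scanned message out of the quarantine and confirm the exact header name and value, since a rule that matches the value strictly will miss a header whose case or spacing differs from what you typed. The header name X-ANTIVIRUS-FESA and the value "Fortisandbox: uri" below are taken from the poster's "something like" description and are assumptions; the sample message is constructed.

```python
"""Inspect the header a FortiSandbox scan is expected to add to a message.

Illustration only; not FortiMail or FortiSandbox code. The header name
X-ANTIVIRUS-FESA and the value "Fortisandbox: uri" are assumed from the
thread's description, and the sample message below is constructed.
"""
import email
import re
from email import policy

# Constructed sample: what a message might look like after the FSA scan
# has added its result header (assumed name and value).
SAMPLE_RAW = b"""\
Received: from mail.example.test (mail.example.test [192.0.2.10])
\tby fml.example.test with ESMTP; Mon, 2 Apr 2018 09:15:02 +0100
X-ANTIVIRUS-FESA: Fortisandbox: uri
From: sender@example.test
To: user@example.test
Subject: Quarterly report
Content-Type: text/plain; charset="us-ascii"

Please see http://example.test/report for details.
"""

# Tolerant pattern: any case, any whitespace around the colon, one verdict token.
VERDICT_RE = re.compile(r"fortisandbox\s*:\s*(\w+)", re.IGNORECASE)


def sandbox_headers(raw):
    """Return every (name, value) header whose name starts with X-ANTIVIRUS
    (compared case-insensitively), in the order they appear in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(name, str(value)) for name, value in msg.items()
            if name.lower().startswith("x-antivirus")]


def sandbox_verdict(raw):
    """Return the token after 'Fortisandbox:' (for example 'uri'),
    lower-cased, or None when no sandbox header is present."""
    for _name, value in sandbox_headers(raw):
        match = VERDICT_RE.search(value)
        if match:
            return match.group(1).lower()
    return None


def exact_header_match(raw, name, value):
    """Mimic a strict content rule: the header name is case-insensitive (as
    RFC 5322 requires) but the value must match exactly after trimming.
    This is the kind of match that silently fails when the real header
    differs from what was typed into the rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(str(v).strip() == value for v in msg.get_all(name, []))


if __name__ == "__main__":
    for name, value in sandbox_headers(SAMPLE_RAW):
        print(f"{name}: {value!r}")
    print("verdict:", sandbox_verdict(SAMPLE_RAW))
    print("strict match, as typed:",
          exact_header_match(SAMPLE_RAW, "X-ANTIVIRUS-FESA", "Fortisandbox: uri"))
    print("strict match, lower-case value:",
          exact_header_match(SAMPLE_RAW, "X-ANTIVIRUS-FESA", "fortisandbox: uri"))
```

Run it against a raw message saved from the system quarantine instead of SAMPLE_RAW; the first loop prints the header exactly as the sandbox wrote it, and the two strict checks show how a one-character difference in the rule's value is enough to stop it firing.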