Article Id 194119

Description

This article describes how to use deny firewall policies to stop spam on a FortiGate.

Scope

FortiGate.

Solution

There are many tricks to catching spam, and one of the simplest and most effective is blocking it before it gets into the network. This is not simple without knowing the source of the spam, but the spam messages themselves provide the information needed to determine where they come from. Spam log messages, generated by the FortiGate logging function, contain the IP addresses of the remote mail servers that delivered spam to the local mail server. These unwanted server connections can be blocked with a deny firewall policy.

If the SMTP mail server connects to the Internet through a FortiGate unit, use the technique described in this document to reduce the amount of spam reaching the network.

This document describes:

  • How to generate the necessary spam log messages.
  • How to analyze the spam logs to find IP addresses of spam sources.
  • How to block email connections for known spam sources.

Figure 1: This document describes a spam-reduction strategy for a network with an SMTP server connected to the Internet through a FortiGate Antivirus Firewall.

Note: The technique described here will not be effective if the spammer is spoofing the IP address of the spam mail server. If spammers do not forge their IP address, mail can be blocked once the IP address of the sending mail server has been determined. Careful use of the technique described here reduces the amount of spam entering the network. Use caution when denying connections from SMTP servers, because legitimate mail will be blocked if the technique is applied too enthusiastically.

Generating spam log messages.

  1. Using the FortiGate web-based manager, go to Log & Report -> Log Config -> Log Setting.
  2. Enable logging to memory, and set the level to Information.
    In addition to memory, logging to disk is also available if the FortiGate unit is equipped with a hard disk. Log messages can also be sent to a FortiLog unit if one is available.
  3. Under Log Filter, check all the spam filtering options in the Memory column.
  4. Go to Log & Report -> Log Access -> Spam Filter and select the Column Settings button.
  5. In the Available Fields window, select all fields except Detailed Information and move them to the right. Displaying these extra columns shows as much information as possible in each log message.
  6. Give the FortiGate unit time to record spam log messages.

Analyzing spam log messages.

Using the FortiGate web-based manager, go to Log & Report -> Log Access -> Spam Filter. In the generated logs (see figure 2), any IP address in the Source column that is repeatedly listed with a message indicating the IP address is on an RBL/ORDBL list is likely a source of spam. Adding a DENY firewall policy to block connections from this source address not only saves internal network resources by stopping spam messages, but also eliminates the need for repeated queries to RBL/ORDBL servers about this IP address.

Figure 2: Sample spam log messages.
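The analysis step above, as an added example that is not part of the original article: it parses FortiOS-style key=value spam log lines, counts how often each source address is reported as listed on an RBL/ORDBL, skips relays on an allowlist (the caution in the note above, so a legitimate relay that occasionally gets listed is not blocked), and returns the addresses that cross a threshold as candidates for the address group. The sample log lines, the field names `src` and `msg`, the threshold and the allowlist are constructed assumptions, not the FortiGate's actual log format.

```python
import re
from collections import Counter

# Constructed sample log in FortiOS key=value style; field names are assumed.
SAMPLE_LOG = """\
date=2006-03-10 time=10:01:02 type=spam subtype=smtp src=192.0.2.10 dst=10.0.0.5 msg="detected as spam: IP in RBL list"
date=2006-03-10 time=10:01:09 type=spam subtype=smtp src=192.0.2.10 dst=10.0.0.5 msg="detected as spam: IP in RBL list"
date=2006-03-10 time=10:02:15 type=spam subtype=smtp src=198.51.100.7 dst=10.0.0.5 msg="detected as spam: banned word"
date=2006-03-10 time=10:03:44 type=spam subtype=smtp src=192.0.2.10 dst=10.0.0.5 msg="detected as spam: IP in ORDBL list"
date=2006-03-10 time=10:04:01 type=spam subtype=smtp src=203.0.113.9 dst=10.0.0.5 msg="detected as spam: IP in RBL list"
date=2006-03-10 time=10:05:30 type=spam subtype=smtp src=203.0.113.9 dst=10.0.0.5 msg="detected as spam: IP in RBL list"
date=2006-03-10 time=10:06:12 type=spam subtype=smtp src=203.0.113.9 dst=10.0.0.5 msg="detected as spam: IP in RBL list"
"""

# key=value pairs; values are either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def rbl_hits(log_text):
    """Count, per source IP, the spam events whose message cites an RBL/ORDBL listing."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "spam" or "src" not in rec:
            continue
        # Only listing verdicts count; other spam verdicts (banned word, etc.) do not
        # identify the sending server as a known spam source.
        if re.search(r"\b(RBL|ORDBL)\b", rec.get("msg", "")):
            counts[rec["src"]] += 1
    return counts


def block_candidates(log_text, threshold=3, allowlist=()):
    """Return source IPs listed at least `threshold` times, excluding allowlisted relays."""
    hits = rbl_hits(log_text)
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in allowlist)


if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG):
        print(ip)  # candidates for the spam-source address group
```

On the constructed sample, 198.51.100.7 is never a candidate because its only spam verdict is a banned word, not an RBL/ORDBL listing.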

 

Adding the deny firewall policy.

For easy maintenance, have the firewall policy block an address group instead of a single address. Create an address group by going to Firewall > Address > Group. After naming the group, any address defined in Firewall > Address > Address may be added to it. This way, new addresses can be added to or removed from the address group, and therefore from the DENY policy, without modifying the policy itself.

  1. Using the FortiGate web-based manager, go to Firewall > Policy and select Create New.
  2. In the New Policy window, set Source Interface/Zone to the FortiGate interface connected to the Internet.
  3. Set Source Address Name to the address group containing the IP addresses to block.
  4. Set the Destination Interface/Zone to the interface the mail server is connected to and set the destination address to that of the mail server.
  5. Set the schedule to always, the service to SMTP, and the action to DENY.
  6. Enter a comment describing the policy, like "Block spam mail server connections".
  7. Move the deny policy to the top of the policy list.

SMTP connections from the IP addresses in the address group are denied at the FortiGate unit, so they never reach the mail server.

Figure 3: Example firewall policy at the top of a FortiGate-1000 port2 to port1 policy list.

 
