Help
FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
aaborehab
Staff
Staff

Created on ‎02-17-2023 03:36 AM Edited on ‎03-06-2025 06:11 AM By Staff

Article Id 246257

Technical Tip: IP pool usage in different scenarios

Description

This article describes how to use the IP pool in several scenarios. 
Scope

FortiMail v7.0, v7.2, v7.4 and 7.6.
Solution

IP pools are used to define a range of IP addresses that can be used as source or destination IPs. 

 

IP pool can be used in 3 different locations and each of them has different behavior:

 

  1. IP pool applied under IP policy: in the IP policy, the IP pool will be used as the originating IP when sending emails to external users or to the internal SMTP server of protected domains. It will NOT be used in receiving.

 

 

aaborehab_0-1676632242605.png

 

  1. IP pool applied under Domain settings: via the GUI under Domain & user -> Domain -> Choose a domain and select Edit -> Advanced setting -> Other -> IP pool. Here it is possible to choose the directions of the IP pool as follows:

 

Delivery: the IP pool will be used as the originating IP when delivering emails to external, but it will NOT be used as the originating IP when delivering to the internal SMTP server.

 

Receiving: the IP pool will be used as the destination IP for the incoming traffic. 

 

Both: Receiving & Delivery.

 

aaborehab_1-1676632242609.png

 

  1. IP pool applied under Delivery Access Control Policy: the IP pool here will be used as the originating IP when delivering emails externally and to the internal SMTP server of protected domains.

    It will NOT be used in receiving. It is similar to the IP pool applied under the IP policy, however here it is possible to have more control by specifying the sender and recipient by domain names. The IP policy is based on IP.

 

aaborehab_2-1676632242611.png

 

Note 1:

The Delivery Access control policy has priority over the IP policy, so if the IP pool is applied in both access control & IP policy, only the one in the access control policy will be applied.

 

Note 2:

When the email hits the delivery access control policy, the logs will show only the receiving access control in the policy ID. The matched Delivery access control policy will not be visible. In the policy ID only Receiving access control, IP policy: Recipient policy will be shown as following in the logs:

 

aaborehab_3-1676632242612.png

 

Note 3:

After v7.4.0, the ACL delivery ID was added to the event logs.

 

Note 4:

Before v7.0.1 GA, the IP pool will be ignored when the sender and recipient are protected domain addresses. Starting from v7.0.1 GA, the IP pool will be used and a new CLI command was introduced to have more control over it:

 

config system mailserver
    set ip-pool-direction [ all | exclude-internal-to-internal ] (default value is all)
end


All: IP pool will be used for all emails -> v7.0.1 behavior.

exclude-internal-to-internal <----- IP pool will not be used for emails in between protected domains -> pre-7.0.1 behavior.
Labels:
2105
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.