Fortinet Forum
burtmianus

FortiMail AV Profile & User Personal Quarantine

Hola, is there any way of setting an AV profile to deliver to a user's Personal Quarantine? We're trying to get a balance between security and user experience... here's the scenario:

We have FML 5.4.2 connected to an FSA 3000E (fully loaded on licenses). I enabled URI scanning through the FSA and over a weekend 1,900 genuine emails were dropped into the system quarantine cos they contained low risk URIs. Cue an outcry from users.... :( so I had to turn it off.

As I cannot find a way of making FML take different action based on URI or attachment, I've decided the best option is to drop any low risk email into personal quarantine and send a notification email. Sadly, after getting it approved, I found that it doesn't look like I can make AV profiles use the personal quarantine.... We discussed the option of using the attachment option (deliver the original email as an attachment to a notification) but the consensus was that users would be more likely to open it and not take note of the security concerns than if they had to log in to their personal quarantine.

Maybe there is a CLI switch that allows this? I have put in an NFR for the ability to split options for attachments and URIs - the FML can send different notification emails if you use the replacement message feature, so it can clearly be aware of which is which. Thanks!
Dirty_Wizard_FTNT

Hi,


You are going to see a ton of Low Risk results if sending all URIs to the FSA and you are not pre-filtering them out on the FSA. If you don't want to either change the action on FML to something non-final or prefilter URLs on FSA — you can try this janky workaround to put Low Risk results to user quarantine:


- Configure an AV action profile for Low Risk to deliver to alternate host. Set this host as the internal IP of the FortiMail. You can also tag the subject or apply other non-final actions.

- Create an IP Policy with the FortiMail IP as source and set it as exclusive (takes precedence over recipient-based policy match). Move it to the top of the sequence order. Apply an AntiSpam Profile which will send all email matching that Policy to User Quarantine (default action on policy match). It could either be tagged here or in the previous step to denote that it was flagged by the FSA and not another spam check, so that it is distinguished in the user's quarantine. That's optional.


This is tried and tested, and doesn't appear to break any other functionality but you may want to implement it for a subset of users initially.

burtmianus

Thanks - we are using pre-filtering and still getting loads of low risk, hence the issue. Have another idea - after the FSA scans, it adds a new header in (something like X-ANTIVIRUS-FESA: Fortisandbox: uri) so I set up a content rule and assumed it would work. But no matter what I do the content rule isn't being triggered, even after setting the scan-order to antispam-Sandbox-content. Will kick that to TAC as it seems it should work. As for your suggestion, it could be tricky cos we have a load balancer in Azure (KEMP not MS) and we're having issues outbound where the IP of the client is the VIP not the Exchange server. Could pose problems potentially, but I will play around with it as I have a lab version of it too. Thanks
Dirty_Wizard_FTNT

I also tried that method first with inserting the header + content monitor but it does not work and I would say it is expected.


The IP Policy method shouldn't cause any issues since I have not found any scenario where the FortiMail will see any other email sourced from its own IP.


In any case, you could use a second MTA to deliver to as alternate host which then relays back to the FortiMail where the user quarantine action can be applied.


burtmianus

I will take a look. Cos of Azure & Kemp not playing nicely together, the source address of our outbound emails is the VIP on our Kemp LoadMaster; I got that confused with the IP of the FML as I hadn't looked specifically at outbound emails for a few weeks. That being the case, your suggestion should work for us, though it's not ideal!


What makes you think that not applying content rules after sandboxing is by design? Surely it should apply all the rules you specify and not just give up part way through after one match/event whose action is to deliver/pass the email onwards?

burtmianus

I've run into a problem with the deliver to alternative host option - if the email or domain is on the recipients safe list, it gets delivered!

Dirty_Wizard_FTNT

Then use a Content Profile instead of AntiSpam Profile on the IP Policy.

Set the Content Profile to quarantine everything with a wildcard dictionary entry '*'.

Or to match a header you inserted on the AV action profile.

burtmianus

Hiya,


Change of tack slightly: I have written a regex to catch the header:


/^X-FEAS-ANTIVIRUS: FortiSandbox:((?!uri).)*$/


So this one will match when an email has the "X-FEAS-ANTIVIRUS: FortiSandbox:" header but not if it includes the "uri" bit, so I can now set up content rules (as you suggested) using this so that if it matches and contains "uri" it goes to personal quarantine, but if it matches and doesn't contain "uri" (i.e. a low-risk file) I can put it into the system quarantine.


Thank you for your help - it's a shame that you can't just have a single rule and have to go through the deliver back to itself method!
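The header-matching logic from this last post, as an added Python example that is not part of the thread or of FortiMail itself: the negative-lookahead regex posted above is run against constructed sample messages, with an assumed companion pattern for the "uri" case, to show which quarantine each message would be routed to.

```python
import re

# Pattern posted in the thread: a FortiSandbox AV header whose value does NOT contain "uri".
# ((?!uri).)* consumes the rest of the line one character at a time and fails as soon as
# "uri" would start at the current position, so only non-URI verdicts (e.g. a file) match.
NON_URI_SANDBOX = re.compile(r"^X-FEAS-ANTIVIRUS: FortiSandbox:((?!uri).)*$", re.MULTILINE)

# Companion pattern for the URI case (constructed for this example, not taken from the thread).
URI_SANDBOX = re.compile(r"^X-FEAS-ANTIVIRUS: FortiSandbox:.*uri", re.MULTILINE)


def header_block(raw_message: str) -> str:
    """Return only the header section, so a look-alike line in the body cannot trigger a rule."""
    return raw_message.split("\n\n", 1)[0]


def classify(raw_message: str) -> str:
    """Route a message the way the thread wants:
    'personal' for a low-risk URI verdict, 'system' for any other FortiSandbox verdict,
    'deliver' when the sandbox header is absent."""
    headers = header_block(raw_message)
    if URI_SANDBOX.search(headers):
        return "personal"
    if NON_URI_SANDBOX.search(headers):
        return "system"
    return "deliver"


# Constructed sample messages: header name and verdict words follow the thread, the rest is made up.
URI_MSG = "From: a@example.test\nX-FEAS-ANTIVIRUS: FortiSandbox: uri\nSubject: invoice\n\nclick here"
FILE_MSG = "From: a@example.test\nX-FEAS-ANTIVIRUS: FortiSandbox: file\nSubject: report\n\nsee attached"
CLEAN_MSG = "From: a@example.test\nSubject: hello\n\nX-FEAS-ANTIVIRUS: FortiSandbox: uri (body text, ignored)"

if __name__ == "__main__":
    for name, msg in (("uri", URI_MSG), ("file", FILE_MSG), ("clean", CLEAN_MSG)):
        print(f"{name}: {classify(msg)}")
```

Note that the lookahead rejects the substring "uri" anywhere on the line, so a verdict text containing a word such as "security" would also be excluded by the posted regex; check the real header values before relying on the bare substring.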