Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Acronym
New Contributor

Antivirus not scanning SMTP traffic

I have setup an SMTP port forwarding rule to an internal Exchange server and enabled the strict protection policy, When using the Eicar test file to send inbound emails into the email server the emails get passed though rather than being blocked. I have tested blocking by file extension using a EXE file and that is getting let through as well, incoming and outgoing. Any help would be appreciated
8 REPLIES 8
abelio
Valued Contributor

Check once again that the incoming SMTP traffic is being processed for the firewall policy you' ve defined with those filters. Use session table available in Status webgui as a tool to track id policies.

regards




/ Abel

regards / Abel
Acronym
New Contributor

I checked the session table and filtered from an external email server I was using to test sending EXE file inbound through the Fortinet. The Policy ID is the correct policy ID and the destination port is 25, the email is being checked for Spam as I have set it to tag and I can see lots of tagged email. So the protection policy is working for Spam as it' s the same protection profile. I have also checked and the Antivirus deffinitions are up to date and secheduled downloads are happening. I have also noted that on the status page the spams detected is 0, as is the Viruses detected. I wonder if it' s a bug with version v4.0,build0178,090820 (MR1) ?
abelio
Valued Contributor

ORIGINAL: Acronym I have also noted that on the status page the spams detected is 0, as is the Viruses detected. I wonder if it' s a bug with version v4.0,build0178,090820 (MR1) ?
Logging in status page is different thing that virus or spam detection obviously; let´s focus on detection: could you post the output of the cli command " show full firewall profile <name_profile_applied_to_smtp_traffic_policy>" ??

regards




/ Abel

regards / Abel
Acronym
New Contributor

Here is my SMTP protection profile, I have turned on a lot more than required just to try everything: edit " Email" set webbwordthreshold 10 set spambwordthreshold 10 set httpoversizelimit 24 set ftpoversizelimit 24 set imapoversizelimit 24 set pop3oversizelimit 24 set smtpoversizelimit 24 set imoversizelimit 24 set nntpoversizelimit 24 config log set log-app-ctrl disable set log-av-block enable set log-av-oversize enable set log-av-virus enable set log-dlp disable set log-ips disable set log-spam enable set log-web-content enable set log-web-filter-activex disable set log-web-filter-applet disable set log-web-filter-cookie disable set log-web-ftgd-err enable set log-web-url enable set log-web-invalid-domain enable end set ftp block clientcomfort oversize scan splice set http block oversize scan clientcomfort unset https set http-retry-count 0 set imap block oversize scan fragmail set pop3 block oversize scan fragmail set smtp block oversize scan spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamipbwl splice set smtp-spamaction tag set smtp-spamtagtype subject spaminfo set smtp-spamtagmsg " Fortinet" set smtp-spamhdrip disable set smtp-spam-localoverride disable set pop3-spamaction pass set pop3-spamtagtype subject spaminfo set pop3-spamtagmsg " Spam" set nac-quar-infected none set imap-spamaction pass set imap-spamtagtype subject set imap-spamtagmsg " Spam" set filepattable 1 set webbwordtable 0 set weburlfiltertable 0 --More-- set spambwordtable 0 set spamemaddrtable 0 set spamipbwltable 0 set spammheadertable 0 set spamrbltable 0 set spamiptrusttable 0 set content-header-list 0 set nntp block oversize scan set ips-sensor-status disable set application-list-status disable config app-recognition edit " http" set inspect-all disable set port 80 next edit " https" set inspect-all disable set port 443 next edit " smtp" set inspect-all disable set port 25 next edit " pop3" set inspect-all disable set port 110 next edit " imap" set inspect-all disable set port 143 next edit " nntp" set inspect-all disable set port 119 next edit " ftp" set inspect-all disable set port 21 next end set mailsig-status disable set mail-sig " test signature" set im block oversize scan set comment " Email AntiVirus and AntiSpam " set dlp-sensor-table ' ' unset http-post-lang set replacemsg-group " default" set httpcomfortinterval 10 set ftpcomfortinterval 10 set httpcomfortamount 1 set ftpcomfortamount 1 set httppostaction normal set http-avdb default set https-avdb default set smtp-avdb default set pop3-avdb default set imap-avdb default set ftp-avdb default set im-avdb default set nntp-avdb default unset safesearch set ftgd-wf-options strict-blocking set ftgd-wf-https-options strict-blocking set ftgd-wf-enable g01 g02 g03 g04 g05 g06 g07 g08 g21 c01 c02 c03 c04 c05 c06 set ftgd-wf-disable g22 set ftgd-wf-allow all unset ftgd-wf-log unset ftgd-wf-ovrd next end
abelio
Valued Contributor

.... set smtp block ... .... set filepattable 1 ....
That settings, if filepattable is populated with file extensions with block action (remember that default builtin-patterns are disabled) should block attachments with blocked extensions.

regards




/ Abel

regards / Abel
Acronym
New Contributor

I have actually got the antivirus and file blocking working now, it is very strange I changed my firewall rule to allow Any service where I had it only allowing the SMTP. Here is my firewall rule that is now working with the AV, is this rule now a security risk as it lists Any service rather than SMTP, although I have run a GRC sheilds up test on the firewall and SMTP is the only one open. edit 3 set srcintf " wan1" set dstintf " internal" set srcaddr " all" set dstaddr " SMTP to SBS2008" set action accept set logtraffic enable set schedule " always" set service " ANY" set profile-status enable set profile " Email" next end
abelio
Valued Contributor

Here is my firewall rule that is now working with the AV, is this rule now a security risk as it lists Any service rather than SMTP
is your VIP definition " SMTP to SBS2008" a static-nat one or a port-forwarding one? If later, policy only allows smtp traffic

regards




/ Abel

regards / Abel
Acronym
New Contributor

The SMTP to SBS2008 VIP is a port forwarding rule from 25 to 25, so is this the correct way to setup an inbound SMTP firewall rule on a Fortinet? The strange thing is when I had the service as SMTP rather than ANY email worked, spam filtering worked, and even the add signature for outgoing email worked it was just the Antivirus scanning and file blocking. I did go into the built in file filter and enabled EXE file patterns and file types. I guess as long as I have setup the firewall rule correctly then this problem is solved. Thanks for your help.
Top Kudoed Authors