Good day,
I am new to Fortinet; I am used to the Cisco product line and wish to expand my knowledge further, using Fortinet products going forward.
Mode chosen: Gateway mode
Deployment type: FortiMail in the DMZ or behind the FortiGate
Could someone kindly assist me step by step (probably you did this for your environment or a similar one, if possible) on how to carefully deploy a FortiMail VM to manage and monitor my email traffic in Gateway mode? I have read the 7.4.1 admin guide and other admin guides and watched a few YouTube videos, and found NO real guidance, no step-by-step solution, not even a workable template-based setup for FortiMail, just a bunch of webinars, chatting and simple setups (telling/referring you to go read the entire admin guide), no real lab scenarios at all. I have configured, set up and deployed many devices and network solutions in infrastructure environments/datacenters, some all by myself, others with the help of comrades, video guides and straightforward, coherent reading material. But I am stuck here and need your guidance.
Network environment details, but not limited to the below (if you need more information, such as a simple network diagram of the intended setup, let me know):
1. One (1) email/Exchange server behind the firewall/on the internal LAN, e.g. 192.168.5.6
2. One (1) hardware FortiGate firewall (with WAN, LAN, DMZ interfaces etc. set up)
3. One (1) private DNS server/PDC behind the firewall/on the internal LAN, e.g. 192.168.5.2
4. One (1) mail relay server (VM) running Postfix in the DMZ in front of the FortiGate, e.g. on a different subnet, 192.168.70.3
5. A public/WAN IP address already mapped to the email relay VM's internal IP
6. Firewall policies for SMTP traffic to flow between the email server, the mail relay and the internet (incoming and outgoing)
Intention: to replace the email relay VM (taking it offline) with the newly installed FortiMail VM in the DMZ for email traffic flow/protection, or to keep FortiMail behind the firewall and continue using the email relay.
What I have done so far:
1. Registered the FortiMail license and VM in Fortinet Asset Management
2. Downloaded the FortiMail VM
3. Configured/set up the VM via Hyper-V successfully
4. Started the VM and deployed it successfully
5. Configured the VM's nic1 interface via CLI with an IP, e.g. 192.168.5.7
6. Ran/followed the wizard, entered the protected domain, DNS, mail server settings, admin credentials etc., and input the gateway IP so that FortiMail can ping externally
7. Applied the Fortinet-registered license to the FortiMail VM successfully
8. Connected FortiMail to FortiGuard successfully
Now for the concerns/queries:
1. I watched this video and it provided no real help. How did he even manage to get mail event logs/email traffic? What am I missing? I copied all his steps (but using my network details/IPs, of course) - https://www.youtube.com/watch?v=4AAWRrryzX0
2. I watched this video and it is not fully informative, just superficial - https://www.youtube.com/watch?v=jdemC9cGvdM
3. I am confused about some details on this page - https://docs.fortinet.com/document/fortimail/7.4.1/administration-guide/932807/gateway-mode-deployme...
Such as:
I know about DNS records on AD, creating/configuring them etc. But this document talks about public DNS etc.
On the FortiGate I see address entries for the following:
1. Email relay VM (DMZ IP)
2. Email server (local/private IP)
3. DMZ subnet
4. LAN/internal subnet
On the FortiGate I see IPv4 policy entries as follows, but not limited to:
1. (WAN to DMZ) allow SMTP to relay - (source: all, destination: mail relay, schedule: always, service: SMTP, action: accept)
2. (DMZ to LAN) - (source: all, destination: local mail server, schedule: always, service: SMTP, action: accept)
Please note:
- On my DC, there are no MX records, so how is name resolution taking place? There is only a host A record for the Exchange server.
- Whenever I do an NSLOOKUP or PING on mail.batteries.com.au, I see the public/WAN-mapped IP of the mail relay (Postfix VM) that is on the DMZ.
- There are no FortiGate entries for the FortiMail VM.
Currently, the deployed FortiMail VM is just sitting there doing nothing. Anyone, please help!
Hello NeoRant,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Thank you Anthony, God bless, I will wait.
Hello,
Are you deploying FML just in a lab for internal test and usage, or for sending/receiving emails to/from the internet?
If it is for an internal lab, the required DNS entries should be on your local DNS (.local).
In case it is for email communication with the internet, then the DNS records must be on your public DNS server. E.g.: if your public domain name is domain.com and your public email address is neorant@domain.com, then the protected domain is domain.com, and you need to add the following DNS records to your public DNS server for domain.com.
You may read more on MX, rDNS/PTR and SPF records on Wikipedia or any other DNS-related documentation.
Regarding firewall rules, the main required rules are:
Hope this helps.
Thanks AEK, I will look into this and provide feedback. I will appreciate all the help I can get. This is indeed for production, so essentially I am treading softly. I realize that the admin guides, especially for later models such as FortiMail 7.4.1, give a WHOLE lot of information, but no real guide on what/how to do things properly, especially for new customers. So in essence, as a first step, I need the public DNS server to add those records, basically. It was confusing, because I am saying: I just know that we have an internal mail server behind the FortiGate firewall, the internal LAN behind the firewall, a Postfix server for mail relay, and I see firewall entries between the mail server and Postfix, but where is the public DNS server located? When I nslookup our email domain, e.g. neorant@domain.com, I get the local IP of our mail server, but when I ping mail.domain.com, it resolves to a virtual/public IP on the FortiGate that maps to the Postfix/mail relay VM's private IP (which is on the DMZ). I appreciate the response.
Hi @NeoRant
As it is a production mail gateway, I recommend asking for the help of an experienced integrator if this is your first time. Otherwise it may take you a lot of time and you may run into trouble with spam, phishing mails, legitimate mails getting quarantined and other deliverability issues.
Since this is prod, I think it is safer to avoid such risks.
Once you follow this first integration and take note of all the steps, you will be able to handle the next integration more easily, faster and more safely.
Hi AEK, thank you for the help, and to all others who stepped in; glad to be a part of the Fortinet community. My job really was to:
The above part of the job was done by me easily. I am a Systems/Server Engineer/Administrator, not a cybersecurity expert, rather a Fortinet newbie lol. Though I understand the basic-to-intermediate concepts and some advanced areas in network security/networking, the learning never stops. I was told today that someone else will be doing the FortiGate firewall rules, public DNS, MX and A records for SMTP traffic to flow via the FML for the final/production deployment. I say thank God. However, I need some guidance below (should I create a new community post to get help?).
My manager has now asked me to just focus on enhancing the FortiMail VM with the recommended features located in the dashboard for FortiMail 7.4 (and believe me, I do not understand MOST of the features in FortiMail; as someone said in a video, the features are TOO vast/plentiful):
1. Policy (access control, IP policy, recipient policy etc.)
2. Profile (session, antispam, antivirus, content, replacement message, resource, auth, LDAP, dictionary, security, IP pool, group, notification)
3. Security (URL filter, quarantine, greylist etc.)
4. Encryption (IBE etc.)
5. Log & Report
Could I kindly get a set template/industry standard for a good FortiMail deployment (a step-by-step guide) that I can use on my FortiMail? I know many admins have their options tweaked to their environment, but I will use anyone's recommended options and take the time to tweak mine accordingly.
I already know my LAN/WAN network configs. The only thing I would do is use my IP details, replacing whatever I get.
I have done some reading, but found no real recommendation or "how to" guide for setting up FortiMail with great antispam, antivirus etc. features. Most settings in these dashboard sections have been left at default, but I welcome any recommendations PLEASE.
Resources that I have read so far:
https://www.fortinetguru.com/2016/04/configuring-policies/3/
https://www.youtube.com/watch?v=nTPA8YTd9Zg
https://www.youtube.com/watch?v=kEPTTPznJRA&t=321s
https://www.isp-tools.de/fileadmin/media/Produkte/pdf/FortiMail_Install_Guide_v4_0_1_rev2.pdf
https://docs.fortinet.com/document/fortimail/7.4.1/administration-guide/338745/configuring-policies
Hi NeoRant
You did very well by reading these docs; you'll certainly master FML very quickly. I see you are putting in a lot of effort, so I'll try to help from my side with the info below.
Here are some recommendations that may help, summarizing from beginning to end.
Inbound email scan: Enable
Outbound email scan: Enable
Email relay for protected domain: Yes
Once all of this is done, test both sending and receiving emails.
Test the deliverability so you can ensure that you are not considered a spammer:
I think all is said, but feel free to ask any related question if needed.
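One way to sanity-check the MX, rDNS/PTR and SPF records AEK refers to in the earlier reply, and the deliverability test mentioned in this one, before any production mail is cut over to the gateway. This is an added example, not code from AEK's posts or from Fortinet documentation. The domain, host names and IP addresses (example.com.au, mail.example.com.au, relay.example.com.au, 203.0.113.25 and 203.0.113.30 in the RFC 5737 documentation range) are constructed, and the two zone dictionaries stand in for what a real resolver would return, so it runs offline. The SPF evaluator is deliberately minimal (ip4/ip6 mechanisms and all only) and is not a full RFC 7208 implementation.

```python
"""Offline sanity check of the public DNS records a FortiMail gateway
depends on: the MX host resolves to the gateway's public IP, the
gateway IP has a PTR that forward-confirms to that host, and exactly
one SPF record authorises the IP. Zone data below is constructed for
the example (RFC 5737 documentation addresses), not a real zone."""
import ipaddress
import re

# Constructed sample zone: what public DNS should look like once the
# FortiMail gateway (hypothetical public IP 203.0.113.25) replaces the relay.
GOOD_ZONE = {
    "MX":  {"example.com.au": [(10, "mail.example.com.au")]},
    "A":   {"mail.example.com.au": ["203.0.113.25"]},
    "PTR": {"203.0.113.25": ["mail.example.com.au"]},
    "TXT": {"example.com.au": ["v=spf1 ip4:203.0.113.25 -all"]},
}

# Constructed zone with leftovers of the old Postfix relay: the PTR still
# names the relay and SPF still lists the relay's old IP (203.0.113.30).
STALE_ZONE = {
    "MX":  {"example.com.au": [(10, "mail.example.com.au")]},
    "A":   {"mail.example.com.au": ["203.0.113.25"]},
    "PTR": {"203.0.113.25": ["relay.example.com.au"]},
    "TXT": {"example.com.au": ["v=spf1 ip4:203.0.113.30 -all"]},
}


def lookup(zone, rtype, name):
    """Return the records of type rtype for name, or [] if none exist."""
    return zone.get(rtype, {}).get(name, [])


def spf_authorises(spf, ip):
    """Minimal SPF evaluation: only ip4:/ip6: mechanisms and 'all'.
    include:, a, mx and redirect= are not implemented (assumption: the
    gateway IP is listed directly). Returns True only on a '+' match;
    '-all' and '~all' both count as not authorised here."""
    if not spf.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return qualifier == "+"
        m = re.fullmatch(r"ip[46]:(.+)", term)
        if m and addr in ipaddress.ip_network(m.group(1), strict=False):
            return qualifier == "+"
    return False


def check_gateway_dns(zone, domain, gateway_ip):
    """Return a list of findings; an empty list means the records are consistent."""
    findings = []
    mx = sorted(lookup(zone, "MX", domain))  # lowest preference first
    if not mx:
        return [f"no MX record for {domain}"]
    mx_host = mx[0][1]
    if gateway_ip not in lookup(zone, "A", mx_host):
        findings.append(f"MX host {mx_host} does not resolve to {gateway_ip}")
    ptr = lookup(zone, "PTR", gateway_ip)
    if not ptr:
        findings.append(f"no PTR record for {gateway_ip}")
    elif mx_host not in ptr:
        findings.append(f"PTR for {gateway_ip} is {ptr[0]}, not {mx_host} "
                        "(reverse DNS is not forward-confirmed)")
    spf = [t for t in lookup(zone, "TXT", domain) if t.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record for {domain}, found {len(spf)}")
    elif not spf_authorises(spf[0], gateway_ip):
        findings.append(f"SPF record does not authorise {gateway_ip}")
    return findings


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("stale", STALE_ZONE)):
        print(label, check_gateway_dns(zone, "example.com.au", "203.0.113.25") or "OK")
```

Against real DNS, replace the dictionaries with the answers from dig or nslookup against a public resolver (not the internal AD DNS, which is what the original poster was querying). The PTR forward-confirmation and the SPF match are among the first things receiving servers check when deciding whether a new sending IP looks like a spammer, and leaving the old relay's PTR and SPF entries in place after the cut-over is exactly the kind of stale record this catches.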
I thank you for your knowledge and assistance; you are kind, and this community is awesome. Should I have more queries, I will ask.
I made a post yesterday:
Re: Initial Fortimail configuration and tuning
I know not one solution/template fits all, but a general set of recommended feature/option settings would be great. Whatever I learn in this forum, I will use to help others and encourage more people to use the Fortinet product line.
Kindly refer to the post below (it is not me alone):
https://www.reddit.com/r/fortinet/comments/awn1kz/initial_fortimail_configuration_and_tuning/