Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiMail AV Profile & User Personal Quarantin...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiMail AV Profile & User Personal Quarantine
Hola,
Is there any way of setting an AV profile to deliver to User’s Personal Quarantine? We’re trying to get a balance between Security and user experience... here’s the scenario:
We have FML 5.4.2 connected to an FSA 3000E (fully loaded on licenses). I enabled URI scanning through the FSA and over a weekend 1,900 genuine emails were dropped into the system quarantine cos they contained low risk URIs. Cue an outcry from users.... :( so had to turn it off.
As I cannot find a way of making FML take different action based on URI or Attachment I’ve decided the best option is to drop any low risk email into personal quarantine and send a notification email. Sadly after getting it approved I found that it doesn’t look like I can make AV profiles use the personal quarantine....
We discussed the option of using the attachment option (deliver the original email as an attachment to a notification) but the consensus was that users would be more likely to open it and not take note of the security concerns than if they had to login to their personal quarantine.
Maybe there is a CLI switch that allows this?
I have put in an NFR for the ability to split options for attachments and URIs - the FML can send different notification emails if you use the replacement message feature so it can clearly be aware of which is which.
Thanks!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You are going to see a ton of Low Risk results if sending all URIs to the FSA and you are not pre-filtering them out on the FSA. If you don't want to either change the action on FML to something non-final or prefilter URLs on FSA — you can try this janky workaround to put Low Risk results to user quarantine:
-Configure an AV action profile for Low Risk to deliver to alternate host. Set this host as the internal IP of the FortiMail.
You can also tag subject or apply other non-final actions. -Create an IP Policy with the FortiMail IP as source and set as exclusive (take precende over recipient based policy match). Move it to the top of the sequence order. Apply an AntiSpam Profile which will send all email matching that Policy to User Quarantine (default action on policy match). It could either be tagged here on in the previous step to denote that it was flagged by the FSA and not another spam check so that it is distinguished in the user’s quarantine. That’s optional.
This is tried and tested, and doesn't appear to break any other functionality but you may want to implement it for a subset of users initially.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks - we are using pre filtering and still getting loads of low risk, hence the issue.
Have another idea - after the FSA scans it adds a new header in (something like X-ANTIVIRUS-FESA: Fortisandbox: uri) so I setup a content rule and assumed it would work. But no matter what I do the content rule isn’t being triggered, even after setting the scan-order to antispam-Sandbox-content.
Will kick that to TAC as it seems it should work.
As for your suggestion could be tricky cos we have a load balancer in Azure (KEMP not ms) and we’re having issues outbound where the IP of the client is the VIP not the exchange server. Could pose problems potentially but I will play around with it as I have a lab version of it too.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks - we are using pre filtering and still getting loads of low risk, hence the issue.
Have another idea - after the FSA scans it adds a new header in (something like X-ANTIVIRUS-FESA: Fortisandbox: uri) so I setup a content rule and assumed it would work. But no matter what I do the content rule isn’t being triggered, even after setting the scan-order to antispam-Sandbox-content.
Will kick that to TAC as it seems it should work.
As for your suggestion could be tricky cos we have a load balancer in Azure (KEMP not ms) and we’re having issues outbound where the IP of the client is the VIP not the exchange server. Could pose problems potentially but I will play around with it as I have a lab version of it too.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also tried that method first with inserting the header + content monitor but it does not work and I would say it is expected.
The IP Policy method shouldn't cause any issues since I have not found any scenario where the FortiMail will see any other email sourced from its own IP.
In any case, you could use a second MTA to deliver to as alternate host which then relays back to the FortiMail where the user quarantine action can be applied.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will take a look, cos of Azure & Kemp not playing nicely together the source address of our outbound emails is the VIP on our Kemp loadmaster, got that confused with the IP of the FML as I hadn't looked for a few weeks specifically at ouitbound emails. That being the case your suggestion should work for us, though it's not ideal!
What makes you think that not applying content rules after sandboxing is by design? surely it should apply all the rules you specify and not just give up part way through after one match/event whose action is to deliver/pass email onwards?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've run into a problem with the deliver to alternative host option - if the email or domain is on the recipients safe list, it gets delivered!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then use a Content Profile instead of AntiSpam Profile on the IP Policy.
Set the Content Profile to quarantine everything with a wildcard dictionary entry '*'.
Or to match a header you inserted on the AV action profile.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hiya,
change of tac slightly, have written a regex to catch the header:
/^X-FEAS-ANTIVIRUS: FortiSandbox:((?!uri).)*$/
so this one will match when an email has the "X-FEAS-ANTIVIRUS: FortiSandbox:" header but not if it includes the "uri" bit, so I can now setup content rules (as you suggested) using this so that if it matches and contains "uri" it goes to personal quarantine, but if it matches and doesn't contain "uri" (i.e. a low-risk file) I can put it into the system quarantine.
Thank you for your help - it's a shame that you can't just have a single rule and have to go through the deliver back to itself method!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiMail Disable Release Confirmation 261 Views
- Quarantine an Email by header 428 Views
- Receive quarantine report for user -... 269 Views
- Personal email quarantine release 663 Views
- Fortimail Bulk/Personal Quarantine Best practice? 359 Views
Labels
-
FortiGate
8,501 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.