Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
You are going to see a ton of Low Risk results if sending all URIs to the FSA and you are not pre-filtering them out on the FSA. If you don't want to either change the action on FML to something non-final or prefilter URLs on FSA — you can try this janky workaround to put Low Risk results to user quarantine:
-Configure an AV action profile for Low Risk to deliver to alternate host. Set this host as the internal IP of the FortiMail.
You can also tag subject or apply other non-final actions. -Create an IP Policy with the FortiMail IP as source and set as exclusive (take precende over recipient based policy match). Move it to the top of the sequence order. Apply an AntiSpam Profile which will send all email matching that Policy to User Quarantine (default action on policy match). It could either be tagged here on in the previous step to denote that it was flagged by the FSA and not another spam check so that it is distinguished in the user’s quarantine. That’s optional.
This is tried and tested, and doesn't appear to break any other functionality but you may want to implement it for a subset of users initially.
I also tried that method first with inserting the header + content monitor but it does not work and I would say it is expected.
The IP Policy method shouldn't cause any issues since I have not found any scenario where the FortiMail will see any other email sourced from its own IP.
In any case, you could use a second MTA to deliver to as alternate host which then relays back to the FortiMail where the user quarantine action can be applied.
I will take a look, cos of Azure & Kemp not playing nicely together the source address of our outbound emails is the VIP on our Kemp loadmaster, got that confused with the IP of the FML as I hadn't looked for a few weeks specifically at ouitbound emails. That being the case your suggestion should work for us, though it's not ideal!
What makes you think that not applying content rules after sandboxing is by design? surely it should apply all the rules you specify and not just give up part way through after one match/event whose action is to deliver/pass email onwards?
I've run into a problem with the deliver to alternative host option - if the email or domain is on the recipients safe list, it gets delivered!
Then use a Content Profile instead of AntiSpam Profile on the IP Policy.
Set the Content Profile to quarantine everything with a wildcard dictionary entry '*'.
Or to match a header you inserted on the AV action profile.
Hiya,
change of tac slightly, have written a regex to catch the header:
/^X-FEAS-ANTIVIRUS: FortiSandbox:((?!uri).)*$/
so this one will match when an email has the "X-FEAS-ANTIVIRUS: FortiSandbox:" header but not if it includes the "uri" bit, so I can now setup content rules (as you suggested) using this so that if it matches and contains "uri" it goes to personal quarantine, but if it matches and doesn't contain "uri" (i.e. a low-risk file) I can put it into the system quarantine.
Thank you for your help - it's a shame that you can't just have a single rule and have to go through the deliver back to itself method!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.