My customer wants to sandbox and quarantine all suspicious mails to the User Quarantine. Fine, Fortimail and Sandbox Appliance configured and everything works as expected.
Yesterday he told me there were mails in the System Quarantine which should be in the User Quarantine, and now he has to release these mails manually, which is not the best way.
So I researched a specific email and yes, many mails were delivered to the System Quarantine Folder and all these mails have an attachment, but I haven't configured a System Quarantine Action? I double checked all the possibilities:
Recipient Policies (for all Domains, including System Domain)
Outbound / Inbound Policies
Content Actions and -profiles
AntiSpam Actions and -profiles
AntiVirus Profiles and -profiles
So I'm stuck now, because there's nothing related to the System Quarantine.
So the question is now, is there any "System Default" Action or any CLI Option that I can check, to prevent emails from being delivered to the System Quarantine?
Take one of these emails and search for it in the logs. Verify that the Disposition says System Quarantine, and check which Profile was triggered (AS, AV, Content). Then, looking at the 'policy id' column, you should see which Recipient Policy was applied (third number from the policy id); you will find the action configured under this Policy and Profile.