opetr_FTNT
Staff
Article Id 194862
Description
This article describes how to proceed when AV scanning seems not to be performed on SMTP traffic.

Solution
This condition may be seen when deep inspection is not enabled on the SMTP policy.

Even though only port 25 is used for the traffic (no SMTPS on tcp/465), the traffic can still be encrypted, and hence needs the deep-inspection profile, when the protected server supports STARTTLS: the session starts in plain text and is upgraded to TLS in-band, so without deep inspection the FortiGate cannot see the message body and attachments.

The solution is to enable Deep Inspection on SMTP traffic.

Whether the mail server supports STARTTLS can be verified with telnet (look for STARTTLS among the EHLO capabilities):
% telnet 10.98.2.90 25
Trying 10.98.2.90...
Connected to 10.98.2.90.
Escape character is '^]'.
220 gateway.internal.lab ESMTP Smtpd; Fri, 24 Apr 2015 10:27:49 +0200
ehlo test
250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 104857600
250-DSN
250-AUTH LOGIN PLAIN
**250-STARTTLS**
250-DELIVERBY
250 HELP
quit
221 2.0.0 gateway.internal.lab closing connection


Diagram

Client ==(port2) FortiGate (port3)== MailServer

Configuration GUI

1) Create an SSL Inspection profile in Policy & Objects > Policy > SSL/SSH Inspection.

2) Create an AV profile in Security Profiles > AntiVirus.

3) Create a firewall policy in Policy & Objects > Policy > IPv4 that references both profiles.


Configuration CLI

The same can be configured via CLI.

SSL Inspection profile
config firewall ssl-ssh-profile
    edit "smtp-inspection"
        config https
            set ports 443
            set status disable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
        end
        config ssh
            set ports 22
            set status disable
        end
    next
end

AV profile
config antivirus profile
    edit "AV-SMTP"
        set inspection-mode proxy
        config smtp
            set options scan
        end
    next
end

Firewall Policy
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set utm-status enable
        set av-profile "AV-SMTP"
        set profile-protocol-options "default"
        set ssl-ssh-profile "smtp-inspection"
        set nat enable
    next
end

Verification of Configuration and troubleshooting


To verify that the policy is configured correctly and that inspection is performed on SMTP-over-TLS traffic, the OpenSSL tool can be used (https://www.openssl.org/).

Run the command as follows and look for the "issuer" line in the output.

If the policy is configured correctly, the issuer CN will be the CN of the CA certificate used in the SSL Inspection profile (it is "FortiGate CA" in the case of the default "Fortinet_CA_SSLProxy"). If the issuer is instead the mail server's own CA, the FortiGate is not intercepting the STARTTLS session.
% openssl s_client -connect 10.98.2.90:25 -starttls smtp
<--output omitted-->
-----END CERTIFICATE-----
subject=/C=CZ/ST=Czech Republic/L=Prague/O=Internal Lab CA/CN=gateway.internal.lab/emailAddress=ca@internal.lab
**issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com **
---
No client certificate CA names sent
---
SSL handshake has read 2860 bytes and written 490 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 76B58A6EB015C95570FC002BC4D14776A8FD276AAEF4438F3CA4F8246C75B390
    Session-ID-ctx:
    Master-Key: E24C9FB50263CA341852D413DF5B0D78BA67ABFE8A3DE100CCE5778317BC571332E6AACF0165
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429864243
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
quit
221 2.0.0 gateway.internal.lab closing connection
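An added example, not from the KB article: a small Python check that performs the same EHLO/STARTTLS exchange and reads the issuer CN of the certificate the client is shown, so it can be compared with the CN of the SSL inspection CA. The minimal DER parser, the client name client.internal.lab and the sample certificate bytes are constructed for this example and are not FortiGate code.

```python
import smtplib
import ssl

CN_OID = b"\x55\x04\x03"   # id-at-commonName, OID 2.5.4.3

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value bytes, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def issuer_cn_from_der(der):
    """Issuer CN of a DER X.509 certificate, read without any trust check."""
    _, cert, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                  # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                 # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)                 # signature AlgorithmIdentifier
    _, name, _ = _tlv(tbs, pos)                # issuer Name ::= SEQUENCE OF RDN
    p = 0
    while p < len(name):
        _, rdn, p = _tlv(name, p)              # RDN ::= SET OF AttributeTypeAndValue
        _, atv, _ = _tlv(rdn, 0)
        _, oid, q = _tlv(atv, 0)
        _, val, _ = _tlv(atv, q)
        if oid == CN_OID:
            return val.decode("utf-8", "replace")
    return None

def check_smtp_inspection(host, port=25, inspection_ca_cn="FortiGate CA"):
    # Live check: EHLO, STARTTLS, then compare the issuer CN with the inspection CA's CN.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # look at the cert, don't trust it
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("client.internal.lab")       # hypothetical client name, as in the swaks run
        if not smtp.has_extn("starttls"):      # plain SMTP only: nothing to inspect
            return {"starttls": False, "issuer_cn": None, "inspected": False}
        smtp.starttls(context=ctx)
        cn = issuer_cn_from_der(smtp.sock.getpeercert(binary_form=True))
        return {"starttls": True, "issuer_cn": cn, "inspected": cn == inspection_ca_cn}

# Constructed sample (not a real certificate): just enough DER for issuer_cn_from_der(),
# issuer O=Fortinet, CN=FortiGate CA; _der() encodes short-form lengths (< 128) only.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def _attr(oid, text):                          # SET { SEQUENCE { OID, UTF8String } }
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))
SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))    # sha256WithRSAEncryption
    + _der(0x30, _attr(b"\x55\x04\x0a", "Fortinet") + _attr(CN_OID, "FortiGate CA"))))
```

Running check_smtp_inspection() against a mail server behind the policy should report inspected=True; inspected=False with starttls=True means the client is seeing the server's own certificate and the session is not being intercepted.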

'swaks' (http://www.jetmore.org/john/code/swaks/) can be used to confirm that the AV scan is performed: send a mail over STARTTLS with the Eicar test file (http://www.eicar.org/85-0-Download.html) attached to trigger the AV alert.
% swaks --server 10.98.2.90 --from kb@internal.lab --to user@internal.lab -tls --attach ./eicar.com -n
=== Trying 10.98.2.90:25...
=== Connected to 10.98.2.90.
<-  220 gateway.internal.lab ESMTP Smtpd; Fri, 24 Apr 2015 10:41:37 +0200
 -> EHLO client.internal.lab
<-  250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
<-  250-ENHANCEDSTATUSCODES
<-  250-PIPELINING
<-  250-8BITMIME
<-  250-SIZE 104857600
<-  250-DSN
<-  250-AUTH LOGIN PLAIN
<-  250-STARTTLS
<-  250-DELIVERBY
<-  250 HELP
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started w/ cipher ECDHE-RSA-AES128-SHA
=== TLS peer subject DN="/C=CZ/ST=Czech Republic/L=Prague/O=Internal Lab CA/CN=gateway.internal.lab/emailAddress=ca@internal.lab"
 ~> EHLO client.internal.lab
<~  250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
<~  250-ENHANCEDSTATUSCODES
<~  250-PIPELINING
<~  250-8BITMIME
<~  250-SIZE 104857600
<~  250-DSN
<~  250-AUTH LOGIN PLAIN
<~  250-DELIVERBY
<~  250 HELP
 ~> MAIL FROM:<kb@internal.lab>
<~  250 2.1.0 <kb@internal.lab>... Sender ok
 ~> RCPT TO:<user@internal.lab>
<~  250 2.1.5 <user@internal.lab>... Recipient ok
 ~> DATA
<~  354 Enter mail, end with "." on a line by itself
 ~> 25 lines sent
**<~* 554 5.7.1 Dangerous Attachment has been Removed.  The file "eicar.com" has been removed because of a virus.  It was infected with the "EICAR_TEST_FILE" virus.  File quarantined as: "".""**
 ~> QUIT

If everything is configured correctly, a similar message should appear in the FortiGate logs after the Eicar file is sent.
