FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jheadley_FTNT
Description
When using an anti-spam profile on the FortiGate, users may notice some inbound emails are not being logged under the anti-spam security logs.  In addition, some of the emails that are not logged may also not be inspected by the anti-spam profile or other security profiles, such as AV or DLP.

Scope
Networks where an email server is located behind a FortiGate or FortiWiFi device running FortiOS 5.2 and above.

Solution
Part A – Ensure Logging is Enabled in the CLI

By default, “clean” emails will not be logged in the anti-spam logs if the anti-spam profile does not perform any action on the email. However, we can enable logging of all emails for the SMTP protocol in the CLI with the following commands.

config spamfilter profile
    edit {name}
        config smtp
            set log enable
            end
        next
end

Part B – Some Inbound Email Still Not Being Logged or Inspected

If the CLI commands above have already been implemented, but you still do not see all emails being logged or inspected, then a common cause is the email has been encrypted via SMTPS (generally over port 465) or using a mechanism called STARTTLS (generally over port 587 or the normal SMTP port of 25.)

In order for the FortiGate to log and inspect this traffic, the FortiGate must perform SSL Inspection on these connections to your mail server. In order to avoid certificate warnings, the following configuration is recommended.

1.       Upload the mail server’s SSL certificate and private key under the System > Certificates section, as shown below.

 jheadley_FD40479_1-2.png

jheadley_FD40479_2.png

2.       Create a new SSL Inspection profile of type “Protecting SSL Server” and select the newly uploaded mail server certificate as the “Server Certificate.”

 jheadley_FD40479_3.png
3.       Select this SSL inspection profile on the firewall policy that allows the mail traffic through the FortiGate.

jheadley_FD40479_4.png


Related Articles

Technical Note: AV scanning on SMTP traffic

Contributors