Scribd Logo
Upload

Welcome to Scribd!

  • FortiMail 11 Transparent Mode

    Uploaded by

    Pyae Sone Tun
    53 views9 pages

    Original Title

    248625726 FortiMail 11 Transparent Mode

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    53 views9 pages

    FortiMail 11 Transparent Mode

    Uploaded by

    Pyae Sone Tun

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 9

    Course 221 - FortiMail Email Filtering Transparent Mode

    Transparent Mode
    Module 11

    © 2013 Fortinet Inc. All rights reserved.


    The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
    1
    or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
    or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726

    Transparent Mode

    • Transparent relay
    • FortiMail is inline, in front of the mail servers or mail relays

    FORTIMAIL UNIT INTERCEPTS AND


    SCANS SESSIONS DESTINED TO
    THE BACKEND SERVERS

    MAIL FLOW
    INTERNET

    MTAs

    • FortiMail is not the SMTP end point


    • FortiMail transparently intercepts and scans SMTP sessions based on
    the destination IP address
    2

    06-50000-0221-20130726 1
    Course 221 - FortiMail Email Filtering Transparent Mode

    Transparent Mode Advantages

    • IP layer transparency
    » FortiMail unit acts as a bridge for SMTP and non SMTP traffic
    » The IP address scheme does not require any change

    • SMTP layer transparency


    » No changes required to existing MX records and MUA/MTA configurations
    » The FortiMail unit’s presence can be hidden

    Network Interfaces - Bridge Mode

    • When configured in bridge mode the network interfaces operate as an


    L2 forwarding bridge
    • The FortiMail unit can be reached through the management IP
    address statically assigned to the port1 interface
    • Port1 interface cannot be changed to route mode

    06-50000-0221-20130726 2
    Course 221 - FortiMail Email Filtering Transparent Mode

    Network Interfaces - Route Mode

    • Configured in route mode the network interface is not part of the bridge
    anymore
    • CLI syntax to remove the interface from the bridge is:
    config system interface
    (interface)# edit port2
    (port2)# set bridge-member disable
    (port2)# set ip 192.168.2.100 255.255.255.0
    (port2)# set allowaccess ping
    (port2)# next

    Transparent Mode

    SMTP SESSIONS ARE


    PROXIED AND BRIDGED

    MAIL FLOW

    INTERNET

    MTAs

    FORTIMAIL DEFAULT MANAGEMENT IP ADDRESS IS NON SMTP TRAFFIC IS


    ROUTE AND MTA IN THE SAME SUBNET AS THE BRIDGED (ARP REQUEST,
    DEFAULT ROUTE MTAs ETC.)

    06-50000-0221-20130726 3
    Course 221 - FortiMail Email Filtering Transparent Mode

    Transparent Mode – Hybrid Example 1

    • Mail flow is bridged by the FortiMail unit


    • A third interface is in route mode
    INTERNAL INTERFACE IN
    EXTERNAL INTERFACE IN BRIDGE MODE
    BRIDGE MODE

    MAIL FLOW

    INTERNET

    MTAs
    FORTIMAIL DEFAULT
    ROUTE
    THIRD INTERFACE IN
    ROUTE MODE FOR OOB
    MANAGEMENT MANAGEMENT
    FORTIMAIL STATIC ROUTE TO PLATFORMS
    THE MANAGEMENT
    PLATFORMS

    Transparent Mode – Hybrid Example 2

    ROUTE MODE
    INTERFACE

    ONE-ARM ATTACHMENT MAIL FLOW WOULD NOT BE SENT TO


    (2nd INTERFACE FOR OOB THE FORTIMAIL WITHOUT POLICY-
    MTAs MANAGEMENT) BASED ROUTING MTAs

    INTERNAL
    INTERNET
    SMTP NETWORK

    MAIL USER POLICY-BASED ROUTING DESTINATION IP = MAIL USER


    AGENTS SMTP TRAFFIC --> FORTIMAIL MTAs ADDRESSES AGENTS

    06-50000-0221-20130726 4
    Course 221 - FortiMail Email Filtering Transparent Mode

    Transparent Mode Directions

    • In transparent mode the recipient domain address does not determine


    the direction
    • At the network connectivity level the destination IP address determines
    whether a session is incoming or outgoing:
    » An SMTP session is considered incoming if the destination IP address matches
    an SMTP server configured in the protected domain list
    » An SMTP session is considered outgoing if the destination IP address does not
    match any SMTP server configured on the FortiMail unit

    Transparency Settings

    • By default, the transparent mode unit does not hide its presence in the
    mail flow
    • The management IP address (if in bridge mode) or the interface IP
    address (if in route mode) will be used to establish a new session to
    the destination MTA
    • To hide the transparent unit you can use one of the following options
    depending on the direction of the email:
    » Incoming emails: Enable the option “Hide the transparent box” (System > Domain)
    » Outgoing emails: Enable the option “Hide this box from the mail server” (Session
    profile > Connection Settings)
    » In both cases, the TP unit will reuse the sender IP address to establish the new
    session

    10

    06-50000-0221-20130726 5
    Course 221 - FortiMail Email Filtering Transparent Mode

    Built in MTA

    • A transparent mode FortiMail unit can route a message to its


    destination by using its built in MTA or by proxying it
    • When the built in MTA is used the following actions are taken:
    » The email is intercepted
    » DNS MX and A resolution are performed on the recipient domain
    » The email is delivered

    11

    Transparent Proxy

    • If the transparent proxy is enabled, the FortiMail unit performs the


    following actions:
    » The email is intercepted
    » The email is simply forwarded to destination
    » No queuing of messages in case of delivery failure
    • Transparent proxy can be enabled depending on the direction of the
    mail flow in the following ways:
    » Incoming: Select the option “Use this domain’s SMTP to deliver the email” (Mail
    Settings > Domains)
    » Outgoing: Select the option “Use client specified SMTP server to send email”
    (Mail Settings > Settings)

    12

    06-50000-0221-20130726 6
    Course 221 - FortiMail Email Filtering Transparent Mode

    Mail Traffic inspection

    • To perform inspection on specific mail flows the administrator has to


    enable proxy inspection on the physical interfaces

    13

    Transparent Mode SMTP Pass Through

    gw.smarthost.lab
    10.0.3.100

    MX record for external.lab: server.external.lab (10.0.2.100)

    Port2
    Transparent unit (tp.smarthost.lab) configured to Pass Through
    incoming and outgoing SMTP connections. tp.smarthost.lab
    The session from 10.0.1.100 to 10.0.3.100 is bridged. 10.0.3.201

    Mail From: user@internal.lab 1 Port1 2


    RCPT To: user@external.lab
    MX record for domain external.lab:
    gw.smarthost.lab(10.0.3.100)

    FQDN server.internal.lab FQDN server.external.lab


    IP 10.0.1.100 IP 10.0.2.100
    Domain: internal.lab Domain: external.lab

    14

    06-50000-0221-20130726 7
    Course 221 - FortiMail Email Filtering Transparent Mode

    Transparent Mode Incoming SMTP MTA Routing

    gw.smarthost.lab
    10.0.3.100

    Domain smarthost.lab defined with IP 10.0.3.100


    The transparent mode unit intercepts the email and it triggers
    its internal MTA to route the email to destination.
    MX record for domain external.lab: server.external.lab
    (10.0.2.100)
    Port2

    tp.smarthost.lab
    10.0.3.201

    Port1
    Mail From: user@internal.lab
    RCPT To: user@external.lab 1 2
    MX record for domain external.lab: gw.smarthost.lab(10.0.3.100)

    FQDN server.internal.lab FQDN server.external.lab


    IP 10.0.1.100 IP 10.0.2.100
    Domain: internal.lab Domain: external.lab

    15

    Transparent Mode Incoming SMTP Proxy

    gw.smarthost.lab
    10.0.3.100 The Gateway FortiMail unit receives the email.
    MX lookup is performed to route the email to destination.
    MX record for domain external.lab: server.external.lab (10.0.2.100)
    Domain smarthost.lab defined with IP 10.0.3.100
    The transparent mode unit intercepts the email and it forwards
    it to 10.0.3.100 (as indicated in the protected domain section)
    A new session is initiated from the TP unit with source IP of 2
    10.0.3.201 to 10.0.3.100 Port2

    tp.smarthost.lab
    10.0.3.201
    Mail From: user@internal.lab
    RCPT To: user@external.lab Port1
    MX record for domain external.lab:
    gw.smarthost.lab(10.0.3.100)
    1 3

    FQDN server.internal.lab
    FQDN server.external.lab
    IP 10.0.1.100
    IP 10.0.2.100
    Domain: internal.lab
    Domain: external.lab

    16

    06-50000-0221-20130726 8
    Course 221 - FortiMail Email Filtering Transparent Mode

    Transparent Mode Outgoing SMTP MTA

    gw.smarthost.lab
    10.0.3.100

    No protected domain configured on the Transparent FortiMail unit.


    All traffic is considered OUTGOING.
    Port1 configured to proxy outgoing SMTP connections.
    The Transparent mode unit intercepts the email and it triggers its
    Port2 internal MTA to route the email to destination.
    MX record for domain external.lab: server.external.lab (10.0.2.100)

    tp.smarthost.lab
    Mail From: user@internal.lab 10.0.3.201
    RCPT To: user@external.lab Port1
    MX record for domain external.lab: gw.smarthost.lab(10.0.3.100)

    1 2

    FQDN server.internal.lab FQDN server.external.lab


    IP 10.0.1.100 IP 10.0.2.100
    Domain: internal.lab Domain: external.lab

    17

    Transparent Mode Outgoing SMTP Proxy

    gw.smarthost.lab
    10.0.3.100 The Gateway unit receives the email.
    MX lookup is performed to route the email to destination.
    MX record for domain external.lab: server.external.lab (10.0.2.100)
    No protected domain configured on the Transparent unit.
    All traffic is considered outgoing.
    Port1 configured to proxy outgoing SMTP connections.
    The transparent mode unit intercepts the email and it forwards it to
    10.0.3.100 (as indicated by the client). 2
    A new session is initiated from the TP unit with source IP of 10.0.3.201 Port2

    tp.smarthost.lab
    10.0.3.201
    Mail From: user@internal.lab
    RCPT To: user@external.lab Port1
    MX record for domain external.lab:
    gw.smarthost.lab(10.0.3.100) 1 3

    FQDN server.internal.lab FQDN server.external.lab


    IP 10.0.1.100 IP 10.0.2.100
    Domain: internal.lab Domain: external.lab

    18

    06-50000-0221-20130726 9

    You might also like