
FortiMail Overview

Dedicated email security solution

Last Update: March 2008


Nathalie Rivat
Agenda
• Introducing FortiMail
• FortiMail deployment scenarios
• FortiMail product line
• Differentiated services: policies and profiles
• Antispam techniques
• Virus detection
• FortiMail HA
• Email archiving
• Reporting
Email Security Challenges
• Action is needed to secure mail inbound and outbound
Introducing FortiMail
• Multi-layered email security platforms
– Maximum detection accuracy of blended email-based threats:
▪ Antispam, antivirus, antispyware and antimalware detection
▪ Relies on Fortinet FortiGuard™ services that are powered by a worldwide 24x7 Global Threat Research organization
• Inbound & Outbound Email Messaging Security
– Unlike other messaging security products, FortiMail inspects and secures inbound and outbound mail with only one system
• Flexible deployment options
– The only email security solution that can be deployed in:
▪ Transparent mode
▪ Gateway mode
▪ Email server mode
• Integrated Message Transfer Agent (MTA)
– Specialized MTA engine for peak capacity
– Intelligent routing, QoS, virtualization
• Cost effective solution
– No user or mailbox restrictions
– Large product range to fit performance requirements
– No third-party agreement – 100% Fortinet technology
• Email Archiving
– Facilitates regulatory compliance for content archiving
• High availability
– FortiMail redundancy with automatic failover
FortiMail Operating Modes
• The only solution that can be deployed in 3 modes and fits:
– Any deployment scenario
▪ DMZ or inline deployments, one-arm or dual-arm attachment, etc.
– Any IP requirements
▪ Bridge mode, route mode, NAT IP addresses
– Any SMTP requirements
▪ Explicit or transparent proxy, visible or invisible in headers and envelope
• Gateway mode (relay mode)
– Proxy MTA services for existing email gateways
– DNS MX record redirects email to FortiMail
• Transparent mode
– Intercepts SMTP traffic that is not explicitly destined to itself
▪ FortiMail does not need to be the SMTP or IP endpoint
▪ Seamless integration into existing network environments
▪ Requires no IP or SMTP changes
– It can also simulate an explicit relay (#VIP)
▪ FortiMail is the SMTP/IP endpoint
– FortiMail can bridge or route traffic
• Server mode
– Full email server functionality



Gateway mode deployment – Traditional scenario
[Diagram: users, mail servers and the Internet, with outgoing SMTP and incoming SMTP flows]

• FortiMail is a mail relay


• Involves changes to the existing network topology
– DNS server is configured to ensure that incoming SMTP traffic is sent to FortiMail before reaching the back end mail server
• FortiMail supports outgoing antispam filtering
– In addition to virus and content filtering for policy compliance
– The back end mail server relays outgoing mail to FortiMail for improved security
▪ Zombies and botnet protection
– Antispam techniques for outgoing traffic are different than for incoming mail
Transparent mode deployment option 1 – Large Enterprise
[Diagram: users, MTAs and the Internet, with outgoing SMTP and incoming SMTP flows; both interfaces are in bridge mode]

• FortiMail is inline - in front of mail servers


– Although not explicitly destined to FortiMail, SMTP traffic is transparently proxied and inspected
• Seamless integration into existing network, no network reconfiguration
– IP-layer transparency
▪ FortiMail acts as a bridge for SMTP and non-SMTP traffic
▪ No need to change the IP addressing scheme or mail server default gateway
– SMTP-layer transparency:
▪ No change in existing MX records and MUA/MTA setup
▪ FortiMail can be transparent in envelope & mail headers
Transparent mode deployment option 2 – ISPs
[Diagram: transparent mode with one-arm or dual-arm attachment (optionally a 3rd interface for OOB management); policy-based routing sends SMTP traffic to FortiMail; MTAs and MUAs on the internal network, MTAs on the Internet, outgoing SMTP flow. Sessions initiated from the Internet to the ISP internal network are not scanned.]

• FortiMail is not inline


– The network redirects SMTP traffic to FortiMail
– Policy based routing or load-balancers
• Smooth integration into existing network environments
– No need to change IP addressing scheme or SMTP setup on MUA/MTA
– Although not explicitly destined to FortiMail, SMTP traffic is intercepted by FortiMail and inspected, and clean traffic is delivered to destination MTAs
ISP scenario
• ISPs and mobile operators are concerned about filtering outgoing spam to protect their IP addresses from blacklisting
– Spammers cause ISP addresses to be blacklisted by DNSBL servers
– Outgoing SMTP connections = any SMTP session initiated from the internal network and destined to MTAs on the Internet
– Outgoing mail flows are NATed behind the Service Provider public IP addresses
ISP scenario – NAT impact
• Many-to-one NAT
– All users are NATed behind the same IP address
– If the public IP address is black-listed ALL internal users are
blocked and can’t send mail
– A single source of spam is enough to black-list the ISP address
• One to one NAT
– Private IP addresses are dynamically assigned to users
– Each private IP address is NATed behind a public IP address
– If a public IP address is blacklisted because it has been used by a spammer, the next user that receives this IP address is blacklisted too
ISP scenario – Requirements
• Antispam solution needs:
– To be transparent
▪ No MTA or MUA modification
– To protect unknown domains
▪ Not realistic to list & maintain the customer domains
– To support an unlimited number of domains
– To support antispam for outgoing mail flow and implement efficient filters that fit outgoing traffic type
▪ Different techniques are involved for outgoing flows than for incoming flows
▪ For instance: IP reputation is not suitable
• FortiMail can do all of that
Server mode deployment
[Diagram: users and the Internet, with outgoing SMTP and incoming SMTP flows]

• Mail server functionalities:


– Webmail, SMTP, POP3 and IMAP client support
– Secure (SSL) WebMail client access
– Disk quota policy for user accounts
– Bulk Folder for spam mail
Mail routing decision
• Intelligent MTA
• FortiMail can take mail routing decisions based on:
– The original destination IP address (transparent mode)
– Its own calculation of the destination MTA (transparent or gateway mode), which can be done in various ways:
▪ If the recipient domain is not explicitly defined in the FortiMail config:
– DNS-MX resolution
– Default relay (IP address or DNS-A resolution for load-balancing)
▪ If the recipient domain is explicitly defined in FortiMail config:
– DNS-MX resolution
– DNS-A resolution
– Static IP address
– LDAP lookup
FortiMail product line
[Product range diagram, from small enterprise through medium and large enterprise to service provider:]
• FortiMail 100 (full inspection)
• FortiMail 400 (full inspection), RAID support
• FortiMail 2000A / 4000A (full inspection), RAID support, redundant fans & IPS

• Dedicated appliance
– Integrated hardware and software
– Purpose-built and hardened operating system
• Fits the needs of any company size
– From SMB market to High-End Enterprise & Service Providers
• Delivers the same protection level and features through the range
FortiMail 100

• SOHO or branch office use


• Hardware specs:
– 4x 10/100 Ethernet ports
– Single 1.0 GHz CPU
– 512MB RAM
– 1x 250GB 3.5” IDE drive
FortiMail 400

• Medium to large enterprise


• Hardware specs:
– 4x 10/100 ports
– 2x 10/100/1000 ports
– Single 3.0 GHz CPU
– 1GB RAM
– 2x 250GB 3.5” IDE drives
– Software RAID (0 or 1)
FortiMail 2000A / 4000A

• Large enterprise and Service Providers


• Hardware specs:
– 4x 10/100/1000 Ethernet ports
– Single / Dual Xeon 3.0 GHz CPUs
– 2GB of RAM
– 6x / 12x 250GB 3.5” SATA drives
– Hardware RAID (0, 1, 5, 10 or 50)
– Redundant power supplies
– Hot-swappable fans
Policies
• Policies determine
– How incoming & outgoing email is scanned for spam, viruses, and attachments
– What to do with spam or email messages containing viruses
• Policies:
– Identify a mail flow based on the:
▪ Source IP address
▪ Destination IP address (transparent mode specific)
▪ Recipient mail address
– And define which security check should apply to this mail flow
▪ Assign protection profiles to the identified mail flow
▪ Can also be retrieved from LDAP lookup
• Benefit:
– Allow granular definition of services that should apply on specific type of traffic
– For instance, identify flows that should receive:
▪ maximum security (strict AS profile)
▪ or maximum QoS (such as high session rate)
Recipient based policies
• Recipient based policies catch traffic based on mail addresses:
– Explicit user mail address
– User groups (incoming policies)
– Or wildcard asterisk (*)
IP based policies
• IP policies capture traffic based on IP addresses
– Src and/or dst IP addresses (transparent mode)
– Src IP address (in gateway and server mode)
Policy check – How it works
• FortiMail first looks for an IP policy match
– IP policies are checked in sequence
– If there is an IP policy match:
▪ FortiMail takes into account the session profile defined in the policy
▪ FortiMail then searches the recipient policies, except if the IP policy exclusive flag is set
– Else, FortiMail looks for a recipient based policy match
[Screenshot callout: IP policy exclusive flag]
Protection profiles
• Profile = a collection of FortiMail settings that control the email flow
• Profiles are selected in policies and run on any traffic the policy
controls
• Several types of profile:
– Session profile
▪ Set session rate
▪ Restrict the number of mails per session, recipients per mail, and simultaneous sessions for the same client
▪ Prevent session encryption
▪ Perform SMTP strict syntax check, domain check, etc.
– Antispam profile
– Antivirus profile
– Content profile
▪ Filter file type, file extensions, banned content
▪ Defer large messages
– Authentication profile
▪ Authenticate sessions using SMTP, POP3, IMAP, or RADIUS servers
Comments
• You do not have to define the protected domains
– Mail Service Provider and Internet Service Provider environment
– Differentiated services can still apply based on IP addresses or
recipient mail addresses
• Wildcard policies
– IP=0.0.0.0/0
– or recipient address=*
• Antispam, antivirus, content and session profiles are
available for incoming or outgoing mail flow
FortiMail Advanced Spam Detection
• FortiGuard-Antispam service
– FortiMail queries a central database
• FortiMail employs multiple sophisticated antispam technologies that complement the FortiGuard-Antispam service:
– Session-based inspection
▪ Session level detection methods greatly reduce load
– Avoid unnecessary mail processing and content scanning
▪ Most of the session control parameters are configured in the session profile
– A few of them in the antispam profile (grey listing & DNSBL)
– Header and body inspection
▪ Configured in the antispam profile
FortiGuard-Antispam
• FortiGuard-Antispam uses a number of filtering techniques to
detect and filter spam:
– FortiIP = Sender IP reputation database
▪ IP address scoring
– FortiSig1 = Spamvertised URLs
▪ Block messages that have spam hosts mentioned in message bodies
▪ Detect spam based on the URIs (usually web sites) contained in the message body as opposed to the spam origin (used by RBL)
– FortiSig2 = Spamvertised email addresses
▪ A lot of spam has an email address in the message body that prompts one to contact the spammers. Those email addresses are added to FortiSig
– FortiSig3 = Spam object checksums
▪ Objects in spam are identified and a fuzzy checksum is calculated from each object, which is then added to the FortiSig database
– Objects can be part of the message body or an attachment
• FortiRule
– FortiGuard also updates the FortiMail local set of heuristic rules
FortiIP – Sender IP reputation
• FortiGuard-Antispam maintains a global IP reputation
database
– The reputation of each IP is built and maintained based on tens of
properties gathered from various sources
– The properties include:
▪ The whois information, geographical location, service provider,
▪ Whether it is an open relay or hijacked host, etc.
▪ One of the key properties is the email volume from this sender as gathered from our FortiGuard service network
• By comparing a sender's recent email volume with its
historical pattern, FortiGuard-AntiSpam updates each IP's
reputation in real-time and provides a highly effective sender
IP address filter
FortiGuard-Antispam overview
• To achieve up-to-date real-time spam identification, Fortinet
utilizes globally distributed spam probes that receive over
one million spam messages per day
• Each message is processed through multiple layers of
identification processes to produce an up-to-date list of spam
origins
– To further enhance the service and streamline performance, each
of the “known” identities in the list is continually re-tested to
determine the state of the origin (active or inactive)
– If a known spam origin has been decommissioned, the origin is
then removed from the list, thus providing customers with both
accuracy and performance
FortiMail Advanced Spam Detection
• Session based inspection
– SMTP syntax verification and RFC compliancy
– SMTP checks (sender/recipient domain check, prevent open relay,
etc.)
– SMTP rate limiting (simultaneous sessions, new sessions / period
of time, etc.)
– SMTP error control
– Recipient address check (valid mail address)
– Greylist Filtering
– Local Reputation Filtering
– Etc.
Session level – Protocol check
• Consider at least the two following options:
Session level – SMTP errors
• Errors sometimes indicate attempts to misuse the server
• You can impose delays or drop connections if there are
errors
Session level – Unauth sessions
• Check sender domain
– Checks the existence of the sender domain by looking up both the MX record and A record
– One successful query would pass the check
– Enable it depending on deployment scenario
▪ Useful for ISP outgoing antispam and MSP/Enterprise incoming mail
• Check recipient domain
– Checks the existence of the recipient domain by looking up both the MX record and A record
– One successful query would pass the check
– Enable this depending on your deployment scenario
▪ Useful for ISP/MSP/Enterprise outgoing antispam
Session level – Unauth sessions
• Reject if recipient and helo domain match but sender domain
is different
– If the recipient (RCPT TO = toto@fortinet.com) and helo domain
match (for instance, SMTP client host name =
mailserver.fortinet.com), then it is expected that it is an internal mail
(sender@fortinet.com in our example): the mail should be coming
from Fortinet and destined to Fortinet.
– That's why if the sender domain is not the same as the recipient domain, FortiMail would drop the connection
▪ It is very unlikely that a well-configured mail server would make such a connection
• Prevent open relaying:
– Verifies that the RCPT TO domain matches the IP address given
by MX lookup – but allow if authentication is used
Session level – Settings for unauth sessions
Session level – Recipient address check for incoming mail
• Recipient address verification helps to detect incoming spam
• Ensure that email with invalid recipients is rejected, not scanned, nor sent to the back end email server
• Support SMTP server or LDAP database
[Screenshot callout: define the appropriate method for recipient check]
Session level – Session rate limiting

• Adjust the quality of service
• Control the number of simultaneous connections as well as the number of connections within a certain amount of time
• Adjust these settings if you filter outgoing spam and you have a large internal source of mail
Session level – Sender Reputation
• An anti-spam measure managed by FortiMail and requiring no
maintenance or attention
• FortiMail keeps track of SMTP client behavior
– If a sender delivers mail including spam and/or viruses, or a large number
of invalid users, the sender reputation feature will take measures against
them
• Those sending excessive spam messages, infected mail, or
messages to invalid recipients will have their deliveries limited
• Should clients continue delivering these types of messages, their
connection attempts will be rejected entirely
• To work efficiently, the network must not hide the client IP addresses from FortiMail
– FortiMail is not connected behind a NAT device
– FortiMail is not receiving connections from a relay
Sender Reputation – Specifics
• FortiMail records for each SMTP client (IP address):
– Total number of messages delivered
– Number of messages detected as spam
– Number of messages infected with viruses or worms
– Total number of recipients
– Number of invalid recipients
• FortiMail determines a sender’s reputation score using 2 ratios:
– The amount of good email compared to the bad mail
– The total number of recipients as compared to the number of bad recipients
• FortiMail uses email information up to twelve hours old, and recent mail
influences the score calculation more than older mail
– Score from 0 to 100, (0= a very well behaved sender, 100 = the type of sender you’d
rather avoid)
– After 12 hours without a mail delivery from a client, client records are deleted
• The sender reputation score is compared to 3 thresholds (customizable):
– Above the 1st value, FortiMail limits the number of messages accepted per hour
– Above the 2nd value, FortiMail rejects the connection returning a temporary fail error
– Above the third value, FortiMail refuses the connection returning a reject message
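The scoring described on this slide can be sketched as follows. This is an added example, not FortiMail code: the hourly buckets, the linear decay, the use of max() to combine the two ratios and the three threshold values are all assumptions, since the slide gives only the 12-hour window, the 0 to 100 range and the existence of three customizable thresholds.

```python
from collections import defaultdict

WINDOW_HOURS = 12   # from the page: only mail up to twelve hours old counts
# Constructed thresholds (assumption): the page says there are three
# customizable values but does not give them.
THROTTLE, TEMPFAIL, REJECT = 35, 55, 80


class SenderReputation:
    """Per-client-IP counters kept in hourly buckets (bucketing is an assumption)."""

    def __init__(self):
        # ip -> hour -> [messages, bad messages, recipients, invalid recipients]
        self.clients = defaultdict(dict)

    def record(self, ip, hour, recipients=1, invalid=0, spam=False, virus=False):
        bucket = self.clients[ip].setdefault(hour, [0, 0, 0, 0])
        bucket[0] += 1
        bucket[1] += 1 if (spam or virus) else 0
        bucket[2] += recipients
        bucket[3] += invalid

    def score(self, ip, now):
        """0 = well behaved, 100 = worst. `now` is the current hour index."""
        hours = self.clients.get(ip, {})
        for hour in [h for h in hours if now - h >= WINDOW_HOURS]:
            del hours[hour]                       # older than the window
        if not hours:
            self.clients.pop(ip, None)            # 12 h of silence: forget the client
            return 0
        totals = [0.0, 0.0, 0.0, 0.0]
        for hour, counts in hours.items():
            # Linear decay (assumption): newest bucket weighs 1, oldest 1/12.
            weight = (WINDOW_HOURS - (now - hour)) / WINDOW_HOURS
            for i, count in enumerate(counts):
                totals[i] += weight * count
        bad_mail = totals[1] / totals[0]
        bad_rcpt = totals[3] / totals[2] if totals[2] else 0.0
        # Combining the two ratios with max() is an assumption.
        return round(100 * max(bad_mail, bad_rcpt))

    def action(self, ip, now):
        score = self.score(ip, now)
        if score > REJECT:
            return "reject"        # refuse the connection
        if score > TEMPFAIL:
            return "tempfail"      # temporary fail error
        if score > THROTTLE:
            return "throttle"      # limit messages accepted per hour
        return "accept"


def build_sample():
    """Constructed traffic for three clients (documentation address ranges)."""
    rep = SenderReputation()
    for _ in range(10):
        rep.record("192.0.2.10", hour=11)                  # clean sender
        rep.record("198.51.100.7", hour=0)                 # clean, but long ago
    for i in range(10):
        rep.record("198.51.100.7", hour=10, spam=i < 8)    # recent spam burst
    for _ in range(5):
        # Few messages, many invalid recipients: only the second ratio is bad.
        rep.record("203.0.113.5", hour=11, recipients=20, invalid=18)
    return rep


if __name__ == "__main__":
    rep = build_sample()
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, rep.score(ip, now=11), rep.action(ip, now=11))
```

For 198.51.100.7 the unweighted spam ratio is 8 of 20 messages, but the recency weighting puts the score at 73 because the clean mail is eleven hours old.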
Sender Reputation configuration
• Sender reputation is configured and enabled in the session
profile
• It can be used with the following default settings:
Session level – IP black listing
• DNSBL
– DNS Blacklist
– List of IP addresses that are
known to originate spam
• Configure a public DNSBL
server
– such as: sbl-xbl.spamhaus.org
Session level – Greylisting
• A means of reducing spam in a relatively low maintenance manner
– No IP address lists, email lists, or word lists to keep up to date
– The only required list is automatically maintained by the FortiMail
unit
• Block spam based on the behavior of the sending server,
rather than the content of the messages
– When receiving an email from an unknown server, the FortiMail
temporarily rejects the email
– If the mail is legitimate, the originating server will try again later, at
which time the FortiMail unit will accept it
– Spam servers are very unlikely to attempt a retry
• Grey listing is enabled in the antispam incoming/outgoing
profiles
Session level – Greylisting

• TTL: the time to live setting
– How long the to/from/IP data will be retained in the FortiMail greylist
– When the entry expires, it is removed and new messages are again
rejected until the sending server attempts to deliver the message again
• Grey listing period
– Length of time the FortiMail will continue to reject messages with an
unknown to/from/IP
– After this time expires, any resend attempts will have the to/from/IP
data added to the greylist and subsequent messages will be delivered
immediately
Greylisting – Specifics
• Greylist routine looks at the envelope and extracts 3 values:
– Sender address (Mail From:)
– Recipient address (Rcpt to:)
– IP address of the mail server delivering the message
• If the greylist routine doesn’t have a record of a message with these three values:
– Message is refused
– Temporary error is reported to the server attempting delivery
• The delivering server should later attempt to send the mail again
– Mail servers following specifications (RFC 821) will attempt to retry deliveries that fail with expected error codes
▪ Most spam mail is not delivered by standard mail servers, but rather by applications designed specifically for spam distribution
– If another delivery is attempted, the message is accepted
▪ FortiMail has stored the 3 attributes so any subsequent message with these same three values is immediately accepted
Grey listing – Comments
• Grey listing is a very efficient method that is intended for MTA sessions
• Grey listing should not apply to MUA sessions
– If it is not possible for FortiMail to distinguish MUA sessions from MTA sessions, do not enable grey listing
– Example: ISP deployment for outgoing antispam
• FortiMail automatically bypasses grey listing for SMTP sessions it authenticates
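The greylisting behaviour described in the three slides above (envelope triplet, greylisting period, TTL, bypass for authenticated sessions) can be written as a small state machine. This is an added example, not FortiMail code; the two timer values, the reply texts and the sample envelope data are constructed.

```python
from dataclasses import dataclass, field

# Constructed timer values (assumption): the page names the two settings
# but does not give FortiMail's defaults.
GREYLIST_PERIOD = 20 * 60       # seconds an unknown triplet keeps being refused
TTL = 10 * 24 * 3600            # seconds an accepted triplet stays on the list


@dataclass
class Greylist:
    period: int = GREYLIST_PERIOD
    ttl: int = TTL
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    passed: dict = field(default_factory=dict)    # triplet -> expiry time

    @staticmethod
    def triplet(mail_from, rcpt_to, client_ip):
        # Envelope values only (MAIL FROM, RCPT TO, peer IP); headers are ignored.
        return (mail_from.strip("<>").lower(), rcpt_to.strip("<>").lower(), client_ip)

    def check(self, mail_from, rcpt_to, client_ip, now, authenticated=False):
        """Return the SMTP reply for one recipient at time `now` (epoch seconds)."""
        if authenticated:
            return "250 accepted (authenticated session bypasses greylisting)"
        key = self.triplet(mail_from, rcpt_to, client_ip)

        expiry = self.passed.get(key)
        if expiry is not None:
            if now < expiry:
                return "250 accepted (known triplet)"
            del self.passed[key]          # TTL ran out: unknown again

        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now       # first sighting starts the period
            return "451 temporary failure, try again later"
        if now - first_seen < self.period:
            return "451 temporary failure, try again later"
        # The sender retried after the greylisting period: record and accept.
        del self.pending[key]
        self.passed[key] = now + self.ttl
        return "250 accepted (retry after greylisting period)"


# Constructed delivery attempts: (time, MAIL FROM, RCPT TO, client IP).
SAMPLE = [
    (0, "news@example.org", "user@example.com", "192.0.2.10"),       # unknown
    (60, "news@example.org", "user@example.com", "192.0.2.10"),      # too early
    (1500, "news@example.org", "user@example.com", "192.0.2.10"),    # proper retry
    (1600, "news@example.org", "user@example.com", "192.0.2.10"),    # now known
    (1600, "news@example.org", "user@example.com", "198.51.100.7"),  # new IP
    (1500 + TTL + 1, "news@example.org", "user@example.com", "192.0.2.10"),
]


def replay(events, greylist=None):
    """Run the attempts in order and return the three-digit reply codes."""
    if greylist is None:
        greylist = Greylist()
    return [greylist.check(sender, rcpt, ip, now=t)[:3] for t, sender, rcpt, ip in events]


if __name__ == "__main__":
    for event, code in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", code)
```

Pending entries are never aged out here, and the TTL is not refreshed when a known triplet sends again; both are simplifications of this sketch.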
Header and body inspection
• Header and body inspection
– Deep header scanning
– Image Analysis Filtering
– Heuristic rules (several thousand) – dynamic update
▪ Maintained by Fortinet’s antispam research team
▪ Automatic upload through FortiGuard services
– Public SURBL
– Attachment filtering (PDF scan)
– Per User / Domain Bayesian Filtering
– Locally administered black/white list of domains and users
– Banned words / dictionary scanning
Header inspection
• Black IP checking looks at the
“Received” fields of the email
header
– Extracts hostnames and IP
addresses of mail servers the
email has gone through
– Pass them to the FortiGuard-
Antispam service, DNSBL, or
SURBL servers
• Header analysis examines the
entire message header for spam
characteristics
– Leverages Fortinet’s extensive
known-spam library to add
intelligent analysis to email header
content; ultimately improving
detection of image spam that
attempts to evade antispam filters
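The black IP check described above, applied to a DNSBL, comes down to pulling relay addresses out of the Received fields and querying each one with its octets reversed under the list's zone. This is an added example, not FortiMail code; the message, the zone `dnsbl.example` and the stub resolver are constructed so that it runs offline.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed message; the addresses come from the documentation ranges.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.25])\n"
    "\tby mail.example.com with ESMTP; Mon, 3 Mar 2008 10:00:02 +0000\n"
    "Received: from relay.example.org (unknown [198.51.100.77])\n"
    "\tby mx.example.net with SMTP; Mon, 3 Mar 2008 10:00:00 +0000\n"
    "Received: from laptop (localhost [127.0.0.1])\n"
    "\tby relay.example.org; Mon, 3 Mar 2008 09:59:58 +0000\n"
    "From: sender@example.org\n"
    "To: user@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Loopback and RFC 1918 space is never on a public list, so it is not queried.
NOT_QUERIED = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_ips(raw_message):
    """IPv4 addresses of the relays named in Received fields, newest hop first.

    Only the field written by your own MTA is trustworthy; everything
    below it was supplied by the sending side and can be forged.
    """
    message = message_from_string(raw_message)
    found = []
    for received in message.get_all("Received", []):
        for text in BRACKETED_IP.findall(received):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:            # e.g. [999.1.1.1]
                continue
            if any(ip in net for net in NOT_QUERIED) or str(ip) in found:
                continue
            found.append(str(ip))
    return found


def dnsbl_name(ip, zone):
    """Query name for a DNSBL: octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def listed(ip, zone, resolve=socket.gethostbyname):
    """True when the zone answers with a 127.0.0.0/8 address for this IP."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:                       # no such name: not listed
        return False                      # note: lookup failures also land here
    return answer.startswith("127.")


def black_ip_check(raw_message, zone, resolve=socket.gethostbyname):
    return {ip: listed(ip, zone, resolve) for ip in received_ips(raw_message)}


def fake_resolver(name):
    """Constructed stand-in for a DNSBL so the example runs without DNS."""
    answers = {"77.100.51.198.dnsbl.example": "127.0.0.4"}
    if name not in answers:
        raise socket.gaierror("name not found")
    return answers[name]


if __name__ == "__main__":
    print(received_ips(SAMPLE))
    print(black_ip_check(SAMPLE, "dnsbl.example", fake_resolver))
```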
Content inspection – SURBL
• SURBL = Spam URI Realtime
BlockList
– List of spamvertised sites
▪ Also called spammy URLs
– Allows blocking mail that has spam hosts mentioned in bodies
▪ web servers, sites, domains
• Configure a public SURBL
server
– Such as multi.surbl.org
Content inspection – Image scanning
• An increasingly common tactic used by spammers is to replace the
message body with an image file
– This image file displays a graphic of the desired text
• Image spam is difficult to detect since spammers slightly change the image
– To avoid signature based detection methods (such as FortiSig3 = Spam object checksums)
• FortiMail’s image scan detects spam where the message body
includes an image
– Examines and identifies GIF, JPEG, and PNG graphics
– Detects spam based on email header and body analysis, and image
processing
• Process is locally achieved by FortiMail and does not use OCR
(optical character recognition)
– Our testing has shown this method is not effective enough
Content level – PDF scan
• Enable PDF scanning
• All content filters will
apply:
– SURBL
– Black IP scan
– Image scan
– Banned words
– Etc.
Antispam actions
• Configure on a per profile basis antispam actions:
• Each antispam filter can have its own action
– For instance: choose Discard for DNSBL, while choose quarantine
for image scanning
Quarantine
• Spam messages can be stored locally on FortiMail
– FortiMail hard disk size scales up to terabytes.
• Users can release mail by web or by mail
• Mail can be automatically deleted after a specified amount of
time
Spam report
• Set the time for the
FortiMail unit to send spam
reports to email users
• Customize the report
message and HTML
appearance as you wish
Spam quarantine
• Access the quarantine
[Screenshot callouts: select a domain; open a user mailbox]
Spam quarantine
• Review the content of a quarantine mailbox

[Screenshot callout: click here to view a mail]
Spam quarantine
• Read quarantined mail

[Screenshot callout: click here to view why a mail is in the quarantine]
Spam quarantine
• Review why an email is in the quarantine
Spam report
• You can force a spam report to be generated to selected
users or all users
• Select the amount of time for which the user will receive
spam information
User quarantine
• Allow users to access their quarantine by web mail
Quarantine – User preferences
• Language customization
• User BWL settings
• Etc.
Antivirus check
• FortiMail detects viruses and spyware embedded in SMTP
email messages and removes them
– Provides both Wildlist and Zoolist/legacy virus protection against
more than 300,000 viruses and variants
– Leverages the award winning Fortinet Antivirus engine
▪ ICSA certified
• FortiMail inserts replacement messages to notify the recipient, or silently blocks infected email, or warns the sender of failed delivery
• Automatic antivirus engine and signature files update
• Does NOT charge per user mailbox
FortiMail clustering
• Supported in transparent/gateway/server mode
• Supports 2 HA modes
• Config-only HA mode:
– Up to 25 FortiMail units share a common configuration, but operate
as separate FortiMail units
– Usually implemented with external load sharing:
▪ load-balancers, DNS round robin, etc.
FortiMail clustering
• HA Active-passive mode
– Two FortiMail units provide failover protection
– HA synchronization
▪ Configuration synchronization
– Except a few parameters that should not be synchronized: FortiMail hostname, SNMP information, some HA settings
▪ Mail data synchronization
– Include and selectively synchronize: System mail directory, user home directories, and MTA spool directories
– HA health check
▪ Interface monitoring
▪ Service monitoring (SMTP, POP3, etc.)
– Supports redundant HA interfaces
– Choose behaviour after recovery: preemption ON/OFF, offline state, etc.
FortiMail clustering
[Screenshot callouts: define FortiMail behaviour after recovery (preempt, offline, etc.); supports redundant HA interface; define failure detection settings]
Archival – Meet regulatory requirements
• Selectively archive mails based on:
– Sender
– Recipient
– Content pattern
▪ Keywords in subject
▪ Keywords in body
– Attachment type
• Storage:
– FortiMail HD
▪ Scheduled SFTP/FTP upload
– Or external NAS storage
Agenda
• Introducing FortiMail
• FortiMail deployment scenarios
• FortiMail product line
• Differentiated services: policies and profiles
• Antispam techniques
• Virus detection
• FortiMail HA
• Email archiving
• Management / Logging / Reporting
Logging
• Logs
– On device local logging
– Syslog/FortiAnalyzer output
• Alerts and resources usage
– SNMP traps and MIB polling
– CPU Usage, Memory Usage, Log Disk Usage, Mailbox Disk
Usage, Deferred queue, Detected virus, Detected spam, etc.
Logs
[Screenshot callout: choose where to log]
Logs
[Screenshot callout: specify the events you want to log]

• Antispam logs – sample:


Management
• Easy management that answers SMB and High End needs
– Wizard option for fast and easy deployment
• Configuration tasks
– Through intuitive GUI (basic and advanced modes)
– Through CLI mode
Wizard for fast & easy deployment
• Provides a way to quickly have the FortiMail unit up and running
• Administrator does not have
to know & choose antispam
techniques
• Involves only 6 steps
– Step1: Admin pwd
– Step2: IP/DNS/Time info
Wizard for fast & easy deployment
• Step3: Local domain

• Step4: Protected domain


Wizard for fast & easy deployment
• Step5: Incoming protection
– Antispam level
(high/medium/low)
– Antivirus service ON/OFF

• Step6: Outgoing protection


– Antispam level
(high/medium/low)
– Antivirus service ON/OFF
– Access control for relay
permission
Wizard for fast & easy deployment
• Review, save
• It’s done!
Reporting
• Provide full visibility about the mail usage
– Over 240 embedded HTML or PDF reports
– Mail stats, virus stats, spam stats, etc.
• The FortiMail unit provides comprehensive reporting with over 240 reports in nine categories.
• Reports can be run:
– on demand or scheduled
– on a specific period of time
– for all domains or a specific set of domains
– for incoming or outgoing mail
Report setup
[Screenshot callouts: choose the period of time to cover; schedule the report; choose a list of domains or all domains; select incoming or outgoing traffic; choose the output]
Reports – Query selection
• Mail Statistics
– Mail Stat Messages
– Mail Stat Viruses
– Mail Stat Actions
• Total Summary
– Total Sent And Received
– Total Spam And Nonspam
– Top Ten Viruses
• High Level Breakdown
– Top Client IP
– Top Local User
– Top Remote Address
– Spam Filter
– Action
– Top Virus
– Virus
– System User
– Top Client MSISDN
• Mail by Sender
– Top Sender
– Top Sender IP
– Top Local Sender
– Top Remote Sender
– Top Sender MSISDN
• Mail by Recipient
– Top Recipient
– Top Local Recipient
– Top Remote Recipient
• Spam by Sender
– Top Spam Sender
– Top Spam Domain
– Top Spam IP
– Top Local Spam Sender
– Top Local Spam Domain
– Top Remote Spam Sender
– Top Remote Spam Domain
– Top Spam MSISDN
• Spam by Recipient
– Top Spam Recipient
– Top Local Spam Recipient
– Top Remote Spam Recipient
• Virus by Sender
– Top Virus Sender
– Top Virus Domain
– Top Virus IP
– Top Local Virus Sender
– Top Local Virus Domain
– Top Remote Virus Sender
– Top Remote Virus Domain
– Top Virus MSISDN
• Virus by Recipient
– Top Virus Recipient
– Top Local Virus Recipient
– Top Remote Virus Recipient
[Screenshot callout: by date, hour of day, day of week, day of month, by week of year, or by month]
Report sample
FortiMail key points
• Fits any deployment scenario and network requirement (explicit or transparent proxy, route or bridge packets, visible or invisible in the headers, etc.)
• No OEM agreement, 100% Fortinet technology, no user licences
• Supports advanced HA with network and service check, mail data synchronization, etc.
• Supports outgoing spam filtering
• Includes extended reports and large quarantine server
• Administration that fits SMB, Enterprises and Service Providers
Thank you !
Questions ?
