Course 201 – Administration, Content Inspection and SSL VPN: Email Filtering (presentation transcript)


1 FortiGate Email Filtering

2 Module Objectives
By the end of this module participants will be able to:
- Identify the email filtering methods used on the FortiGate device
- Configure banned word, IP address and email address filters
- Define firewall policies using email filter profiles
- Identify the differences between the email filtering capabilities of the FortiGate and FortiMail units

3–4 Email Filtering: What is spam?
Email filtering can be configured to manage unsolicited bulk email, to detect spam messages and to identify transmissions from known or suspected spam servers.
Judging an email message as spam is subjective. FortiGuard uses the definition of spam as unsolicited bulk email: the recipient has not granted verifiable permission for the message to be sent, and the sender has no discernible relationship with the recipient. A message can be considered spam if the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients, or if the recipient has not granted deliberate or explicit permission for it to be sent.
FortiGuard uses spam probes located around the world to attract spam email. This information is used to continually update lists of spammers and to improve spam detection rates.
The FortiGate unit can detect and manage spam.

5–6 Spam Actions
Example: Subject: Free Stuff becomes Subject: [SPAM] Free Stuff
If the FortiGate unit determines a message to be spam it can perform one of the following actions:
Tag: a custom phrase or word is added to the subject line, or a MIME header and value is inserted into the email message. To affix the tag to the subject line, the FortiGate unit converts the entire subject line, including the tag, to UTF-8. This improves the display for some email clients that cannot properly render subject lines that use more than one encoding.
Discard: the connection is immediately dropped if spam is detected.
For SMTP, if virus scanning is enabled, spam can only be discarded; there is no option for tagging.
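The following is an added example, not FortiGate code, that models the two actions above on a parsed message: Tag decodes the existing Subject (whatever encoded words it used), prefixes the custom phrase and re-emits the whole line as a single UTF-8 encoded word, and adds a MIME header; Discard yields no message at all, standing in for dropping the connection. It also applies the SMTP-with-antivirus rule, where Tag is not available. The header name X-Spam-Flag, the function names and the sample message are assumptions of this example.

```python
"""Spam actions (Tag / Discard) on a parsed message.

Added example, not FortiGate code. Tag rewrites the Subject (re-encoding the
whole line as UTF-8) and adds a MIME header; Discard returns no message, which
stands in for dropping the connection. The header name X-Spam-Flag, the
function names and the sample message below are assumptions of this example.
"""
from email import message_from_string
from email.header import Header, decode_header, make_header
from email.message import Message
from typing import Optional

SPAM_TAG = "[SPAM]"                     # administrator-chosen custom phrase
SPAM_HEADER = ("X-Spam-Flag", "YES")    # assumed MIME header name and value


def decoded_subject(msg: Message) -> str:
    """Subject as Unicode text, regardless of which RFC 2047 encodings it used."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def tag_message(msg: Message, tag: str = SPAM_TAG) -> Message:
    """Tag action: prefix the subject with the tag and add a MIME header.

    The entire subject (tag plus original text) is emitted as one UTF-8
    encoded word, so a client never sees a line that mixes two charsets.
    """
    subject = decoded_subject(msg)
    if not subject.startswith(tag):          # never double-tag a message
        del msg["Subject"]
        msg["Subject"] = Header(f"{tag} {subject}", "utf-8").encode()
    if msg.get(SPAM_HEADER[0]) is None:
        msg[SPAM_HEADER[0]] = SPAM_HEADER[1]
    return msg


def effective_action(configured: str, protocol: str, av_scanning: bool) -> str:
    """Resolve the configured action to the one the unit can actually apply.

    Per the slide, an SMTP session with virus scanning enabled offers no Tag
    option: spam can only be discarded.
    """
    if protocol.lower() == "smtp" and av_scanning:
        return "discard"
    return configured


def apply_spam_action(msg: Message, configured: str, protocol: str,
                      av_scanning: bool = False) -> Optional[Message]:
    """Return the (possibly tagged) message, or None when it is discarded."""
    action = effective_action(configured, protocol, av_scanning)
    if action == "discard":
        return None
    if action == "tag":
        return tag_message(msg)
    raise ValueError(f"unknown spam action {configured!r}")


# Constructed sample: a subject in a legacy 8-bit charset, exactly the case
# the UTF-8 conversion exists for.
SAMPLE = (
    "From: promo@example.net\r\n"
    "To: student@classroom.fortinet.com\r\n"
    "Subject: =?iso-8859-1?q?Gratis_Zeug_f=FCr_Dich?=\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Free stuff inside.\r\n"
)

if __name__ == "__main__":
    tagged = apply_spam_action(message_from_string(SAMPLE), "tag", "pop3")
    print(tagged["Subject"])          # one =?utf-8?...?= encoded word
    print(decoded_subject(tagged))    # [SPAM] Gratis Zeug für Dich
    print(apply_spam_action(message_from_string(SAMPLE), "tag", "smtp", True))  # None
```

The idempotence check matters when a message passes through two filtering layers (for example a FortiGate in front of a FortiMail): without it the subject would accumulate one tag per hop.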

7 Email Filtering Methods
The FortiGate unit uses a number of techniques to help detect spam. Some use the FortiGuard Antispam service and require a subscription; others use DNS servers or filters created on the device itself. The following slides describe each method.

8–9 FortiGuard IP Address Check
Example header: Received: from mail.acme.com (...) by classroom.fortinet.com with SMTP; ...
The FortiGate unit queries the FortiGuard Antispam service to determine if the source IP address of the client delivering the email (the address recorded in the Received header) is blacklisted. A match causes the FortiGate unit to treat the delivered message as spam. The query goes to the FortiGuard FortiIP sender IP reputation database.

10–11 FortiGuard URL and Email Address Check
Example body text: Visit our web site at ... to learn more about this great offer or send an email to ...
The FortiGate unit queries the FortiGuard Antispam service to determine if any URLs or email addresses in the message body are associated with spam, for example URL links to advertisements, also known as spamvertisements. Email addresses are checked against the FortiGuard FortiSig2 spam signature database and URLs against the FortiGuard FortiSig1 spam signature database, so the URLs in a message body are verified against an up-to-date list of spam sources.

12–13 FortiGuard Email Checksum Check
Example body text: Our online pharmacy offers great prices on all your prescription medications.
The FortiGate unit sends a hash of the email message to the FortiGuard Antispam service, which compares it to the hashes of known spam messages stored in the FortiGuard Antispam database (the FortiSig3 spam object checksum database).

14–15 IP Address Black/White List (BWL)
Example header: Received: from mail.acme.com (...) by classroom.fortinet.com with SMTP; ... Actions: Mark as Spam, Mark as Clear, Mark as Reject
When performing an IP address check, the FortiGate unit compares the IP address of the sender to the entries in the IP address Black/White list in sequence. If a match is found, the action associated with the entry is taken; if no match is found, the message is passed to the next enabled spam filter. Multiple IP address Black/White lists can be created on the FortiGate unit; the list to use is selected in the email filter profile, and an administrator can add or edit entries and configure the action for each.
Each entry in the IP address Black/White list can be assigned one of the following actions:
Mark as Clear: messages from clients with matching IP addresses are allowed, bypassing further filtering.
Mark as Reject: messages from clients with matching IP addresses are rejected, and the FortiGate unit returns a reject message to the client (the sender of the email). Mark as Reject only applies to mail delivered by SMTP; if it is used with POP3 or IMAP mail, the action taken is Mark as Spam.
Mark as Spam: messages with matching IP addresses are treated as spam, subject to the action configured in the email filter profile.

16 Email Address Black/White List (BWL)
Example header: From: ... Actions: Mark as Spam, Mark as Clear
When performing an email address check, the FortiGate unit compares the message sender's address to the entries in the email address Black/White list in sequence. If a match is found, the action associated with the entry is taken; if no match is found, the message is passed to the next enabled spam filter. Multiple email address Black/White lists can be created on the FortiGate unit; the list to use is selected in the email filter profile, and an administrator can add or edit entries and configure the action for each.
Each entry in the email address Black/White list can be assigned one of the following actions:
Mark as Clear: messages with matching reply-to addresses are allowed, bypassing further filtering.
Mark as Spam: messages with matching reply-to addresses are treated as spam, subject to the action configured in the email filter profile.
An entry can be a literal address or a pattern. When entering a pattern in the Email Address field, select whether it uses wildcards or a regular expression.
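An added example, not FortiGate code, of both Black/White lists as the two slides describe them: entries are evaluated top to bottom, the first match decides, and no match returns None to mean "pass to the next enabled filter". The IP list takes CIDR entries; the email list takes wildcard or regular-expression patterns; and Mark as Reject is downgraded to Mark as Spam when the protocol is POP3 or IMAP. The list contents (documentation ranges and example domains), verdict strings and function names are assumptions.

```python
"""IP address and email address Black/White Lists (BWL).

Added example, not FortiGate code. Entries are compared in order, the first
match decides, and no match hands the message on to the next enabled filter
(returned here as None). 'reject' only makes sense inside an SMTP session, so
for POP3 and IMAP it becomes 'spam' as the slide states. The list contents
and the verdict strings are assumptions of this example.
"""
import fnmatch
import ipaddress
import re
from typing import List, Optional, Tuple

CLEAR, SPAM, REJECT = "clear", "spam", "reject"

# (network, action), evaluated top to bottom.  Constructed sample list using
# documentation address ranges.
IP_BWL: List[Tuple[str, str]] = [
    ("203.0.113.0/24", REJECT),     # known bulk-sender range
    ("198.51.100.25/32", CLEAR),    # partner relay: bypass further filtering
    ("198.51.100.0/24", SPAM),      # the rest of that range is suspect
]

# (pattern, pattern type, action), evaluated top to bottom.  Constructed.
EMAIL_BWL: List[Tuple[str, str, str]] = [
    ("*@partner.example", "wildcard", CLEAR),
    (r"^promo\d+@.*\.example\.net$", "regex", SPAM),
    ("newsletter@*", "wildcard", SPAM),
]


def ip_bwl_action(client_ip: str, bwl=IP_BWL, protocol: str = "smtp") -> Optional[str]:
    """First matching entry wins; None means 'pass to the next filter'."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in bwl:
        if addr in ipaddress.ip_network(network, strict=False):
            # A reject reply needs a live SMTP session to be sent on; for
            # POP3/IMAP the unit can only mark the message as spam.
            if action == REJECT and protocol.lower() != "smtp":
                return SPAM
            return action
    return None


def _matches(sender: str, pattern: str, kind: str) -> bool:
    """Wildcard patterns must cover the whole address; regexes are searched
    as written, so the administrator decides where to anchor them."""
    if kind == "wildcard":
        return re.match(fnmatch.translate(pattern), sender, re.IGNORECASE) is not None
    if kind == "regex":
        return re.search(pattern, sender, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern type {kind!r}")


def email_bwl_action(sender: str, bwl=EMAIL_BWL) -> Optional[str]:
    """First matching pattern wins; None means 'pass to the next filter'."""
    for pattern, kind, action in bwl:
        if _matches(sender, pattern, kind):
            return action
    return None


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "198.51.100.26", "192.0.2.1"):
        print(ip, ip_bwl_action(ip), ip_bwl_action(ip, protocol="pop3"))
    for who in ("alice@partner.example", "Promo42@mail.example.net", "bob@example.org"):
        print(who, email_bwl_action(who))
```

Order is the security-relevant detail: the /32 partner entry must precede the /24 it lives in, otherwise the broader Mark as Spam entry wins and the partner's mail is never cleared.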

17–18 HELO DNS Lookup (SMTP only)
Example header: Received: from mail.acme.com (...) by classroom.fortinet.com with SMTP; ...
The FortiGate unit takes the domain name the client announces in the HELO greeting at the start of the SMTP session and performs a DNS lookup to determine whether the domain exists. If the lookup fails, the FortiGate unit treats every message delivered during that SMTP session as spam. The logic of this check is that if a domain is capable of sending mail, it should be capable of receiving mail routed by its DNS records. Because the HELO greeting exists only in SMTP, this check does not apply to POP3 or IMAP.

19–20 Return DNS Check
Example header: From: ... (checked for an A or MX record)
The FortiGate unit performs a DNS lookup on the reply-to domain of an incoming message to see whether it has an A or MX record. If no such record exists, the message is treated as spam.

21–22 Banned Word Check
Example message: Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs.
Banned words: Drugs (score 10), Pharmacy (score 5), Prescription (score 5). Threshold 18. Total 10 + 5 + 5 = 20, which exceeds the threshold, so the message is marked as spam.
Spam can be controlled by blocking messages containing specific words or patterns. If the banned word check is enabled in the email filter profile, the FortiGate unit searches messages for the configured words or patterns. If matches are found, the scores assigned to the matching words are totalled; if the total exceeds the defined threshold, the message is marked as spam. If no matches are found, the email is passed along. The score is set when a new pattern is created, and when determining the total for a message the score for each word is added only once, no matter how many times the word appears.
Banned word lists can use Perl regular expressions or wildcards. A banned word can be a single word or a phrase up to 127 characters long. For a single word, the FortiGate unit blocks all email containing the word; for a phrase, it blocks all email containing the exact phrase. To block any one of the words in a phrase, use a Perl regular expression.
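An added example, not FortiGate code, that scores a message the way the slide describes: each configured pattern that appears adds its score exactly once, however many times it occurs, and the message is spam only when the total exceeds the threshold. The three scored words and the sample text are the slide's (the Prescription score of 5 is implied by its 10 + 5 + 5 = 20 total); the wildcard and regular-expression entries, the pattern-type names and the function names are assumptions. Python's re stands in for the Perl regular expressions the slide mentions.

```python
"""Banned word check: per-pattern scores, counted once, against a threshold.

Added example, not FortiGate code. Pattern types modelled: 'word' (whole
word), 'phrase' (exact phrase), 'wildcard' (* and ? inside a word) and
'regex' (used to block any one word of a phrase). The three scored words and
the sample text are the slide's; the rest is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# (pattern, pattern type, score).  First three entries are the slide's.
BANNED_WORDS: List[Tuple[str, str, int]] = [
    ("drugs", "word", 10),
    ("pharmacy", "word", 5),
    ("prescription", "word", 5),
    ("v?agra", "wildcard", 10),          # constructed: '?' matches one character
    ("casino|lottery", "regex", 8),      # constructed: either word of a phrase
]

SLIDE_TEXT = (
    "Let us fill all your prescription drugs. Visit our online pharmacy for "
    "great prices on prescription medications. We offer the widest selection "
    "of popular drugs."
)


def _compile(pattern: str, kind: str) -> "re.Pattern[str]":
    """Turn a configured pattern into a case-insensitive regex."""
    if kind == "word":          # whole word only: 'drug' must not hit 'drugstore'
        return re.compile(r"\b" + re.escape(pattern) + r"\b", re.IGNORECASE)
    if kind == "phrase":        # exact phrase; any whitespace between the words
        words = [re.escape(w) for w in pattern.split()]
        return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)
    if kind == "wildcard":      # '*' = any run of non-space chars, '?' = one char
        body = re.escape(pattern).replace(r"\*", r"\S*").replace(r"\?", ".")
        return re.compile(body, re.IGNORECASE)
    if kind == "regex":
        return re.compile(pattern, re.IGNORECASE)
    raise ValueError(f"unknown pattern type {kind!r}")


def banned_word_score(text: str, banned=BANNED_WORDS) -> Tuple[int, Dict[str, int]]:
    """Total score and the patterns that contributed, each counted once."""
    hits: Dict[str, int] = {}
    for pattern, kind, score in banned:
        if _compile(pattern, kind).search(text):
            hits[pattern] = score       # once, however many occurrences
    return sum(hits.values()), hits


def is_spam(text: str, threshold: int = 18, banned=BANNED_WORDS) -> bool:
    """Spam when the total strictly exceeds the threshold (the slide's 20 > 18)."""
    total, _ = banned_word_score(text, banned)
    return total > threshold


if __name__ == "__main__":
    total, hits = banned_word_score(SLIDE_TEXT)
    print(total, hits, is_spam(SLIDE_TEXT))       # 20, three hits, True
    print(banned_word_score("Drugs, drugs and more DRUGS"))   # (10, {...}) not 30
```

The count-once rule is what keeps a single low-value word from being inflated into a block by repetition; the flip side is that a sender who avoids the exact words (or splits them with zero-width characters the word-boundary match does not see) scores zero, which is why this check is only one filter in the chain.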

23–24 MIME Headers Check
Example header list:
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Office Outlook, Build ...
X-MimeOLE: Produced By Microsoft MimeOLE V...
X-Distribution: Bulk
Configured entry: X-Distribution=Bulk. Actions: Mark as Spam, Mark as Clear
The FortiGate unit can check the MIME headers of incoming mail against a preconfigured spam MIME header list. Each header key and value is compared to the entries in the list; if a match is found, the corresponding action is taken.
This check is available in the CLI only. Enable it per protocol in the email filter profile:
config spamfilter profile
    edit sample
        config <protocol, e.g. smtp or pop3>
            set options spamhdrcheck
The header list itself is configured with:
config spamfilter mheader
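An added example, not FortiGate code, of the header comparison the slide describes. Header field names are matched case-insensitively (RFC 5322 field names are case-insensitive), repeated fields are all examined, the configured value may be a literal or a regular expression, and the first matching list entry decides. Only the two FortiOS CLI keywords on the slide are FortiOS; the header list, the sample messages and the function name are assumptions.

```python
"""MIME header check against a configured header list.

Added example, not FortiGate code. Entries are (field name, value pattern,
action); the first entry whose pattern matches a field value decides, and no
match returns None ('pass to the next enabled filter'). The header list and
the sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

# (field name, value regex, action).  Constructed sample list; the first
# entry is the slide's X-Distribution=Bulk example.
MHEADER_LIST: List[Tuple[str, str, str]] = [
    ("X-Distribution", r"^bulk$", "spam"),
    ("X-Mailer", r"^Microsoft Office Outlook", "clear"),
    ("List-Unsubscribe", r".", "spam"),      # any value at all
]


def mime_header_action(msg: Message, hlist=MHEADER_LIST) -> Optional[str]:
    """First matching list entry wins; None means no entry matched."""
    for name, pattern, action in hlist:
        # get_all returns every occurrence of a repeated field, and the
        # lookup is case-insensitive, so 'x-distribution' also matches.
        for value in msg.get_all(name, []):
            if re.search(pattern, value.strip(), re.IGNORECASE):
                return action
    return None


# Constructed sample messages (version numbers from the slide not preserved).
BULK_MAIL = (
    "From: promo@example.net\r\n"
    "Subject: Great offer\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n"
    "X-Mailer: Microsoft Office Outlook\r\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE\r\n"
    "x-distribution: Bulk\r\n"
    "\r\n"
    "Hello\r\n"
)
DESKTOP_MAIL = (
    "From: alice@acme.com\r\n"
    "Subject: Minutes\r\n"
    "MIME-Version: 1.0\r\n"
    "X-Mailer: Microsoft Office Outlook\r\n"
    "\r\n"
    "Attached.\r\n"
)
PLAIN_MAIL = "From: bob@acme.com\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for raw in (BULK_MAIL, DESKTOP_MAIL, PLAIN_MAIL):
        print(mime_header_action(message_from_string(raw)))   # spam, clear, None
```

Note that BULK_MAIL carries both an Outlook X-Mailer and an X-Distribution field; it is marked spam only because the spam entry is listed first. Put Mark as Clear entries above Mark as Spam entries only for headers an attacker cannot trivially forge, since any sender can add an X-Mailer line.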

25–26 DNSBL and ORDBL Check
Example header: Received: from mail.acme.com (...) by classroom.fortinet.com with SMTP; ...
The FortiGate unit can check traffic against preconfigured third-party DNS blackhole lists (DNSBL) and open relay database lists (ORDBL), which hold the IP addresses or domain names of known spammers. The FortiGate unit compares the IP address or domain name of the sender to every list configured. These lists are configured in the CLI only:
config spamfilter dnsbl
config spamfilter ordbl
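The three DNS-based checks on slides 17 to 20 and 25 to 26 share one mechanism (a lookup whose presence or absence is the verdict), so the following added example, not FortiGate code, implements them together: the HELO lookup, the return DNS check for an A or MX record, and DNSBL/ORDBL queries built by reversing the client IPv4 octets under the list zone, plus the domain-name form of the same lookup. DNS is injected as a lookup table so the code runs offline; the zone names are placeholders, not real blocklists, and the table contents, function names and the "A or MX counts as existing" reading of the HELO check are assumptions.

```python
"""DNS-based spam checks: HELO DNS lookup, Return DNS check, DNSBL/ORDBL.

Added example, not FortiGate code. The resolver is a callable so a lookup
table can stand in for DNS offline; zone names and table contents are
constructed placeholders. IPv4 only.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# resolver(name, rtype) -> answer strings; [] means NXDOMAIN or no data
Resolver = Callable[[str, str], List[str]]

# Constructed DNS data for the example.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("mail.acme.com.", "A"): ["198.51.100.25"],
    ("acme.com.", "MX"): ["10 mail.acme.com."],
    ("example.net.", "A"): ["192.0.2.80"],             # A but no MX: still deliverable
    # DNSBL zone: the reversed client IP under the zone answers if listed
    ("7.113.0.203.dnsbl.example.", "A"): ["127.0.0.2"],
    # ORDBL zone: same mechanism, different list
    ("9.113.0.203.ordbl.example.", "A"): ["127.0.0.3"],
    # domain-based list: the sender domain itself under the zone
    ("spammer.example.rhsbl.example.", "A"): ["127.0.0.2"],
}

DNSBL_ZONES = ["dnsbl.example"]     # placeholder zone names
ORDBL_ZONES = ["ordbl.example"]
DOMAIN_ZONES = ["rhsbl.example"]


def table_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Resolver backed by a dict; names are normalised to lower-case FQDNs."""
    def resolve(name: str, rtype: str) -> List[str]:
        return table.get((name.lower().rstrip(".") + ".", rtype.upper()), [])
    return resolve


def helo_dns_check(helo_name: str, resolve: Resolver) -> bool:
    """HELO DNS lookup (SMTP only): does the announced domain exist?
    Treated here as 'has an A or MX record', i.e. can receive mail."""
    return bool(resolve(helo_name, "A") or resolve(helo_name, "MX"))


def return_dns_check(reply_to: str, resolve: Resolver) -> bool:
    """Return DNS check: the reply-to domain must have an A or MX record."""
    domain = reply_to.rpartition("@")[2]
    if not domain:
        return False
    return bool(resolve(domain, "A") or resolve(domain, "MX"))


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """DNSBL/ORDBL query name: IPv4 octets reversed, under the list zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 lists only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def ip_listed_in(client_ip: str, zones: List[str], resolve: Resolver) -> List[str]:
    """Zones that list the client IP: any A answer (typically 127.0.0.x) means listed."""
    return [z for z in zones if resolve(dnsbl_query_name(client_ip, z), "A")]


def domain_listed_in(domain: str, zones: List[str], resolve: Resolver) -> List[str]:
    """Domain-based lists use the sender domain as the prefix instead."""
    return [z for z in zones if resolve(f"{domain}.{z}", "A")]


if __name__ == "__main__":
    r = table_resolver(FAKE_DNS)
    print(helo_dns_check("mail.acme.com", r), helo_dns_check("nonexistent.invalid", r))
    print(return_dns_check("sales@example.net", r), return_dns_check("x@missing.invalid", r))
    print(dnsbl_query_name("203.0.113.7", "dnsbl.example"))   # 7.113.0.203.dnsbl.example
    print(ip_listed_in("203.0.113.7", DNSBL_ZONES + ORDBL_ZONES, r))
    print(domain_listed_in("spammer.example", DOMAIN_ZONES, r))
```

Two practical caveats follow from the code: a resolver timeout looks identical to NXDOMAIN here, so a broken DNS path will turn the HELO and return checks into "everything is spam"; and because the query name embeds the client IP, every DNSBL lookup discloses your inbound mail sources to whoever operates the list zone.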

27–28 FortiGuard Email Filtering Options
Cache entries: IP address, URL, message checksum (example checksum: x65Fsd34c)
Caching is available and is strongly recommended: it improves performance by reducing the number of requests the FortiGate unit sends to the FortiGuard servers. The cache settings apply to both email filtering and web filtering. The cache uses a small percentage of the FortiGate unit's system memory; when the cache is full, the least recently used item is deleted. A Time to Live (TTL) setting controls the number of seconds email filtering query results are stored in the cache before the server is contacted again.
FortiGuard services are reachable over port 53; an alternate port of 8888 can be configured. Use Test Availability to verify that the FortiGuard services are reachable through either the default port or the alternate port.
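An added example, not FortiGate code, of the two properties the slide gives the cache: a result expires after its TTL, and when the cache is full the least recently used entry is evicted. The FortiGuard lookup is a stub that counts calls so the saving is visible, and the clock is injectable so expiry can be exercised without waiting. Cache size, TTL, key names and the stubbed verdicts are assumptions.

```python
"""FortiGuard query cache: TTL expiry plus least-recently-used eviction.

Added example, not FortiGate code. TTLCache is keyed by (kind, value) where
kind is 'ip', 'url' or 'checksum', the three FortiGuard lookups the slide
lists. The lookup stub and all sizes are assumptions of this example.
"""
import time
from collections import OrderedDict
from typing import Any, Callable, Dict, Hashable, Optional, Tuple


class TTLCache:
    """Bounded cache: entries expire after ttl_seconds; LRU eviction when full."""

    def __init__(self, max_entries: int, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.clock = clock
        self._items: "OrderedDict[Hashable, Tuple[float, Any]]" = OrderedDict()

    def get(self, key: Hashable) -> Optional[Any]:
        item = self._items.get(key)
        if item is None:
            return None
        expires, value = item
        if self.clock() >= expires:       # stale: drop it and report a miss
            del self._items[key]
            return None
        self._items.move_to_end(key)      # now the most recently used
        return value

    def put(self, key: Hashable, value: Any) -> None:
        if key in self._items:
            self._items.move_to_end(key)
        elif len(self._items) >= self.max_entries:
            self._items.popitem(last=False)   # evict the least recently used
        self._items[key] = (self.clock() + self.ttl, value)

    def __len__(self) -> int:
        return len(self._items)


# Stub for the FortiGuard Antispam service: constructed verdicts.
FAKE_FORTIGUARD: Dict[Tuple[str, str], str] = {
    ("ip", "203.0.113.7"): "spam",
    ("url", "http://ads.example/offer"): "spam",
    ("checksum", "x65Fsd34c"): "spam",
}


def fake_lookup(kind: str, value: str) -> str:
    return FAKE_FORTIGUARD.get((kind, value), "clear")


class FortiGuardClient:
    """Answers from the cache when it can; otherwise queries and caches."""

    def __init__(self, cache: TTLCache, lookup: Callable[[str, str], str]) -> None:
        self.cache = cache
        self.lookup = lookup
        self.remote_queries = 0           # how many times we went to the server

    def query(self, kind: str, value: str) -> str:
        key = (kind, value)
        hit = self.cache.get(key)
        if hit is not None:
            return hit
        self.remote_queries += 1
        verdict = self.lookup(kind, value)
        self.cache.put(key, verdict)
        return verdict


if __name__ == "__main__":
    client = FortiGuardClient(TTLCache(max_entries=2, ttl_seconds=60), fake_lookup)
    for _ in range(3):
        client.query("ip", "203.0.113.7")
    print(client.remote_queries)          # 1: two of the three were cache hits
```

The TTL is a trade-off the slide leaves implicit: a long TTL means fewer queries but also that an address removed from the FortiGuard blacklist (or newly added to it) is still judged by the stale cached verdict until the entry expires.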

29–30 Email Filter Profile
Example: email filter profile Class_ _Filter applied to a firewall policy
Email filtering operations are applied to traffic through email filter profiles, in which filtering is enabled on a protocol-by-protocol basis. The profile is in turn applied to a firewall policy, and any traffic matching that policy has the email filtering operations applied to it.

31 FortiMail Email Filtering
The FortiMail unit provides an enhanced set of features for detecting and blocking spam compared to the FortiGate unit, including some techniques not available on FortiGate units: forged IP scanning, greylist scanning, Bayesian scanning, heuristic scanning, image spam scanning, PDF scanning and dictionary scanning. The FortiMail unit can be configured as a stand-alone email filtering system or as a second layer of protection in addition to the FortiGate unit, and entire messages can be quarantined. It also provides legacy virus protection, and it can be configured to provide full messaging server functionality.

32 Student Resources
