FortiGate
Jonathan_Body_FTNT
Article Id 196359
Description

This article is designed to help troubleshoot the antispam solution on the FortiGate.

FortiGuard antispam services are central to the spam solution on the FortiGate. Once they are activated globally and in a protection profile, they provide IP address checking, URL checking, email checksum checking, and spam submission.

Other techniques can also help reduce and block unsolicited email messages; combined with FortiGuard, they allow these messages to be reduced further.


Scope
FortiGate running in NAT, TP or VDOM mode.
Solution
Step 1

Despite a correctly configured protection profile, SPAM messages may still get through the system. The first check is to verify whether the sending MTA, sender IP address, sender email address, or embedded URL is known to FortiGuard at the following link: http://www.fortiguardcenter.com/antispam/antispam.html

If not, use the spam submission and URL lookup search tool on the FortiGuard portal: http://www.fortiguardcenter.com/contactus.html

Submitting new SPAM attacks is a vital way for Fortinet to keep its databases up to date and protect networks from new attacks.

Step 2

Check that the FDS servers used for antispam are reachable and present. These are the same servers that are used for web filtering; the list can be obtained by running the following command on the CLI:

fgt2 # diag spamfilter fortishield servers

Locale : english
License : Contract
Expiration : Sat Sep 19 16:00:00 2009
Hostname : service.fortiguard.net
-=- Server List (Sat Oct 18 13:13:12 2008) -=-
IP        Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
x.x.x.x        0    3  D      -8        2          0           0
x.x.x.x        0    9         -8        1          0           0
x.x.x.x        0  101         -8        1          0           0
x.x.x.x        0  266         -8        1          0           0
x.x.x.x       30   78         -5        1          0           0
x.x.x.x       30   79         -5        1          0           0
x.x.x.x       30   59         -5        1          0           0
x.x.x.x       30   59         -5        1          0           0
x.x.x.x       80  147  D       0        2          0           0
x.x.x.x       80  154          0        1          0           0
x.x.x.x       80  154          0        1          0           0
x.x.x.x       90  211  DI      1        3          0           0
x.x.x.x       90  154          1        1          0           0
x.x.x.x      170  148          9        1          0           0
x.x.x.x      170  148          9        1          0           0

Check server availability with a ping test; if you notice that an FDS server is not responding, note the IP address of the server in question and raise a support ticket with Fortinet.

Note that the above diagnose command "diag spamfilter fortishield servers" also indicates the server status; the flag definitions are given below:

D - Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers.
I - Indicates the server to which the last INIT request was sent.
F - The server has not responded to requests and is considered to have failed.
T - The server is currently being timed.
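When this check is run across many firewalls it helps to parse the command output rather than read it by eye. The following Python script is an added example, not Fortinet code: it parses output in the layout shown above (header fields, then one row per server with an optional Flags column), and reports the things you would note before raising a ticket: a failed (F) server, lost packets, a high RTT, a license that is not a contract, or an expired contract. The sample output, IP addresses and counters are constructed for the example; the F and T rows were added so that the checks have something to find, and the 200 ms RTT threshold is an assumed value you would tune to your own links.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample output, modelled on the table in the article. The IP
# addresses and counters are made up (the real command prints the actual
# FortiGuard server addresses); the F and T rows were added to exercise the checks.
SAMPLE_OUTPUT = """\
Locale : english
License : Contract
Expiration : Sat Sep 19 16:00:00 2009
Hostname : service.fortiguard.net
-=- Server List (Sat Oct 18 13:13:12 2008) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
192.0.2.10 0 3 D -8 2 0 0
192.0.2.11 0 9 -8 1 0 0
192.0.2.12 30 78 F -5 4 2 5
192.0.2.13 80 147 DI 0 2 0 0
192.0.2.14 170 266 T 9 1 0 0
"""

# Flag meanings as listed in the article.
FLAG_MEANING = {
    "D": "found via DNS lookup of the hostname",
    "I": "received the last INIT request",
    "F": "has not responded and is considered failed",
    "T": "currently being timed",
}

# One server row. The Flags column is blank for most rows, so it is optional.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<weight>\d+)\s+"
    r"(?P<rtt>\d+)\s+"
    r"(?:(?P<flags>[DIFT]+)\s+)?"
    r"(?P<tz>-?\d+)\s+"
    r"(?P<packets>\d+)\s+"
    r"(?P<curr_lost>\d+)\s+"
    r"(?P<total_lost>\d+)$"
)

# Date layout used by the Expiration line in the sample output.
EXPIRATION_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_server_list(text: str) -> Dict:
    """Split the command output into header fields and one dict per server row."""
    meta: Dict[str, str] = {}
    servers: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            servers.append({
                "ip": m["ip"],
                "weight": int(m["weight"]),
                "rtt_ms": int(m["rtt"]),
                "flags": m["flags"] or "",
                "tz": int(m["tz"]),
                "packets": int(m["packets"]),
                "curr_lost": int(m["curr_lost"]),
                "total_lost": int(m["total_lost"]),
            })
        elif " : " in line:
            key, _, value = line.partition(" : ")
            meta[key.strip().lower()] = value.strip()
    return {"meta": meta, "servers": servers}


def review_servers(parsed: Dict, now: datetime, rtt_warn_ms: int = 200) -> List[str]:
    """Return the points worth noting in a support ticket (empty list = all clear)."""
    findings: List[str] = []
    meta = parsed["meta"]
    if meta.get("license", "").lower() != "contract":
        findings.append("license is '%s', not 'Contract'" % meta.get("license", ""))
    expiration = meta.get("expiration")
    if expiration:
        expires = datetime.strptime(expiration, EXPIRATION_FORMAT)
        if expires <= now:
            findings.append("antispam contract expired on %s" % expiration)
    for s in parsed["servers"]:
        if "F" in s["flags"]:
            findings.append("%s: flag F, %s" % (s["ip"], FLAG_MEANING["F"]))
        if s["total_lost"] > 0:
            findings.append("%s: %d packets lost in total" % (s["ip"], s["total_lost"]))
        if s["rtt_ms"] > rtt_warn_ms:
            findings.append("%s: RTT %d ms exceeds %d ms" % (s["ip"], s["rtt_ms"], rtt_warn_ms))
    return findings


if __name__ == "__main__":
    result = parse_server_list(SAMPLE_OUTPUT)
    for finding in review_servers(result, now=datetime(2008, 10, 18)):
        print(finding)
```

Feed it the text of the real command (for example captured over SSH) in place of the constructed sample; the IP addresses it reports with flag F or with lost packets are the ones to ping and to quote in the ticket.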
 

Step 3

If you have checked the above steps and SPAM messages are still affecting your mail servers and users, check the messages in question, the MTAs being used, and whether this appears to be a new attack with new variants. You can then adapt your configuration by adding the following features to your antispam configuration on the FortiGate:

- Control spam by blocking email messages containing specific words or patterns. You can add words, phrases, wildcards and Perl regular expressions to match content in email messages under UTM > AntiSpam > Banned Word. Note that Perl regular expression patterns are case sensitive for antispam banned words; to make a word or phrase case insensitive, use the /i modifier. For example, /bad language/i will block all instances of "bad language" regardless of case. Wildcard patterns are not case sensitive.
- Create either an IP address or email address black/white list. This can be used to filter on an email address or on the IP address of a potential spamming MTA. To configure the list, go to UTM > AntiSpam > IP Address.

- There are advanced antispam configuration options on the FortiGate; these are discussed in another KB article, ''Configuring Advanced antispam options on the FortiGate''.
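The case-sensitivity rules in the banned-word step are the usual cause of a pattern that "does not fire". The following Python script is an added example, not FortiGate code: it simulates the matching rules the step describes (wildcard entries are case insensitive; Perl-style regular expressions are case sensitive unless written with the /i modifier) and runs a constructed banned-word list against constructed sample messages, so you can test an entry before adding it to the protection profile. The list entries, the pattern_type labels and the sample messages are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed banned-word list modelled on the article's description. Each entry is
# (pattern, pattern_type); "regexp" entries use the /pattern/flags notation the
# article shows, and "wildcard" entries use * (any run of characters) and ? (one).
BANNED_WORDS: List[Tuple[str, str]] = [
    ("viagra", "wildcard"),
    ("free*money", "wildcard"),
    ("/bad language/i", "regexp"),
    ("/URGENT REPLY/", "regexp"),
]

# Recognises the /body/flags form of a regular expression entry.
SLASH_FORM = re.compile(r"^/(?P<body>.*)/(?P<flags>[a-z]*)$", re.DOTALL)


def wildcard_to_regex(pattern: str) -> str:
    """Turn a * / ? wildcard into a regular expression, escaping everything else."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def compile_entry(pattern: str, pattern_type: str) -> "re.Pattern[str]":
    """Compile one banned-word entry with the case rules the article describes."""
    if pattern_type == "wildcard":
        # Wildcard patterns are not case sensitive.
        return re.compile(wildcard_to_regex(pattern), re.IGNORECASE)
    if pattern_type == "regexp":
        # Perl-style regular expressions are case sensitive unless /i is given.
        m = SLASH_FORM.match(pattern)
        body, flag_text = (m["body"], m["flags"]) if m else (pattern, "")
        flags = re.IGNORECASE if "i" in flag_text else 0
        return re.compile(body, flags)
    raise ValueError("unknown pattern type: %s" % pattern_type)


COMPILED = [(pattern, compile_entry(pattern, kind)) for pattern, kind in BANNED_WORDS]


def matched_patterns(text: str) -> List[str]:
    """Return the banned-word entries that hit anywhere in the text."""
    return [pattern for pattern, regex in COMPILED if regex.search(text)]


def scan_message(subject: str, body: str) -> Dict:
    """Check subject and body separately and say whether the message would be tagged."""
    hits_subject = matched_patterns(subject)
    hits_body = matched_patterns(body)
    return {"subject": hits_subject, "body": hits_body,
            "spam": bool(hits_subject or hits_body)}


# Constructed sample messages (subject, body).
SAMPLES = [
    ("Cheap VIAGRA here", "limited offer"),                    # wildcard, any case
    ("Hello", "Get FREE cash MONEY now"),                      # wildcard with *
    ("Re: meeting", "That is Bad Language for a work email"),  # regexp with /i
    ("urgent reply needed", "please respond"),                 # regexp without /i: no hit
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", scan_message(subject, body))
```

The fourth sample is the case the step warns about: /URGENT REPLY/ without /i never matches a lower-case subject, so the entry appears broken until it is rewritten as /urgent reply/i.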


Step 4

If you feel your system is still receiving too many SPAM messages then raise an issue with Fortinet support, but be sure to provide the following information:
  • Current configuration file of the FortiGate.
  • ''get system status'' from the CLI.
  • Examples in .msg format of the emails that are not being tagged as SPAM.
  • A detailed network diagram of the mail traffic flow.
Fortinet will then instruct you on which further debug output to collect in order to resolve the problem.
