FortiMail 6.0 Lab Guide-Online

DO NOT REPRINT
© FORTINET
FortiMail Lab Guide

for FortiMail 6.0
DO NOT REPRINT
© FORTINET
Fortinet Training
http://www.fortinet.com/training
Fortinet Document Library
http://docs.fortinet.com
Fortinet Knowledge Base
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE)

https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback
Email: courseware@fortinet.com
1/9/2019
DO NOT REPRINT
© FORTINET
TABLE OF CONTENTS
Virtual Lab Basics 5

Network Topology 5
Lab Environment 5
Remote Access Test 6
Logging In 7
Disconnections and Timeouts 9
Screen Resolution 9
Sending Special Keys 10
Student Tools 11
Troubleshooting Tips 11
Lab 1: Initial Setup 14
Exercise 1: Verifying DNS Records 15
Exercise 2: Configuring a Server Mode FortiMail 17
Exercise 3: Configuring a Gateway Mode FortiMail 24
Lab 2: Access Control and Policies 27
Exercise 1: Outbound Email Flow 28
Exercise 2: Relay Host 31
Exercise 3: Policy Usage Tracking 33
Exercise 4: Policy Creation 36
Lab 3: Authentication 40
Exercise 1: User Authentication Enforcement 41
Exercise 2: LDAP Operations 46
Exercise 3: SMTP Brute Force Attack 58
Lab 4: Session Management 61
Exercise 1: Connection Limits 62
Exercise 2: Sender Address Rate Control 65
Exercise 3: Header Manipulation 68
Lab 5: Antivirus 71
Exercise 1: Antivirus Scanning for Malware Detection 72
Lab 6: Antispam 75
Exercise 1: Scan Incoming Email for Spam 76
Test the Antispam Configuration 78
DO NOT REPRINT
© FORTINET
Exercise 2: Scan Outgoing Email for Spam 81
Exercise 3: User Quarantine Management 83
Exercise 4: Impersonation Analysis 86
Exercise 5: Bounce Verification (Backscatter) 89
Disable Recipient Address Verification 89
Disable Bounce Verification 92
Lab 7: Content Inspection 93
Exercise 1: Configuring Content Inspection 94
Exercise 2: Configuring DLP 98
Exercise 3: Configuring CDR 105
Quarantine an Unmodified Copy 106
Exercise 4: Verifying CDR 107
Verify URI Removal 109
Verify HTML Sanitization 110
Lab 8: Securing Communications 112
Exercise 1: Implementing SMTPS 113
Exercise 2: Implementing Content Inspection-Based IBE 118
Exercise 3: Accessing IBE Emails 122
Lab 9: High Availability 125
Exercise 1: Configuring the Primary FortiMail 127
Exercise 2: Configuring the Secondary FortiMail 128
Exercise 3: Verifying Cluster Health 130
Exercise 4: Configuring HA Virtual IP 134
Exercise 5: Monitoring Remote Services 137
Lab 10: Server Mode 142
Exercise 1: Configuring Resource Profiles 143
Exercise 2: Address Book LDAP Import 146
Lab 11: Transparent Mode 150
Exercise 1: Configuring a Transparent Mode FortiMail 151
Exercise 2: Configuring Bidirectional Transparency 157
Lab 12: Maintenance 160
Exercise 1: Configuring and Generating Local Reports 161
Exercise 2: Monitoring System Resource Use 164
Exercise 3: Managing Local Storage 168
Lab 13: Troubleshooting 171
Exercise 1: Troubleshooting the Problem 172
Exercise 2: Fixing the Problem 180
DO Virtual
NOT REPRINT
Lab Basics Network Topology
© FORTINET
Virtual Lab Basics
In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.
If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted on remote data centers that allow each student to have their
own training lab environment or point of deliveries (PoD).
FortiMail 6.0 Lab Guide 5

Fortinet Technologies Inc.
DO Remote
NOTAccess
REPRINT
Test Virtual Lab Basics
© FORTINET
Remote Access Test
Before starting any course, check if your computer can connect to the remote data center successfully. The
remote access test fully verifies if your network connection and your web browser can support a reliable
connection to the virtual lab.
You do not have to be logged in to the lab portal in order to run the remote access test.
To run the remote access test

1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc
If your computer connects successfully to the virtual lab, you will see the message All tests passed!:
2. Inside the Speed Test box, click Run.

The speed test begins. Once complete, you will get an estimate for your bandwidth and latency. If those
estimations are not within the recommended values, you will get any error message:
6 FortiMail 6.0 Lab Guide

DO Virtual
NOT REPRINT
Lab Basics Logging In
© FORTINET
Logging In
After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.
You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.
To log in to the remote lab

1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3. Enter your first and last name.

4. Click Register and Login.

DO Logging
NOTIn REPRINT Virtual Lab Basics
© FORTINET
Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
5. To open a VM from the dashboard, do one of the following:

l From the top navigation bar, click a VM's tab.
l From the box of the VM you want to open, click View VM.
Follow the same procedure to access any of your VMs.
When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.

DO Virtual
NOT REPRINT
Lab Basics Disconnections and Timeouts
© FORTINET
For most lab exercises, you will connect to a jumpbox VM, that could be either a Windows or a Linux VM.
From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab
environment.
Disconnections and Timeouts
If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.
If that fails, see Troubleshooting Tips on page 11.
Screen Resolution
The GUIs of some Fortinet devices require a minimum screen size.
To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:

DO Sending
NOTSpecial
REPRINT
Keys Virtual Lab Basics
© FORTINET
Sending Special Keys
You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:
From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:

DO Virtual
NOT REPRINT
Lab Basics Student Tools
© FORTINET
Student Tools
There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:
Troubleshooting Tips
l Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-
latency connections.
l Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your
computer is always on, and does not go to sleep or hibernate.
l For best performance, use a stable broadband connection, such as a LAN.

DO Troubleshooting
NOT REPRINT Tips Virtual Lab Basics
© FORTINET
l You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and
general performance:
l If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect,
notify the instructor.
l If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:
l If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action
menu, and select Revert:
Reverting to the VM's initial state will undo all of your work. Try other solutions first.

DO Virtual
NOT REPRINT
Lab Basics Troubleshooting Tips
© FORTINET
l During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the
following example appears:
To expedite the response, enter the following command in the CLI:

execute update-now

DO NOT REPRINT
© FORTINET
Lab 1: Initial Setup
In this lab, you will verify the DNS MX records for both of the lab domains, perform the initial configuration tasks
for the FortiMail VMs installed in the internal.lab domain for inbound email, and configure an email client to
connect to a server mode FortiMail. Then, you will issue basic SMTP commands and inspect email headers to
understand the flow of SMTP.
Objectives
l Verify DNS MX records for the lab domains
l Configure the initial system and email settings on the server mode FortiMail
l Configure the initial system and email settings on the gateway mode FortiMail
l Manually send basic SMTP commands to an email server to understand the SMTP protocol
Time to Complete
Estimated: 45 minutes

DO NOT REPRINT
© FORTINET
Exercise 1: Verifying DNS Records
DNS is a critical component in routing email messages. In this exercise, you will use Windows DOS commands to
verify the published DNS MX records for both internal.lab and external.lab domains, to understand the lab
network mail routing.
To verify MX records
1. In Windows, open a command prompt window, and then enter the following commands to display the MX records
associated with the external.lab domain:
nslookup -type=mx external.lab
You should receive an output similar to the following:

C:\Users\Administrator>nslookup -type=mx external.lab
external.lab MX preference = 10, mail exchanger = extsrv.external.lab
extsrv.external.lab internet address = 10.200.1.99
What is the primary MX record for the external.lab domain? ___________________________
As indicated in the nslookup query output, there is only one MX record associated
with the external.lab domain.
extsrv.external.lab MX preference = 10
Therefore, all email messages sent to the external.lab domain must be sent to the
extsrv.external.lab (10.200.1.99) host.
2. In the same command prompt window, enter the following commands to display the MX records associated with
the internal.lab domain:
nslookup -type=mx internal.lab
You should receive an output similar to the following:

C:\Users\Administrator>nslookup -type=mx internal.lab
internal.lab MX preference = 20, mail exchanger = intsrv.internal.lab
internal.lab MX preference = 10, mail exchanger = intgw.internal.lab
intsrv.internal.lab internet address = 10.0.1.99
intgw.internal.lab internet address = 10.0.1.11
What is the primary MX record for the internal.lab domain? ___________________________
What is the secondary MX record for the internal.lab domain? ___________________________

DO NOT REPRINT Exercise 1: Verifying DNS Records
© FORTINET
As indicated in the nslookup query output, there are two MX records associated with
the internal.lab domain.
intgw.internal.lab MX preference = 10
intsrv.internal.lab MX preference = 20
The intgw.internal.lab (10.0.1.11) host is the primary MTA for the

internal.lab domain because it has the lowest preference value. However, at this
point in the lab, you haven’t configured the IntGW FortiMail VM to process email,
therefore, it won’t respond to any SMTP sessions. When the TCP connection fails,
the remote sender will automatically try to send email to the next MX record on the
list intsrv.internal.lab (10.0.1.99)
3. Close the command prompt window.
In the lab network, the MX records for the internal.lab domain are geared for
convenience, and should not be used as a template for real-world deployments.
Since the back-end mail server might not have the full range of email security
features enabled, publishing it as a secondary MX entry is detrimental to security.
Spammers can easily identify and exploit these servers using MX records.
Publishing the back-end mail server as a secondary MX entry will also prevent certain
FortiMail features—such as greylisting, or sender reputation—from working
effectively.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring a Server Mode FortiMail
In the lab network, the IntSRV server mode FortiMail is intended to be the mail server for the internal.lab domain.
It is where the end user mailboxes are, where you will perform all user-management tasks, and where you will
perform tasks specific to server mode.
In this exercise, you will perform the basic configuration tasks required to establish inbound email flow on the
IntSRV FortiMail VM. You will verify your configuration by sending an email from the ExtSRV FortiMail VM and
then reviewing the logs. Then, you will configure a mail user agent (MUA) to connect to the server mode
FortiMail.
To verify the operation mode

1. In Windows, open a web browser , and go to the IntSRV FortiMail management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.

3. On the Dashboard, on the Status tab, locate the System Information widget and verify that the Operation
mode is set to Server.
To configure the system settings

1. Click System > Network > Interface.
2. Select port1, and then click Edit.
3. Verify and configure the following values for port1:
Field Value
Addressing Mode Manual
IP/Netmask 10.0.1.99/24

DO NOT REPRINT Exercise 2: Configuring a Server Mode FortiMail
© FORTINET
Field Value
Advanced Setting
Access HTTPS PING SSH TELNET
Administrative status Up
4. Click OK.
5. Click System > Network > Routing.
6. Click New.
7. Add a new static route using the following values:
Field Value
Destination IP/netmask 0.0.0.0/0
Interface port1
Gateway 10.0.1.254
8. Click Create to save the static route.

9. Click System > Network > DNS, and then configure the following DNS servers:
Field Value
Primary DNS server 10.0.1.10
Secondary DNS server 10.0.1.254
There are two DNS servers in the lab network; a primary and a secondary DNS server.
The primary DNS server is the Windows server and the secondary DNS server is the
Linux server.
10. Click Apply to save the DNS changes.
To configure the mail settings

1. Click System > Mail Settings > Mail Server Settings.
2. Configure the following values under Local Host:
Field Value
Host name IntSRV
Local domain name internal.lab
3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Domain & User > Domain > Domain.

DO Exercise
NOT2: Configuring
REPRINT a Server Mode FortiMail
© FORTINET
5. Click New to add a protected domain using the following values:
Field Value
Domain name internal.lab
6. Keep the default values for the remaining settings, and then click Create.
To create server mode users

1. Click Domain & User > User > User.
2. Click New to create a new mail user on the server mode FortiMail using the following values:
Field Value
User name user1
Authentication type Local
Password fortinet
Display name Mail User 1
3. Click Create to save the user configuration.
To verify the configuration

1. In Windows, open a new web browser tab, and go to the ExtSRV FortiMail's webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.

3. Click the Compose Mail icon ( ), and then compose a new email message using the following values:
Field Value
To user1@internal.lab
Subject Hello World!
Message Body Your configuration is successful!
4. Click Send.
5. Open a new web browser tab, and visit the IntSRV FortiMail webmail GUI:
https://intsrv.internal.lab/
6. Log in as user1 using the password fortinet.

7. If the test email message doesn’t appear in the inbox, click Refresh.

© FORTINET
8. Log out of the webmail interface.

9. Close the browser tab.
To review the logs

1. Visit the IntSRV FortiMail management GUI:
2. Click Monitor > Log > History.

3. Review the first log and verify that the system applied the appropriate Classifier and Disposition to your test
email message.
To configure an MUA to connect to the server mode FortiMail

1. In Windows, open Mozilla Thunderbird and create a new email account.
2. If the system prompts you to sign up for a new email address, click Skip this and use my existing email.
3. After the Mail Account Setup wizard starts, enter the following account information for Mail User 1.
Field Value
Your name Mail User 1
Email Address user1@internal.lab
Password fortinet

DO Exercise
NOT2: Configuring
© FORTINET
4. Click Continue.
Thunderbird attempts to auto-configure the server settings.
5. Click Manual Config if it does not take you to the manual config mode automatically.
6. Modify the auto-discovered Server hostname values for both Incoming and Outgoing to match the following
example, and then click Done.
Filed Protocol Server hostname Port SSL Authentication
Incoming IMAP intsrv.internal.lab 143 STARTTLS Normal Password
Outgoing SMTP intsrv.internal.lab 25 None Normal Password

© FORTINET
7. Select the I understand the risks check box, and then click Done.
While unencrypted passwords are fine for a lab network, you should avoid using them
in real-world deployments.
8. Select the Permanently store this exception check box, and then click Confirm Security Exception to
complete the Mail Account Setup wizard.
Thunderbird displays a certificate security warning.

DO Exercise
NOT2: Configuring
© FORTINET
9. If your configuration is correct, the test email you created in the previous exercise appears in Thunderbird, in your
local inbox.

DO NOT REPRINT
© FORTINET
Exercise 3: Configuring a Gateway Mode FortiMail
In the lab network, the IntGW gateway mode FortiMail is intended to be the MTA for the internal.lab domain. It
will be the relay server for the IntSRV FortiMail, and also where most of the inspection configuration tasks will be
performed.
In this exercise, you will perform the configuration tasks required to establish inbound email flow on the IntGW
FortiMail VM. Then, you will verify your configuration by manually composing an email using a telnet session, and
reviewing the headers of the email in your Thunderbird mail client.
Recall the DNS verification tasks you performed in the first exercise. As the MX
records show, the intgw.internal.lab (10.0.1.11) host is the primary MTA for the
internal.lab main. So, all email messages should be sent to the IntGW FortiMail first
for processing. The IntGW FortiMail will then pass the email to the IntSRV FortiMail
VM for delivery to the end user.

1. In Cloudshare, click the IntGW console window.
2. Click anywhere in the console window, and then press the Enter key.
4. Configure the port1 IP address, subnet mask, and access options using the following CLI commands:
config system interface
edit port1
set ip 10.0.1.11/24
set allowaccess https ping ssh telnet
next
end
5. In Windows, open a new web browser tab, and visit the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin

8. Click New, and then add a new static route using the following values:
Field Value
Destination IP/netmask 0.0.0.0/0
Interface port1
Gateway 10.0.1.254
9. Click Create to save the static route.

10. Click System > Network > DNS, and then configure the following DNS servers:

DO Exercise
NOT3: Configuring
REPRINT a Gateway Mode FortiMail
© FORTINET
Field Value
11. Click Apply to save the DNS changes.

2. Configure the following values under Local Host:
Field Value
Host name IntGW
Field Value
Domain name internal.lab
SMTP Server 10.0.1.99
10.0.1.99 is the IP address of the IntSRV host. This is the server mode FortiMail
that you configured in the previous exercise. It contains the user mailboxes for the
internal.lab domain. Therefore, the IntGW host is configured with 10.0.1.99 as the
protected SMTP Server.
To verify the configuration

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254
and click Open.
4. Log in as student using the password password.

5. After logging in, you will be at the /home/student directory. To verify, type pwd.

DO NOT REPRINT Exercise 3: Configuring a Gateway Mode FortiMail
© FORTINET
6. Run the following swaks command to test the gateway mode FortiMail configuration. A copy of the command is in
a text file named commands.txt, which is located in the Resources folder on the Windows desktop.
swaks -f extuser@external.lab -t user1@internal.lab -s 10.0.1.11 --body 'Gateway mode
FortiMail configuration is successful'
7. In Thunderbird, open the test message that you sent in the previous step.
8. In the More drop-down list, select View Source to view the full headers of the message:
9. Compare the Received: headers in the Telnet session email with the Hello World! email you sent in the
previous exercise.
What differences do you see?
The Hello World email’s Received header shows that the IntSRV FortiMail received
the email directly from the ExtSRV FortiMail.
Received: from extsrv.external.lab ([10.200.1.99])
by IntSRV.internal.lab
The swaks session email’s Received header shows that the email was processed first
by the IntGW FortiMail, and then handed off to the IntSRV FortiMail.
Received: from IntGW.internal.lab ([10.0.1.11]) by
IntSRV.internal.lab

DO NOT REPRINT
© FORTINET
Lab 2: Access Control and Policies
In this lab, you will establish outbound email flow for the internal.lab domain, as well as configure a relay host for
the server mode FortiMail. You will create IP and recipient policies, and then use logged policy IDs to identify how
policies are applied to an email.
Objectives
l Configure access receive rules to allow outbound email
l Configure an external relay host
l Configure IP and recipient policies
l Use logged policy IDs to track messages
Time to Complete

DO NOT REPRINT
© FORTINET
Exercise 1: Outbound Email Flow
In this exercise, you will configure the necessary access receive rules on both the IntGW and IntSRV FortiMail
VMs to allow outbound email.
To verify authenticated outbound relay

1. In Windows, open Thunderbird, and then compose a new email message to the external user using the following
values:
Field Value
To extuser@external.lab
Subject Testing Outbound Email
Message Body Will this work?
2. Click Send. If Thunderbird displays a security warning, select the Permanently store this exception check box,
and then click Confirm Security Exception.
3. Open a web browser and visit the ExtSRV FortiMail webmail GUI:
4. Log in as extuser with the password fortinet.

5. Verify that extuser has received the email.
By default, FortiMail rejects outbound email, unless the sender is authenticated.

Because you configured Thunderbird to authenticate when sending emails using
SMTP, the IntSRV FortiMail relays it.
To configure the server mode access receive rule

1. In Windows, open a web browser and go to the IntSRV FortiMail management GUI:

3. Click Policy > Access Control > Receiving.
4. Click New and configure an access receive rule using the following values:
Field Value
Sender Pattern User Defined
*@internal.lab

DO Exercise
NOT1: Outbound
REPRINT
Email Flow
© FORTINET
Field Value
Sender IP/netmask User Defined
10.0.1.0/24
Action Relay
5. Click Create to save the access receive rule.
While the default behavior reduces configuration requirements, it is still a good

practice to configure an access receive rule with specific sender patterns and sender
IP/netmask values in a server mode deployment to restrict filter outbound sessions.
To configure the gateway mode access receive rule

1. In Windows, open a new web browser tab, and visit the IntGW FortiMail management GUI:

3. Click Policy > Access Control> Receiving.
4. Click New.
5. Configure an access receive rule using the following values:
Field Value
Sender Pattern User Defined
*@internal.lab
10.0.1.99/32
Action Relay
On the IntGW FortiMail you are allowing only the IntSRV server mode FortiMail to
relay email. Therefore, you are configuring a /32 subnet mask. No other host is able
to relay email through IntGW.
6. Click Create to save the access receive rule.
To verify the access receive rules

1. Return to the Thunderbird composewindow and compose a new email to extuser@external.lab, and click
Send.
2. Open a new web browser tab and go to the ExtGW webmail GUI:

DO NOT REPRINT Exercise 1: Outbound Email Flow
© FORTINET
The email message should appear in the inbox.
4. Click the email message to open it.

5. Click More > Detailed Header.
This displays the email header in the webmail interface.
6. Review the Received: headers.

What hops did the email take to reach the destination inbox?
The email message was generated by Windows (10.0.1.10) and sent to IntSRV
(10.0.1.99). The IntSRV host then delivered the email message to ExtSRV
(10.200.1.99).
Received: from IntSRV.internal.lab ([10.0.1.99]) by extsrv.external.lab with

ESMTP id v1RL4umB001914-v1RL4umD001914
Received: from [10.0.1.10] ([10.0.1.10])(user=user1@internal.lab

mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id v1RL4uHI001985-
v1RL4uHK001985
According to the headers, the email message did not pass through the IntGW FortiMail, which is expected.
The IntSRV server mode FortiMail delivered the email based on MX query results. To make sure all outbound
email from IntSRV FortiMail relays through the IntGW FortiMail, you must configure a relay host on the
IntSRV FortiMail.

DO NOT REPRINT
© FORTINET
Exercise 2: Relay Host
In this section, you will configure an external relay host on the IntSRV FortiMail so all outbound email are sent to
the IntGW gateway mode FortiMail for delivery.
To configure a relay host

1. In Windows, visit the IntSRV FortiMail management GUI:
2. Click System > MailSettings > Mail Server Settings.

3. Expand the Outgoing Email sub-section.
4. Select the Deliver to relay host check box, and then click New.
5. Create a new relay host using the follow values:
Field Value
Name IntGWRelay
Host name/IP 10.0.1.11
6. Leave the remaining fields empty, and then click Create to save the relay host configuration.
7. Click Apply to save the Outgoing Email setting changes.
To verify the relay host

1. Open Thunderbird, and then click Write.
2. Compose a new email using the following values:
Field Value
Subject Testing Relay Host
Message Body Relay host is working!
3. Click Send.
4. Visit the ExtSRV webmail GUI:
5. Verify that the email was delivered.

6. Review the headers.
Do you see any differences in the Received: headers? What hops did the email take this time to reach the
destination inbox?

DO NOT REPRINT Exercise 2: Relay Host
© FORTINET
The email was generated by Windows (10.0.1.10) and sent to IntSRV
(10.0.1.99). The IntSRV host then sent the email to IntGW (10.0.1.11). The
IntGW host delivered the email to ExtGW (10.200.1.99).
Received: from IntGW.internal.lab ([10.0.1.11]) by extsrv.external.lab with

ESMTP id v1RLvKZS002158-v1RLvKZU002158
Received: from IntSRV.internal.lab ([10.0.1.99]) by IntGW.internal.lab with

ESMTP id v1RLvKQj001948-v1RLvKQl001948
Received: from [10.0.1.10] ([10.0.1.10]) (user=user1@internal.lab

mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id v1RLvJ8k002052-
v1RLvJ8m002052
By completing the previous configuration steps, you have successfully established bidirectional email flow in
which all inbound and outbound email must flow through the IntGW gateway mode FortiMail.

DO NOT REPRINT
© FORTINET
Exercise 3: Policy Usage Tracking
As email messages flow through FortiMail, log entries are created that show which policies were triggered. This is
extremely useful for testing new policies and troubleshooting existing ones.
In this exercise, you will send two email messages, one in each direction, and then review which policies the
messages used.
To generate log entries

1. In Windows, open Thunderbird.
2. Send an email message to extuser@external.lab.
3. Visit the ExtSRV FortiMail webmail GUI:

5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.
To review log entries

1. Visit the IntGW FortiMail management GUI:
2. Click Monitor> Log > History.

3. The first two entries in the History log should correspond to the two email messages that FortiMail just
processed.
4. Right-click the entry for the inbound email, and then select View Details.

DO NOT REPRINT Exercise 3: Policy Usage Tracking
© FORTINET
5. Review the Policy IDs field, and answer the following questions:
The Policy IDs field is made up of three fields (X:Y:Z). What does each field’s value correspond to?
The first policy usage value is 0. What does this mean?
The third policy usage value is 0. What does this mean?

DO Exercise
NOT3: Policy
REPRINT
Usage Tracking
© FORTINET
The policy IDs for each email message are recorded in the history logs in the format
of X:Y:Z, where X is the ID of the access control rule, Y is the ID of the IP-based
policy, and Z is the ID of the recipient-based policy.
If the value in the access control rule field for an incoming email is 0, it means that
FortiMail is applying its default rule for handling inbound email. If the value of X:Y:Z
is 0 in any other case, it means that a policy or rule couldn’t be matched, or doesn’t
exist.
6. Click Close to close the Log Details window.

7. Open the relevant log entry for the outbound email and review the Policy IDs field.
The policy use recorded for the outbound email message is 1:1:0. It was processed
using access receive rule ID 1, which you created in the previous exercise. Then, the
email message was processed using the default IP policy ID 1. Because you didn’t
configure any outgoing recipient policy, the last field value is 0.

DO NOT REPRINT
© FORTINET
Exercise 4: Policy Creation
In this exercise, you will create IP and recipient policies. Then, you will test your configuration by sending email
messages back and forth. You will also use logs to observe the changes to the policy use from the previous
exercise.
To create IP policies
2. Click Policy > IP Policy > IP Policy.

3. In the IP Policy section, click New.
4. Create a new IP policy using the following values:
Field Value
Source 10.0.1.99/32
Session Outbound_Session
5. Click Create to save the policy.

The new policy should have an ID value of 3.
6. Click the policy to select it.

7. In the Move drop-down list, select Before.
8. Move IP policy ID 3 to appear in the list before IP policy ID 1.

DO Exercise
NOT4: Policy
REPRINT
Creation
© FORTINET
The policies should appear in the following order:
IP policy ID 3 will process all email sourced from the IntSRV FortiMail (outgoing), and IP Policy ID 1 will
process all other email (incoming). IP policy ID 2 is a default IPv6 policy. Since this lab is not configured for
IPv6, it is not required. You can delete it if you want to.
To create recipient policies

1. Click Policy > Recipient Policy > Inbound.
2. Click New and, in the Domain drop-down list, select internal.lab.
Don't modify any other values.

DO NOT REPRINT Exercise 4: Policy Creation
© FORTINET
4. Click Outbound.
5. Click New and, in the Domain drop-down list, select internal.lab.
Don’t modify any other values.
To generate log entries

2. Send an email message to extuser@external.lab.

DO Exercise
NOT4: Policy
REPRINT
Creation
© FORTINET
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.
To review log entries

1. In the IntGW FortiMail management GUI, click Monitor > Log > History.
2. The first two entries in the History log should correspond to the two email messages that FortiMail just
processed.
3. Access the details for each log entry and review the Policy IDs field.
What changes can you see from the previous exercise?
The policy use will reflect the new ID values for the policies you created. All outgoing
email will be processed by IP policy ID 3, and outgoing recipient policy ID 2. All
incoming email will be processed by IP policy ID 1, and incoming recipient policy ID 1.

DO NOT REPRINT
© FORTINET
Lab 3: Authentication
In this lab, you will configure access receive rules to enforce user SMTP authentication. You will also configure an
LDAP profile to enable recipient verification, alias mapping, and user authentication.
Objectives
l Enforce user SMTP authentication using access receive rules
l Configure an LDAP profile
l Enable recipient verification and alias mapping
l Configure LDAP authentication for users
Time to Complete
Prerequisites
Before beginning this lab, you must disable sender reputation on the IntGW FortiMail.
To disable sender reputation

1. In Windows, open a web browser, and go to the IntGW FortiMail management GUI:

4. In the IP Policy section, double-click policy ID 1.
5. Edit the Inbound_Session profile.
6. Expand the Sender Reputation section and clear the Enable sender reputation check box.
7. Click OK to save the changes.
The sender reputation feature can interfere with some of the testing that you will do in
this lab.

DO NOT REPRINT
© FORTINET
Exercise 1: User Authentication Enforcement
In this exercise you will explore how FortiMail handles SMTP authentication. You will enforce authentication
using access receive rules, and test your configuration using various outgoing server settings in Thunderbird.
To disable SMTP authentication in Thunderbird

2. Press the Alt key to show the menu bar.
3. Click Tools > Account Settings.
4. On the Account Settings screen, in the left pane, click Outgoing Server (SMTP), and then click Edit.

DO NOT REPRINT Exercise 1: User Authentication Enforcement
© FORTINET
5. In the Authentication method drop-down list, select No authentication.

7. Click OK to return to the main Thunderbird window.
By making these changes, you have disabled authentication for SMTP connections.
So, when you send an email message, Thunderbird won’t authenticate.

DO Exercise
NOT1: User
REPRINT
Authentication Enforcement
© FORTINET
To send an unauthenticated email message
1. In Thunderbird, send an email to extuser@external.lab.
2. Open a web browser, and then go to the ExtSRV FortiMail webmail GUI.

Why was the email delivered to the destination user even though you disabled SMTP authentication in
Thunderbird?
The access receive rule that you configured in Access Control and Policies on page 27
didn’t have authentication enforcement enabled.
When you set Authentication Status to Any, FortiMail doesn’t verify whether the
sender matching the rule is authenticated or not.
To enforce authentication
1. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:

4. Select rule ID 1 and click Edit.
5. In the Authentication status drop-down list, select Authenticated.

DO NOT REPRINT Exercise 1: User Authentication Enforcement
© FORTINET
To verify authentication enforcement

1. In Thunderbird, send another email message to extuser@external.lab.
This time, an alert opens indicating that relaying is denied.
2. Click OK to close the alert, but leave the email compose window open in the background.

5. Double-click the active log file.
The first entry in the History log should correspond to the rejected email message.

DO Exercise
NOT1: User
REPRINT
Authentication Enforcement
© FORTINET
In this log entry, you can see IntSRV has rejected (Disposition) the email because
the session violated an access control rule (Classifier). By changing the
Authentication Status value to Authenticated, you have successfully enforced
authentication for users connecting to the IntSRV FortiMail.
To restore SMTP authentication on Thunderbird

1. In the main Thunderbird window, press the Alt key to show the menu bar.
2. Click Tools > Account Settings.
3. On the Account Settings screen, click Outgoing Server (SMTP), and then click Edit.
4. In the Authentication method drop-down list, select Normal password.
6. Click OK to return to the main Thunderbird window.
7. Send the email message again.
8. Visit the ExtGW FortiMail webmail GUI:

10. Verify that the email was delivered.

The first entry in the History log should correspond to the email message you just sent.
14. Click the Session ID link to retrieve the cross search results.
15. Right-click the event log related to the authentication event to view the details.

DO NOT REPRINT
© FORTINET
Exercise 2: LDAP Operations
The Windows VM has been preconfigured with Active Directory devices for the internal.lab domain. In this
exercise, you will review the Active Directory configuration and learn how to retrieve LDAP attributes for Active
Directory objects. Then, you will configure an LDAP profile on both IntSRV and IntGW FortiMail devices to use for
user authentication, alias lookup, and recipient verification.
To review the Active Directory configuration

1. In Windows, on the desktop, open the Active Directory Users and Computers management console.
A service account for the LDAP profile is located in the Service Accounts
organization unit (OU). The users and groups are located in the Training Users OU
and Training Groups OU respectively.
All account passwords have been set to fortinet.
To access the LDAP attributes of Active Directory objects

1. In the Active Directory Users and Computers management console, click View, and then verify that
Advanced Features is selected.

DO Exercise
NOT2: LDAP
REPRINT
Operations
© FORTINET
2. Right-click internal.lab, and then select Properties.
3. In the internal.lab Properties window, click the Attribute Editor tab.

DO NOT REPRINT Exercise 2: LDAP Operations
© FORTINET
You can use the previous steps to access the LDAP attributes of any Active Directory
object necessary to configure the LDAP profile on FortiMail.
4. Click Cancel to close the properties window.

5. Close the Active Directory Users and Computers management console.
To configure an LDAP profile on IntGW FortiMail

1. Open a new web browser tab, and go to the IntGW FortiMail management GUI:

3. Click Profile > LDAP > LDAP.
4. Click New.
5. Create an LDAP profile using the following values:
Field Value
Profile name InternalLabLDAP
Server name/IP 10.0.1.10
6. Use the following values to configure the Default Bind Options:

DO Exercise
NOT2: LDAP
REPRINT
Operations
© FORTINET
Field Value
Base DN OU=Training Users,DC=internal,DC=lab
Bind DN CN=LDAP Service Account,OU=Service Accounts, DC=internal,DC=lab
Bind password fortinet
7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:
Field Value
Alias member query proxyAddresses=smtp:$m
User group expansion in Disable

advance
Use Separate bind Disable
10. Click Create to save the LDAP profile.
To configure an LDAP profile on IntSRV FortiMail


4. Click New.
5. Create an LDAP profile using the following values:
Field Value
Profile name InternalLabLDAP
Server name/IP 10.0.1.10
6. Use the following values to configure the Default Bind Options:
Field Value
Base DN OU=Training Users,DC=internal,DC=lab
Bind DN CN=LDAP Service Account,OU=Service Accounts, DC=internal,DC=lab
Bind password: fortinet
7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.

© FORTINET
9. Use the following values to modify the User Alias Options:
Field Value
Alias member query proxyAddresses=smtp:$m
User group expansion in Disable

advance
Use Separate bind Disable
10. Click Create to save the LDAP profile.
To validate the LDAP profile configuration

1. In the IntGW FortiMail management GUI, select the InternalLabLDAP profile, and then click Edit.
2. On the LDAP profile configuration screen, click [Test LDAP Query…].
3. Make sure the query type is set to User.
4. Query for the following users:
l user1@internal.lab
l user2@internal.lab
5. If your configuration is correct, you will receive the following Test Result message:
6. If the query fails, make sure the LDAP profile configuration matches the following example:

DO Exercise
NOT2: LDAP
REPRINT
Operations
© FORTINET
7. On the LDAP profile configuration screen, click [Test LDAP Query…] again.
8. Change the query type to Alias.
9. All of the Active Directory users have been preconfigured with aliases.
Query for the following aliases:
l mailuser1@internal.lab
l mailuser2@internal.lab
10. If your configuration is correct, you will receive the following Test Result message:

© FORTINET
11. If the query fails, make sure the LDAP profile User Alias Options configuration matches the following example:
12. Perform the same validation steps on the IntSRV FortiMail.

DO Exercise
NOT2: LDAP
REPRINT
Operations
© FORTINET
To configure recipient verification and alias mapping for gateway mode
1. In the IntGW FortiMail management GUI, click Domain & User > Domain > Domain.
2. Select the internal.lab domain, and then click Edit.
3. In the Recipient Address Verification section, select Use LDAP Server.
4. In the Use LDAP server drop-down list, select InternalLabLDAP.
5. Expand the LDAP Options section.
6. In the User alias / address mapping profile drop-down list, select InternalLabLDAP.
7. Your configuration should match the following example:
You don’t need to configure recipient verification on the IntSRV FortiMail. Recipient
verification is enabled implicitly on a server mode FortiMail because the user
database exists locally.
You also don’t need to configure alias mapping on the IntSRV FortiMail because the
mapping is done by the IntGW FortiMail before it delivers an email message to the
IntSRV FortiMail.
To configure LDAP authentication for gateway mode webmail access

2. Select recipient policy ID 1, and then click Edit.
3. In the Authentication and Access section, configure the following values:

© FORTINET
Field Value
Authentication type LDAP
Authentication profile InternalLabLDAP
Users will use their Active Directory accounts to authenticate and gain access to the
IntGW FortiMail’s webmail interface for quarantined emails.
To configure LDAP authentication for server mode users

2. Click Domain & User > User > User.

3. Select user1, and then click Edit.
4. In the Authentication type drop-down list, select LDAP.
5. In the LDAP profile drop-down list, select InternalLabLDAP.
If the LDAP profile doesn’t appear in the drop-down list, then you missed a step.
Return to the To configure an LDAP profile on IntSRV FortiMail on page 49 section,
and then follow the listed steps to configure the same LDAP profile on the IntSRV
FortiMail.

7. Click New.
8. Create a new user using the following values:
Field Value
User name user2
Authentication type LDAP
LDAP profile InternalLabLDAP
Display name Mail User 2
9. Click Create to save the new user.
To validate server mode LDAP authentication

1. In Windows, open a new web browser tab, and visit the IntSRV FortiMail webmail GUI:

DO Exercise
NOT2: LDAP
REPRINT
Operations
© FORTINET
If you have configured the server mode user LDAP authentication correctly, the login will be successful.
To validate gateway mode LDAP authentication

1. Open a new web browser tab and go to the IntGW FortiMail webmail GUI:
https://intgw.internal.lab/

If you have configured the gateway mode LDAP authentication correctly, the login will be successful.
3. Log out and close the browser tab before proceeding.
The webmail GUI in gateway mode gives users access to their Bulk folder, which
contains only quarantined email. You will configure email quarantining in a later lab. In
this section, you are verifying user access only.
To validate recipient verification

1. In Windows, open a new web browser tab, and go to the ExtSRV FortiMail’s webmail GUI:

3. Compose a new email message using the following values:
Field Value
To invaliduser@internal.lab
Subject Testing Recipient Verification
Message Body This should be rejected!
4. Click Send.
5. Click Refresh to update the inbox.
You should receive a delivery status notification (DSN) message.
6. Open the DSN message and review the transcript details.

7. Visit the IntGW FortiMail management GUI.

The first entry in the History log should correspond to email you just sent.

© FORTINET
10. Review the log details.
To validate alias mapping

1. Visit the ExtSRV FortiMail’s webmail GUI.

3. Compose another email message using the following values:
Field Value
To mailuser2@internal.lab
Subject Testing Alias Mapping
Message Body This should work!
4. Click Send.
5. Visit the IntSRV FortiMail’s webmail GUI:

The email you sent to mailuser2@internal.lab should appear in the user2@internal.lab inbox.


9. The first entry in the History log should correspond to email message you just sent.

DO Exercise
NOT2: LDAP
REPRINT
Operations
© FORTINET
10. Click the Session ID to retrieve the cross search result.
11. Review the AntiSpam log related to the session.
Alias mapping is useful to consolidate multiple email messages for the same user in a
single email account using their primary email address as the identifier. This reduces
account management overhead for the user and the administrator. For example, if a
user has five aliases in addition to a primary email address, FortiMail can use alias
mapping to maintain a single user quarantine mailbox. Otherwise, the user would
have to manage six separate quarantine accounts, as well as the quarantine reports
for each account.

DO NOT REPRINT
© FORTINET
Exercise 3: SMTP Brute Force Attack
In this exercise, you will explore how FortiMail handles a failed SMTP authentication. You will generate an SMTP
brute force attack and block the offending IP address.
Enable authserver security on the IntGW FortiMail

1. In Windows open a new web browser tab and go to the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin/
3. Click Security > Authentication Reputation > Settings.
4. Set the status to Enable, keep the default values for the remaining fields, and click Apply.
The default block period for an offending IP address is 10 minutes. You can set the
block period to a maximum of 60 minutes and minimum of 5 minutes.
Run brute force attack from Linux

2. Click Load.
3. Click Open.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254,
and click Open.

5. After logging in successfully, you will be in the /home/student directory. To verify, type pwd.
6. Run the following swaks command to generate an SMTP brute force attack. A copy of the command is in a text file
named commands.txt, which is located in the Resources folder on the Windows desktop.
while sleep 1; do swaks --to user1@internal.lab --from
"extuser@external.lab" --header "Subject: Test mail" --body "This is a test
mail" --server 10.0.1.11 --port 25 --timeout 40s --auth LOGIN --auth-user
"extuser@external.lab" --auth-password "Myworld" -tls; done
After a few successful SMTP connections, subsequent connections time out.
Successful connection but failed authentication attempt

DO Exercise
NOT3: SMTP
REPRINT
Brute Force Attack
© FORTINET
Connection time out
7. Type ctrl+c to stop the attack.
Stop and think!

Why are the SMTP connections failing?
FortiMail uses a variety of adaptive factors to detect and block brute forcing (not just consecutive failures)
and temporarily locks out (tarpits) the user. FortiMail detected a brute force attack and blocked that IP. New
TCP connections from that attacker were denied.
To review the logs

2. Click Monitor > Log> History.
3. The first few log entries should correspond to the failed SMTP authentication with SMTP Auth Failure showing
in the Classifier column and Reject showing in the Disposition column.
4. Click Monitor> Reputation > Authentication Reputation.

The blocked IP of the attacker is displayed.
5. Refresh to view the current expiry time.

DO NOT REPRINT Exercise 3: SMTP Brute Force Attack
© FORTINET
If you do not see the IP address on the Authentication Reputation tab, then run the
following command on the CLI/console of the gateway mode FortiMail. To access the
console, click Dashboard >Console.
# execute db reset sender-reputation
Delete the blocked IP in order to continue to the next lab

1. Click Monitor > Reputation > Authentication Reputation.
2. Select the blocked IP 10.0.1.254 and Delete it.

DO NOT REPRINT
© FORTINET
Lab 4: Session Management
In this lab, you will configure session profiles to inspect the envelope part of SMTP sessions. You will also use
session profiles to hide internal network information from email headers.
Objectives
l Configure session profile connection settings to limit inbound connections to the IntGW FortiMail
l Configure sender address rate control to limit outbound connections on the IntSRV FortiMail
l Configure session profile header manipulation to hide your internal network information
Time to Complete
Prerequisites
Before beginning this lab, you must restore a configuration file to the IntSRV FortiMail.
To restore the initial configuration file

1. In Windows, open a web browser and visit the IntSRV FortiMail management GUI:

3. Click System > Maintenance > Configuration, and upload the following configuration file:
Desktop\Resources\Starting Configs\Lab 4\04_Initial_IntSRV.tgz
The configuration file adds a new IP policy that causes all email delivery attempts from
the ExtSRV FortiMail to the IntSRV FortiMail to fail temporarily. This is done to ensure
that when the session limits are triggered on the IntGW FortiMail, the ExtSRV
FortiMail can’t deliver to the IntSRV FortiMail directly. The change helps in testing the
session profile settings you will be configuring on IntGW in this lab.
4. Click Restore.
5. Wait for the IntSRV FortiMail to finish rebooting before you proceed with the exercise.

DO NOT REPRINT
© FORTINET
Exercise 1: Connection Limits
Spammers usually send as many email messages as they can in a small period of time, before legitimate email
servers begin to block delivery. If blocked, the spammers won’t spend the time to retry. Normal email servers will
retry delivery if it fails the first time. One method of blocking spam, while allowing legitimate email messages, is
to limit the number of SMTP sessions that each client can establish in a 30-minute period.
In this exercise, you will configure a session profile on the IntGW FortiMail to limit the number of connections the
ExtSRV FortiMail can establish over a 30-minute period. Then, you will test the connection limitation by sending
consecutive email messages to trigger a violation. You will also verify your configuration by reviewing the logs.
To configure a session profile

1. In Windows, open a web browser, and visit the IntGW FortiMail management GUI:

3. Click Profile > Session > Session.
4. Click New.
5. In the Connection Settings section, configure the following values:
Field Value
Profile name limit_connections
Restrict the number of 4

connections per client per 30
minutes to
6. Click Create to save the profile.
Four connections every 30 minutes is too few to be realistic for real-world

deployments. Email servers usually send many email messages to or through
FortiMail each minute. In this lab, however, you will use the 30-minute restriction to
make your rate limit easy to trigger.
If there are no IP policies configured with a session profile, FortiMail will still rate limit
connections according to its default settings, which are similar to the session_basic_
predefined profile–including the 10 MB size limit, sender reputation enabled, and so
on. To disable the rate limit, you must create and apply a blank session profile.
To apply the session profile to inbound connections

1. Continuing on the IntGW FortiMail management GUI, click Policy > IP Policy > IP Policy.
2. Edit IP policy ID 1.
3. In the Profiles section, in the Session drop-down list, select limit_connections.
4. Click OK to save your settings.

DO Exercise
NOT1: Connection
REPRINT Limits
© FORTINET
To validate the connection limits
1. Open a new tab in your browser, and go to the ExtSRV FortiMail webmail GUI:

3. Send five email messages to user1@internal.lab to trigger the session limit.
4. Open Thunderbird and verify how many email messages were delivered to the user1@internal.lab inbox.
There will be one email sent per TCP connection. Therefore, the IntGW FortiMail
should allow the first four but block the fifth, which exceeds your configured connection
limit.


7. The first entry in the History log should correspond to the rejected email.
Why are the From, To, and Subject fields empty in this log entry?
FortiMail blocked the client’s attempt when scanning the IP layer of the initial packets
before the SMTP session could be established. The SMTP session contains the SMTP
envelope: the sender’s email address, the recipient’s email address, and the subject.
So those parts of the email were never received.
8. Click the Session ID to retrieve the cross search results.

9. Review the related AntiSpam log.
To disable connection limits

1. Go to the IntGW FortiMail management GUI:

DO NOT REPRINT Exercise 1: Connection Limits
© FORTINET
3. Edit IP policy ID 1.
4. In the session profile drop-down list, select Inbound_Session.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 2: Sender Address Rate Control
While it is important to protect your email users from spammers sending large volumes of email, it is also
important to protect your own MX IP reputation by controlling the volume of email received from internal users.
In this exercise, you will configure sender address rate control on the IntSRV FortiMail. Then, you will send
consecutive email messages to trigger a violation, and verify your configuration using logs.
To configure sender address rate control

1. In Windows, open a new web browser tab, and go to the IntSRV FortiMail management GUI:

4. Select the internal.lab domain, and click Edit.
5. In the Advanced Settings section, click Sender Address Rate Control and Enable it.
6. Configure the following values:
Field Value
Action Reject
Maximum number of 4
messages per half hour
Send email notification upon Enable

rate control violations
7. Click New.
8. Create a notification profile using the following values:
Field Value
Name NotifyUser1
Send notification to Others
9. Enter Mail User 1’s email address: user1@internal.lab.

10. Click >>
11. Click Create.
12. Click OK.
13. Click OK.
To validate sender address rate control

1. Open a new web browser tab, and go to the IntSRV FortiMail’s webmail GUI:

DO NOT REPRINT Exercise 2: Sender Address Rate Control
© FORTINET
3. Send five email messages to extuser@external.lab to trigger the rate control limit.
4. Open a new web browser tab, and visit the ExtSRV FortiMail webmail GUI:

6. Check how many email messages were delivered to the extuser@external.lab inbox.
By now, user1@internal.lab should have received the notification email for the rate control violation.
7. Open Thunderbird, and view the details in the notification email.
Notification profiles are a convenient feature that can allow administrators to keep
informed of events occurring on FortiMail. Many FortiMail features support notification
profiles.


The first entry in the History log should correspond to the rate control violation.
While session profile connection limits and sender address rate control appear to
function very similarly, there is a major difference in how these limits are applied by
FortiMail.
As you observed in the previous exercise, session profile connection limits are applied
at the IP layer. Sender address rate control limits connections based on the sender
address. This is derived from the mail From: field of the SMTP envelope. So, for
sender address rate control, FortiMail must process at least a portion of the SMTP
envelope. This is also why user2@internal.lab appears in the From: field of the log
entry, but the log entries from the session profile connection limits are empty.

12. Review the related event, and antispam logs.
To disable sender address rate control

1. Visit the IntSRV FortiMail’s management GUI:

DO Exercise
NOT2: Sender
REPRINT
Address Rate Control
© FORTINET

3. Select the internal.lab domain, and click Edit.
4. In the Advanced Settings section, select Sender address rate control and disable it.

DO NOT REPRINT
© FORTINET
Exercise 3: Header Manipulation
Removing internal headers is a common security practice. It hides your internal network information from the
world.
In this exercise, you will observe the effects of header manipulation settings by configuring a session profile on
the IntGW FortiMail to hide internal headers.
To review headers
1. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI:

3. Open any email message sent by an internal.lab user.
If you deleted all the previous email messages, open Thunderbird and send a new email message to
extuser@external.lab.

5. Select and copy (Ctrl + C) the header contents.
6. Open a new Notepad window and paste (Ctrl + V) the header details.
7. Save the file on the desktop as Header_Before.txt.
To configure header manipulation

1. Open a new web browser tab, and go to the IntGW management GUI:

4. Click the Outbound_Session link.
This is the session profile currently applied to IP policy ID 3, which processes all outbound email for the
internal.lab domain.
5. Expand Header Manipulation, and then select the Remove received headers check box.

DO Exercise
NOT3: Header
REPRINT
Manipulation
© FORTINET
The IntGW FortiMail removes all previous Received: headers from the email when
it starts processing it, using IP policy ID 3.
To validate header manipulation settings

1. Open Thunderbird.
2. Send a new email message to extuser@external.lab.

5. Open the email message you just sent from user1@internal.lab.
6. Review the detailed headers of the email.
In the Received: header you should only see details about IntGW and ExtSRV.
There should be no information about Windows (10.0.1.10), and IntSRV
(10.0.1.99).
7. Open the Header_Before.txt file you saved earlier.

8. Compare the differences.

DO NOT REPRINT Exercise 3: Header Manipulation
© FORTINET

DO NOT REPRINT
© FORTINET
Lab 5: Antivirus
In this lab, you will apply FortiMail’s local malware detection techniques to scan for viruses in inbound email.
Objectives
l Configure an antivirus profile to enable local malware detection
l Configure an antivirus action profile to replace infected content from an email
l Apply antivirus scanning to inbound email
l Test antivirus functionality
Time to Complete

DO NOT REPRINT
© FORTINET
Exercise 1: Antivirus Scanning for Malware Detection
In this exercise, you will configure an antivirus profile and an antivirus action profile on the IntGW FortiMail. Then,
you will apply the antivirus profile to a recipient-based policy in order to scan all inbound email sent to the
internal.lab domain.
You shouldn’t test your antivirus configuration using a live virus. By doing so, you risk infecting your network’s
hosts if your configuration is incorrect. To test your antivirus configuration without risk of infecting your network,
you will use an EICAR file.
An EICAR file doesn’t contain a real virus. It is a harmless, industry-standard test file that is designed to trigger all
antivirus engines for testing purposes. So, if your antivirus configuration is correct, FortiMail should detect the
EICAR file as a virus.
To configure an antivirus action profile

1. In Windows, open a new web browser, and visit the IntGW FortiMail management GUI:

3. Click Profile > AntiVirus > Action.
4. Click New.
5. Add a new action profile using the following values:
Field Value
Domain internal.lab
Profile name AV_Tag_Replace
Tag subject enabled
[VIRUS DETECTED]
Replace infected/suspicious enabled

body or attachments
The action profile that you created doesn’t appear in the list. Why? The list view is
filtered by domain. If you want to show the new profile, change the selection in the
Domain drop-down list. Select internal.lab to view the action profiles for that specific
domain, or select All to view the action profiles for all domains.
To configure an antivirus profile for local malware detection

1. Continuing on the IntGW FortiMail management GUI, click Profile > AntiVirus > AntiVirus.
2. Click New.
3. Add a new antivirus profile using the following values:

DO Exercise
NOT1: Antivirus
REPRINTScanning for Malware Detection
© FORTINET
Field Value
Domain internal.lab
Profile name AV_In
Default action AV_Tag_Replace
4. Keep the default values for the remaining settings.

6. In the Domain drop-down list, select internal.lab to see the new antivirus profile.
To configure a recipient policy to apply antivirus

3. In the Profiles section, in the Antivirus drop-down list, select AV_In.
4. Click OK to save the recipient-based policy.
To send an infected email


Field Value
To user1@internal.lab
Subject AV EICAR Test
Message Body This contains a virus!
4. Click Attach.
5. Browse to and select:
Desktop\Resources\Files\eicar.com
6. Wait for the file upload to finish, and then click Send.
To verify AV functionality
2. Confirm that you received the email message sent from extuser@external.lab.
3. Note that the following actions have been applied to the email message:
l The subject line contains the [VIRUS DETECTED] tag
l The IntGW FortiMail replaced the EICAR file and inserted a replacement message.

DO NOT REPRINT Exercise 1: Antivirus Scanning for Malware Detection
© FORTINET
To monitor the logs

3. The first entry in the History log should correspond to the virus email.
4. Click the Session ID link to review the cross search result for more details.

DO NOT REPRINT
© FORTINET
Lab 6: Antispam
In this lab, you will configure antispam scanning for both inbound and outbound email. Then, you will verify your
configuration by sending live spam through the IntGW FortiMail VM. You will also configure quarantine report
settings, and manage user quarantine.
Objectives
l Scan both incoming and outgoing email for spam
l Send spam email to user quarantine
l Manage quarantine report configuration
l Access and explore the user quarantine mailbox
Time to Complete
Prerequisites
Before beginning this lab, you must restore a configuration file.
To restore the initial configuration files

1. In Windows, open a web browser, and go to the IntSRV FortiMail management GUI:
3. Click Restore.
4. Open a new web browser tab, and visit the IntGW FortiMail management GUI:
Desktop\Resources\Starting Configs\Lab 6\06_Initial_IntGW.tgz
6. Wait for the VMs to finish rebooting before proceeding with the exercise.
The configuration files disable all session profile inspection features that can
potentially interfere with the antispam testing you will do in this lab.

DO NOT REPRINT
© FORTINET
Exercise 1: Scan Incoming Email for Spam
In this exercise, you will verify the FortiGuard configuration. Then, you will configure an antispam profile to scan
all incoming email and send all spam email to the users’ personal quarantine accounts.
To verify FortiGuard configuration


3. Click System > FortiGuard > Antispam.
4. In the FortiGuard Antispam Options section, configure the following values:
Field Value
Enable service Enabled
Enable cache Enabled
Cache TTL (Seconds) 300 (default)
Use override server Enable
Override server address: 10.0.1.241
5. Click Apply to save the changes.

6. To test the connectivity to FortiGuard, under FortiGuard > License, expand FortiGuard Antispam Query,
enter an IP address, such as 8.8.8.8, and click Query.
7. Confirm that a Query result and Query score are returned such as Score: 7, Not spam.
If the Query result is No response, or if the antispam license status on Dashboard

> Status is Trial, then change the FortiGuard service port setting, click Apply, and
then test the connection again.
8. Click Dashboard > Console.

9. Type execute update now and press Enter.
To configure an antispam action profile

1. Click Profile > AntiSpam > Action.
2. Click New.
3. Configure a new action profile using the following values:

DO Exercise
NOT1: Scan
REPRINT
Incoming Email for Spam
© FORTINET
Field Value
Domain internal.lab
Profile name AS_In_User_Quar
Final action Personal quarantine
4. Click Create.
To create a resource profile

1. Click Profile > Resource > Resource.
2. Click New.
3. Configure a new resource profile using the following values:
Field Value
Domain internal.lab
Profile name: Resource_AS_In_User_Quar
Send quarantine report Enabled
Web release Enabled
Email release Enabled
Safelist sender of released message Disabled
4. Click Create.
To create an antispam profile

1. Click Profile > AntiSpam > AntiSpam.
2. Click New.
3. Configure a new antispam profile using the following values:
Field Value
Domain internal.lab
Profile name AS_In
Default action AS_In_User_Quar
4. Click Create.
5. In the Domain drop-down list, select internal.lab.
6. Select the AS_In antispam profile, and click Edit.
7. Enable the following antispam techniques:

DO Test
NOT REPRINT
the Antispam Configuration Exercise 1: Scan Incoming Email for Spam
© FORTINET
l FortiGuard
l IP Reputation
l Extract IP from Received Header
l URI filter:Primary: phishing
l DMARC check
l Behavior analysis
l Header analysis
l Heuristic
l The percentage of rules used: 100
l Suspicious newsletter
l Newsletter
To apply antispam scanning on all inbound email

3. In the AntiSpam profile drop-down list, select AS_In.
4. In the Resource profile drop-down list, select Resources_AS_In_User_Quar.
Test the Antispam Configuration
To test your antispam settings, you will use the swaks tool on the Linux VM to send spam to
user1@internal.lab.
To test the antispam configuration

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linuxfrom the saved sessions.
2. Click Load.
3. Click Open.
and click Open.

5. After logging in, you will be at the /home/student directory. To verify type pwd.
6. Go to the directory spam_samples located in the Resources folder: cd Resources/spam_samples.
7. Type pwd, and make sure you are in the right directory: /home/student/Resources/spam_samples.
8. Run the following swaks command to generate spam emails. A copy of the command is in a text file named
commands.txt, which is located in the Resources folder on the Windows Desktop.

DO Exercise
NOT1: Scan
REPRINT
Incoming Email for Spam Test the Antispam Configuration
© FORTINET
for ii in `ls`; do swaks -s 10.0.1.11 -f spam@external.lab -t user1@internal.lab -d
$ii; done
9. Wait until all the spam emails are sent.
10. Close the PuTTY window
To verify the antispam configuration

1. Go to the IntGW FortiMail’s management GUI:
2. Click Dashboard > Status.

3. On the Statistics Summary you can see current information on the total number of email messages received,
the percentage of spam detected, and the type of antispam technique used to detect most of the spam.

5. You should see all the history logs associated with the spam email.

DO Test
NOT REPRINT
the Antispam Configuration Exercise 1: Scan Incoming Email for Spam
© FORTINET
6. Click the Session ID link of a history log entry, and review the related antispam log for the session.

DO NOT REPRINT
© FORTINET
Exercise 2: Scan Outgoing Email for Spam
In this exercise, you will configure outbound antispam scanning on the IntGW FortiMail. Then, you will test the
configuration by sending an outbound email message containing a banned word.
To configure an outbound antispam profile


3. Click Profile > AntiSpam > AntiSpam.
4. Click New.
Field Value
Domain System
Profile name AS_Out
Default action Reject_Outbound
6. Enable Banned word.

7. Click Configuration, and then add some words to include in your banned word list. For each word, select whether
FortiMail will scan the subject, body, or both, as follows:
8. Click OK to close the window.

To apply antispam scanning on outbound email

1. Click Policy > Recipient Policy > Outbound.
2. Select policy ID 2, and then click Edit.

DO NOT REPRINT Exercise 2: Scan Outgoing Email for Spam
© FORTINET
3. In the Profiles section, in the AntiSpam drop-down list, select AS_Out.
To verify the antispam configuration

1. Open Thunderbird.
2. Send an email to extuser@external.lab that contains one of the banned words.
You should receive a delivery status notification (DSN) message.
3. Open the DSN and review the transcript details.

Sample output:
An error occurred while sending mail. The mail server responded: 554 5.7.1 This email
from IP 10.0.1.99 has been rejected. The email message was detected as spam.


The first entry in the History log should correspond to the rejected email message.
6. Review the log and verify that the appropriate action was applied to the outbound email message.
7. Click the Session ID link to review the cross search result for more details.

DO NOT REPRINT
© FORTINET
Exercise 3: User Quarantine Management
An email user can access their list of quarantined email messages using either POP3 or webmail. In this exercise,
you will access the user1@internal.lab quarantine mailbox on the IntGW FortiMail on the webmail GUI.
You will also configure quarantine report scheduling and generate an on-demand quarantine report. Then, you
will explore the options available in a quarantine report.
To access the personal quarantine

1. Open a new tab in the web browser, and go to the IntGW FortiMail webmail GUI:

In the webmail interface of the gateway mode FortiMail, a user has access to the Bulk folder for quarantined
email messages only. You should see all the quarantined spam messages in the Bulk folder.
3. Try releasing an email from the quarantine mailbox to the user’s inbox.
4. Try deleting a quarantined email.
5. Log out of the webmail interface after you’re finished.
To configure quarantine reports

2. Click Security > Quarantine > Quarantine Report.

3. In the Schedule section, enable the following days and times only:
l These hours: 9:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00
l These days: Mon Tue Wed Thu Fri
4. In the Quarantine report template drop-down list, select default-with-icons.
FortiMail auto-generates quarantine reports on schedule only for accounts that have
quarantined email. If a user’s quarantine account is empty, then no report is generated
for that account.

DO NOT REPRINT Exercise 3: User Quarantine Management
© FORTINET
To generate quarantine reports on demand
1. Click Monitor > Quarantine > Personal Quarantine.
2. Select the user1@internal.lab mailbox.
3. Click Send quarantine report to > Selected users.
4. Click OK.
To view the quarantine report

2. Open the quarantine report.
The subject should contain the words “Quarantine Summary”.
You can release or delete each quarantined email message using ether web or email actions.
3. Try using the web delete action:
4. The end of the quarantine report contains options to delete all quarantined email messages using either an email
or a web action:

DO Exercise
NOT3: User
REPRINT
Quarantine Management
© FORTINET
5. Select the web action to delete all of the quarantined email messages for user1@internal.lab.

DO NOT REPRINT
© FORTINET
Exercise 4: Impersonation Analysis
In this exercise, you will configure Fortimail to inspect all email communications for messages designed to
impersonate critical personnel and to take appropriate action on these types of messages.
Impersonation analysis is used to detect an email spoofing attack that attempts to deceive the recipient by using
a forged header to make the message appear as though it comes from a trusted sender
To configure an impersonation analysis profile

1. In Windows, open a web browser, and go to the IntGW FortiMail management GUI:

3. Click Profile > Antispam > Impersonation.
4. Click New to create a new impersonation profile.
5. In the Profile Name field, type impersonation.
6. In the Impersonation Entry section, click New.
7. Configure the dictionary entry using the following values:
Field Value
Display name pattern: Corporate CEO
Pattern type Wildcard
Email address ceo@fortinet.com
8. Click Create to save the entry.

9. Click Create to save the impersonation profile.

DO Exercise
NOT4: Impersonation
REPRINT Analysis
© FORTINET
To apply impersonation to the antispam profile

1. Click Profile > Antispam > Antispam.
2. In the Domain: drop-down list, select internal.lab
3. Edit AS_In.
4. Enable & expand the Impersonation analysis feature set.
5. In the drop-down list, select the impersonation profile impersonation.
6. Click OK.
Assuming that you have completed the previous exercises in this lab, the antispam
profile AS_In should already be applied to the inbound recipient policy. Policy >
Recipient Policy > Inbound.
To test impersonation
2. Click Load.
3. Click Open.
and click Open.
4. Log in as studentusing the password password.


DO NOT REPRINT Exercise 4: Impersonation Analysis
© FORTINET
6. Run the following swaks command to impersonate a high-target user. A copy of the command is in a text file
named commands.txt, which is located in the Resources folder on the Windows desktop.
swaks -f extuser@external.lab -t user1@internal.lab -s 10.0.1.11 --header-
From "Corporate CEO <extuser@external.lab>"
To review the logs


The first entry in the History log should correspond to the email that was sent. Notice the values in the
Classifier and Disposition columns.

4. Review the antispam log related to the session.

DO NOT REPRINT
© FORTINET
Exercise 5: Bounce Verification (Backscatter)
In this exercise, you will configure backscatter to detect spam contents in delivery status notifications (DSN).
Disable Recipient Address Verification
You will need to disable recipient address verification on the FortiMail IntGW so that you can test backscatter.
To disable recipient address verification


4. Edit the domain internal.lab.
5. Expand Recipient Address Verification.
6. Select Disable.
7. Click OK.
To send an email to an invalid user

2. Click Load.
3. Click Open.
and click Open.

6. Run the following swaks command to send an email to an invalid nonexistent user. A copy of the command is in a
text file named commands.txt, which is located in the Resources folder on the Windows desktop.
swaks -f user1@internal.lab -t nonexistent@internal.lab -s 10.0.1.11 --ehlo
10.0.1.254 --body 'buy while supplies last'
7. Close the PuTTY session.
To verify the DSN email on Thunderbird

2. Open the DSN email with the subject Returned mail: see transcript for details.
3. The spam is attached to the DSN email.

DO Disable
NOTRecipient
REPRINT
Address Verification Exercise 5: Bounce Verification (Backscatter)
© FORTINET
To configure bounce verification

1. Go to the IntSRV FortiMail’s management GUI:
2. Log in as admin with password password.

3. Click Security > Bounce Verification > Settings.
4. Click New and, in the Key name field, type internal.
5. Set the Status to Active.

DO Exercise
NOT5: Bounce
REPRINT
Verification (Backscatter) Disable Recipient Address Verification
© FORTINET
6. Click Create.
7. Enable Enable bounce verification.
8. Set Bounce verification action: to Discard.
9. Leave the rest to default settings.
10. Click Apply.
11. Verify your settings:
To send an email to an invalid user

2. Click Load.
3. Click Open.
and click Open.

6. Run the following swaks command to send an email to an invalid nonexistent user. A copy of the command is in a
text file named commands.txt, which is located in the Resources folder on the Windows desktop.
swaks -f user1@internal.lab -t nonexistent@internal.lab -s 10.0.1.11 --ehlo
10.0.1.254 --body 'buy while supplies last'
7. Close the PuTTY session.
To verify the Bounce Verification log

1. Go to the IntSRV FortiMail management GUI:

DO Disable
NOTBounce
REPRINT
Verification Exercise 5: Bounce Verification (Backscatter)
© FORTINET
2. Log in as admin with password password.
4. The first log should correspond to the email you just sent.
5. Verify the Classifier and Disposition.
Disable Bounce Verification
You will need to disable bounce verification because it could interfere with the next lab exercise.
To disable bounce verification

1. Click Security > Bounce Verification > Settings.
2. Disable Enable bounce verification.

DO NOT REPRINT
© FORTINET
Lab 7: Content Inspection
In this lab, you will configure a content filter to monitor email based on dictionary word scores. You will also
configure the data loss prevention (DLP) feature to detect and block any outbound email containing credit card
numbers. Finally, you will configure and verify the content disarm and reconstruction (CDR) feature on FortiMail.
CDR neutralizes suspicious content in an email and delivers a clean copy of the email to the end user.
Objectives
l Configure a dictionary profile to monitor words using scores
l Configure a content profile to monitor and filter the dictionary profile
l Apply content filtering on all inbound email
l Configure DLP to detect credit card numbers in an email body and attachments
l Apply DLP on all outbound email
l Configure CDR to detect HTML tags and URIs in an email body and attachments
l Apply CDR to all inbound email
Time to Complete
Prerequisites
To restore the initial configuration file

1. On Windows, open a web browser, and go to the IntSRV FortiMail management GUI:
3. Click Restore.
6. Wait for the VMs to finish restarting before proceeding with the exercise.
The configuration files disable bounce verification on IntSRV and the antispam profile
on IntGW that can potentially interfere with the content inspection testing you will do
in this lab.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Content Inspection
In this exercise, you will configure the content monitoring and filtering options of a content profile to scan for
specific pattern occurrences in inbound email. Then, you will configure the action to be applied after the same
word occurs three times in an email message.
To configure a dictionary profile

1. On Windows, open a web browser, and visit the IntGW FortiMail management GUI:

3. Click Profile > Dictionary > Dictionary.
4. Click New.
5. Name the profile WordScores.
6. In the Dictionary Entries section, click New.
Field Value
Pattern fortimail
8. Click Create to save the entry.

9. Click Create to save the dictionary profile.
If Enable pattern maximum weight limit is disabled, the pattern can increase an
email’s dictionary match score by more than the amount entered in the Pattern max
weight field.
To configure a content profile

1. Click Profile > Content > Content.
2. Click New.
3. Configure a new content profile using the following values:
Field Value
Domain System
Profile name CF_Dictionary
Action SysQuarantine_Inbound

DO Exercise
NOT1: Configuring
REPRINT Content Inspection
© FORTINET
4. Expand the Content Monitor and Filtering section.
5. Click New.
6. Configure the content monitor profile using the following values:
Field Value
Dictionary profile
WordScores
Minimum score 3
7. Click Create to save the content monitor profile.

8. Click Create to save the content profile.
Setting the Minimum score to 3 ensures that the action profile is applied only after
FortiMail has found three occurrences of the pattern in a single email message.
To apply content inspection to inbound email

2. In Recipient Policies, select the incoming policy for internal.lab (that is, policy ID 1).
3. Click Edit.
4. In the Profiles section, change the Content profile to CF_Dictionary.
5. Click OK.
To test the content profile


3. Compose a new email message to user1@internal.lab.
4. Copy the contents of the following file, and paste it into the body of the email message:
Desktop\Resources\Files\messagebody.txt
FortiMail appliances provide high-performance email routing and security by utilizing multiple high-accuracy
antispam filters. As part of the Fortinet Security Fabric, FortiMail prevents your email systems from
becoming threat delivery systems. FortiMail can be deployed in the cloud or on premises and gateway, inline
and server modes in a range of appliance or virtual machine form factors.
5. Click Send.
To review the logs


DO NOT REPRINT Exercise 1: Configuring Content Inspection
© FORTINET
The first entry in the Historylog should correspond to the email that was sent. Notice the values in
theClassifier and Disposition columns.
3. In the Session ID column, click the link to retrieve the cross-search results.
To access the system quarantine

1. Click Monitor > Quarantine > System Quarantine.
2. Double-click the Content/current mailbox.
The quarantined email will appear here.
To perform a sanity check (optional)

1. Go to the ExtSRV webmail GUI:

DO Exercise
NOT1: Configuring
REPRINT Content Inspection
© FORTINET
2. Compose a new email to user1@internal.lab.
3. Copy and paste the same message body, but remove two occurrence of the word FortiMail, and then send the
email message.
4. Open Thunderbird, and verify that the email message was delivered to the user1@internal.lab inbox.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring DLP
In this exercise, you will configure a DLP profile and DLP action profile on the IntGW FortiMail. Then, you will
apply the DLP profile to a recipient-based policy, to scan all outbound email sent from the internal.lab domain.
To configure a DLP rule to scan for credit card numbers

2. Log in as admin and leave the password filed empty.
3. Click Data Loss Prevention > Rule and Profile > Rule.
4. Click New to create a new message scan rule.
5. In the Name field, type ScanCreditCards.
6. In the Conditions section, click New.
7. In the first Condition drop-down list, select Body and Attachment.

DO Exercise
NOT2: Configuring
REPRINT DLP
© FORTINET
8. In the second Condition drop-down list, select contains sensitive data.
9. Click Edit.
10. Select the Credit_Card_Number data template, and then click OK.
11. Click Create to save the scan condition.
12. Verify that your Message Scan Rule matches the following example, and then click Create to save the rule.

DO NOT REPRINT Exercise 2: Configuring DLP
© FORTINET
To configure a DLP profile to apply the DLP rule and action profile
1. Click Data Loss Prevention > Rule & Profile > Profile.
2. Click New to create a new DLP profile.
3. In the Name field, enter DLP_Out.
4. Beside the Action drop-down list, click New.
5. Create a new action profile using the following values:

DO Exercise
NOT2: Configuring
REPRINT DLP
© FORTINET
Field Value
Profile name DLP_Out_Sys_Quar
Final action Enable
System quarantine
Folder name Dlp
6. Click Create to save the action profile.
7. In the Content Scan Settings section, click New.
8. In the Scan rule drop-down list, select ScanCreditCards.

9. Click Create to save the DLP content scan settings.

© FORTINET
10. Verify that your DLP profile matches the following screenshot, and then click Create to save the profile.
To apply DLP scanning for outbound email

2. Edit the outbound recipient policy.

DO Exercise
NOT2: Configuring
REPRINT DLP
© FORTINET
3. In the Profiles section, in the DLP drop-down list, select DLP_Out.
Test DLP Functionality

1. On Windows, open Thunderbird.
2. Click Write to compose a new email message using the following values:
Field Value
Subject DLP Credit Card Test
Message Body DLP test email
3. Click Attach to select a file as an attachment.

4. Browse to and select:
Desktop\Resources\Files\sample.pdf
5. Click Send.
The email message won’t be delivered to extuser@external.lab because the IntGW

FortiMail should detect the credit card numbers in the PDF file, and apply the system
quarantine action.
To review the logs

1. Got to the IntGW FortiMail management GUI:

© FORTINET
The first entry in the history log should correspond to the email message you just sent.
You can also view the logs in Monitor > Quarantine > System Quarantine.
6. Double click Dlp/current.

DO NOT REPRINT
© FORTINET
Exercise 3: Configuring CDR
In this exercise, you will configure CDR options in a content profile to scan the HTML content within email bodies
and attachments that may contain potentially hazardous tags and attributes, such as hyperlinks and scripts.
FortiMail provides the capability to remove or neutralize potentially hazardous contents and reconstruct the email
messages and attachment files.
To configure action profile for sanitized email

1. On Windows, open a web browser, and go to the IntGW FortiMail management GUI:

3. Click Profile > Content > Action.
4. Click New.
Field Value
Domain internal.lab
Profile name CDR_User_Quar
Tag Subject Enable
[Sanitized Content]
Deliver to original host Enable
Final action Enable
Personal quarantine
6. Click Create.
To configure CDR in content profile

2. Click New.
Field Value
Domain internal.lab
Profile name CDR
Action CDR_User_Quar

DO Quarantine
NOT REPRINTan Unmodified Copy Exercise 3: Configuring CDR
© FORTINET
4. Expand the Content Disarm and Reconstruction section.
5. Configure the following values
Filed Value
Action Default
Enable
HTML content
Sanitize HTML content
Text content Enable
Remove URIs
PDF Enable
To apply content inspection to inbound email

2. Edit policy ID 1.
3. In the Profiles section, in the Content drop-down list, select CDR .
4. Click OK.
Quarantine an Unmodified Copy
When CDR is configured, the user receives a reconstructed email and attachment. If the user wants to view the
original email, then they can quarantine an unmodified copy of the email for review.
To quarantine an unmodified copy

1. Click Security > Other> Preference.
2. Beside Personal quarantine,select Unmodified copy.
3. Click Apply.

DO NOT REPRINT
© FORTINET
Exercise 4: Verifying CDR
In this exercise, you will test and verify CDR features that you configured in the previous exercise.
You will test sanitizing a PDF file containing HTML links, URL removal, and HTML email sanitation.
To test the CDR pdf


3. Compose a new message to user1@internal.lab.
4. Click Attach.
5. On the Windows desktop, browse to Resources > Files.
6. Select the file labdoc.
7. Wait for the file to upload.
8. Click Send.
To review the logs


The first entry in the Historylog should correspond to the email that was sent.
3. Review the values for Classifier and Disposition.
5. Review the log message.

DO NOT REPRINT Exercise 4: Verifying CDR
© FORTINET
The recipient will receive the disarmed email.
6. Open theThunderbird client and verify that user1 received the sanitized email with the attachment.
To access the personal quarantine

1. Go to the IntGW webmail GUI:
2. Log in as user1 with the password fortinet.

An unmodified copy of the email is available in the Bulk folder.
3. Open the email to view the attached unmodified PDF file.

DO Exercise
NOT4: Verifying
REPRINTCDR Verify URI Removal
© FORTINET
Stop and think!
Compare the two pdf files: the one that was quarantined and the other email that the user received in the
email client.
Case 1: Open the pdf labdoc file that was attached to the email in Thunderbird and click on the URL
links. Do the links redirect you to the websites?
Case 2: Open the pdf labdoc file that was attached to the email in the personal quarantine folder and
click on the URL links. Do the links redirect you to the websites?
In case 1, the links have been neutralized by CDR; therefore, you are unable to visit the websites
corresponding to those links.
In case 2, the links are active, because it is the original file.
Verify URI Removal
You will test the URI removal feature which detects URIs in email messages. If the feature finds URIs, FortiMail
removes them from the text portion of the email message.
To verify URI removal

1. On Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.
You can also enter the IP address of the Linux machine, which is 10.0.1.254 and
click Open.

5. Type pwd to verify that you are at the/home/student directory, after successfully logging in.
6. Run the following swak command to send URL links, one of which is malicious.
A copy of the command is available in a text file named commands.txtwhich is located in the Resources
folder on the Windows desktop.
swaks -f extuser@external.lab -t user1@internal.lab -s 10.0.1.11 --ehlo
10.0.1.254 --body 'please visit http://www.fortinet.com and
http://www.wicar.org and http://www.cnn.com'
7. On Thunderbird, open the email and verify that the malicious URL has been removed.

DO Verify
NOT HTMLREPRINT
Sanitization Exercise 4: Verifying CDR
© FORTINET
9. Log in as user1using the password fortinet.

An unmodified copy of the email is available in the Bulkfolder.
10. Go to the IntGW management GUI:


12. Click Monitor > Log> History.
The first log corresponds to the email that was just sent.
13. Review the values in the Classifierand Dispositioncolumns.
Verify HTML Sanitization
You will send an email with HTML body content and verify that the user receives a clean email from which all
potentially hazardous tags and attributes (such as hyperlinks and scripts) are removed.
To verify HTML sanitization

1. On the Window taskbar, click the PuTTY icon, and then select Linuxfrom the saved sessions.
2. Click Load.
3. Click Open.
and click Open
4. Log in as studentusing the password password.

5. Verify that, after successfully logging in, you are at the /home/student directory.
6. Run the following swak command to send an email with HTML content. A copy of the command is available in a
text file name commands.txtwhich is located in the Resources folder on the Windows desktop.
cat Resources/tosanitize.dat | swaks -f extuser@external.lab -t
user1@internal.lab -s 10.0.1.11 --ehlo 10.0.1.254 --data -
Swak takes the contents of the file tosanitize.dat, which contains HTML links
and attributes, and sends it to the user named in the body of the email.

DO Exercise
NOT4: Verifying
REPRINTCDR Verify HTML Sanitization
© FORTINET
7. Open Thunderbird and review the email.
8. Click in the body of the email.
All links in the body of the email have been neutralized by CDR.

10. Log in as user1 with the password fortinet.

An unmodified copy of the email is available in the Bulk folder.
11. Select the email and release it to the user1's inbox.
12. Open Thunderbird and open the original email that was just released.
13. Click on the body of the email.
HTML links within the body of the email will redirect the user to various websites.
14. Go to the IntGW management GUI:


The first log corresponds to the email that was just sent.
17. Review the values in the Classifierand Disposition columns.

DO NOT REPRINT
© FORTINET
Lab 8: Securing Communications
In this lab, you will implement SMTPS between the IntGW and IntSRV FortiMail VMs. You will also configure
content inspection-based identity-based encryption (IBE) and verify your configuration by sending a secure email.
Objectives
l Implement SMTPS between IntGW and IntGW FortiMail devices
l Implement content inspection-based IBE
l Configure the dictionary profile with the trigger word
l Configure an encryption profile
l Configure a content action profile to apply the encryption profile
l Apply the dictionary profile and content action profile to a content profile
l Apply the content profile to an outbound recipient-based policy
l Register an IBE user, and access the IBE email
Time to Complete

DO NOT REPRINT
© FORTINET
Exercise 1: Implementing SMTPS
In this section, you will configure SMTPS between the IntGW and IntSRV FortiMail devices. You will also
compare logged details before and after implementing SMTPS.
To review logs
1. On Windows, open a web browser, and got to the ExtSRV FortiMail’s webmail GUI:

3. Send an email message to user1@internal.lab.

7. The first entry in the history log should correspond to the email you just sent.
8. Click the Session ID to retrieve the cross search result, and then review the last two entries, which contain details
about the session between the IntGW and IntSRV FortiMail devices.

DO NOT REPRINT Exercise 1: Implementing SMTPS
© FORTINET

DO Exercise
NOT1: Implementing
REPRINT SMTPS
© FORTINET
By default, FortiMail uses SMTP over TLS if the recipient MTA supports it. In this
session, IntSRV is the recipient MTA.
By default, SMTP over TLS is enabled on FortiMail.
To configure SMTPS
1. Go to the IntGW FortiMail’s management GUI:

3. Select internal.lab and click Edit.
4. Enable Use SMTPS.
5. Click OK to save the change.
To verify SMTPS
1. Go to the ExtSRV FortiMail webmail GUI:
2. Send another email to user1@internal.lab.


The first entry in the history log should correspond to the email message you just sent.

DO NOT REPRINT Exercise 1: Implementing SMTPS
© FORTINET
5. Click the session ID to retrieve the cross-search result, and then review the last two entries, which should
indicate the switchover to SMTPS from STARTTLS.

DO Exercise
NOT1: Implementing
REPRINT SMTPS
© FORTINET
The underlying encryption mechanism for SMTPS and SMTP over TLS is the same.
Both protocols use SSL or TLS. In this case, the FortiMail devices negotiated
TLSv1.2. The difference exists in how and when that TLS encryption is applied.
When SMTP over TLS is used, the connection is made on the standard SMTP port—
TCP port 25. If the recipient MTA supports the STARTTLS extension, the sender
chooses whether SMTP over TLS is used by transmitting the STARTTLS message.
This STARTTLS request happens after the envelope exchange, and so, in SMTP over
TLS only a portion of the session is encrypted.
When SMTPS is used, the client initiates the SMTP session with the server over a
fully-encrypted tunnel using a separateTCP port: port 465. SMTPS encrypts the full
session.

DO NOT REPRINT
© FORTINET
Exercise 2: Implementing Content Inspection-Based IBE
In this exercise, you will configure content inspection-based IBE. You will also verify your configuration by sending
an IBE email message and reviewing the logs.
To configure the IBE service

1. On Windows, open a web browser, and got to the IntGW FortiMail management GUI:

3. Click Encryption > IBE > IBE Encryption.
4. Configure the IBE Service settings using the following values:
Field Value
Enable IBE service Enabled
IBE service name Internal Lab Secure Portal
Allow secure replying Enabled
Allow secure forwarding Enabled
Allow secure composing Enabled
IBE base URL intgw.internal.lab
Send notification to sender Enabled

when message is read
To configure a dictionary profile with the trigger word

1. Click Profile > Dictionary > Dictionary.
2. Click New.
3. Name the profile IBEDictionary.
4. In the Dictionary Entries section, click New.
Field Value
Pattern \[CONFIDENTIAL]
Search header Enabled

DO Exercise
NOT2: Implementing
REPRINT Content Inspection-Based IBE
© FORTINET
Field Value
Search body Disabled
6. Click Create to save the dictionary entry.

7. Click Create to save the dictionary profile.
To configure an encryption profile for pull method delivery

1. Click Profile > Security > Encryption.
2. Select the IBE_Pull profile, and then click Edit.
3. In the Encryption algorithm drop-down list, select AES 256.
To configure a content action profile to apply IBE encryption

1. Click Profile > Content > Action.
2. Click New.
3. Configure a new content action profile using the following values:
Field Value
Domain System
Profile name CF_IBE_Pull
Final action: Enabled Encrypt with profile
IBE_Pull
To configure a content profile to apply IBE encryption based on dictionary match

2. Click New.
Field Value
Domain System
Profile name CF_Out
Action CF_IBE_Pull
4. Expand the Content Monitor and Filtering section.

5. Click New.
6. In the Dictionary drop-down list, select profile and IBEDictionaryprofile.

DO NOT REPRINT Exercise 2: Implementing Content Inspection-Based IBE
© FORTINET
7. Click Create to save the Content Monitor profile.
8. Click Create to save the Content profile.
To configure an outbound recipient policy to apply the content profile

2. Double-click outgoing recipient policy ID 2.
3. In the Content drop-down list, select CF_Out.
To send an IBE email

2. Click Write.
Field Value
Subject [CONFIDENTIAL] Requires immediate attention
Message body Did you leave the stove on?
4. Click Send.
To verify IBE operations using logs


The first entry in the history log should correspond to the email you just sent.
3. Click the Session ID link to retrieve the cross search results and review the antispam, and encryption logs related
to the session.

DO Exercise
NOT2: Implementing
REPRINT Content Inspection-Based IBE
© FORTINET

DO NOT REPRINT
© FORTINET
Exercise 3: Accessing IBE Emails
In this exercise, you will register a new IBE user. Then, you will log in to the secure portal to retrieve the IBE
email. You will also see the message read notification email messages that the sender receives after the IBE user
has read the IBE email.
To register an IBE user

1. On Windows, open a new web browser and go to the ExtGW FortiMail webmail GUI:

3. Open the IBE notification email.
4. Click the link in the notification email to access the encrypted email.
5. Click Register.

DO Exercise
NOT3: Accessing
REPRINTIBE Emails
© FORTINET
6. Complete the registration form, and then click Register.

When the registration is complete, webmail should display a notification that the registration was successful.
During registration if you get an invalid user error, you can ignore it, the user has
been created even though you get the error.
7. Click Continue.
After registration, you will be returned to a login page.
To access the IBE email

1. Type the password that you entered during the registration process, and then click Open.
The secure portal displays the contents of the IBE email.

DO NOT REPRINT Exercise 3: Accessing IBE Emails
© FORTINET
In the IBE Service configuration, you enabled secure replying.
2. Reply to the IBE email message to observe the behavior.
To access the message read notification

The following notification is generated when extuser@external.lab reads the IBE email.

DO NOT REPRINT
© FORTINET
Lab 9: High Availability
In this lab, you will build an active-passive FortiMail HA cluster that has two FortiMail VMs. The cluster will
operate in server mode.
You will configure the IntSRV FortiMail (10.0.1.99) as the primary and the IntGW FortiMail (10.0.1.11) as
the secondary. You will verify the HA and configuration synchronization status, configure a virtual IP, and use the
HA service monitor to detect when the SMTP service connectivity fails on the primary FortiMail.
The lab network DNS server has the following CNAME records to aid in identifying the two clustered devices:
l primary CNAME intsrv.internal.lab

l secondary CNAME intgw.internal.lab
Objectives
l Configure a FortiMail HA group to synchronize their configuration and data
l Verify cluster health
l Configure HA virtual IP
l Configure remote services monitoring
Time to Complete
Prerequisites
Before beginning this lab, you must change the operation mode of the IntGW FortiMail.
To change the operation mode

1. On Windows, open a web browser, and visit the IntGW FortiMail’s management GUI.

4. On the System information widget, in the Operation mode drop-down list, select Server.
The system will prompt you twice about most settings being reset to factory defaults.
5. Click OK in both prompts.

DO NOT REPRINT Lab 9: High Availability
© FORTINET
6. Wait for the FortiMail to restart.

The FortiMail will still have an IP address assigned to the port1 interface. So, after it finishes restarting, you
should be able to access the management GUI again.
7. Log in to the management GUI, and then verify that the following system settings persisted:
l Interface (System > Network > Interface)
l Route (System > Network > Routing)
l DNS (System > Network > DNS)
9. Verify the status of the following mail settings. The settings should have reset to factory default values.
l Mail server settings (System > Mail Settings > Mail Server Settings)
l Domains (Domain & User > Domain > Domain)
10. The IntGW FortiMail is ready to be configured as a secondary device in the cluster.
Caution: When doing the lab exercises, ensure you are applying the configuration
changes to the correct FortiMail VM.
If at any point you wish to reset the configuration state for the FortiMail VMs, you can
restore the following configuration files:
IntGW : Desktop\Resources\Starting Configs\Lab 9\09_Reset_

IntGW.tgz
IntSRV: Desktop\Resources\Starting Configs\Lab 9\09_Reset_

InSRV.tgz
Always restore the secondary unit first, and then the primary. The configuration files
will restore the VMs to the standalone states they were in at the end of the Securing
Communications on page 112 lab.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring the Primary FortiMail
In this exercise, you will configure the mail server settings on the primary FortiMail. Then, you will configure the
HA settings.
To configure mail server settings on the primary device

1. On Windows, open a web browser, visit the primary FortiMail's management GUI:
https://primary.internal.lab/admin
Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the
self-signed FortiMail certificate.

4. Change the Host name field to primary, and then click Apply to save the change.
To configure HA on the primary device

1. Click System > High Availability > Configuration, and then configure the following values:
Field Value
Mode of operation master
On failure wait for recovery then restore slave role
Shared password fortinet
2. Expand the Advanced options section, and then configure the following values:
Field Value
Backup mail data directories Enabled
Backup MTA queue Enabled

directories
3. Click Apply.
4. In the Interface section, double-click port1 and configure the following settings:
Field Value
Enable port monitor Enabled
Heartbeat status Primary
Peer IP address 10.0.1.11
5. Click OK and Apply to save the HA interface configuration.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring the Secondary FortiMail
In this exercise, you will configure the mail server settings on the secondary FortiMail because they are not
synchronized. Then, you will configure the HA settings, and verify that the cluster has formed.
To configure mail server settings on the secondary device

1. Open a new tab in the web browser and go to the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin

3. In the admin drop-down, select Advanced mode.
4. Click OK.
Field Value
Hostname secondary
7. Click Apply.
To configure HA on the secondary device

1. Click System > High Availability > Configuration.
Field Value
Mode of operation slave
On failure wait for recovery then restore slave role
Shared password fortinet

DO Exercise
NOT2: Configuring
REPRINT the Secondary FortiMail
© FORTINET
3. Expand the Advanced options section, and then configure the following values:
Field Value
Backup mail data directories Enabled
Backup MTA queue Enabled

directories
4. Click Apply.
5. In the Interface section, double-click port1.
Field Value
Enable port monitor Enabled
Heartbeat status Primary
Peer IP address 10.0.1.99

8. Click System > High Availability > Status.
9. Click Refresh to update the daemon status.
As soon as the two devices join in a cluster and complete synchronization, the
secondary device’s management GUI session will time out and return you to the login
prompt. This process may take a few minutes.

DO NOT REPRINT
© FORTINET
Exercise 3: Verifying Cluster Health
In this exercise, you will verify the HA and configuration synchronization status.
To verify the HA status

1. Go to the primary FortiMail management GUI:

3. On the System Information widget, verify that the HA mode values are Configured: master, Effective:
master.
4. You can find the same information by clicking System > High Availability > Status.

DO Exercise
NOT3: Verifying
REPRINTCluster Health
© FORTINET
5. Go to the secondary FortiMail’s management GUI:

6. Verify the HA status of the secondary FortiMail.

DO NOT REPRINT Exercise 3: Verifying Cluster Health
© FORTINET
To verify configuration synchronization status

1. On the secondary FortiMail, verify domains (Domain & User > Domain > Domain).
2. Verify users (Domain & User > User > User).
3. Verify LDAP (Profile > LDAP > LDAP).
The steps 1 to 3 are configuration elements that should have been synchronized from the primary FortiMail.
4. Go to the primary FortiMail’s management GUI:


6. Click New.
Don’t change any values.
7. Click Create.
8. Go to the secondary FortiMail management GUI:

DO Exercise
NOT3: Verifying
REPRINTCluster Health
© FORTINET
9. Click Policy > Recipient Policy > Inbound, and then verify that the new policy has synchronized with the
secondary device.
To verify configuration synchronization status (alternate method)


3. On the Console widget, type the following command:
# diagnose system ha showcsum
The console outputs the HA checksum for the primary device.
4. Open a new web browser tab, and visit the secondary FortiMail’s management GUI:

6. On the Console widget, type the following command:
# diagnose system ha showcsum
The console outputs the HA checksum for the secondary device.
7. Compare the checksum values of the two devices.

If they match, then their configurations are in sync.

DO NOT REPRINT
© FORTINET
Exercise 4: Configuring HA Virtual IP
In this exercise, you will configure a virtual IP for the HA cluster. You will also verify the virtual IP function by
forcing a failover.
To configure a virtual IP on the primary device


Field Value
Virtual IP action Use
Virtual IP address 10.0.1.100/24
To configure a virtual IP on the secondary device


Field Value
Virtual IP action Use
Virtual IP address 10.0.1.100/24
To verify the virtual IP configuration

1. Open a new web browser tab and use the virtual IP to access the management GUI:
https://10.0.1.100/admin

DO Exercise
NOT4: Configuring
REPRINT HA Virtual IP
© FORTINET
4. Verify the host name of the current cluster device that owns the virtual IP. It should be primary.
5. On Windows, open a command prompt window.

6. Initiate a telnet command to start an SMTP session to the virtual IP:
telnet 10.0.1.100 25
7. You should be presented with the following banner, which belongs to the primary device:
220 primary.internal.lab ESMTP Smtpd;
To failover to the secondary device

1. Go to the cluster management GUI:

3. In the Actions section, click Switch to SLAVE mode.
The system prompts you to verify this action.
4. Click OK.
This forces a failover to the secondary device.
5. Wait a few seconds, and then reload the management GUI.

You should be returned to the login prompt.
To verify the virtual IP after failover

2. Verify the hostname of the current cluster device that owns the virtual IP.
It should be secondary.

DO NOT REPRINT Exercise 4: Configuring HA Virtual IP
© FORTINET
3. On Windows, open a command prompt window.

4. Initiate a telnet command to start an SMTP session to the virtual IP:
telnet 10.0.1.100 25
5. The following banner, which belongs to the secondary device, should appear:
220 secondary.internal.lab ESMTP Smtpd;
6. Close the command prompt window.
To restore the cluster

1. Go to the cluster management GUI:

3. In the Actions section, click Restore to configured operating mode.
The system prompts you to verify your action.
4. Click OK.
This forces a failover to the primary device.
5. Wait a few seconds, and then reload the management GUI.

You should be returned to the login prompt.

8. Verify that the primary FortiMail was restored to the master role.

DO NOT REPRINT
© FORTINET
Exercise 5: Monitoring Remote Services
In addition to hardware failure, it’s often useful for cluster devices to monitor the network connectivity and
services of each other. This ensures a failover occurs if any of these services experience an outage.
In this exercise, you will configure remote SMTP service monitoring on both cluster devices. Then, you will trigger
a service-based failover to verify the configuration, and then verify the failover using event logs.
To configure service monitoring on the primary device


3. In the Service Monitor section, double-click Remote SMTP.
Field Value
Enable Enabled
Remote IP 10.0.1.11
Timeout 10
Interval 30
Retries 2
For the purposes of this lab, you are reducing the time values to their lowest
configurable value to speed things up. In a live production environment, the default
values are a good place to start. You can fine tune them as you discover what kind of
outage your email network can tolerate.
Using this procedure, you configured the secondary device to test the primary’s
device’s port 25 connectivity every 30 seconds (Interval). If a connection attempt
times out for 10 seconds (timeout) it is considered a failure. Two (retries) failures
must occur before the secondary device forces a failover.
5. Click OK and Apply to save the changes.
To configure service monitoring on the secondary device


3. In the Service Monitor section, double-click Remote SMTP.

DO NOT REPRINT Exercise 5: Monitoring Remote Services
© FORTINET
Field Value
Enable Enabled
Remote IP 10.0.1.99
Timeout 10
Interval 30
Retries 2
5. Click OK and Apply to save the changes.
To trigger a service-based failover


3. Change the SMTP server port number value to 125.
4. Click Apply.
Using this procedure, you changed the SMTP service port on the primary FortiMail to
port 125. Because of this change, the secondary FortiMail can no longer detect SMTP
services on port 25 and should trigger a failover based on remote service failure.
You must to wait a few minutes for the secondary device to go through the service
monitoring check schedule before a failover is triggered.
To verify service-based failover

1. Visit the secondary FortiMail’s management GUI:
2. Click Monitor > Log > System Event.

3. In the Type drop-down list, select HA, and keep clicking the refresh icon to see the latest logs related to HA
events.

DO Exercise
NOT5: Monitoring
REPRINT Remote Services
© FORTINET
Event logs related to the remote SMTP service should show up when the secondary device detects failure for
the first time.
After the second detection, the secondary device takes over as the active member.

5. On the System Information Widget, verify that the HA mode values are Configured: slave, Effective:
master.

DO NOT REPRINT Exercise 5: Monitoring Remote Services
© FORTINET


8. On the System Information Widget, verify that the HA mode values are Configured: master, Effective:
failed.
To restore the cluster


DO Exercise
NOT5: Monitoring
REPRINT Remote Services
© FORTINET
3. Change the SMTP server port number value back to 25.
4. Click Apply.
6. In the Actions section, click Restart the HA system.
The system prompts you to confirm your action.
7. Click OK.
8. Click Refresh.
The primary FortiMail reverts to the master role.
9. Click Monitor > Log > System Event.

10. In the Sub type drop-down list, select HA.
11. Review the log messages related to the HA events.

DO NOT REPRINT
© FORTINET
Lab 10: Server Mode
In this lab, you will configure server mode resource profiles, and see their effect on user resource allocation. You
will also populate the global address book from the LDAP server.
Objectives
l Configure resource profiles
l Configure LDAP mapping to import a domain address book
Time to Complete
Prerequisites


4. Click Restore.

8. Click OK.
The configuration files will restore the devices to the standalone states they were in
before you completed High Availability on page 125.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Resource Profiles
In this exercise, you will review the IntSRV FortiMai configuration. Then, you will configure resource profiles, and
observe their effects on resource allocation for email users.
To review the server mode FortiMail configuration

1. On Windows, open a web browser, and go to the IntSRV FortiMail webmail GUI:

3. Scroll to the bottom and find the Disk Usage value for user1.
If there are no resource profiles or domain-level service settings configured, there is a

system default 500 MB disk limit for each user mailbox.
4. Click the address book icon and find the address books that user1 has access to.
If there are no resource profiles configured, server mode users have access to their
personal address book only.
To configure a resource profile


DO NOT REPRINT Exercise 1: Configuring Resource Profiles
© FORTINET
2. Click Profile > Resource > Resource.
3. Click New.
4. Create a new resource profile using the following values:
Field Value
Domain internal.lab
Profile name PowerUsers
Disk quota (MB) 2000
5. Expand Webmail access and enable Domain address book.

7. Click New again.
8. Create another resource profile using the following values:
Field Value
Domain internal.lab
Profile name RegularUsers
Disk quota (MB) 1000
To apply the resource profile to a recipient policy

2. Click New.
3. Create a new recipient policy using the following values:
Field Value
Domain internal.lab
Recipient Pattern Type: User
user1
Resource PowerUsers

5. Click New again.
6. Create another recipient policy using the following values:

DO Exercise
NOT1: Configuring
REPRINT Resource Profiles
© FORTINET
Field Value
Domain internal.lab
Recipient Pattern Type: User
user2
Resource RegularUsers

The following two recipient policies should appear:
For larger deployments that have different levels of resource allocation requirements,
you can create recipient policies for local or LDAP groups, and assign resource profiles
using separate recipient policies.
To verify the resource profile configuration

1. Go to the IntSRV FortiMail webmail GUI:

If you were already logged in, you must log out and log back in for the resource profile changes to apply.
3. Verify user1 has the disk quota and address book access as defined in the PowerUsers resource profile.
4. Log out of user1’s account.
6. Verify user2 has the disk quota and address book access as defined by the RegularUsers resource profile.

DO NOT REPRINT
© FORTINET
Exercise 2: Address Book LDAP Import
In this exercise, you will review the existing LDAP profile you configured in Authentication on page 40. Then, you
will configure an LDAP mapping profile, and use the LDAP profile to import contacts into the domain address
book.
To review the existing LDAP profile


3. Double-click InternalLabLDAP.
4. Verify that the profile configuration matches the following settings:
5. Click Cancel.
When the LDAP mapping profile uses the existing LDAP profile to import contacts, it
starts from the base DN. To ensure the LDAP mapping profile doesn’t import Active
Directory system accounts, configure the base DN to point to the location of the user
accounts.

DO Exercise
NOT2: Address
REPRINT
Book LDAP Import
© FORTINET
To configure an LDAP mapping profile
1. Click Domain & User > Address Book > LDAP Mapping.
2. Click New.
3. Create a new mapping profile using the values shown here. To add new contact fields, click +.
Field Value
Mapping name InternalLabMapping
Email (Work) mail
Display name cn
First name givenName
Last name sn
Title title
Department department
Company name company
To review how to find LDAP attributes of Active Directory objects, you can refer to the
LDAP Operations exercise in Authentication on page 40.
The profile should match the following values:

DO NOT REPRINT Exercise 2: Address Book LDAP Import
© FORTINET
To import contacts from LDAP
1. Click Domain & User > Address Book > Contact.
2. In the Domain drop-down list, select internal.lab.
3. In the More drop-down list, select Import and then select LDAP.
Field Value
Select LDAP profile InternalLabLDAP
Select LDAP mapping InternalLabMapping
Overwrite existing contacts Enabled
Delete nonexistent contacts Enabled
5. Click OK.
The system notifies you that LDAP synchronization is running.
6. Click OK.
7. Click the refresh icon.
You should see all the users that were imported from the Training Users OU in the internal.lab address book.

DO Exercise
NOT2: Address
REPRINT
Book LDAP Import
© FORTINET
To verify the domain address book

1. Go tothe IntSRV FortiMail webmail GUI:

3. In the address book, verify that domain address book contains the imported contacts.

DO NOT REPRINT
© FORTINET
Lab 11: Transparent Mode
In this lab, you will configure a transparent mode FortiMail to process bidirectional email for the external.lab
domain using the built-in MTA. You will also configure and verify bidirectional transparency.
Objectives
l Configure a transparent mode FortiMail to process bidirectional email
l Verify built-in MTA functionality
l Configure bidirectional transparency
Time to Complete

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring a Transparent Mode FortiMail
In this exercise, you will review the initial system configuration and the topology for the ExtTP FortiMail VM.
Then, you will perform the rest of the basic configuration tasks required to establish bidirectional email flow. You
will also verify built-in MTA functionality using logs.
To review the initial system configuration

1. On Windows, open a web browser, and go to the ExtTP FortiMail management GUI:
https://exttp.external.lab/admin

3. On the System Status page, on the System Information widget, beside Operation mode, verify that
Transparent is selected.

5. Verify the following:
l port1/Management IP is configured using the IP address 10.200.1.98/24
l All interfaces are members of the built-in bridge
l port3 and port4 are administratively down

DO NOT REPRINT Exercise 1: Configuring a Transparent Mode FortiMail
© FORTINET

7. Verify that there is a default route configured through port1.
To review the topology

1. Review the topology below and make note of the following:
ExtSRV FortiMail is directly connected to ExtTP FortiMail’s bridge-member interface port2.
To configure connection pickup

1. Visit the ExtTP FortiMail management GUI:

3. Double-click port1/Management IP.
4. Verify that the SMTP proxy configuration uses the following values:
Field Value
Incoming connections Proxy
Outgoing connections Pass through

DO Exercise
NOT1: Configuring
REPRINT a Transparent Mode FortiMail
© FORTINET
Field Value
Local connections Enable
5. Click Cancel.
6. Double-click port2.
7. Configure the following SMTP proxy values:
Field Value
Incoming connections Pass through
Outgoing connections Proxy
Local connections Disable
Because port1 is the closest interface to the source for all inbound email, port1’s
incoming connections are proxied. Port2 is the closest interface to the source for all
outbound email, so port2’s outbound connections are proxied.

1. Click System > Network > DNS.
2. Configure the following DNS servers:
Field Value

2. Configure the following values for the Local Host:
Field Value
Host name ExtTP
Local domain name external.lab

© FORTINET
Field Value
Domain name external.lab
SMTP server 10.200.1.99
6. Expand Transparent Mode Options.

7. In the This server is on drop-down list, select port2.
To configure an access receive rule for outbound email

2. Click New.
3. Create a new access receive rule using the following values:
Field Value
Sender pattern User Defined
*@external.lab
10.200.1.99/32
Action Relay
4. Click Create to save the rule.
To verify built-in MTA functionality

2. Click Write.
Field Value
Subject Testing Transparent Mode
Message Body Will this work?
4. Click Send.

7. Verify that the email message was delivered.
8. Reply to the email message.

DO Exercise
NOT1: Configuring
REPRINT a Transparent Mode FortiMail
© FORTINET
9. On Thunderbird, verify that the reply was received.
10. Visit the ExtTP FortiMail management GUI:

The first two entries in the history log should correspond to the two email messages that FortiMail just
processed.
13. View the details for each log, and review the values beside Direction and Mailer.

© FORTINET
FortiMail is using its built-in MTA to route email in both directions. The value
mtabeside Mailer, shows this.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring Bidirectional Transparency
You have verified that the ExtTP FortiMail is picking up email in both directions, and using the built-in MTA to
route email to its intended destination successfully.
In this exercise, you will examine email headers to investigate the transparency of ExtTP FortiMail’s email
processing. Then, you will configure transparency for both incoming and outgoing email.
To examine outgoing email headers

2. Open the last email user1 received from extuser.
3. Click More > View Source.
4. Review the Received headers:
Received: from IntGW.internal.lab ([10.0.1.11])
by IntSRV.internal.lab with ESMTP id v29HESsx001946-v29HESt0001946
Received: from ExtTP.external.lab ([10.200.1.98])
by IntGW.internal.lab with ESMTP id v29HESm1001931-v29HESm3001931
Received: from extsrv.external.lab ([10.200.1.99])by ExtTP.external.lab with ESMTP id
v29HERuL002360-v29HERuN002360
Received: from [10.0.1.10] ([127.0.0.1])by extsrv.external.lab with ESMTP id
v29HER6G001960-v29HER6H001960
To examine incoming email headers

2. Open the last email extuser received from user1.

by extsrv.external.lab with ESMTP id v29HEDnS001931-v29HEDnU00193
by ExtTP.external.lab with ESMTP id v29HEDhs002345-v29HEDhu002345
You should see that the transparent mode FortiMail is not really transparent in the
email headers.
To configure inbound transparency

1. Go to the ExtTP FortiMai management GUI:

3. Double-click external.lab.
4. Expand the Transparent Mode Options section.

DO NOT REPRINT Exercise 2: Configuring Bidirectional Transparency
© FORTINET
5. Enable the Hide the transparent box.
To configure outbound transparency

2. In the IP Policies section, click the Inbound_Session link for policy ID 1.
This session profile is applied to IP policy ID 1, which is currently processing all email.
3. In the Connection Settings section, enable Hide this box from the mail server.
4. Click OK.
To verify inbound transparency

1. On Thunderbird, send a new email message to extuser@external.lab.
http://extsrv.external.lab/
3. Open the email message you just sent.

5. Review the Received headers.
by extsrv.external.lab with ESMTP id v29IUVNd002175-v29IUVNf002175
The ExtTP FortiMail no longer appears in the inbound email headers.
To verify outbound transparency

http://extsrv.external.lab/
2. Send a new email message to user1@internal.lab.

3. On Thunderbird, open the email message you just sent.
by IntSRV.internal.lab with ESMTP id v29IgrVu001966-XXXXXXX

by IntGW.internal.lab with ESMTP id v29IgrJV001947-XXXXXXX
Received: from [10.0.1.10] ([127.0.0.1])

by extsrv.external.lab with ESMTP id v29IgqvA00221-XXXXXXX

DO Exercise
NOT2: Configuring
REPRINT Bidirectional Transparency
© FORTINET
While the header is now showing the IP address of the ExtSRV FortiMail
(10.200.1.99), the hostname still shows ExtTP.external.lab. This is because the
ExtTP FortiMail uses its own hostname in the SMTP greeting. There is one more
configuration change you must make to prevent this.
To configure SMTP greeting rewrite

1. Got to the ExtTP FortiMail’s management GUI:

3. Double-click external.lab.
4. Expand Advanced Settings and click Other.
5. Beside SMTP greeting (EHLO/HELO) name (as client) select Use other name, and then enter
ExtSRV.external.lab.
6. Click OK.
7. Click OK.
To verify outbound transparency


3. On Thunderbird, open the new email message.
5. Review the Received headers.
The ExtTP FortiMail should no longer appear in the headers:
by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921
Received: from ExtSRV.external.lab ([10.200.1.99])
by IntGW.internal.lab with ESMTP id v29MUEdn001911-v29MUEdp001911
Received: from [10.0.1.10] ([127.0.0.1])
by extsrv.external.lab with ESMTP id v29MUExs002184-v29MUExt002184

DO NOT REPRINT
© FORTINET
Lab 12: Maintenance
In this lab, you will configure and generate a local report, monitor system resource use, and perform local storage
management.
Objectives
l Configure and generate a local report
l Monitor historical and real-time system resource use
l Partition a disk to allocate more space to the log disk
Time to Complete

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring and Generating Local Reports
In this exercise, you will configure a local report to query the IntGW FortiMail’s mail filtering statistics. Then, you
will generate an on-demand report and review the statistics.
To configure a local report

1. On Windows, open a web browser, and go to the IntGW FortiMai management GUI:

3. Click Log and Report > Report Settings > Configuration.
4. Click New.
5. Create a new report configuration using the following values:
Field Value
Report name IntGWReport
Time Period This week
6. Expand the Query Selection section.

7. Expand the Mail Filtering Statistics query, and enable the following queries:
l Mail Category by Date
l Non-Spam Classifier by Date
l Spam Classifier by Date
l Virus Classifier by Date
8. In the Sender Domain section, disable All domains and add just the internal.lab domain.
9. Click Create to save the report configuration.

DO NOT REPRINT Exercise 1: Configuring and Generating Local Reports
© FORTINET
In a production FortiMail, you should also configure scheduling and add a notification
email so that the report is automatically generated and sent to you by email. The
scheduled reporting will help keep you up-to-date on the email trends of your network.
To generate an on-demand report

1. Click Log and Report > Report Settings > Configuration.
2. Select the IntGWReport entry, and click Generate.
FortiMail generates the following notification:
3. Click OK.
To view the local report

1. Click Monitor > Report > Report.
2. Expand the report file entry.
3. Double-click the html file.
The report opens on a separate web browser tab.
4. Use the menu on the left to navigate and review the data.

DO Exercise
NOT1: Configuring
REPRINT and Generating Local Reports
© FORTINET

DO NOT REPRINT
© FORTINET
Exercise 2: Monitoring System Resource Use
In this exercise, you will view the historical and real-time resources used by the IntGW FortiMail.
To view the resource use history

1. Visit the IntGW FortiMai management GUI:

3. In the System Resource widget, make note of the following values:
l CPU usage
l Memory usage
l System load
l Active sessions
4. Click History.
You may need to allow Flash to run in the web browser.
5. Make note of the trends in resource use.

DO Exercise
NOT2: Monitoring
REPRINT System Resource Use
© FORTINET
To view resource use in real-time

1. On Windows, open PuTTY.
2. Double-click the preconfigured session for IntGW.
4. To view the list of processes that are consuming the most CPU cycles or RAM, enter the following command:
diagnose system top delay 1
A list of system processes is displayed. The processes consuming the most CPU at the
top of the list. The list refreshes every second, which gives you a real-time view of the
system’s resource use. To stop the output, press Q.
5. Press Q to stop the output.

DO NOT REPRINT Exercise 2: Monitoring System Resource Use
© FORTINET
To generate traffic
1. On Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.
You can also enter the IP address of the Linux machine, which is 10.0.1.254 and
click Open.

5. After you log in successfully, you will be at the /home/student directory. To verify type pwd.
6. Run the following python script to send continuous emails to the IntGW FortiMail:
sudo python mbox_send.py --to user1@internal.lab --from spam@external.lab spam_mbox
A copy of the command is in a text file name commands.txt, which is located in the Resourcesfolder on
the Windows desktop.
If asked for password, the password is password.
To view resource use during traffic


3. In the System Resource widget, click History.
4. You must wait a few minutes before the charts refresh with new data.
5. In the drop-down list at the top of the screen, you can select By Minute or By Hour, to specify how you want to
view the system resource usage.

DO Exercise
NOT2: Monitoring
REPRINT System Resource Use
© FORTINET

DO NOT REPRINT
© FORTINET
Exercise 3: Managing Local Storage
By default, the mail disk partition size is 80% of the total disk. For a gateway mode FortiMail, this can mean that
a lot of unused space is taken up by the mail disk partition.
In this exercise, you will partition the IntGW FortiMail local storage, and allocate more space to the log disk
partition.
To verify partition sizes


3. On the System Information widget, make note of the Log disk and Mailbox disk sizes:
To change the partition size

1. On the virtual lab environment window, click the IntGW console.
This opens a new tab for the FortiMail VM console session.
You should always perform disk formatting and partitioning tasks using the console
connection. This allows you to monitor the entire process and take action, in case of
errors.
2. Click anywhere on the console window, and then press Enter.

This displays the login prompt.

DO Exercise
NOT3: Managing
REPRINT
Local Storage
© FORTINET
4. Type the following commands to change the log disk partition size to 50% of the total storage:
execute partitionlogdisk 50
The system warns you about data loss on the mail and log disk. Press Y.
5. After partitioning completes, the VM restarts.
To verify the size after partitioning

1. On Windows, return to the IntGW FortiMail management GUI:

4. On the System Information widget, make note of the Log disk and Mailbox disk sizes:

DO NOT REPRINT Exercise 3: Managing Local Storage
© FORTINET

DO NOT REPRINT
© FORTINET
Lab 13: Troubleshooting
The internal.lab users are complaining that they are not able to send or receive email. In this lab, you will use
SMTP event logs and the built-in packet capture tools to investigate and remedy the mail flow issues.
Objectives
l Investigate user complaints
l Use SMTP event logs and packet capturing to determine where the issue is occurring
l Remedy the email flow issue
Time to Complete
Prerequisites


4. Click Restore.

The config files introduce errors that cause the mail flow issues. Try to follow the
methodologies presented in the lab to troubleshoot and remedy the problem.

DO NOT REPRINT
© FORTINET
Exercise 1: Troubleshooting the Problem
In this exercise, you will verify the problem. Then, you will use SMTP event logs and packet capturing to
determine where the issue lies.
To investigate inbound email flow

1. On Windows, open a web browser, and visit the ExtSRV FortiMail webmail GUI:

4. Open Thunderbird, and then wait for the email message to arrive.
Hint: It won’t arrive.
5. Open a new web browser tab and go to the IntGW FortiMail management GUI:

The first entry in the history log should correspond to the email message you just sent from extuser.
9. View the log details.

Do the details indicate that there is a problem?

DO Exercise
NOT1: Troubleshooting
REPRINT the Problem
© FORTINET
In this particular instance, the history log details don’t provide much information. You
must dig deeper.
10. Click Close.

11. In the Session ID column, click the link to retrieve the cross search results.
12. Review the event logs related to the session:

DO NOT REPRINT Exercise 1: Troubleshooting the Problem
© FORTINET
The first two event logs relate to the external part of the session–from ExtSRV to
IntGW. The third event log relates to the internal part of the session–from IntGW to
IntSRV.
Do the event logs indicate that there is a problem?
The external part of the session appears to be without issues. The internal part of the
session appears to be experiencing problems. Specifically, the connection from IntGW
to IntSRV is being refused. However the reason for refusal isn’t listed.
To investigate outbound email flow

2. Try to send an email message to extuser@external.lab.

DO Exercise
REPRINT the Problem
© FORTINET
Hint: It won’t work!

6. Click the active log file, and try to find an entry in the history log for the outbound email message you just tried to
send.
7. Click Monitor > Log > Mail Event.
9. In the Type drop-down list, select SMTP.
10. Try to find a related SMTP event log entry for the outbound email message you just tried to send.
If you can’t find an entry in the history or event logs for a specific session, it means
there is an issue at either the IP or TCP layer. In these types of scenarios, only a traffic
capture might show you what the problem is.
To capture inbound email traffic

2. Click System > Network > Traffic Capture.

3. Click New.
Field Value
Description InboundCapture
Duration 10 minutes
Interface port1
IP/Host 10.0.1.99
Filter None
After investigating the inbound email flow, you established that the issue appears to
be with the internal portion of the email session. Therefore, you are only interested in
seeing traffic for the IntSRV (10.0.1.99) FortiMail.
5. Click Create.

© FORTINET
7. Send a new email message to user1@internal.lab.
8. Visit the IntGW FortiMail management GUI.
9. Click System > Network > Traffic Capture.
10. Click Refresh until you see the Size(Byte) column populated.
11. Select the capture, and then click Stop.
12. Select the capture again, and then click Export.
13. Save the capture file to the desktop.
To review the inbound traffic capture

1. On the Windows desktop, open the capture file.
2. In the Display Filter field, type ip.addr==10.0.1.99, and then press Enter.
3. You should see the following packets:
4. Select the first packet (Source: 10.0.1.11 Destination 10.0.1.99), and expand the Transmission Control
Protocol header.
5. Review the details:

DO Exercise
REPRINT the Problem
© FORTINET
This is the first packet of the session between IntGW (10.0.1.11) and IntSRV
(10.0.1.99) on port 465 (Dst Port). This packet has a sequence number of 0 and is
flagged as the SYN packet. This packet is expected, since all TCP sessions start with a
SYN packet.
6. Select the second packet (Source: 10.0.1.99 Destination 10.0.1.11), and expand the Transmission
Control Protocol header.
7. Review the details:

© FORTINET
This second packet is not expected. It has a RST/ACK flag. The IntSRV FortiMail is
sending a reset as soon as IntGW attempts to set up a TCP session on port 465. The
expected packet would have been a SYN/ACK, but that is not the case.
From the above analysis, you can start to form an idea about the root cause. The
IntGW FortiMail is sending a SYN packet for port 465 (SMTPS); however, the IntSRV
FortiMail is refusing the session. You know, and can verify, that it’s not related to IP
addressing because if it was you wouldn’t see a reply packet at all. So, it must be
related to the TCP port. However, before you try to fix this issue, have a look at the
outbound session using a packet capture.

DO Exercise
REPRINT the Problem
© FORTINET
To capture outbound email traffic
1. On Windows, open a PuTTY window.
2. Double-click the preconfigured session for IntSRV.
4. Type the following commands to start a packet capture:
diagnose sniffer packet any “host 10.0.1.10 and port 25” 4
The filter is set up to capture SMTP (port 25) traffic from the 10.0.1.10 host
(Windows).

6. Try to send another email message to extuser@external.lab.
7. On the PuTTY window, review the capture output:
The IntSRV FortiMail is showing similar behavior for outbound traffic. The
10.0.1.10 host is initiating the session on port 25 with a SYN packet. However, the
10.0.1.99 host is refusing the session with an RST.
8. Press Ctrl+C to stop the capture.

9. Close the PuTTY window.

DO NOT REPRINT
© FORTINET
Exercise 2: Fixing the Problem
In this exercise, you will review the configuration and fix any errors. Then, you will verify your changes by sending
email in both directions.
To review the configuration


3. Try to navigate the various configuration sections and discover where there could be a potential configuration
issues for SMTP and SMTPS port numbers.
Hint: Check System > Mail Settings > Mail Server Settings.
4. Fix any errors you see on the Mail Server Settings tab.
Hint: SMTP uses port 25 and SMTPS uses port 465.
To verify the change

1. On the main Thunderbird window, send another email message to extuser@external.lab.

DO Exercise
NOT2: Fixing
REPRINT
the Problem
© FORTINET
If your changes are correct, the email message will be delivered to the recipient.
2. Open another web browser tab, and go to the ExtSRV FortiMai webmail GUI:

4. Verify that the email was received.
5. Open the email message, and then reply to it.
6. On the main Thunderbird window, verify that the reply was received.

DO NOT REPRINT
© FORTINET
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiMail 6.0 Lab Guide-Online

Uploaded by

Copyright:

Available Formats

You might also like

FortiMail 6.0 Lab Guide-Online

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiMail 6.0 Lab Guide-Online

Uploaded by

Copyright:

Available Formats

DO NOT REPRINT

FortiMail Lab Guide

Fortinet Network Security Expert Program (NSE)

Virtual Lab Basics 5

FortiMail 6.0 Lab Guide 5

Remote Access Test

To run the remote access test

2. Inside the Speed Test box, click Run.

6 FortiMail 6.0 Lab Guide

To log in to the remote lab

3. Enter your first and last name.

FortiMail 6.0 Lab Guide 7

5. To open a VM from the dashboard, do one of the following:

Follow the same procedure to access any of your VMs.

8 FortiMail 6.0 Lab Guide

Disconnections and Timeouts

If that fails, see Troubleshooting Tips on page 11.

The GUIs of some Fortinet devices require a minimum screen size.

FortiMail 6.0 Lab Guide 9

Sending Special Keys

10 FortiMail 6.0 Lab Guide

FortiMail 6.0 Lab Guide 11

12 FortiMail 6.0 Lab Guide

To expedite the response, enter the following command in the CLI:

FortiMail 6.0 Lab Guide 13

14 FortiMail 6.0 Lab Guide

You should receive an output similar to the following:

What is the primary MX record for the external.lab domain? ___________________________

You should receive an output similar to the following:

What is the primary MX record for the internal.lab domain? ___________________________

What is the secondary MX record for the internal.lab domain? ___________________________

FortiMail 6.0 Lab Guide 15

The intgw.internal.lab (10.0.1.11) host is the primary MTA for the

3. Close the command prompt window.

16 FortiMail 6.0 Lab Guide

To verify the operation mode

2. Log in as admin and leave the password field empty.

To configure the system settings

Addressing Mode Manual

FortiMail 6.0 Lab Guide 17

Access HTTPS PING SSH TELNET

Destination IP/netmask 0.0.0.0/0

8. Click Create to save the static route.

Primary DNS server 10.0.1.10

Secondary DNS server 10.0.1.254

10. Click Apply to save the DNS changes.

To configure the mail settings

Host name IntSRV

Local domain name internal.lab

18 FortiMail 6.0 Lab Guide

Domain name internal.lab

To create server mode users

User name user1

Authentication type Local

Display name Mail User 1

3. Click Create to save the user configuration.

To verify the configuration

2. Log in as extuser using the password fortinet.