DO NOT REPRINT Securing Communications © FORTINET
FortiMail Student Guide 451
In this section, you will learn about the configuration workflow for setting up identity-based encryption on FortiMail.
To configure IBE globally, click Encryption > IBE. On the IBE Encryption tab, you can enable IBE system-wide, and define various options.

FortiMail uses the IBE service name field as a header that it displays on the IBE user login portal.

Encrypted email storage defines how long secure messages remain in a mailbox.

You can use the secure editing options to control the actions allowed in the IBE webmail interface. You can enable or disable replying, forwarding, and composing of email messages for IBE users within the secure webmail portal.

FortiMail uses the IBE base URL in notification email messages, either in the encrypted attachment or the URL, to enable the recipient to access their secure mailbox. If you leave the field empty, FortiMail uses its FQDN (hostname and local domain) to generate the URL. Customize this field only if you want to use a different URL to enable the recipient to access their secure mailbox.

The Notification Settings allow you to enable or disable notifying the sender or recipient when the secure email is read, or remains unread for a specified period of time.
When IBE encryption is triggered, the Encryption profile determines how FortiMail handles the email message.

Options in the encryption profile include which IBE message delivery method FortiMail invokes, as well as which encryption algorithm and strength FortiMail uses.

When FortiMail uses the Push method, the maximum size option limits the size of the encrypted attachment. If the encrypted attachment size exceeds this value, FortiMail reverts to the Pull method.

To define how FortiMail handles email in the event the IBE service fails, in the Action on failure drop-down list, select an action. Possible actions include the following:
• Drop and send DSN - FortiMail drops the message and sends a delivery service notification to the sender indicating failure
• Send plain message - FortiMail delivers the message to the intended recipient without using any encryption
• Enforce TLS - FortiMail uses regular TLS encryption to deliver the message
You can apply encryption profiles using either access delivery rules or content action profiles.

It’s not common practice to use access delivery rules to apply IBE because of their rigid matching criteria. A delivery rule always applies the encryption profile to any email messages that match its configured patterns.

It’s more common to apply IBE using a content profile’s Content Monitor and Filtering rule that is configured to match a specific trigger word. After this word is matched in an email, the content action profile can apply the encryption profile.

While the latter method is more common, using access delivery rules is still a viable method for testing your IBE configuration.
This slide shows an outline of the configuration steps required to establish IBE based on content inspection.

First, you must identify a trigger word, and create a dictionary profile using the trigger word. FortiMail applies the dictionary profile to a content profile as a content monitor and filtering rule. When the trigger word is matched, a content action profile applies an encryption profile. An outbound recipient-based policy applies the content profile to all applicable email.
The example on this slide uses the word “confidential” inside square brackets to trigger IBE. You can use wildcard patterns for an exact match, or use regular expressions for more complex matching logic. Whatever pattern type you select, be aware of special characters. For example, square brackets are special wildcard characters that must be escaped using a backslash.

Enable the appropriate search options for the dictionary entry. For example, if you want to search only for the pattern in the email’s subject, then select only the Search header check box.
On the Content Action Profile screen, select the Encrypt with profile check box and, in the drop-down list, select an encryption profile. Note: Content action profiles have a direction attribute that you can set to either Incoming or Outgoing. Since IBE is used exclusively for outgoing messages, you should set the direction to Outgoing.
After you create the dictionary profile and content action profiles, you must apply them to a content profile. Make sure you set the content profile that you create as Outgoing. Apply the dictionary profile as a Content Monitor and Filtering rule. Set the action profile globally if you are using the content profile exclusively for IBE. Otherwise, if the content profile is multi-purpose, set the appropriate action profile in the Content Monitor and Filtering rule.
You should apply the content profile using an outgoing recipient-based policy because it provides more configuration flexibility. Recipient policies allow configuration for specific domains or recipients, which IP policies lack.

After you apply the content profile to an outbound recipient policy, you are ready to use the IBE feature.
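The trigger chain from the preceding steps (dictionary entry with its pattern type and search options, Content Monitor and Filtering rule, Encrypt with profile action, outgoing recipient policy), as an added example that is not FortiMail’s own code. It assumes a glob-style wildcard syntax in which a backslash escapes the next character and an unescaped bracket pair forms a character class, which is what makes the brackets on the slide dangerous when left unescaped; the messages are constructed.

```python
"""Model of the content-inspection IBE trigger chain described above: dictionary
entry -> Content Monitor and Filtering rule -> Encrypt with profile action ->
outgoing recipient policy. Added, simplified example, not FortiMail code.
Assumed wildcard syntax: '*' and '?' as usual, a backslash escapes the next
character, and an unescaped '[...]' is a character class, as in a shell glob.
"""
import re
from email import message_from_string


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern to a regex using the assumed syntax above."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):    # escaped special character
            out.append(re.escape(pattern[i + 1]))
            i += 1
        elif ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[" and "]" in pattern[i:]:       # unescaped class, copied verbatim
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


class DictionaryEntry:
    """One dictionary profile entry: pattern type plus header/body search options."""

    def __init__(self, pattern, kind="wildcard", search_header=True, search_body=False):
        self.pattern = pattern
        self.regex = re.compile(pattern if kind == "regex" else wildcard_to_regex(pattern))
        self.search_header, self.search_body = search_header, search_body

    def match(self, msg):
        """Return the matched text, or None, searching only the selected scopes."""
        scopes = []
        if self.search_header:
            scopes += [f"{name}: {value}" for name, value in msg.items()]
        if self.search_body:                         # single-part messages only
            scopes.append(msg.get_payload())
        for text in scopes:
            hit = self.regex.search(text)
            if hit:
                return hit.group(0)
        return None


def evaluate_outgoing(raw, entries, profile, policy_domains=None, direction="outgoing"):
    """Run the content profile as an outgoing recipient policy would apply it.
    The result mirrors the log cross-search fields: the entry and exact text
    that triggered IBE, and the encryption profile the action applied."""
    if direction != "outgoing":
        return {"action": "deliver", "reason": "content action is outgoing-only"}
    msg = message_from_string(raw)
    if policy_domains and msg["To"].rsplit("@", 1)[-1] not in policy_domains:
        return {"action": "deliver", "reason": "no matching recipient policy"}
    for entry in entries:
        hit = entry.match(msg)
        if hit is not None:
            return {"action": "encrypt", "profile": profile,
                    "entry": entry.pattern, "matched": hit}
    return {"action": "deliver", "reason": "no dictionary entry matched"}


def make_mail(subject, body, to="bob@example.net"):
    """Constructed single-part test message, not real traffic."""
    return f"From: alice@example.com\nTo: {to}\nSubject: {subject}\n\n{body}\n"


# The slide's entry with the brackets escaped: literal "[confidential]", header only.
TRIGGER = [DictionaryEntry(r"\[confidential\]")]
# Without the backslashes the entry becomes a character class matching any single
# letter of "confidential", so almost every message is encrypted by mistake.
UNESCAPED = [DictionaryEntry("[confidential]")]
```

Run `evaluate_outgoing(make_mail("Lunch plans", "Pizza?"), UNESCAPED, "IBE-Push")` against the same call with `TRIGGER` to see the unescaped entry fire on a harmless subject while the escaped one delivers the mail untouched.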
IBE logs are recorded using the Content Requires Encryption Classifier, and the Encrypt Disposition. The cross search result provides more detail, such as the dictionary profile name and entry that triggered IBE, the IBE method, and the specific word or phrase that triggered the Content Monitor and Filtering rule.
A user who receives an IBE email is also referred to as an IBE user. In this section, you will learn the steps a first-time IBE user must complete to access their IBE email.
When IBE is triggered to encrypt an email message using the pull method, the recipient receives a notification that a secured email has been sent to them. The notification includes an HTML link that opens a new browser window for the IBE portal on FortiMail.

The push method notification email contains an HTML attachment. When the recipient opens the attachment, a new browser window opens for the IBE portal on FortiMail.

Make sure you configure the correct firewall and destination NAT rules to allow HTTPS access to FortiMail from the Internet. Otherwise, the IBE users won’t be able to reach the FortiMail IBE portal.
A first-time user is prompted to register as an IBE user.

To register, a new user must submit their name, create a password, and answer three password recovery questions. By default, FortiMail is configured with a set of questions that can be customized. Once registered, a user can proceed to the login portal.
After registration, users can enter their password to view the secured message in a standard FortiMail webmail interface. If you enable secure replying and forwarding, those controls appear on the interface.
In this section, you will learn about the options FortiMail provides for IBE user management, as well as customization options for IBE settings.
The system creates IBE user accounts automatically whenever an IBE message is sent to a new recipient. Until a new IBE user registers, their account status is listed as Pre-Registered in the IBE user list. After they register, the status changes to Activated. An IBE user account remains in the active state until the account expires because of inactivity. You can set the length of time before an inactive account expires in the global IBE configuration settings. An expired user must register their account again to access any new IBE emails.
FortiMail allows you to customize the IBE login page, user registration page, and email notifications. You must modify the HTML code to rebrand the pages for your organization. You can also customize the security questions used during the user registration process.
In this lesson, you learned how to configure SMTPS, and manage SMTP over TLS settings. You also learned how you can use IBE to secure messages from end to end. You also learned how to configure encryption profiles to use different delivery methods, how to configure IBE using content profile inspection of trigger words, and how to use FortiMail logs to verify IBE events. You also learned about the user management options, and the customization options available for IBE.
Thank you!
High Availability

In this lesson, we’ll show how to deploy FortiMail in the available high-availability modes.
These are the topics that will be covered in this lesson. You will learn about FortiMail’s high-availability options and the use cases for each mode, as well as how to configure each mode.
In this section, we will illustrate the differences between the two high-availability (HA) modes available on FortiMail, as well as show you the difference in their synchronization behavior.
FortiMail supports two different modes of high availability: active-passive and config-only mode.

Active-passive HA is a traditional pair-based architecture in which one FortiMail acts as the primary device and another acts as the secondary device, standing by to take over processing if the primary device fails. FortiMail uses heartbeat connections to synchronize the configuration as well as the stateful mail data to ensure no data is lost.

Config-only HA allows larger clusters to be built that contain up to 25 FortiMail devices, to provide increased processing capacity in larger environments. In a config-only cluster, all the standby devices synchronize their configuration with the primary device.

The FortiMail high availability architecture also supports clusters that have mismatched hardware. For example, you can build an active-passive cluster using a FortiMail 60D and a FortiMail 200D. However, the cluster is limited to the hardware and software limits of the 60D.
In both modes, you must always manage the entire cluster’s configuration on the primary FortiMail, except for settings that aren’t synchronized. Not all configuration items are synchronized between clustered devices. For any unsynchronized elements listed in the tables, you must access the secondary devices to modify their values.
In this section, you will learn the implementation details and the configuration steps for a config-only FortiMail cluster.
Although their configurations are kept in sync, config-only cluster members operate independently of each other, handling SMTP connections and performing their configured scans. Because their configurations are identical, config-only clusters in gateway or transparent mode are often positioned behind a load balancer, multiplying the capacity from that of any single FortiMail instance. Another use case for config-only clusters is to deploy them in server mode to maintain an email server farm.

The members of the cluster are operational peers of each other as they process the email traffic. However, one member is elected as the configuration master and all configuration changes are made on that device. On the configuration master, any configuration changes instantly propagate to the other devices, keeping them synchronized.

The main motivation for deploying config-only HA clusters is to create increased capacity. When positioned behind load balancers, however, a measure of high availability or redundancy is also provided. If a device were to fail, the load balancer would stop sending traffic to the failed device, and share the traffic with the rest of the remaining devices.

Each device maintains its own set of MTA queues and mail storage, which are not synchronized across the devices. Any messages held in a queue when a device fails are lost. For this reason, you should use external network-attached storage (NAS) for gateway or transparent mode clusters. Server mode clusters require external NAS storage; otherwise, user mailbox data becomes incoherent because it’s spread randomly across the server farm.
To create a config-only HA cluster, select one device to be the primary device, and set its Mode of operation to config master. Enter a Shared password, and the IP addresses of the secondary devices.

On each subsequent device, set the Mode of operation to config slave, enter the same Shared password, and the IP address of the config master.
In this section, you will learn the implementation details and the configuration steps for FortiMail active-passive clusters.
Active-passive HA clusters operate in the traditional fashion in which the primary device performs all the email processing, and the secondary device monitors the primary device, ready to take over the services if the active device fails.

While the cluster is operating, the active device synchronizes not only the configuration but also all mail data, such as the MTA queues, the user’s quarantined messages, IBE messages, and, for server mode, the user mailboxes. Because the secondary device has all the data that is on the primary device, a failover can occur without any data loss. Additionally, any SMTP sessions interrupted during the failover are retransmitted by the sender, so no active sessions are lost.
FortiMail uses heartbeat packets as a keepalive mechanism between clustered devices. The secondary device monitors heartbeat packets from the primary. If the heartbeat is undetected for 30 seconds, the secondary device takes over.

At minimum, you must set a network interface on each device as the primary heartbeat interface. If you use only a primary heartbeat, then the primary interface carries the heartbeats, as well as all the configuration synchronization and mail data replication traffic. For increased reliability, you should configure secondary heartbeat interfaces in addition to the primary interface. When a secondary heartbeat link exists, the traffic load is divided between the primary interface that is handling the synchronization and replication traffic, and the secondary interface that is transmitting the heartbeats.

You should configure heartbeat interfaces to use dedicated links. If that’s not possible, use isolated subnets or VLANs.
Active-passive HA clusters use a virtual IP address for email processing and other user-facing services. If a failover occurs, the secondary device inherits this virtual IP. For the clustering to work properly, the virtual IP address must be the address used in all DNS MX records, or, the appropriate firewall rules must be in place to destination NAT any DNS MX public IP address to the cluster’s virtual IP. This way, any failover event is transparent to the rest of the IP infrastructure.

While the cluster shares a virtual IP, you can access each device individually using its dedicated network access port IP address.
To configure an active-passive cluster, set the Mode of operation. Select master for the primary device, and slave for the secondary device. You must also set a Shared password, and configure the Backup options.

The On failure action determines how the cluster behaves after a failure. There are three possible actions:
• switch off - The failed device’s mode of operation is set to off. In this state, the device is not part of the cluster, and doesn’t process any email. To restore the device, you must manually set the Mode of operation again.
• wait for recovery then restore original role - The failed device, after recovery, takes on the configured mode of operation. For example, if a device’s mode of operation was master before failure, after recovery it resumes its master role.
• wait for recovery then restore slave role - The failed device, after recovery, stays in the slave role.

In the On failure drop-down list, you should select Wait for recovery then restore slave role. This allows time to investigate the cause of the failure before putting a recently failed device back into production.

You can also set the Heartbeat lost threshold. This is the total span of time, in seconds, for which the primary device can be unresponsive before it triggers a failover and the secondary device assumes the active role.
Each clustered device requires at least one primary heartbeat interface, a peer device’s IP address, and the virtual IP address.

To designate an interface as a heartbeat interface, you have to select a Heartbeat Status (Primary, or Secondary), and enter a Peer IP Address. In the example shown on this slide, port2 on both devices has been designated as the primary heartbeat interface because it is directly connected by a dedicated link.

You should apply the Virtual IP Address to the interface that is connected to the rest of the network. In the example shown on this slide, this is port1 on both devices.

You can also enable the Port Monitor option to monitor a network interface for failure. If there is a port failure on the active device, it triggers a failover.
The HA service monitor provides an optional way to verify the status of the active device, beyond that of the heartbeat interfaces. On the standby device, service monitor can check the status of the network services running on the active device, such as SMTP, POP, IMAP, and HTTP. A failure of any of these services can then be used in the decision to trigger a failover event. Likewise, on the active device, service monitor can monitor the proper operation of network interfaces and local hard drives.

You should configure each device independently with the appropriate service monitors.
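The standby device’s failover decision from the heartbeat, On failure, Port Monitor and service monitor slides, as an added simplified model that is not FortiMail’s code. It assumes the Heartbeat lost threshold is measured from the most recent heartbeat seen on any configured heartbeat interface, that a Port Monitor or service monitor failure triggers failover on its own, and that the event timeline is constructed.

```python
"""Simplified model of the active-passive failover decision on the standby
device. Added example, not FortiMail code. Assumptions: failover occurs when no
heartbeat has arrived on any configured heartbeat interface for the Heartbeat
lost threshold, and a Port Monitor or service monitor failure also triggers it.
"""
from dataclasses import dataclass


@dataclass
class HaConfig:
    heartbeat_lost_threshold: int = 30        # seconds; 30 is the value quoted above
    heartbeat_interfaces: tuple = ("port2",)  # primary, plus an optional secondary
    monitored_ports: tuple = ()               # Port Monitor on the active device
    monitored_services: tuple = ("smtp",)     # checked by the standby's service monitor
    on_failure: str = "wait for recovery then restore slave role"


def evaluate_standby(cfg, events, now):
    """Return (failover, reason) from a chronological, constructed event list.

    events: (t, kind, detail) with kind 'heartbeat' (detail = interface name),
    'port_down' (interface reported by Port Monitor) or 'service'
    (detail = (service_name, ok)). Not a real FortiMail log format.
    """
    last_seen = {}
    for t, kind, detail in events:
        if kind == "heartbeat" and detail in cfg.heartbeat_interfaces:
            last_seen[detail] = t
        elif kind == "port_down" and detail in cfg.monitored_ports:
            return True, f"port monitor: {detail} failed on active device"
        elif kind == "service" and detail[0] in cfg.monitored_services and not detail[1]:
            return True, f"service monitor: {detail[0]} check failed on active device"
    if not last_seen:
        return True, "no heartbeat received on any heartbeat interface"
    silence = now - max(last_seen.values())
    if silence >= cfg.heartbeat_lost_threshold:
        return True, f"heartbeat lost for {silence}s (threshold {cfg.heartbeat_lost_threshold}s)"
    return False, f"last heartbeat {silence}s ago"


def role_after_recovery(cfg, configured_mode):
    """Mode a recovered device takes, according to the On failure setting."""
    if cfg.on_failure == "switch off":
        return "off"                     # must be set manually again
    if cfg.on_failure == "wait for recovery then restore original role":
        return configured_mode
    if cfg.on_failure == "wait for recovery then restore slave role":
        return "slave"
    raise ValueError(f"unknown On failure action: {cfg.on_failure}")


# Constructed timeline (assumed scenario): port2 carries synchronization and
# replication and stops delivering heartbeats after t=10; port3, a secondary
# heartbeat interface, keeps delivering them every 10 seconds.
EVENTS = [
    (0, "heartbeat", "port2"), (0, "heartbeat", "port3"),
    (10, "heartbeat", "port2"), (10, "heartbeat", "port3"),
    (20, "heartbeat", "port3"), (30, "heartbeat", "port3"), (40, "heartbeat", "port3"),
]
```

Evaluating `EVENTS` at t=45 with only port2 configured reports a failover after 35 seconds of silence, while the same timeline with port2 and port3 configured does not, which is the reliability gain the secondary heartbeat interface provides.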
These are the topics that will be covered in this lesson.
In this section, you will learn about the management options available on FortiMail, as well as the steps to upgrade the firmware on a FortiMail cluster.
You can perform management tasks on the HA status page, such as restarting the HA system, starting configuration synchronization, promoting or demoting devices, and removing a device from the cluster. The Daemon status section displays messages about the status of the cluster.
Before performing any firmware upgrades, always check the release notes to make sure you are following applicable upgrade paths, or to make note of any major changes that may be applicable to your configuration as a result of the upgrade.

For A-P clusters, start by upgrading the standby device. FortiMail reboots as a result of the upgrade. This entire procedure won’t affect the active device’s email processing capabilities. After the standby device restarts, start the firmware upgrade on the active cluster device. The active device stops all email processing, and the passive device is informed of the upgrade so as not to cause a failover. After the upgrade on the active device finishes, normal HA and email processing operations resume.

For config-only clusters, you must upgrade each device independently. However, you should upgrade all the secondary devices first, and then upgrade the primary device.
In this lesson, you learned about the options for high availability on FortiMail, and the implementation details and requirements for each mode. You also learned how to configure, manage, and upgrade each HA mode.
Thank you!
Server Mode

In this lesson, we’ll show how to deploy FortiMail in server mode.
These are the topics that will be covered in this lesson. You will learn about the implementation details, configuration tasks, and user experience specific to server mode deployments.
In this section, you will review the implementation details for deploying FortiMail in server mode.