
Course 221 - FortiMail Email Filtering

Transparent Mode

Transparent Mode
Module 11

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726

Transparent Mode
Transparent relay
FortiMail is inline, in front of the mail servers or mail relays
FortiMail is not the SMTP end point
FortiMail transparently intercepts and scans SMTP sessions based on the destination IP address
Diagram: mail flow from the Internet through the FortiMail unit to the MTAs; the FortiMail unit intercepts and scans the sessions destined to the backend servers


Transparent Mode Advantages

IP layer transparency
The FortiMail unit acts as a bridge for SMTP and non-SMTP traffic
The IP address scheme does not require any change

SMTP layer transparency
No changes are required to existing MX records or MUA/MTA configurations
The FortiMail unit's presence can be hidden

Network Interfaces - Bridge Mode

When configured in bridge mode, the network interfaces operate as an L2 forwarding bridge
The FortiMail unit can be reached through the management IP address statically assigned to the port1 interface
The port1 interface cannot be changed to route mode


Network Interfaces - Route Mode

When configured in route mode, the network interface is no longer part of the bridge
CLI syntax to remove an interface (port2 in this example) from the bridge and give it its own IP address:
config system interface
(interface)# edit port2
(port2)# set bridge-member disable
(port2)# set ip 192.168.2.100 255.255.255.0
(port2)# set allowaccess ping
(port2)# next
(interface)# end

Transparent Mode (bridge mode diagram)
Diagram: mail flow from the Internet through the FortiMail unit to the MTAs. SMTP sessions are proxied and bridged; non-SMTP traffic (ARP requests, etc.) is bridged. The FortiMail default route and the MTA default route point the same way, and the management IP address is in the same subnet as the MTAs.


Transparent Mode Hybrid Example 1

Mail flow is bridged by the FortiMail unit
A third interface is in route mode
Diagram: the external and internal interfaces are in bridge mode and carry the mail flow between the Internet and the MTAs; the FortiMail default route points towards the Internet. A third interface in route mode is used for out-of-band (OOB) management, with a FortiMail static route to the management platforms.

Transparent Mode Hybrid Example 2

Diagram: the FortiMail unit is attached one-armed on a route mode interface, with a second interface for OOB management. Policy-based routing on the internal network sends SMTP traffic (destination IP = MTA addresses) from the mail user agents to the FortiMail unit; without policy-based routing the mail flow would not be sent to the FortiMail unit at all. The mail flow then continues between the MTAs and the Internet.


Transparent Mode Directions

In transparent mode the recipient domain address does not determine the direction
At the network connectivity level the destination IP address determines whether a session is incoming or outgoing:
An SMTP session is considered incoming if the destination IP address matches an SMTP server configured in the protected domain list
An SMTP session is considered outgoing if the destination IP address does not match any SMTP server configured on the FortiMail unit

Transparency Settings
By default, the transparent mode unit does not hide its presence in the mail flow
The management IP address (if in bridge mode) or the interface IP address (if in route mode) is used as the source address of the new session established to the destination MTA
To hide the transparent unit, use one of the following options depending on the direction of the email:
Incoming emails: enable the option Hide the transparent box (System > Domain)
Outgoing emails: enable the option Hide this box from the mail server (Session profile > Connection Settings)
In both cases, the TP unit reuses the sender IP address to establish the new session


Built-in MTA
A transparent mode FortiMail unit can route a message to its destination either by using its built-in MTA or by proxying it
When the built-in MTA is used, the following actions are taken:
The email is intercepted
DNS MX and A resolution is performed on the recipient domain
The email is delivered

Transparent Proxy
If the transparent proxy is enabled, the FortiMail unit performs the following actions:
The email is intercepted
The email is simply forwarded to its destination
Messages are not queued in case of delivery failure

Transparent proxy can be enabled per direction of the mail flow in the following ways:
Incoming: select the option Use this domain's SMTP to deliver the email (Mail Settings > Domains)
Outgoing: select the option Use client specified SMTP server to send email (Mail Settings > Settings)


Mail Traffic Inspection

To perform inspection on specific mail flows, the administrator has to enable proxy inspection on the physical interfaces that carry them

Transparent Mode SMTP Pass Through

Lab topology: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)
MX record for domain external.lab on the internal side: gw.smarthost.lab (10.0.3.100)
MX record for domain external.lab on the gateway side: server.external.lab (10.0.2.100)

Transparent unit (tp.smarthost.lab) configured to Pass Through incoming and outgoing SMTP connections.
The session from 10.0.1.100 to 10.0.3.100 is bridged.
Mail From: user@internal.lab
RCPT To: user@external.lab


Transparent Mode Incoming SMTP MTA Routing

Topology as in the SMTP Pass Through slide: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)
Protected domain smarthost.lab defined with IP 10.0.3.100
Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab on the internal side: gw.smarthost.lab (10.0.3.100)
The transparent mode unit intercepts the email and triggers its internal MTA to route the email to its destination.
MX record for domain external.lab on the gateway side: server.external.lab (10.0.2.100)

Transparent Mode Incoming SMTP Proxy

Topology as in the SMTP Pass Through slide: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)
Protected domain smarthost.lab defined with IP 10.0.3.100
Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab on the internal side: gw.smarthost.lab (10.0.3.100)
The transparent mode unit intercepts the email and forwards it to 10.0.3.100 (as indicated in the protected domain section).
A new session is initiated from the TP unit with source IP 10.0.3.201 to 10.0.3.100.
The Gateway FortiMail unit receives the email.
An MX lookup is performed to route the email to its destination.
MX record for domain external.lab on the gateway side: server.external.lab (10.0.2.100)


Transparent Mode Outgoing SMTP MTA

Topology as in the SMTP Pass Through slide: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)
No protected domain configured on the Transparent FortiMail unit.
All traffic is considered OUTGOING.
Port1 configured to proxy outgoing SMTP connections.
Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab on the internal side: gw.smarthost.lab (10.0.3.100)
The Transparent mode unit intercepts the email and triggers its internal MTA to route the email to its destination.
MX record for domain external.lab on the gateway side: server.external.lab (10.0.2.100)

Transparent Mode Outgoing SMTP Proxy

Topology as in the SMTP Pass Through slide: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)
No protected domain configured on the Transparent unit.
All traffic is considered outgoing.
Port1 configured to proxy outgoing SMTP connections.
Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab on the internal side: gw.smarthost.lab (10.0.3.100)
The transparent mode unit intercepts the email and forwards it to 10.0.3.100 (as indicated by the client).
A new session is initiated from the TP unit with source IP 10.0.3.201.
The Gateway unit receives the email.
An MX lookup is performed to route the email to its destination.
MX record for domain external.lab on the gateway side: server.external.lab (10.0.2.100)
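The following Python model ties together the rules of the Transparent Mode Directions, Transparency Settings, Built-in MTA and Transparent Proxy slides with the five lab scenarios above (pass through, incoming MTA routing, incoming proxy, outgoing MTA, outgoing proxy). It is an added example for this page, not Fortinet code and not the FortiMail implementation: the data structures, function names and the tiny DNS table are my assumptions; the host names, addresses and option names are the lab values and GUI labels from the slides. Running it shows, for each scenario, the direction chosen from the destination IP, which source IP the new session carries (the unit's own IP, or the sender's IP when the hide option is on), whether the next hop comes from MX/A resolution or from the configured or client-specified server, and whether the message would be queued on delivery failure.

```python
# Added example (not Fortinet code): a small model of how a transparent mode
# unit decides direction, source IP and delivery method for one intercepted
# SMTP session. Host names and addresses are the lab values from the slides;
# the data structures, function names and the DNS table are assumptions.
from dataclasses import dataclass, field

# Constructed DNS view as seen from the transparent unit (assumption modelled
# on the slides): external.lab's MX is the smart-host gateway.
DNS = {
    "mx": {"external.lab": "gw.smarthost.lab"},
    "a": {"gw.smarthost.lab": "10.0.3.100", "server.external.lab": "10.0.2.100"},
}


@dataclass
class ProtectedDomain:
    name: str
    smtp_server: str                      # backend SMTP server IP (System > Domain)
    hide_transparent_box: bool = False    # "Hide the transparent box" (incoming)
    use_domain_smtp: bool = False         # "Use this domain's SMTP to deliver" -> proxy


@dataclass
class UnitConfig:
    unit_ip: str                          # management IP (bridge) or interface IP (route mode)
    protected_domains: list = field(default_factory=list)
    pass_through: bool = False            # interface set to pass through: bridged, not inspected
    hide_from_mail_server: bool = False   # "Hide this box from the mail server" (outgoing)
    use_client_specified_server: bool = False  # "Use client specified SMTP server" -> proxy


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    mail_from: str
    rcpt_to: str


def resolve_mx_then_a(domain: str) -> str:
    """MX then A resolution on the recipient domain, as the built-in MTA does."""
    host = DNS["mx"].get(domain, domain)   # no MX record: fall back to the domain's A record
    return DNS["a"][host]


def classify(session: Session, cfg: UnitConfig) -> tuple:
    """Direction comes from the destination IP, never from the recipient domain."""
    for dom in cfg.protected_domains:
        if dom.smtp_server == session.dst_ip:
            return "incoming", dom
    return "outgoing", None


def decide(session: Session, cfg: UnitConfig) -> dict:
    """How the transparent unit handles one SMTP session arriving on an interface."""
    dirn, dom = classify(session, cfg)
    if cfg.pass_through:
        # Bridged at layer 2: no new session, client and server addresses untouched.
        return {"direction": dirn, "action": "bridge", "src_ip": session.src_ip,
                "next_hop": session.dst_ip, "queues": False}
    rcpt_domain = session.rcpt_to.rsplit("@", 1)[1]
    if dirn == "incoming":
        hide, proxy = dom.hide_transparent_box, dom.use_domain_smtp
        next_hop = dom.smtp_server if proxy else resolve_mx_then_a(rcpt_domain)
    else:
        hide, proxy = cfg.hide_from_mail_server, cfg.use_client_specified_server
        next_hop = session.dst_ip if proxy else resolve_mx_then_a(rcpt_domain)
    return {
        "direction": dirn,
        "action": "proxy" if proxy else "mta",
        "src_ip": session.src_ip if hide else cfg.unit_ip,  # hidden unit reuses the sender IP
        "next_hop": next_hop,
        "queues": not proxy,  # only the built-in MTA queues on delivery failure
    }


# Lab values from the slides: internal server -> TP unit -> smart-host gateway.
LAB_SESSION = Session("10.0.1.100", "10.0.3.100", "user@internal.lab", "user@external.lab")
TP_IP = "10.0.3.201"


def lab_scenarios() -> dict:
    """The slide scenarios (pass through, incoming MTA/proxy, outgoing MTA/proxy, hidden)."""
    smarthost = ProtectedDomain("smarthost.lab", "10.0.3.100")
    smarthost_proxy = ProtectedDomain("smarthost.lab", "10.0.3.100", use_domain_smtp=True)
    return {
        "pass_through": decide(LAB_SESSION, UnitConfig(TP_IP, pass_through=True)),
        "incoming_mta": decide(LAB_SESSION, UnitConfig(TP_IP, [smarthost])),
        "incoming_proxy": decide(LAB_SESSION, UnitConfig(TP_IP, [smarthost_proxy])),
        "outgoing_mta": decide(LAB_SESSION, UnitConfig(TP_IP)),
        "outgoing_proxy": decide(LAB_SESSION, UnitConfig(TP_IP, use_client_specified_server=True)),
        "outgoing_hidden": decide(LAB_SESSION, UnitConfig(TP_IP, hide_from_mail_server=True)),
    }


if __name__ == "__main__":
    for name, result in lab_scenarios().items():
        print(f"{name:16} {result}")
```

In the lab every path ends at 10.0.3.100 because the gateway is both the MX of external.lab and the server the client connects to; the difference between the rows is who opens the new session, with which source address, and whether the unit keeps a queue. Replace the DNS table and the protected domain list with your own values to check how a given interface setting will change the source IP that the downstream MTA sees in its logs.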
