FortiMail is a comprehensive email security solution by Fortinet, offering advanced threat protection, data loss prevention, encryption, and email authentication to safeguard organizations against email-based cyber threats and protect sensitive information.
Fortimail
This pack includes Cortex XSIAM content.
Cortex XSOAR interfaces with Fortimail to increase email security.
What does this pack do?
- Views, creates, updates, and deletes a Fortimail IP policy, Access control, and Recipient policy directly from Cortex XSOAR.
- Views, creates, updates, and deletes a Fortimail IP and Email groups directly from Cortex XSOAR.
- Views, creates, updates, and deletes a Fortimail IP and Email group members directly from Cortex XSOAR.
- Views all Fortimail profiles.
Configuration on Server Side
You need to configure Fortimail to forward Syslog messages.
Open the Fortimail interface and follow these instructions (see the FortiMail documentation):
- Go to Log & Report → Log Setting → Remote
- Configure the following settings:
| Setting | Description |
| :--- | :--- |
| Status | Select to enable logging to this location. |
| Name | Enter a unique name for this configuration. |
| Server name/IP | Enter the IPv4, IPv6, or domain name (FQDN) address of the Syslog server or FortiAnalyzer that will store the logs. |
| Server port | If the remote host is a FortiAnalyzer unit, type 514. If the remote host is a Syslog server, type the port number on which the Syslog server listens. |
| Protocol | Select Syslog. |
| Mode | Select TCP. |
| Level | Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. |
| Facility | Select the facility identifier that the FortiMail unit will use to identify itself when sending log messages. |
| CSV format | Enable if you want to send log messages in comma-separated value (CSV) format. |
- Click Create
- To verify logging connectivity, from the FortiMail unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.
Pay Attention:
Timestamp ingestion is only available in UTC timezone (00:00) for the Date (%Y-%m-%d) and Time (%k:%M:%S) fields.
To change Fortimail's system time zone, use the following CLI commands:

```
config system time manual
set daylight-saving-time {disable | enable}
set zone <zone_int>
end
```
For additional information, review Fortimail's System Time Manual documentation.
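The following is an added example, not code from the FortiMail pack or from Fortinet. It shows what the connectivity check above can confirm on the receiving side and why the UTC note matters: it decodes one syslog frame as a TCP collector would see it, recovers the facility and severity that the Facility and Level settings control, parses the FortiMail key=value body, and builds the event time from the date (%Y-%m-%d) and time (%k:%M:%S) fields on the assumption that they are already UTC. The log line, device name and field values are constructed for illustration; the `true_instant_if_local` helper is hypothetical and only shows the skew introduced when the appliance clock is not set to UTC.

```python
"""Added example (not part of the FortiMail pack): decode one FortiMail
syslog frame, recover facility/severity from the PRI, parse the key=value
body, and build the UTC timestamp the pack's Date/Time ingestion assumes."""
import re
from datetime import datetime, timedelta, timezone

# Syslog facility and severity names (RFC 3164/5424): PRI = facility*8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

# Constructed sample frame; not captured from a real appliance.
SAMPLE_FRAME = (
    '<134>date=2024-03-05 time=09:07:42 device_id=FE-EXAMPLE log_id=0200001234 '
    'type=event subtype=smtp pri=information msg="SMTP session accepted"'
)

# key=value pairs; values are either a double-quoted string or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_pri(frame: str):
    """Split the leading <PRI> off a frame and return (facility, severity, body)."""
    m = re.match(r"<(\d{1,3})>", frame)
    if not m:
        raise ValueError("frame has no syslog PRI header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError(f"invalid PRI {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], frame[m.end():]


def parse_fields(body: str) -> dict:
    """Parse FortiMail's key=value body, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def event_time_utc(fields: dict) -> datetime:
    """Combine date=%Y-%m-%d and time=%k:%M:%S into an aware UTC datetime.
    %k may be space padded; strptime's %H accepts the hour once spaces are stripped."""
    stamp = f"{fields['date']} {fields['time'].strip()}"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_fortimail_frame(frame: str) -> dict:
    """Decode a whole frame into facility, severity, fields and UTC timestamp."""
    facility, severity, body = parse_pri(frame)
    fields = parse_fields(body)
    return {"facility": facility, "severity": severity,
            "fields": fields, "timestamp": event_time_utc(fields)}


def true_instant_if_local(fields: dict, appliance_utc_offset_hours: int) -> datetime:
    """Hypothetical helper: if the appliance clock were local time (UTC+offset),
    the stamp ingested as UTC is ahead of the real instant by that offset."""
    return event_time_utc(fields) - timedelta(hours=appliance_utc_offset_hours)


if __name__ == "__main__":
    event = parse_fortimail_frame(SAMPLE_FRAME)
    print(event["facility"], event["severity"], event["timestamp"].isoformat())
    print("if clock were UTC+2, real instant:",
          true_instant_if_local(event["fields"], 2).isoformat())
```

Running the block prints `local0 informational 2024-03-05T09:07:42+00:00`, which is what the Level and Facility choices above produce for an informational event on `local0`; the second line shows that an appliance left on UTC+2 would have its events ingested two hours late relative to the real instant, which is the skew the UTC note warns about.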
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings → Configuration → Data Broker → Broker VMs.
- Go to the Apps column under the Brokers tab and add the Syslog Collector app for the relevant broker instance. If the app already exists, hover over it and click Configure.
- Click Add New for adding a new syslog data source.
- When configuring the new syslog data source, set the following values:
| Parameter | Value |
| :--- | :--- |
| Vendor | Enter fortinet. |
| Product | Enter fortimail. |