Content Archive
Log&Report
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
You can configure full content archiving and summary content archiving. Full content
archiving includes all content; for example, full content archiving of email includes
complete email messages and attachments. Summary content archiving includes only the
metadata about the content; for example, email message summary records include only the
email header.
You can content archive Email, Web, FTP, IM, and VoIP content. Email content includes
IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged
as spam by FortiGate spam filtering. Web content includes HTTP sessions. IM content
includes AIM, ICQ, MSN, and Yahoo! sessions. VoIP content includes SIP, SIMPLE and
SCCP sessions. Only summary content archiving is available for SIP and SCCP. Full and
summary content archiving is available for SIMPLE.
If your FortiGate unit supports SSL content scanning and inspection, Web content can also
include HTTPS sessions and Email content can also include IMAPS, POP3S, and SMTPS
sessions. For more information about SSL content scanning and inspection, see
“content scanning and inspection” on page 399.
You use data leak prevention (DLP) sensors to content archive Email, Web, FTP, and IM
content. VoIP content archiving is configured using application control CLI commands.
Content archiving of spam email messages is configured in protection profiles.
Content archiving and data leak prevention
You enable Email, Web, FTP, and IM content archiving in data leak prevention (DLP)
sensors. Then you add the DLP sensors to protection profiles and add the protection
profiles to firewall policies. All sessions accepted by firewall policies that are matched by
rules in DLP sensors are content archived.
DLP includes the Content_Archive and Content_Summary pre-defined DLP sensors. The
Content_Archive sensor includes pre-defined DLP rules that provide full content archiving
for HTTP, Email, FTP, and IM protocols. The Content_Summary sensor also includes pre-
defined DLP rules and provides summary content archiving for HTTP, Email, FTP, and IM
protocols.
If your FortiGate unit supports SSL content scanning and inspection, you can also
configure DLP to content archive HTTPS, IMAPS, POP3S, and SMTPS content. By
default, the SSL protocols are not enabled in the All-Email and All-HTTP pre-defined DLP
rules. To content archive the SSL protocols, you must edit these pre-defined rules and
select the SSL protocols.
In addition to these pre-defined DLP rules and sensors, you can add your own DLP rules
and sensors and use them for full and summary content archiving. See
for more information about configuring DLP sensors.
Configuring spam email message content archiving
DLP sensors configured to content archive email will archive legitimate email and email
identified as spam by FortiGate spam filtering and by FortiGuard Antispam. By default,
however, the protection profile options under Archive SPAMed email to
FortiAnalyzer/FortiGuard are disabled. As a result, by default email identified as spam is
not content archived.
Note:
DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one content archive entry from the same content.
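The rules in this section (DLP rule matching, SSL protocols and spam archiving disabled by default, one archive entry per content) modelled as an archive coverage check. This is an added example, not FortiGate code or CLI syntax; the Rule and Policy classes, their fields and the sample data are hypothetical, and taking the most complete level when several rules match is an assumption.

```python
from dataclasses import dataclass, field

# SSL variants and their base protocols, as listed on the page.
SSL_BASE = {"HTTPS": "HTTP", "IMAPS": "IMAP", "POP3S": "POP3", "SMTPS": "SMTP"}

@dataclass
class Rule:                      # hypothetical model of one DLP rule
    protocols: set               # base protocols matched, e.g. {"HTTP"}
    level: str                   # "full" or "summary"
    ssl_selected: bool = False   # page: SSL protocols are not enabled by default

@dataclass
class Policy:                    # hypothetical: policy -> profile -> sensor, flattened
    name: str
    sensor: list = field(default_factory=list)   # rules of the DLP sensor
    archive_spam: bool = False   # page: spam archiving options are disabled by default
    ssl_inspection: bool = False # unit supports SSL content scanning and inspection

def archive_decision(policy, protocol, is_spam=False):
    """Return (level, reason); level is None when the session is not archived."""
    base = SSL_BASE.get(protocol, protocol)
    is_ssl = protocol in SSL_BASE
    if is_ssl and not policy.ssl_inspection:
        return None, "no SSL content scanning and inspection"
    on_base = [r for r in policy.sensor if base in r.protocols]
    matches = [r for r in on_base if r.ssl_selected or not is_ssl]
    if not matches:
        why = "SSL protocol not selected in rule" if on_base else "no DLP rule matches"
        return None, why
    if is_spam and not policy.archive_spam:
        return None, "spam archiving disabled in protection profile"
    # One archive entry per content even if several rules match (page note).
    # Assumption: the entry takes the most complete matching level.
    level = "full" if any(r.level == "full" for r in matches) else "summary"
    return level, f"{len(matches)} rule(s) matched, one entry"

def coverage_gaps(policy, protocols):
    """List (protocol, reason) pairs for traffic that would not be archived."""
    gaps = []
    for p in protocols:
        level, reason = archive_decision(policy, p)
        if level is None:
            gaps.append((p, reason))
    return gaps

# Constructed sample: full-archive rules with the SSL protocols left unselected.
DEFAULT = Policy("constructed-policy", [Rule({"HTTP"}, "full"),
                 Rule({"IMAP", "POP3", "SMTP"}, "full"), Rule({"SMTP"}, "summary")],
                 ssl_inspection=True)
```

Running coverage_gaps over the protocols a policy is expected to carry shows where the defaults leave archive gaps, such as HTTPS and SMTPS in the sample.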