
Administration Guide

Mail Server

The Mail Server page allows you to configure email alerts and create custom delivery rules, ensuring timely and precise notifications of security incidents. This flexibility enhances your security monitoring by allowing you to tailor alerts based on specific criteria.

Incident alerts

Enable and configure email alerts for immediate notification of security events.

To send incident alerts:
  1. Go to System > Mail Server. The Mail Server page opens.
  2. Click Mail server configuration. The Configure Mail Server Settings page opens.
  3. Configure the mail server settings.

    Send Incidents Alerts

    Enable to send incident alerts.

    SMTP Server Address

    SMTP server address.

    Port

    SMTP server port number.

    From

    The mail server email account. This is the "from" address.

    Login User

    The mail server login account.

    Login Password

    Enter and confirm the password.

  4. (Optional) Click Send Test Email to send a test email to one or more email addresses. If an error occurs, the error message appears at the top of the page and is recorded in the System Logs.
  5. Click Save.
  6. Click Back to return to the Mail Server page.

Alert delivery rules

Set detailed criteria for alerts, including severity, type, and attacker information, to ensure relevant alerts are sent to the right recipients.

To create an alert delivery rule:
  1. Go to System > Mail Server. The Mail Server page opens.
  2. Click Create alert delivery rule. The Create Alert Rule pane opens.
  3. Configure the rule settings.

    Enable

    When enabled, FortiDeceptor sends email alerts to the Receiver Email List based on the specified rule.

    Name

    Enter a name for the rule.

    Incident URL

    When enabled, the device hostname is used instead of the management IP.

    Note

    For the Incident URL link to work, your DNS server must be able to resolve the device hostname.

    Alert Severity

    Select Low, Medium, High, or Critical.

    Alert Type

    Select Connection, Reconnaissance, Interaction, and Infection.

    Binary Infection

    This option is available when the Alert Type is Interaction or Infection.

    Select Yes to be alerted when an attacker drops or downloads suspicious files into decoys.

    Incident Alert Section

    Select All, Interaction Events Only, IPS events only, or Web filter events only.

    Attacker IP/Subnet

    Enter one or more values for the attacker IP address or attacker IP network.

    Attacker User

    Enter one or more attacker usernames. The rule is triggered only if the username entered by the attacker matches the value for Attacker User exactly, including case sensitivity.

    Attacker Password

    Enter one or more attacker passwords. The rule is triggered only if the password entered by the attacker matches the value for Attacker Password exactly, including case sensitivity.

    Operation Content

    Enter one or more keywords that will trigger the rule. Operation Content supports both exact and partial matches. For example, if the keyword is "Monkey" and the attacker enters "Key," the rule is triggered. However, it will not trigger if the attacker only enters "ey." Operation Content is not case sensitive.

    Victim Decoy Name

    Select one or more deployed decoys from the Select Entries pane that slides open.

    Victim Decoy Port

    Enter one or more decoy service port numbers.

    Recipients

    Enter one or more receiver email addresses.

    Display Original Recipient

    Enable to view the original recipient of the alert email message.

    Tooltip

    Condition operators:

    • And: All the values must be met to trigger the rule. For example, the rule is not triggered if the value for Attacker IP/Subnet is met, but the value for Attacker User is not.
    • Or: Only one of the values must be met to trigger the rule. For example, if the values for Attacker User are Admin and Administrator, the rule is triggered if only Admin is entered.
  4. Click Save.
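The matching rules above (exact, case-sensitive Attacker User and Attacker Password; case-insensitive partial Operation Content; Attacker IP/Subnet; And/Or condition operators) can be hard to reason about from the field descriptions alone. The following is an added example, not FortiDeceptor code: a small rule evaluator that routes a constructed incident to the recipients of every rule it satisfies. It assumes that only criteria the administrator filled in are evaluated, and that "partial match" for Operation Content means either string contains the other with a three-character floor on the attacker input, which reproduces the guide's "Monkey"/"Key"/"ey" example; both are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Incident:
    severity: str            # Low / Medium / High / Critical
    alert_type: str          # Connection / Reconnaissance / Interaction / Infection
    attacker_ip: str
    attacker_user: str = ""
    attacker_password: str = ""
    operation_content: str = ""

@dataclass
class AlertRule:
    name: str
    recipients: list
    operator: str = "And"                                   # Tooltip: And / Or
    severities: set = field(default_factory=set)
    alert_types: set = field(default_factory=set)
    attacker_subnets: list = field(default_factory=list)    # e.g. "10.0.0.0/8"
    attacker_users: set = field(default_factory=set)        # exact, case-sensitive
    attacker_passwords: set = field(default_factory=set)    # exact, case-sensitive
    operation_keywords: list = field(default_factory=list)  # partial, case-insensitive

def ip_in_subnets(ip, subnets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in subnets)

def keyword_match(keyword, content):
    # Assumption: partial match in either direction, with a 3-char floor on the
    # attacker input so keyword "Monkey" triggers on "Key" but not on "ey".
    k, c = keyword.lower(), content.lower()
    return k in c or (len(c) >= 3 and c in k)

def rule_matches(rule, inc):
    # Assumption: only configured criteria count; combine them with And/Or.
    criteria = [
        (rule.severities, lambda: inc.severity in rule.severities),
        (rule.alert_types, lambda: inc.alert_type in rule.alert_types),
        (rule.attacker_subnets, lambda: ip_in_subnets(inc.attacker_ip, rule.attacker_subnets)),
        (rule.attacker_users, lambda: inc.attacker_user in rule.attacker_users),
        (rule.attacker_passwords, lambda: inc.attacker_password in rule.attacker_passwords),
        (rule.operation_keywords,
         lambda: any(keyword_match(k, inc.operation_content) for k in rule.operation_keywords)),
    ]
    checks = [test() for configured, test in criteria if configured]
    return bool(checks) and (all(checks) if rule.operator == "And" else any(checks))

def route(rules, inc):
    # Recipients of every rule this incident satisfies (constructed rules/incidents in the test).
    return {r for rule in rules if rule_matches(rule, inc) for r in rule.recipients}
```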
