Maintenance
DO NOT REPRINT
© FORTINET
FortiMail provides read-only support for SNMP v1, v2c, and v3 polling and traps. Integration with third-party
SNMP management platforms is provided by the FortiMail vendor MIB, which you can download from the
Fortinet support website. For more information, see the FortiMail Administration Guide, because the specific
FortiMail MIB attributes can change by release.
You can enable SNMPv2 on FortiMail to generate SNMP traps when certain system events or thresholds
have been reached.
FortiMail 7.2 Study Guide 481
For each SNMPv3 user, define the security level and enable the desired traps. If you enable authentication,
privacy, or both, the password values must match those set in the SNMP management platform.
Congratulations! You have completed this lesson.
Now, you will review the objectives that you covered in this lesson.
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you have learned how to maintain your FortiMail device.
Troubleshooting
In this lesson, you will learn some useful tips for troubleshooting FortiMail.
In this lesson, you will learn about the topics shown on this slide.
After completing this section, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in using troubleshooting tools, you will be able to use those tools to investigate
issues on FortiMail.
FortiMail includes basic IP connectivity testing tools that can help you diagnose network connectivity issues
from the point of view of FortiMail. These include ping, traceroute, SSH, and telnet.
When you troubleshoot network issues, displaying the address resolution protocol (ARP) table can help
identify any Layer 2 problems. You can use the CLI commands shown on this slide to display and manipulate
the ARP table in order to address Layer 2 problems.
You can use the nslookup tool to verify and resolve domain name system (DNS) connectivity issues on
FortiMail. When you enter the command, you can specify a fully qualified domain name (FQDN) or IP address
for the lookup, as well as the record type, class, server, or even a specific port. A common use is to check
which MX record FortiMail will select when it delivers mail with its own MTA.
You can use the smtptest command to create an interactive SMTP connection to remote mail transfer
agents (MTAs). This tool is useful for troubleshooting connectivity issues with other MTAs.
This command initiates an interactive SMTP session with the specified IP address or FQDN. If the connection
is established successfully, you can issue the full range of SMTP commands, such as EHLO, MAIL FROM,
RCPT TO, DATA, and so on.
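The dialogue that smtptest drives is shown below as an added example. It is not FortiMail code and not the smtptest command itself: a small Python client performs the same EHLO / MAIL FROM / RCPT TO / QUIT exchange and parses the replies the way an MTA sends them (including multi-line 250- responses). So that it runs offline, a mock MTA is constructed in the same script; the host names under example.test and the replies it returns are assumptions, and in real use the client would be pointed at the remote MTA instead.

```python
"""smtptest-style interactive SMTP probe against a constructed mock MTA.

Added example, not FortiMail code. The mock server exists only so the
exchange runs offline; all names and replies below are constructed.
"""
import socket
import threading

# Constructed mock MTA replies, keyed by SMTP command verb (assumption: a
# typical ESMTP server that advertises STARTTLS and SIZE in its EHLO reply).
MOCK_REPLIES = {
    "EHLO": "250-mail.example.test\r\n250-STARTTLS\r\n250 SIZE 10485760\r\n",
    "MAIL": "250 2.1.0 Sender OK\r\n",
    "RCPT": "250 2.1.5 Recipient OK\r\n",
    "QUIT": "221 2.0.0 Bye\r\n",
}


def mock_mta(listener: socket.socket) -> None:
    """Serve one client: send the 220 banner, then answer each command verb."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:            # client went away without QUIT
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb = line.decode("ascii", "replace").split(" ", 1)[0].upper()
                reply = MOCK_REPLIES.get(verb, "500 5.5.1 Command unrecognized\r\n")
                conn.sendall(reply.encode("ascii"))
                if verb == "QUIT":
                    return


def read_reply(sock_file):
    """Read one complete SMTP reply (RFC 5321): a '-' after the 3-digit code
    means more lines follow; a space means this is the last line."""
    lines = []
    while True:
        raw = sock_file.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_probe(host, port, helo_name="probe.example.test",
               sender="probe@example.test", rcpt="postmaster@example.test"):
    """Run the interactive dialogue and return a transcript of
    (command, reply_code, reply_lines); stop at the first 4xx/5xx reply."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as sock:
        f = sock.makefile("rb")
        code, lines = read_reply(f)               # server banner
        transcript.append(("<banner>", code, lines))
        for cmd in (f"EHLO {helo_name}", f"MAIL FROM:<{sender}>",
                    f"RCPT TO:<{rcpt}>", "QUIT"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            code, lines = read_reply(f)
            transcript.append((cmd, code, lines))
            if code >= 400:
                break
    return transcript


def supports_starttls(transcript):
    """True when the EHLO reply advertised STARTTLS (what to look for when
    a log shows no TLS on a leg of the delivery path)."""
    for cmd, code, lines in transcript:
        if cmd.startswith("EHLO") and code == 250:
            return "STARTTLS" in lines
    return False


def run_demo():
    """Start the mock MTA on a loopback port, probe it, return the transcript."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=mock_mta, args=(listener,), daemon=True)
    server.start()
    try:
        return smtp_probe("127.0.0.1", port)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for cmd, code, lines in run_demo():
        print(f"> {cmd}")
        for text in lines:
            print(f"< {code} {text}")
```

The transcript format mirrors what you read off the smtptest session: each command followed by the code and text the peer returned, with the EHLO capability list preserved so you can confirm whether the remote MTA offers STARTTLS before looking further into a TLS problem.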
FortiMail has a built-in GUI-based packet capture tool. You can set a duration after which the capture stops
without manual intervention. This ensures that captures don't fill up the log disk partition.
You can define up to three different host or subnet addresses to capture. You can capture all traffic on an
interface, or filter by port. You can also exclude certain host addresses, subnet addresses, or ports from the
capture, to make sure unnecessary traffic is excluded from the final capture file and make it easier to analyze.
Once the capture has run for its defined duration, it is ready for download. FortiMail generates the capture file
in the standard libpcap format, which you can open in Wireshark or other traffic analyzers.
There is a similar CLI traffic capture tool, identical to the one on FortiGate. You can limit the CLI capture to
network traffic on a particular interface and filter it with Berkeley Packet Filter (BPF) formatted filter
expressions.
The output of this command is displayed on the CLI terminal session for real-time analysis. To capture the
output to a file, use a terminal program such as PuTTY that allows session logging.
For further protocol analysis in Wireshark, you can convert the captured text output to PCAP format using
Wireshark's text2pcap tool.
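To make the text-to-PCAP step concrete, here is an added example that is neither FortiMail nor Wireshark code: a minimal Python stand-in for text2pcap that parses a captured CLI sniffer session log and writes a libpcap file. The dump it parses is constructed; the header-line layout (timestamp, interface, direction, summary) and the two-space separation between offset, hex words and ASCII column are assumptions about the CLI output format, so adjust the two regular expressions if your session log differs.

```python
"""Convert a text packet dump to libpcap format (a minimal text2pcap stand-in).

Added example, not FortiMail or Wireshark code. SAMPLE_DUMP is constructed
in the style of a CLI sniffer session log; its exact layout is an assumption.
"""
import re
import struct
from datetime import datetime, timezone

# Constructed: one Ethernet/IPv4/TCP SYN frame to port 25, as a CLI dump.
SAMPLE_DUMP = """\
2024-05-06 10:15:32.123456 port1 in 192.168.0.1.34564 -> 192.168.0.2.25: syn 1
0x0000  0050 56a3 1234 0050 56a3 5678 0800 4500  .PV..4.PV.Vx..E.
0x0010  0028 1c46 4000 4006 b1e6 c0a8 0001 c0a8  .(.F@.@.........
0x0020  0002 8704 0019 0000 0001 0000 0000 5002  ..............P.
0x0030  7210 0000 0000                           r.....
"""

# A packet header line starts with a timestamp (fractional seconds optional).
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?")
# A hex line: offset, two or more spaces, 16-bit hex words; the ASCII column
# that follows is separated by two spaces, so it never matches as a word.
HEX_LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s{2,}((?:[0-9a-fA-F]{4}\s?)+)")

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1


def parse_text_dump(text):
    """Return a list of (ts_sec, ts_usec, frame_bytes).

    Any non-hex line begins a new frame; its timestamp comes from the line
    when present, otherwise 0 (as text2pcap also does without -t)."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE_RE.match(line)
        if m:
            if not frames:                       # hex before any header line
                frames.append((0, 0, bytearray()))
            frames[-1][2].extend(bytes.fromhex(m.group(1).replace(" ", "")))
            continue
        h = HEADER_RE.match(line)
        if h:
            dt = datetime.strptime(h.group(1), "%Y-%m-%d %H:%M:%S")
            sec = int(dt.replace(tzinfo=timezone.utc).timestamp())
            usec = int((h.group(2) or "0").ljust(6, "0"))
        else:
            sec, usec = 0, 0
        frames.append((sec, usec, bytearray()))
    return [(s, u, bytes(b)) for s, u, b in frames]


def to_pcap_bytes(frames, snaplen=65535):
    """Serialize frames as a libpcap file: global header, then per-record
    header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, data in frames:
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def write_pcap(frames, path):
    blob = to_pcap_bytes(frames)
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


def summarize(frame):
    """Decode just enough of an Ethernet/IPv4/TCP frame to sanity-check the
    conversion: (src_ip, dst_ip, src_port, dst_port), or None if not TCP/IPv4."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    return (src, dst,
            int.from_bytes(frame[tcp:tcp + 2], "big"),
            int.from_bytes(frame[tcp + 2:tcp + 4], "big"))


if __name__ == "__main__":
    parsed = parse_text_dump(SAMPLE_DUMP)
    print(summarize(parsed[0][2]))
    print(write_pcap(parsed, "capture.pcap"), "bytes written to capture.pcap")
```

The summarize() check is worth keeping in your own conversion script: if the decoded ports and addresses do not match the summary line of the dump, the hex columns were parsed wrongly (most often an ASCII column being swallowed as data), and Wireshark will show garbage rather than warn you.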
There are five different log types on FortiMail. Each of the five log types holds the details for different FortiMail
activities.
The history log contains a high-level abstract of each email processed by FortiMail, and its final disposition.
Event log entries provide the details of SMTP connections as well as system events. Antivirus log entries are
generated for any virus detection event. Antispam logs contain entries for each email that the antispam scans
detect as spam, along with which scan type detected it, and the elements in the email that triggered the hit.
And finally, encryption log entries are created when an email message triggers identity-based encryption
(IBE) or Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption.
A single email can potentially generate four to five different log types, depending on which inspection profiles
are triggered. This allows a deep look into each single email event.
Use the built-in search function to find what you are looking for. The search form allows you to search the logs
using different search criteria and time periods. The search functions exist for each of the log types, with
different criteria available for each.
When performing searches, try to narrow down your scope using short time periods; otherwise, the search
can potentially use enough FortiMail resources to affect performance.
History log entries have two attributes: classifier and disposition. These attributes quickly show you what
happened to a particular email message. The disposition attribute shows the action taken by FortiMail, and
the classifier attribute shows the reason the action was taken. Classifier values tend to be the names of
particular FortiMail subsystems, but can also be generic terms such as Not Spam.
For a complete list of classifiers and dispositions, see the FortiMail Administration Guide.
In addition to SMTP sessions, the event log can contain entries related to other FortiMail subsystems, such as
IMAP and POP client connections, HA, internal system activities, configuration changes, problems with
FortiMail processes, and DNS failures.
If you are searching for logs related to a particular system event, it is always a good practice to filter the logs
using the Type drop-down list. Otherwise, the sheer volume of logs in this section makes investigation very
difficult. You can narrow the scope even further by selecting the appropriate severity level using the Level
drop-down list.
Clicking the Session ID link will open the cross-search result showing all relevant log entries—of all log
types—that are associated with the same TCP session. The cross search is time based, and the default
period is 5 minutes. Different time values are accessible through right-click options.
This is an extremely powerful and convenient way to see the sequence of events and FortiMail actions that
took place for a given session. In the cross-search result, the Message column contains the most detailed
information relevant to the email event.
The Message column contains the most detailed information relevant to the email session. Specifically, the
SMTP event logs are divided in a way that can assist in identifying issues in email transmission.
The first pair of event logs always relates to the TLS and email transmission details between the sending
MTA and FortiMail. The second pair of event logs relates to the TLS and email transmission details
between FortiMail and the backend mail server. In this second pair, FortiMail records the acknowledgement
message from the backend mail server in the logs.
The presence, or absence, of certain information in the logs can help you to identify the root cause of any
email transmission issues. For example, the lack of STARTTLS messages might mean that TLS is either not
enabled or not supported by one of the MTAs. Or, if FortiMail recorded a delivery acknowledgement but the
message never reached the end user, then there might be an issue in the path between the mail server and
the end user.
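The classifier and disposition attributes, the time-based cross-search by session ID, and the STARTTLS and acknowledgement checks described above can all be exercised on sample data. The following is an added example, not FortiMail code: a Python script that parses key=value log lines, reproduces the cross-search (all log types sharing a session ID, within a 5-minute window of the first matching entry), and reports what is present or absent on each leg of the delivery path. The log lines are constructed; the field names (type, pri, session_id, classifier, disposition, msg) and the sendmail-style msg contents are assumptions about the log format, so map them to the fields your own exported logs actually use.

```python
"""Cross-search and delivery-path diagnosis over FortiMail-style log lines.

Added example, not FortiMail code. SAMPLE_LOG is constructed; its key=value
layout, field names and msg contents are assumptions about the log format.
"""
import re
from datetime import datetime, timedelta

# Constructed: history and event entries for three sessions. Session A1B2C3
# is a clean TLS-on-both-legs delivery plus one entry well outside the window;
# D4E5F6 arrived without STARTTLS and was deferred by the backend.
SAMPLE_LOG = """\
date=2024-05-06 time=10:15:32 type=event pri=information session_id=A1B2C3 msg="from=<alice@sender.test>, size=2048, relay=mx.sender.test [203.0.113.10], STARTTLS=server, proto=ESMTP"
date=2024-05-06 time=10:15:33 type=history pri=information session_id=A1B2C3 classifier="Not Spam" disposition="Accept" msg="accepted for delivery"
date=2024-05-06 time=10:15:34 type=event pri=information session_id=A1B2C3 msg="to=<bob@example.test>, relay=mail.backend.test [192.0.2.25], STARTTLS=client, dsn=2.0.0, stat=Sent (250 2.0.0 OK: queued as 4F2A1)"
date=2024-05-06 time=10:35:00 type=event pri=notice session_id=A1B2C3 msg="queue cleanup for earlier session"
date=2024-05-06 time=10:16:00 type=event pri=information session_id=D4E5F6 msg="from=<carol@other.test>, size=512, relay=mx.other.test [198.51.100.7], proto=SMTP"
date=2024-05-06 time=10:16:01 type=history pri=information session_id=D4E5F6 classifier="Not Spam" disposition="Accept" msg="accepted for delivery"
date=2024-05-06 time=10:16:02 type=event pri=warning session_id=D4E5F6 msg="to=<dave@example.test>, relay=mail.backend.test [192.0.2.25], dsn=4.4.1, stat=Deferred: Connection refused"
date=2024-05-06 time=10:16:30 type=event pri=error session_id=777777 msg="DNS lookup failure for mx.unrelated.test"
"""

# key=value pairs; a quoted value may contain spaces, '=' and brackets.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    rec = {}
    for key, value in FIELD_RE.findall(line):
        rec[key] = value[1:-1] if value.startswith('"') else value
    rec["_ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def load_log(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def cross_search(records, session_id, window=timedelta(minutes=5)):
    """Every entry of any log type with this session ID that falls within
    `window` of the earliest matching entry (the GUI default is 5 minutes)."""
    same = sorted((r for r in records if r.get("session_id") == session_id),
                  key=lambda r: r["_ts"])
    if not same:
        return []
    start = same[0]["_ts"]
    return [r for r in same if r["_ts"] - start <= window]


def diagnose_session(session_records):
    """Summarize one cross-search result: what the history log decided, and
    whether TLS and a backend acknowledgement appear on each leg."""
    events = [r for r in session_records if r["type"] == "event"]
    inbound = [r for r in events if "from=<" in r.get("msg", "")]     # sender -> FortiMail
    outbound = [r for r in events if "to=<" in r.get("msg", "")]      # FortiMail -> backend
    history = [r for r in session_records if r["type"] == "history"]
    result = {
        "classifier": history[0].get("classifier") if history else None,
        "disposition": history[0].get("disposition") if history else None,
        "starttls_inbound": any("STARTTLS=" in r["msg"] for r in inbound),
        "starttls_outbound": any("STARTTLS=" in r["msg"] for r in outbound),
        "backend_ack": any("stat=Sent" in r["msg"] for r in outbound),
        "findings": [],
    }
    if inbound and not result["starttls_inbound"]:
        result["findings"].append("no STARTTLS on sending-MTA leg: TLS not enabled or not supported")
    if outbound and not result["starttls_outbound"]:
        result["findings"].append("no STARTTLS on backend leg: TLS not enabled or not supported")
    if outbound and not result["backend_ack"]:
        result["findings"].append("backend did not acknowledge delivery: check FortiMail-to-backend path")
    elif result["backend_ack"]:
        result["findings"].append("backend acknowledged delivery: if undelivered, look between mail server and user")
    return result


if __name__ == "__main__":
    records = load_log(SAMPLE_LOG)
    for sid in ("A1B2C3", "D4E5F6"):
        print(sid, diagnose_session(cross_search(records, sid)))
```

Note that the window is anchored on the earliest entry for the session, which is why the 10:35 cleanup entry for A1B2C3 drops out; widen `window` the same way you would pick a longer period from the right-click options in the GUI when a session's delivery attempts span more than a few minutes.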