mms-profile
Use this command to configure MMS profiles. This command applies to FortiOS Carrier only.
Syntax
config firewall mms-profile
  edit <profile_str>
    set avnotificationtable <index_int>
    set bwordtable <index_int>
    set carrier-endpoint-prefix {enable | disable}
    set carrier-endpoint-prefix-range-min <limit_int>
    set carrier-endpoint-prefix-range-max <limit_int>
    set carrier-endpoint-prefix-string <prefix_str>
    set carrierendpointbwltable <index_int>
    set comment <str>
    set exmwordtable <index_int>
    set filepattable <index_int>
    set mm1 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort}
    set mm1-addr-hdr <identifier_str>
    set mm1-addr-source {cookie | http-header}
    set mm1-convert-hex {enable | disable}
    set mm1-retr-dupe {enable | disable}
    set mm1-retrieve-scan {enable | disable}
    set mm1comfortamount <size_int>
    set mm1comfortinterval <seconds_int>
    set mm3 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
    set mm4 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
    set mm7 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort}
    set mm1oversizelimit <limit_int>
    set mm3oversizelimit <limit_int>
    set mm4oversizelimit <limit_int>
    set mm7-addr-hdr <identifier_str>
    set mm7-addr-source {cookie | http-header}
    set mm7-convert-hex {enable | disable}
    set mm7comfortamount <size_int>
    set mm7comfortinterval <seconds_int>
    set mm7oversizelimit <limit_int>
    set mms-checksum-table <tableID_int>
    set mmsbwordthreshold <score_int>
    config dupe {mm1 | mm4}
      set action1 {alert-notif archive archive-first block intercept log}
      set block-time1 <minutes_int>
      set limit1 <duplicatetrigger_int>
      get protocol1
      set status1 {enable | disable}
      set status2 {enable | disable}
      set window1 <minutes_int>
    end
    config flood {mm1 | mm4}
      set action1 {alert-notif archive archive-first block intercept log}
      set block-time1 <minutes_int>
      set limit1 <floodtrigger_int>
      set status1 {enable | disable}
      set status2 {enable | disable}
      set window1 <minutes_int>
    end
    config log
      set log-antispam-mass-mms {enable | disable}
      set log-av-block {enable | disable}
      set log-av-carrier-endpoint-filter {enable | disable}
      set log-av-oversize {enable | disable}
      set log-av-virus {enable | disable}
      set log-intercept {enable | disable}
      set log-mms-notification {enable | disable}
      set log-web-content {enable | disable}
    end
    config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}
      set alert-int <int>
      set alert-int-mode {minutes | hours}
      set alert-src-msisdn <str>
      set alert-status {enable | disable}
      set bword-int <noticeinterval_int>
      set bword-int-mode {minutes | hours}
      set bword-status {enable | disable}
      set carrier-endpoint-bwl-int <interval_int>
      set carrier-endpoint-bwl-int-mode {hours | minutes}
      set carrier-endpoint-bwl-status {enable | disable}
      set days-allowed {monday tuesday wednesday thursday friday saturday sunday}
      set detect-server {enable | disable}
      set dupe-int <interval_int>
      set dupe-int-mode {hours | minutes}
      set dupe-status {enable | disable}
      set file-block-int <interval_int>
      set file-block-int-mode {hours | minutes}
      set file-block-status {enable | disable}
      set flood-int <interval_int>
      set flood-int-mode {hours | minutes}
      set flood-status {enable | disable}
      set from-in-header {enable | disable}
      set mmsc-hostname {<fqdn_str> | <ipv4>}
      set mmsc-password <passwd_str>
      set mmsc-port <port_int>
      set mmsc-url <url_str>
      set mmsc-username <user_str>
      set msg-protocol {mm1 | mm3 | mm4 | mm7}
      set msg-type {deliver-req | send-req}
      get protocol
      set rate-limit <limit_int>
      set tod-window-start <window_time>
      set tod-window-duration <window_time>
      set user-domain <fqdn_str>
      set vas-id <vas_str>
      set vasp-id <vasp_str>
      set virus-int <interval_int>
      set virus-int-mode {hours | minutes}
      set virus-status {enable | disable}
    end
    config notif-msisdn
      edit <msisdn_int>
        set threshold {dupe-thresh-1 dupe-thresh-2 dupe-thresh-3 flood-thresh-1 flood-thresh-2 flood-thresh-3}
    end
end
 
Variable
Description
Default
<profile_str>
Enter the name of this MMS profile.
No default.
avnotificationtable <index_int>
Enter the ID number of the antivirus notification list to be used for the MMS profile. Antivirus notification tables contain virus names that, when detected, cause the FortiGate unit to send a notification message to the administrator. For more information on antivirus notification tables, see “notification”.
No default.
bwordtable <index_int>
Enter the ID number of the web content block filter to be used for MMS traffic.
The web content block tables can be configured using the config webfilter bword command.
No default.
carrierendpointbwltable <index_int>
Enter the ID number of the endpoint, such as MSISDN, filtering table to use for MMS traffic with the MMS profile.
No default.
carrier-endpoint-prefix {enable | disable}
Select to add the country code to the extracted carrier endpoint, such as MSISDN, for logging and notification purposes. You can limit the number length for the test numbers used for internal monitoring without a country code.
disable
carrier-endpoint-prefix-range-min <limit_int>
Enter the minimum carrier endpoint prefix length. If this and carrier-endpoint-prefix-range-max are set to zero (0), length is not limited.
This option appears only if carrier-endpoint-prefix is set to enable.
0
carrier-endpoint-prefix-range-max <limit_int>
Enter the maximum carrier endpoint prefix length. If this and carrier-endpoint-prefix-range-min are set to zero (0), length is not limited.
This option appears only if carrier-endpoint-prefix is set to enable.
0
carrier-endpoint-prefix-string <prefix_str>
Enter the endpoint, such as MSISDN, prefix.
This option appears only if carrier-endpoint-prefix is set to enable.
No default.
comment <str>
Enter an optional comment to give additional detail about the MMS profile.
 
exmwordtable <index_int>
Enter the ID number of the webfilter exempt word list to be used with the MMS profile.
The web content exempt tables can be configured using the config webfilter exmword command.
No default.
filepattable <index_int>
Enter the ID number of the file pattern list to be used with the MMS profile.
0
mm1 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort}
Select actions, if any, the FortiGate unit will take on MMS messages of the specified protocol.
archive-full — Content archive both metadata and the MMS message itself.
archive-summary — Content archive metadata.
avmonitor — Log detected viruses, but allow them through the firewall without modification.
avquery — Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
bannedword — Block messages containing content in the banned word list.
block — Block messages matching the file patterns selected by mms-file-pat-table, even if the files do not contain viruses.
carrier-endpoint-bwl — Enable the black/white list specified with the carrierendpointbwltable command.
chunkedbypass — Allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Use of this feature is a risk: malicious content could enter the network if web content is allowed to bypass the firewall. This option is available only for the mm1 and mm7 commands.
clientcomfort — Apply client comforting to prevent client timeout. This option is available only for mm1 and mm7.
exemptword — Exempt words from content blocking. This option is available only for the mm1 and mm7 commands.
fragmail — Pass fragmented email messages. Fragmented email messages cannot be scanned for viruses. This option is available only for the mm3 and mm4 commands.
no-content-summary — Omit MMS filtering statistics from the dashboard.
oversize — Block files that are over the file size limit.
remove-blocked — Remove blocked items from messages.
scan — Scan files for viruses and worms.
server-comfort — Apply server comforting and prevent server timeout. This option is available only for mm1 and mm7.
No default.
mm3 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
no-content-summary splice
mm4 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
splice
mm7 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort}
No default.
 
splice — Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the recipient, listing the virus name and infected file name. This option is available only for mm3 and mm4.
 
mm1-addr-hdr <identifier_str>
Enter the sender address (MSISDN) identifier.
If mm1-addr-source is http-header, the address and its identifier appear in the HTTP request header in the format:
<Sender Address Identifier>: <MSISDN Value>
For example, the HTTP header might contain:
x-up-calling-line-id: 6044301297
where x-up-calling-line-id would be the Sender Address Identifier.
If mm1-addr-source is cookie, the address and its identifier appear in the HTTP request header’s Cookie field as attribute-value pairs in the format:
Cookie: id=<cookie-id>;<Sender Address Identifier>=<MSISDN Value>
For example, the HTTP request headers might contain:
Cookie: id=0123jf!a;x-up-calling-line-id=6044301297
where x-up-calling-line-id would be the sender address identifier.
x-up-calling-line-id
mm1-addr-source {cookie | http-header}
Select to extract the sender’s address from the HTTP header field or a cookie.
http-header
mm1-convert-hex {enable | disable}
Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
disable
mm1-retr-dupe {enable | disable}
Select to scan MM1 mm1-retr messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
This option is available only if status is enable for the config dupe mm1 command.
disable
mm1-retrieve-scan {enable | disable}
Select to scan message retrieval by MM1. If you select scan for all MMS interfaces, messages are scanned while being sent, and so scanning message retrieval by MM1 is redundant. In this case, you can disable MM1 message retrieval scanning to improve performance.
enable
mm1comfortamount <size_int>
Enter the number of bytes client comforting sends each interval to show a download is progressing.
The interval time is set using mm1comfortinterval.
1
mm1comfortinterval <seconds_int>
Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends.
The amount of data sent each interval is set using mm1comfortamount.
10
mm1oversizelimit <limit_int>
Block files in MM1 streams that are over this file size limit in KB.
10240
mm3oversizelimit <limit_int>
Block files in MM3 streams that are over this file size limit in KB.
10240
mm4oversizelimit <limit_int>
Block files in MM4 streams that are over this file size limit in KB.
10240
mm7-addr-hdr <identifier_str>
Enter the sender address (MSISDN) identifier.
If mm7-addr-source is http-header, the address and its identifier appear in the HTTP request header in the format:
<Sender Address Identifier>: <MSISDN Value>
For example, the HTTP header might contain:
x-up-calling-line-id: 6044301297
where x-up-calling-line-id would be the Sender Address Identifier.
If mm7-addr-source is cookie, the address and its identifier appear in the HTTP request header’s Cookie field as attribute-value pairs in the format:
Cookie: id=<cookie-id>;<Sender Address Identifier>=<MSISDN Value>
For example, the HTTP request headers might contain:
Cookie: id=0123jf!a;x-up-calling-line-id=6044301297
where x-up-calling-line-id would be the sender address identifier.
x-up-calling-line-id
mm7-addr-source {cookie | http-header}
Select to extract the sender’s address from the HTTP header field or a cookie.
http-header
mm7-convert-hex {enable | disable}
Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
disable
mm7oversizelimit <limit_int>
Block files in MM7 streams that are over this file size limit in KB.
10240
mm7comfortamount <size_int>
Enter the number of bytes client comforting sends each interval to show a download is progressing.
The interval time is set using mm7comfortinterval.
1
mm7comfortinterval <seconds_int>
Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends.
The amount of data sent each interval is set using mm7comfortamount.
10
mms-checksum-table <tableID_int>
Enter the MMS content checksum table ID.
 
mmsbwordthreshold <score_int>
Enter the maximum score an MMS message can have before being blocked. If the combined scores of the content block patterns appearing in an MMS message exceed the threshold value, the message will be blocked.
10
remove-blocked-const-length {enable | disable}
Select to preserve the length of the MMS message when removing blocked content, such as viruses.
disable
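
The two sender address formats described under mm1-addr-hdr and mm7-addr-hdr, as an added Python example (not FortiOS code and not part of the original reference): it reads the identifier's value from either a header field or a Cookie attribute and rejects missing, conflicting or non-numeric values. The function names, the digits-only validity rule and the sample requests are assumptions made for illustration.

```python
import re

# Assumption: a valid sender address is 1-15 digits with an optional leading "+".
MSISDN_RE = re.compile(r"\+?\d{1,15}")

def find_sender_values(raw_headers, identifier="x-up-calling-line-id",
                       source="http-header"):
    """Collect every value carried under the sender address identifier."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or not name or " " in name:
            continue  # request line, blank line, or not a header field
        if source == "http-header":
            # HTTP header field names are case-insensitive.
            if name.lower() == identifier.lower():
                values.append(value.strip())
        elif source == "cookie" and name.lower() == "cookie":
            # Cookie: id=<cookie-id>;<identifier>=<MSISDN value>
            for pair in value.split(";"):
                attr, eq, val = pair.partition("=")
                if eq and attr.strip() == identifier:
                    values.append(val.strip())
    return values

def extract_sender(raw_headers, identifier="x-up-calling-line-id",
                   source="http-header"):
    """Return (msisdn, status); status is ok, missing, conflict or malformed."""
    values = find_sender_values(raw_headers, identifier, source)
    if not values:
        return None, "missing"
    if len(set(values)) > 1:
        return None, "conflict"  # two different addresses in one request
    if not MSISDN_RE.fullmatch(values[0]):
        return None, "malformed"
    return values[0], "ok"

# Constructed sample requests, reusing the values from the examples above.
HEADER_REQ = ("POST /mms HTTP/1.1\r\n"
              "Host: mmsc.example.net\r\n"
              "x-up-calling-line-id: 6044301297\r\n\r\n")
COOKIE_REQ = ("POST /mms HTTP/1.1\r\n"
              "Host: mmsc.example.net\r\n"
              "Cookie: id=0123jf!a;x-up-calling-line-id=6044301297\r\n\r\n")

if __name__ == "__main__":
    print(extract_sender(HEADER_REQ))
    print(extract_sender(COOKIE_REQ, source="cookie"))
```

A request parsed with the wrong source setting returns "missing", which is the mismatch to look for when logs show no sender address for traffic that should carry one.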