Mail Filtering Logs

Mail filtering logs provide visibility into the protocol types that users use to send and receive emails, the size of a single attachment in an email, the number of attachments in an email, and the reasons why emails are blocked. Mail filtering logs help you locate faults in email services.

Context

The FW deployed between an intranet and the Internet generates mail filtering logs when any of the following conditions is met:

  • The email address of an email sender or receiver matches the email address group referenced by a mail filtering profile.
  • Anonymous mails are sent or received.
  • The mail subject, body, or attachment name matches the keyword pattern group referenced by a data filtering profile.
  • The number of attachments contained in an email exceeds the upper threshold defined in a mail filtering profile.
  • The size of a single attachment contained in an email exceeds the upper threshold defined in a mail filtering profile.
  • The source IP address of an email matches the local RBL blacklist and whitelist or remote RBL whitelist.

Before viewing mail filtering logs, ensure that you have configured the mail filtering function on the FW.

Before querying mail filtering logs on the USG6510E/6510E-POE/6530E, ensure that you have run the log type mail-filter enable command on the FW to enable the recording of mail filtering logs.

Procedure

  1. Choose Monitor > Logs > Mail Filtering Logs to view mail filtering logs.
  2. Choose Customize and select/deselect conditions for the display of mail filtering logs.
  3. Optional: Click to export mail filtering logs in CSV format to the management PC.
  4. Click Add Filter and select search conditions to filter logs.

    If the device has no disk, click Advanced Search to filter logs.

  5. Optional: You can click to save the current log query conditions as a log query template for future use.

    The next time you want to use these query conditions, you only need to click to select the template name and click OK. Then the system queries logs based on the template conditions. The device administrator can click Template Distribution to view the number of templates created by each user. In addition, you can click to delete a log query template.

    Only the user that creates a log query template can view or use this template.

    Each log page supports a maximum of 10 log query templates, and a device supports a maximum of 1000 log query templates.

Log Sample

The following figure shows the mail filtering logs generated within a specific time range:



The following table lists the fields in a mail filtering log.

| Field | Description |
| --- | --- |
| View | Click . In View Mail Filtering Log Details, the details of each field in a mail filtering log are displayed. In View Mail Filtering Log Details, click the Source Region/Source Address/NAT Source Address/Source User/Destination Region/Destination Address/NAT Destination Address/Security Policy/Profile/Email Address Group field value. You can view and operate existing field settings. |
| Time | Time when a mail filtering log is generated |
| Type | Mail filtering log types: Blacklist, Mail Filtering |
| Filtering Type | Mail filtering types: Remote Blacklist, Local Blacklist, Local Whitelist, Email Address, Attachment Count, Attachment Size, Anonymous Mail |
| Source Zone | Source security zone of traffic |
| Destination Zone | Destination security zone of traffic |
| Source Region | Source region of the traffic |
| Destination Region | Destination region of the traffic |
| Source Address | Source IP address of traffic |
| Destination Address | Destination IP address of traffic |
| Source User | User who generates traffic |
| Source Port | Source port of traffic |
| Destination Port | Destination port of traffic |
| Protocol | Protocol type of traffic |
| Security Policy | Security policy that traffic matches |
| Profile | Mail filtering profile that traffic matches |
| Attachment Size | Size of a single attachment contained in a mail |
| Attachment Count | Number of attachments contained in a mail |
| Mail Protocol | Mail protocol types: SMTP, POP3, IMAP |
| Email Address Group | Email address group for sending and receiving emails |
| Virtual System | Virtual system that generates the traffic |

During the analysis of mail filtering logs, you can click Advanced Search and select remote blacklist, local blacklist, local whitelist, mail address, number of attachments, attachment size, and anonymous mails in Filtering Type to display logs of different mail filtering types. These logs help administrators learn the user/source IP address/destination IP address of blocked mails and the reason why legitimate mails are blocked. You can take the following measures accordingly if necessary.

Detailed operations are as follows:

Table 1 Settings of the fields in a mail filtering log

Field

Setting

Source Address/Destination Address

Click the Source Address/Destination Address field value of a specific mail filtering log. Add Blacklist Entry is displayed. The parameters in Add Blacklist Entry are as follows:

  • Type: The source/destination address is automatically blacklisted.
  • Source IP/Destination IP: The source/destination IP address is automatically blacklisted.
  • Protocol: The protocol type is automatically blacklisted.
  • Source Port/Destination Port: The source/destination port is automatically blacklisted.
  • Timeout: You can use either of the following methods to set a timeout period for a blacklist entry:

    • Select Unlimited to permanently blacklist the source/destination address.
    • Enter a timeout period.

Source Region/Destination Region

Click the Source Region/Destination Region field of a mail filtering log, access Edit Region, and change the region configuration as required.

Source User

Click the Source User field value of a specific mail filtering log. Modify User is displayed. You can modify user configurations.

Security Policy

Click the Security Policy field value of a specific mail filtering log. Modify Security Policy is displayed. You can change the settings of the source address, destination address, user, application, time range, action, and mail filtering profile.

Email Address Group

Click the Email Address Group field value of a specific mail filtering log. Modify Email Address Group is displayed.

Profile

Click the Profile field value of a specific mail filtering log. Modify Mail Content Filtering Profile is displayed. You can reconfigure the mail filtering profile. Take the following actions if you find that emails are incorrectly blocked:

  • If the size of a single attachment or the number of attachments contained in an email is greater than the upper threshold defined in the mail filtering profile, change the upper threshold in the mail filtering profile or change the action to alarm.
  • If a valid mail is blocked because the action is set to block for the address of the mail sender or receiver, change the action to permit.
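
The Filtering Type analysis described above can also be run offline against a CSV export (step 3 of the procedure). The following is an added example, not Huawei code: the CSV column headers are assumed to match the field names in the log field table on this page, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Filtering Type values listed in the field table on this page.
FILTERING_TYPES = {
    "Remote Blacklist", "Local Blacklist", "Local Whitelist", "Email Address",
    "Attachment Count", "Attachment Size", "Anonymous Mail",
}
# Types governed by profile thresholds (review the profile, not the sender).
THRESHOLD_TYPES = {"Attachment Count", "Attachment Size"}

# Constructed sample export. ASSUMPTION: CSV column headers equal the field
# names in the table on this page; verify against a real export first.
SAMPLE_CSV = """\
Time,Type,Filtering Type,Source Address,Destination Address,Source User,Mail Protocol,Profile
2024-05-01 09:00:01,Mail Filtering,Attachment Size,10.1.1.10,203.0.113.5,alice,SMTP,mail_default
2024-05-01 09:02:10,Mail Filtering,Attachment Count,10.1.1.10,203.0.113.5,alice,SMTP,mail_default
2024-05-01 09:05:44,Blacklist,Remote Blacklist,198.51.100.7,10.1.1.25,,SMTP,mail_default
2024-05-01 09:06:02,Blacklist,Remote Blacklist,198.51.100.7,10.1.1.25,,SMTP,mail_default
2024-05-01 09:10:00,Mail Filtering,Anonymous Mail,10.1.1.33,203.0.113.9,bob,SMTP,mail_default
"""


def load_rows(csv_text):
    """Parse the export; fail loudly if a Filtering Type is not a documented value."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    unknown = {r["Filtering Type"] for r in rows} - FILTERING_TYPES
    if unknown:
        raise ValueError(f"undocumented Filtering Type values: {sorted(unknown)}")
    return rows


def count_by_type(rows):
    return Counter(r["Filtering Type"] for r in rows)


def repeat_sources(rows, types, min_hits=2):
    """Map (source address, user, profile) to hit count for the given types."""
    hits = Counter(
        (r["Source Address"], r["Source User"] or "-", r["Profile"])
        for r in rows if r["Filtering Type"] in types
    )
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(count_by_type(rows), repeat_sources(rows, THRESHOLD_TYPES))
```

Sources that repeatedly hit the threshold types are candidates for the profile review described in Table 1, while repeated blacklist hits from one source address point to the Add Blacklist Entry workflow.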
Copyright © Huawei Technologies Co., Ltd.