We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Virus Scanning for Mail Traffic

  • Last updated on

The CloudGen Firewall scans SMTP traffic in two steps:

  1. SSL Interception decrypts SSL-encrypted SMTP connections. For incoming connections, your mail server's SSL certificates are used.
  2. The DNS blacklist database is queried via a DNS lookup using the sender's IP address. If the DNS reputation database is not available, the email is not modified. If the domain or IP address is blacklisted, the email's subject line is modified to start with [SPAM] and the following non-configurable MIME-type headers are set:

    • X-Spam-Prev-Subject: Your email subject without the [SPAM] tag.

    • X-Spam-Flag: YES

    • X-Spam-Status: Yes

    • X-Spam-Level: ***

  3. Email attachments are scanned by the Virus Scanner. If malware is found, the attachment is stripped from the email and replaced by a customizable text informing the user that the malicious attachment has been removed.
Before You Begin

Step 1. Import the Mail Server Certificates

Import the SSL certificates of your internal mail server(s). For more information, see How to Use and Manage Certificates with the Certificate Manager.

Step 2. Enable the Virus Scanner for Mail Traffic

Enable virus scanning and SSL Interception in the firewall.

  1. Go to FIREWALL > Settings.
  2. In the Firewall Policy Settings section, enable TCP Stream Reassembly.
  3. Make sure that Application Control is enabled.
  4. In the Virus Scanner section:
    1. Set Enable Virus Scanner to Yes.
    2. Set Enable for SMTP & SMTPS to Yes.
      virus_protection_smtp_68_00.png 
  5. (optional) Configure advanced Virus Scanner settings:

    Changing settings for the Virus Scanner also affects virus scanning for other services. 

    1. In the Advanced Options section, click Advanced / Show.
    2. (optional) Change the default behavior If Virus Scanning is not available.

      • Block All – (default) All pages will be blocked.

      • Allow All –  All pages will be allowed.

    3. Configure the following settings:
      • Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files. The large file policy is set to a sensible value for your appliance. The maximum value is 1024 MB. If disabled, large files will not be scanned. Instead, they will be delivered directly to the client.
      • Scanned MIME TypesIf applicable, you can add MIME types of files you want the firewall to scan to the Scanned MIME Types list (see: Default MIME Types in Virus Scanner). To add a file type, enter the file path and click +. To remove a file type, click - next to the file entry in the list. Click Reset to Defaults to restore the default list.
    4. At the bottom of the page, click Save.
  6. (Optional) Enable Advanced Threat Protection. For more information, see Advanced Threat Protection (ATP).
  7. In the Mail Security section, enter the public IP address that your mail server domain's MX record resolves to in the Mail Server SSL Certificates section, select the mail server SSL certificate from the Certificate list, and click +.
  8. Enter the FQDN of the DNS Blacklist Server. Default: b.barracudacentral.org
    virus_protection_smtp_68_01.png
  9. Click Save.

Step 3. Create a Dst NAT Access Rule for Incoming SMTP Traffic

Enable Application Control, SSL Interception, and the Virus Scanner in the access rule.

  1. Go to FIREWALL > Access Rules.
  2. Create an access rule with the following settings:
    • Action – Select Dst NAT.
    • Connection – Select Original Source IP.
    • Source – Select Internet, and click +.
    • Network Services – Select SMTP, and click +.
    • Destination – Enter the public IP address that your mail server domain's MX record resolves to, and click +.
    • Redirect – Enter the IP address of your internal mail server. When using more than one mail servers, select Use Network Object as Target and add a network object. For more information, see How to Create Network Objects.
  3. Enable Application Control, SSL Interception, Virus Scanner, and Mail Security.
    virus_protection_smtp_68_02.png
  4. Click Save.

Step 4. (optional) Create an Access Rule for Outgoing SMTP Connections

Create an access rule to scan outgoing SMTP traffic from your internal mail server or mail clients for malware.

  1. Go to FIREWALL > Access Rules.
  2. Create an access rule with the following settings:
    • Action – Select Pass.
    • ConnectionIf used for an internal mail server, create and select a connection object using the public IP address that your mail server's MX record resolves to as the source IP address. If this rule applies to SMTP clients, select Dynamic NAT.
    • Source – Create and select a network object containing your mail server IP addresses, or for SMTP client connections the network containing the SMTP clients, and click +.
    • Network Services Select SMTP for outgoing mail server traffic, or create a service object for TCP port 587 for outgoing mail client traffic, and click +.
    • Destination Select Internet, and click +.
  3. Enable Application Control, SSL Interception, and Virus Scanner.
    virus_protection_smtp_68_03.png
  4. Click Save.

Monitoring and Testing

You can test the Virus Scanner setup by sending EICAR test files from http://www.eicar.com via email to a mail server located behind the firewall.

To monitor detected viruses and malware, go to the BASIC > Recent Threats page.

virus_protection_68_05.png

Next Steps

Last updated on