Connecting the world…


FortiMail – Howto configure DLP

The previous post showed the steps necessary to enable DLP. This post describes the workflow to configure DLP. I needed DLP to relay outbound messages to a specific mail relay based on header information.

At first I create a DLP rule to define the matching conditions. I match specific header information, which is added to a message by the internal MS Exchange server.

DLP Rule

You can match multiple conditions, like subject, recipient, sender, body or attachments and you can also use regular expressions. This makes it very powerful to match specific or multiple characteristics from a message. You can also add exceptions to the DLP rule.

The next steps involves creating a DLP Profile. The DLP profile sets the action, when the DLP rule is matched. You need to specify a default action and you can overwrite is by defining specific actions for specific DLP rules. I create an action to deliver mail to an alternate host. The action can be configured from the DLP profile pane or you can configure the action under the Content Profile Actions. I needed to configure an outbound action, which needs to be created under the Content Profile Action.Relay Action

I use the above action as default in the DLP Profile and set my scan rule to use the default action.

DLP Profile

The DLP profile can be assigned to an IP Policy or Recipient Policy. I need to relay message in the outbound direction, so I create an Outbound Recipient Policy and assign the DLP profile.

FML DLP Recipient Policy

Configure VPN client on IOS router

One way to remotely access a network is using the Cisco VPN client. Nowadays more and more implementations of SSL VPN are being done and Cisco stopped their development on their VPN client and pushes their Cisco AnyConnect client.

Still the Cisco VPN client is often used to remotely gain access to a network. The Cisco VPN client supports:

  • Windows XP, Vista (x86/32-bit only) and Windows 7 (x86/32-bit only);
  • Linux (Intel);
  • Mac OS X 10.4 & 10.5;
  • Solaris UltraSparc (32 and 64-bit);

The Cisco VPN client is available for download if you have a SMARTnet support contract and encryption entitlements. The client can be used in conjunction with VPN concentrators, PIX and ASA firewall and IOS routers. Below you can find a template configuration for enabling the Cisco VPN client on an IOS router (all used IP addresses and credentials are chosen randomly and don’t represent a real configuration). I used the setup from the picture below:


The configuration uses the local database to authenticate users and split-tunneling is configured to only encrypt traffic destined for the LAN network. With split-tunneling enabled you still can access all local resources and the internet.

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group booches-vpn-client
key pr3sh@r3dk3y
domain booches.local
pool vpnpool
acl 110
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
crypto dynamic-map dynamicmap 10
set transform-set vpn-ts-set
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
interface FastEthernet0/0
ip address
ip nat outside
crypto map client-vpn-map
interface FastEthernet0/1
ip address
ip nat inside
ip local pool vpnpool
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny   ip
access-list 100 permit ip any
access-list 110 permit ip

Simply back to startup-config

There are multiple ways to get back from the running-configuration to the startup-configuration on a Cisco router. One of the simplest ways is just rebooting the router, but this takes a couple of minutes. You can also issue a copy startup-config running-config, but that doesn’t actually replace the configuration, but merges both together.

A very powerful command to revert to the startup-configuration is:

configure replace nvram:startup-config

This command saves you some time because a reboot is not required.

Alias IOS Command

When configuring a router I often use different show commands to check or troubleshoot the configuration. I always hate to type in the whole show command, so I use aliases instead. Aliases are also used in the Open Source community, when working with a terminal.

There are multiple options for the alias command, lets take a closer look:

  • Alias exec: for Privileged Mode (for Router# prompt);
  • Alias configure: for Global Configuration Mode (for Router(config)# prompt);
  • Alias interface: for Interface Configuration Mode (for Router(config-if)# prompt;

Cisco IOS includes some built-in command aliases (of course, the Cisco IOS always accepts the shortest unique command). Default command aliases are for example:

p for ping h for help
lo for logout u and un for undebug
w for where r for resume


Next are some alias command, which I use very often:


Router(config)# alias exec s show ip int brie | exclu unass

Router(config)# alias exec si show int status

Router(config)# alias exec r show run

Router(config)# alias exec rr show ip route


Router(config)# alias configure vl1 interface vlan1

Router(config)# alias configure eigrp router eigrp 1024


Router(config)# alias interface ns no shutdown

Router(config)# alias interface load load-interval 30