Additional Configuration - Fortinet
Key Fortinet policies to configure when setting up your Secure Schools phishing simulations
This guide is for informational purposes only and is based on publicly available procedures to bypass security filters within Fortinet FortiMail and related Fortinet Security products (like FortiGate Web Filter) to accommodate security testing platforms and was authored with the assistance of AI.
If you encounter any issues with these steps, please get in touch with your usual support representative at Fortinet directly.
The primary method for FortiMail is to create an IP-based exemption policy and add the source to the System Safe List.
Part 1: FortiMail Email Security Gateway
This part applies to FortiMail Appliances, VMs, or the FortiMail Cloud SaaS service, which acts as your email gateway. You must exempt the IP address listed in our Domains and IP Addresses article from detection.
A. Configure an IP-Based Safe List
This is the most reliable method for ensuring email delivery.
- Log in to your FortiMail Administration Interface.
- Navigate to Security → Block/Safe List → System.
- From the List drop-down menu, select Safe.
- Click New to add an entry.
- In the field, enter the IP address listed in our Domains and IP Addresses article (e.g., 185.250.239.80/32).
- Click Create.
B. Create an IP-Based Policy for Bypass (Advanced)
This ensures that the email bypasses all deep security checks, including Anti-Spam and Anti-Virus profiles.
- Navigate to Policy → IP Policy → IP Policy.
- Click New (or select an existing policy to modify).
- Configure the following settings:
- Status: Enabled
- Source: Select IP/Netmask and enter the IP address listed in our Domains and IP Addresses article.
- Destination: Select IP/Netmask and enter 0.0.0.0/0 (to match all destinations, including your own mail server).
- Session Profile: Select a Custom Session Profile that has all antispam and advanced checks disabled. If you do not have one, you will need to create one first under Profile → Session → Session.
- (Optional, but recommended) Ensure Take precedence over recipient based policy match is enabled to ensure this rule is always applied.
- Click Create.
Part 2: FortiMail Workspace Security (Integrated Cloud Email Security)
If you are using FortiMail Workspace Security for Microsoft 365 or Google Workspace (which often uses API integration), the configuration may be different; however, it still requires the core FortiMail actions above.
For FortiMail Workspace Security customers using cloud platforms, you should also check your settings for:
- Anti-Phishing/BEC Exemption: Ensure the domains listed in our Domains and IP Addresses article are specifically excluded from any behavioural or machine learning analysis features that detect impersonation.
- URL Exemption: The URL checks performed by the Workspace Security suite should be exempted for domains listed in our Domains and IP Addresses article.
Part 3: FortiGate Firewall/Web Filter (Landing Pages)
If your users access the phishing landing pages through a FortiGate firewall, the URL may be blocked by the Web Filter security profile.
- Log in to your FortiGate Firewall Administration Interface.
- Navigate to Security Profiles → Web Filter.
- Create a new Web Filter profile or select the profile applied to your users.
- Expand the Static URL Filter section, ensure URL Filter is enabled, and click Create.
- Enter the Landing Page URL domains listed in our Domains and IP Addresses article (e.g., notificationdispersalhub.com). Note: enter the URL without the https:// prefix.
- Set the Type to Simple.
- Set the Action to Allow.
- Ensure the Status is Enabled.
- Click OK and apply the updated security profile to the relevant firewall policy.
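The same Part 3 change expressed in the FortiOS CLI, as an added example that is not from the original article or from Fortinet's documentation. The URL filter table ID (1), the Web Filter profile name (users-webfilter) and the firewall policy ID (10) are placeholders to adjust for your own FortiGate; the domain is the example value from this article.

```text
# FortiOS CLI equivalent of the Part 3 GUI steps (added example; table ID,
# profile name and policy ID are placeholders for your own FortiGate).

# 1. Static URL filter table: the domain is entered without https://,
#    with Type "simple", Action "allow" and Status "enable".
config webfilter urlfilter
    edit 1
        set name "phishing-sim-landing-pages"
        config entries
            edit 1
                set url "notificationdispersalhub.com"
                set type simple
                set action allow
                set status enable
            next
        end
    next
end

# 2. Attach that table to the Web Filter profile applied to your users.
config webfilter profile
    edit "users-webfilter"
        config web
            set urlfilter-table 1
        end
    next
end

# 3. Confirm the profile is actually applied on the relevant firewall policy,
#    otherwise the allow entry never takes effect.
config firewall policy
    edit 10
        set utm-status enable
        set webfilter-profile "users-webfilter"
    next
end

# Check the resulting entries and profile binding:
# show webfilter urlfilter
# show webfilter profile users-webfilter
```

Each landing-page domain from the Domains and IP Addresses article needs its own `edit N` entry in the table; when that list changes, update the entries here as well as in the GUI.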
Always use the most current and complete list of IP addresses and domains from our Domains and IP Addresses article. These lists can change over time, and using an outdated list will result in failed delivery.