We just deployed FortiMail 200E in production about an hour ago and inbound emails started queuing up in the outbreak queue instantly. Why?
We did the test deployment last Thursday night and none of the legitimate inbound emails were put into the outbreak queue...
On the other question, what should be the lowest interval configured for "outbreak-protection-period"? 30 minutes is the default and we configured 15 minutes. Should we go down to 5 minutes without affecting performance?
Outbreak Protection will queue suspicious emails for reprocessing at a later (configurable) time. The purpose of this feature is that when FortiMail has detected some unusual characteristics indicative of spam/malware, it queues the email for a short period to give our FortiGuard data analytics the opportunity to detect such a pattern globally. This small delay can result in a significant increase in catch rate with minimal false positives.
Reducing the default hold timer is possible but will have some impact on the overall catch rate (the longer a delay you are willing to accept, the better the catch rate).
Carl Windsor, Senior Director, Product Management, Fortinet
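The trade-off in the reply above (hold period versus catch rate, with legitimate mail only delayed, never blocked) can be made concrete with a small model. The following Python is an added illustration written for this thread, not FortiMail's code and not part of the original answer: the hold queue, the minute clock, the "wave-1" campaign label, the sample messages and the minute at which global intelligence for the campaign becomes available are all constructed assumptions.

```python
"""Constructed model of an outbreak-protection hold queue.

Illustration written for this thread, not FortiMail's implementation: arrival
times, the "campaign" labels and the minute at which global intelligence for a
campaign becomes available are invented sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import heapq


@dataclass(frozen=True)
class Message:
    msg_id: str
    arrived_at: int                 # minute of arrival on a constructed clock
    suspicious: bool                # local heuristics flagged it on arrival
    campaign: Optional[str] = None  # outbreak it belongs to; None = legitimate


class OutbreakQueue:
    """Holds suspicious messages and releases them for rescan after hold_minutes."""

    def __init__(self, hold_minutes: int) -> None:
        self.hold_minutes = hold_minutes
        self._heap: List[Tuple[int, str, Message]] = []  # ordered by release time

    def hold(self, msg: Message) -> int:
        release_at = msg.arrived_at + self.hold_minutes
        heapq.heappush(self._heap, (release_at, msg.msg_id, msg))
        return release_at

    def release_due(self, now: int) -> List[Message]:
        """Pop every message whose hold period has expired by `now`."""
        due = []
        while self._heap and self._heap[0][0] <= now:
            due.append(heapq.heappop(self._heap)[2])
        return due


def scan(msg: Message, now: int, intel_known_at: Dict[str, int]) -> str:
    """Verdict at scan time: block only if a global pattern for the campaign is known by `now`."""
    if msg.campaign is not None and intel_known_at.get(msg.campaign, float("inf")) <= now:
        return "blocked"
    return "delivered"


def simulate(messages: List[Message], hold_minutes: int,
             intel_known_at: Dict[str, int]) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Run the clock minute by minute; return per-message verdicts and delivery delays."""
    queue = OutbreakQueue(hold_minutes)
    verdicts: Dict[str, str] = {}
    delays: Dict[str, int] = {}
    pending = sorted(messages, key=lambda m: m.arrived_at)
    last_minute = max(m.arrived_at for m in pending) + hold_minutes
    i = 0
    for now in range(last_minute + 1):
        # Messages arriving this minute are scanned now or parked in the hold queue.
        while i < len(pending) and pending[i].arrived_at == now:
            msg = pending[i]
            i += 1
            if msg.suspicious:
                queue.hold(msg)
            else:
                verdicts[msg.msg_id] = scan(msg, now, intel_known_at)
                delays[msg.msg_id] = 0
        # Held messages whose timer expired are rescanned with whatever intel exists now.
        for msg in queue.release_due(now):
            verdicts[msg.msg_id] = scan(msg, now, intel_known_at)
            delays[msg.msg_id] = now - msg.arrived_at
    return verdicts, delays


# Constructed sample: one outbreak ("wave-1") whose global pattern becomes known at
# minute 20, mixed with legitimate mail that local heuristics also found suspicious.
INTEL_KNOWN_AT = {"wave-1": 20}
SAMPLE_MESSAGES = [
    Message("m1", 0, True, "wave-1"),
    Message("m2", 5, True, "wave-1"),
    Message("m3", 10, True, "wave-1"),
    Message("m4", 12, True, "wave-1"),
    Message("ok1", 3, True),    # legitimate but flagged suspicious: held, never blocked
    Message("ok2", 8, True),
    Message("ok3", 4, False),   # legitimate and clean: delivered immediately
]


def catch_rate(hold_minutes: int) -> float:
    """Fraction of outbreak messages blocked for a given hold period."""
    verdicts, _ = simulate(SAMPLE_MESSAGES, hold_minutes, INTEL_KNOWN_AT)
    outbreak = [m for m in SAMPLE_MESSAGES if m.campaign is not None]
    return sum(verdicts[m.msg_id] == "blocked" for m in outbreak) / len(outbreak)


def legit_cost(hold_minutes: int) -> Tuple[int, int]:
    """(legitimate messages blocked, worst delivery delay in minutes) for a hold period."""
    verdicts, delays = simulate(SAMPLE_MESSAGES, hold_minutes, INTEL_KNOWN_AT)
    legit = [m for m in SAMPLE_MESSAGES if m.campaign is None]
    blocked = sum(verdicts[m.msg_id] == "blocked" for m in legit)
    return blocked, max(delays[m.msg_id] for m in legit)


if __name__ == "__main__":
    for hold in (30, 15, 5):
        print(f"hold={hold:2d}min  catch_rate={catch_rate(hold):.2f}  "
              f"legit (blocked, max delay)={legit_cost(hold)}")
```

With the sample data, a 30-minute hold catches the whole wave, 15 minutes lets the earliest message through, and 5 minutes releases every held message before any global pattern exists; in each case legitimate mail is delayed by at most the hold period and never blocked. The numbers are specific to the constructed sample, but the shape of the curve is the point of the reply: shortening the hold only ever lowers the catch rate, so the right value is the longest delay the business can tolerate.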