Web site filters
You can allow or block access to specific web sites by adding them to the URL filter list. You add the web sites by using patterns containing text and regular expressions. The unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.
Web site blocking does not block access to other services that users can access with a web browser. For example, web site blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny ftp connections.
When adding a URL to the web site filter list, follow these rules:
- Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
- Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For example, www.example.com/monkey.html or 192.168.144.155/monkey.html controls access to the monkey page on this web site.
- To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.
- Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on.
URLs with an action set to exempt or pass are not scanned for viruses. If users on the network download files through the unit from a trusted web site, add the URL of this web site to the URL filter list with an action to pass it so the unit does not virus scan files downloaded from this URL.
To create a new web site filter:
- In either the New Web FilterProfile or Edit Web FilterProfile page, select Enable Web Site Filter.
- In the filter table, select Create New to add a new row to the table.
- Enter the URL to filter in the URL Enter a top-level domain suffix (for example, “com” without the leading period) to block access to all web sites with this suffix.
- Select the type from the drop-down list in the Type One of: Simple, Reg. Expression, or Wildcard.
- Select the action to take from the drop-down list in the Action One of:
- Exempt: Allow trusted traffic to bypass the antivirus proxy operations.
- Block: Block access to any URLs matching the URL pattern and display a replacement message. SeeReplacement messages on page 37.
- Allow: Allow access to any URL that matches the URL pattern.
- Monitor: Monitor traffic to and from URLs matching the URL pattern.
- Select the status of the filter from the drop-down list in the Status column, either Enable or Disable, to enable or disable the filter.
To edit a web site filter:
- In either the New Web FilterProfile or Edit Web FilterProfile page, select Enable Web Site Filter.
- In the filter table, double-click on a filter, or select the filter then select Edit in the toolbar.
- Edit the filter settings as required.
To delete a filter or filters:
- In either the New Web FilterProfile or Edit Web FilterProfile page, select Enable Web Site Filter.
- In the filter table, select the filter or filters that need to be deleted, then select delete in the toolbar.
- Select OK in the confirmation dialog box to delete the selected filter or filters.
Data Leak Prevention
The DLP system allows you to prevent sensitive data from leaving your network. Once sensitive data patterns are defined, data matching the patterns will either be blocked, or logged then allowed.
The DLP system is configured by creating filters based on various attributes and expressions within DLP sensors, then assigning the sensors to security policies.
DLP can also be used to prevent unwanted data from entering your network, and to archive content passing through the FortiCache device.
DLP sensors
A DLP sensor is a package of filters. To use DLP, a DLP sensor must be selected and enabled in a security policy. The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor. Matching traffic will be passed or blocked according to the filters.
To configure DLP sensors, go to Security Profiles > Data Leak Prevention.
Create New | Create a new sensor. |
Edit | Edit the selected sensor. |
Delete | Delete the selected sensor or sensors. |
Name | The name of the sensor. |
Comment | Optional description of the sensor. |
# Filters | The number of filters used by the sensor. |
Ref. | Displays the number of times the sensor is referenced to other objects. To view the location of the referenced sensor, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object. |
To create a new DLP sensor:
- Go to Security Profiles > Data Leak Prevention and select Create New from the toolbar. The New Sensor window opens.
Data Leak Prevention
- Enter a name for the new sensor in the Name field and, optionally, enter a description of the sensor in the Comment
- Add filters to the sensor. See To create a new sensor filter: on page 94.
- Select OK to create the new sensor.
To edit a DLP sensor:
- Select the sensor you would like to edit then select Edit from the toolbar, or double-click on the sensor group in the table. The Edit Sensor window opens.
- Edit the sensor name and comments as required.
- Edit, create new, or delete sensor filters as required. See Sensor filters on page 94.
- Select OK to apply your changes.
To delete a sensor or sensors:
- From the sensor list, select the sensor or sensors that you would like to delete, then select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected sensor or sensors.
To clone a sensor:
- From the sensor list, right-click a sensor and select Clone.
- Enter a name for the sensor in the dialog box, then select OK. The sensor list opens, with the clone added.
- Edit the clone as required.
Sensor filters
Each DLP sensor must have one or more filters configured within it. Filters can examine traffic for:
l Known files using DLP fingerprints l Files of a particular name or type l Files larger than a specified size l Data matching a specified regular expression l Traffic matching an advanced or compound rule.
To create a new sensor filter:
- From the New Sensor or Edit Sensor window, select Create New in the filter table toolbar. The New Filter window opens.
- Configure the following information:
Filter | Select Messages or Files to filter for specific messages or based on file attributes, respectively. | |
Containing | Select, then select Credit Card # or SSN from the drop-down list. | |
File Size >= | Select, then enter the maximum file size allowed, in KB. This option is only available when filtering files. | |
Specify File Types | Select, then select File Types and File Name Patterns from the dropdown menus provided. See File filter on page 97.
This option is only available when filtering files. |
|
Watermark
Sensitivity |
If you are using watermarking on your files you can use this filter to check for watermarks that correspond to sensitivity categories that you have setup. See Watermarking on page 96.
The Corporate Identifier ensures that you are only blocking watermarks that your company has placed on files, not watermarks with the same name from other companies. This option is only available when filtering files. |
|
Regular
Expression |
Network traffic is examined for the pattern described by the regular expression. See Regular expressions on page 96 | |
Encrypted | Select to cause encrypted files to trigger the filter. This option is only available when filtering files. | |
Examine Services | the Following | Select the services whose traffic the filter will examine. This allows resources to be optimized by only examining relevant traffic. The available services are:
l Web Access: HTTP-POST and HTTP-GET l Email: SMTP, POP3, IMAP, and MAPI l Others: FTP and NNTP |
Action | Select an action to take if the filter is triggered from the drop-down list. | |
None | No action is taken when the filter is triggered. |
Data Leak Prevention
Log Only | When the filter is triggered, the match is logged, but no other action is taken. |
Block | Traffic matching the filter is blocked and replaced with a replacement message. See Replacement messages on page 37. |
Quarantine IP Address | Block access for any IP address that sends traffic matching the filter. The IP address is added to the banned user list (see ), and an appropriate replacement message is sent for all connection attempts until the quarantine time expires.
Enter the amount of time that the IP address will be quarantined for (>= 1 minute). |
Archive | Select Enable to enable archiving. |
- Select OK to create the new filter.
To edit a sensor filter:
- From the New Sensor or Edit Sensor window, either double-click on a filter, or select a filter then select Edit in the filter table toolbar. The Edit Filter window opens.
- Edit the filter as required and select OK to apply your changes.
To delete sensor filters:
- From the New Sensor or Edit Sensor window, select the filter or filters that you would like to delete, then select Delete from the filter table toolbar.
- Select OK in the confirmation dialog box to delete the selected filter or filters.
Regular expressions
Network traffic is examined for the pattern described by the regular expression specified in the DLP sensor filters. Fortinet uses a variation of the Perl Compatible Regular Expressions (PCRE) library. For some examples of Perl expressions, see Appendix A – Perl Regular Expressions on page 148. For more information about using Perl regular expressions, go to http://perldoc.perl.org/perlretut.html.
By adding multiple filters containing regular expressions to a sensor, a dictionary can be developed within the sensor. The filters can include expressions that accomodate copmlex variations of words or target phrases. Within the sensors each expression can be assigned a different action, allowing for a very granular implementation.
Watermarking
Watermarking means marking files with a digital pattern to designate them as proprietary to a specific company.
Fortinet’s watermarking tool is built in to FortiExplorer. It can add watermarks to single files as well as entire directories. The tool adds a small (~178B) pattern to a file that is recognized by the DLP watermark filter configured on your device.
The DLP system only works with Fortinet’s watermaking tool. For more information, see the FortiExplorerUser Guide, available from the Fortinet Document Library.