Enable data leak prevention
DLP examines your network traffic for data patterns you specify. The FortiGate unit then performs an action based on the which pattern is found and a configuration set for each filter trigger.
General configuration steps
Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.
- Create a DLP sensor.
New DLP sensors are empty. You must create one or more filters in a sensor before it can examine network traffic.
- Add one or more filters to the DLP sensor.
Each filter searches for a specific data pattern. When a pattern in the active DLP sensor appears in the traffic, the FortiGate unit takes the action configured in the matching filter. Because the order of filters within a sensor cannot be changed, you must configure DLP in sequence.
- Add the DLP sensor to one or more firewall policies that control the traffic to be examined.
Creating a DLP sensor
DLP sensors are collections of filters. You must also specify an action for the filter when you create it in a sensor. Once a DLP sensor is configured, you can select it a security policy profile. Any traffic handled by the security policy will be examined according to the DLP sensor configuration.
To create a DLP sensor
- Go to Security Profiles > Data Leak Prevention > Sensor.
- Select the Create New icon on the Edit DLP Sensor window title bar.
- In the Name field, enter the name of the new DLP sensor.
- Optionally, you may also enter a comment. The comment appears in the DLP sensor list and can remind you of the details of the sensor.
- Select OK.
The DLP sensor is created and the sensor configuration window appears.
- Select OK.
A newly created sensor is empty, containing no filters. Without filters, the DLP sensor will do nothing.
Adding filters to a DLP sensor
Once you have created a DLP sensor, you need to add filters.
- To add filters to a DLP sensor
- Go to Security Profiles > Data Leak Prevention> Sensor.
- Select the Sensor in the Edit DLP Sensor window title bar drop-down list.
- Select Create New.
- Enter a filter name.
- Select the type of filter. You can choose either Messages or Files. Depending on which of these two are chosen different options will be available Message filter will have these configuration options:
- [radio button] Containing: [drop down menu including: Credit Card # or SSN]
- [radio button] Regular Expression [input field]
- [radio button] Encrypted
Examine the following Services:
Web Access
- HTTP-POST
- [check box] SMTP
- [check box] POP3
- [check box] IMAP
- [check box] MAPI
Others
- [check box] NNTP
Action [from drop down menu]
- None
- Log Only,
- Block
- Quarantine User,
- Quarantine IP address
- Quarantine Interface
Files filter will have these options:
- [radio button] Containing: drop down menu including: Credit Card # or SSN
- [radio button] File Size >= [ ]kb
- [radio button] File Type included in [drop down menu of File Filters]
- [radio button] File Finger Print : [drop down menu]
- [radio button] Watermark Sensitivity: [drop down menu] and Corporate Identifier [id field]
- [radio button] Regular Expression [input field]
- [radio button] Encrypted
Examine the following Services:
Web Access
- [check box] HTTP-POST
- [check box] HTTP-GET
- [check box] SMTP
- [check box] POP3
- [check box] IMAP
- [check box] MAPI
Others
- [check box] FTP
- [check box] NNTP
Action [from drop down menu]
- None
- Log Only,
- Block
- Quarantine User,
- Quarantine IP address
- Quarantine Interface
Table 8: Option explanations
Option | Description |
Containing.. | the predefined settings for this filter are:
• Credit Card numbers – The number formats used by American Express, Visa, and Mastercard credit cards are detected. • Social Security Numbers. |
Regular
Expression |
Network traffic is examined for the pattern described by the regular expression. |
Encrypted | This filter is triggered by encrypted files. |
File Size | Enter a file size in kilobytes. Files larger than the specified size are treated according to the selected action. |
File Type | Select a file filter list that includes the file patterns and file types the network traffic will be examined for. Files matching the types or patterns in the selected list are treated according to the selected action.
To create a file filter list, see “Cr eating a file filter list” on page 132. |
File Finger Print | A fingerprint filter checks files in traffic against those in the FortiGate unit document fingerprint database. A match triggers the configured action.
You must configure a document source or uploaded documents to the FortiGate unit for fingerprint scanning to work. For more information about document fingerprinting, see “Fingerprint” on page 122. |
Watermark
Sensitivity |
If you are using watermarking on your files you can use this filter to check for watermarks that correspond to sensitivity categories that you have set up. The Corporate Identifier is to make sure that you are only blocking watermarks that your company has place on the files, not watermarks with the same name by other companies. |
Services | Configure the filter to examine the traffic over the selected services. This setting gives you a tool to optimized the resources of the FortiGate unit by only using processing cycles on the relevant traffic. Just check the boxes associated with the service / protocol that you want to have checked for filter triggers. |
Table 9: Action Options
Action | Description |
None | No action is taken if filter even if filter is triggered |
Log Only | The FortiGate unit will take no action on network traffic matching a rule with this action. The filter match is logged, however. Other matching filters in the same sensor may still operate on matching traffic. |
Block | Traffic matching a filter with the block action will not be delivered. The matching message or download is replaced with the data leak prevention replacement message. |
Table 9: Action Options
Action | Description |
Quarantine User | If the user is authenticated, this action blocks all traffic to or from the user using the protocol that triggered the rule and adds the user to the Banned User list. If the user is not authenticated, this action blocks all traffic of the protocol that triggered the rule from the user’s IP address.
If the banned user is using HTTP, FTP, or NNTP (or HTTPS if the FortiGate unit supports SSL content scanning and inspection) the FortiGate unit displays the “Banned by data leak prevention” replacement message. If the user is using IM, the IM and P2P “Banned by data leak prevention” message replaces the banned IM message and this message is forwarded to the recipient. If the user is using IMAP, POP3, or SMTP (or IMAPS, POP3S, SMTPS if your FortiGate unit supports SSL content scanning and inspection) the Mail “Banned by data leak prevention” message replaces the banned email message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list. If this action is chosen the additional field for [ ] minutes will appear so that a time limit can be set for the duration of the quarantine. This field cannot be left blank. |
Quarantine IP
Address |
This action blocks access for any IP address that sends traffic matching a filter with this action. The IP address is added to the Banned User list. The FortiGate unit displays the “NAC Quarantine DLP Message” replacement message for all connection attempts from this IP address until the IP address is removed from the banned user list.
If this action is chosen the additional field for [ ] minutes will appear so that a time limit can be set for the duration of the quarantine. This field cannot be left blank. |
Quarantine
Interface |
This action blocks access to the network for all users connecting to the interface that received traffic matching a filter with this action. The FortiGate unit displays the “NAC Quarantine DLP Message” replacement message for all connection attempts to the interface until the interface is removed from the banned user list.
If this action is chosen the additional field for [ ] minutes will appear so that a time limit can be set for the duration of the quarantine. This field cannot be left blank. |
Quarantine User, Quarantine IP, and Quarantine Interface provide functionality similar to NAC quarantine. However, these DLP actions block users and IP addresses at the application layer while NAC quarantine blocks IP addresses and interfaces at the network layer.
- Select OK.
- Repeat Steps 6 and 7 for each filter.
- Select Apply to confirm the settings of the sensor.
If you have configured DLP to block IP addresses and if the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device — not just traffic from individual users — could be blocked. You can avoid this problem by implementing authentication.