Data Leak Prevention – Fortinet FortiGate

Creating a file filter list

Before your FortiGate unit can filter files by pattern or type, you must create a file filter list. The action triggered by the contents of a file filter list will be decided in the sensor so it is important to make sure that when you are building a list that you intend for the same action to be applied to all of the entries in the same list.

To create a file filter list

  1. Go to Security Profiles > Data Leak Prevention > File Filter.
  2. Select Create New.
  3. Enter a Name for the new file filter list.
  4. Select OK.

The new list is created and the edit file filter list window appears. The new list is empty. You need to populate it with one or more file patterns or file types.

Creating a file pattern

A file pattern allows you to block or allow files based on the file name. File patterns are created within file filter lists.

To create a file pattern

  1. Go to Security Profiles > Data Leak Prevention > File Filter.
  2. Select a file filter list.
  3. Select the Edit
  4. Select Create New.
  5. Select File Name Pattern as the Filter Type.
  6. Enter the pattern in the Pattern The file pattern can be an exact file name or can include wildcards (*). The file pattern is limited to a maximum of 80 characters.
  7. Select OK.

Creating a file type

A file type allows you to block or allow files based on the kind of file. File types are created within file filter lists.

To create a file type

  1. Go to Security Profiles > Data Leak Prevention > File Filter.
  2. Select the Edit icon of the file filter list to which you will add the file type.
  3. Select Create New.
  4. Select File Type as the Filter Type.
  5. Select the kind of file from the File Type
  6. Select OK.

DLP can detect the following file types:

  • Archive (arj)
  • Archive (bzip)
  • Archive (bzip2)
  • Archive (cab)
  • Archive (gzip)
  • Archive (Archive (lzh)
  • Archive (rar)
  • Archive (tar)
  • Archive (zip)
  • Audio (wav)
  • Audio (wma)
  • BMP (bmp)
  • Batch File (bat)
  • Common Console Document (msc)
  • Encoded Data (base64)
  • Encoded Data (binhex)
  • Encoded Data (mime)
  • Encoded Data (uue)
  • Executable (elf)
  • Executable (exe)
  • GIF Image (gif)
  • HTML Application (hta)
  • HTML File (html)
  • Ignored File Type (ignored)
  • JPEG Image (jpeg)
  • Java Application Descriptor (jad)
  • Java Class File (class)
  • Java Compiled Bytecode (cod)
  • JavaScript File (javascript)
  • Microsoft Office (msoffice)
  • PDF (pdf)
  • PNG Image (png)
  • Packer (aspack)
  • Packer (fsg)
  • Packer (petite)
  • Packer (upx)
  • PalmOS Application (prc)
  • Real Media Streaming (rm)
  • Symbian Installer System File (sis)
  • TIFF Image (tiff)
  • Torrent (torrent)
  • Unknown File Type (unknown)
  • Video (mov)
  • Video (mpeg)
  • Windows Help File (hlp)

Preconfigured sensors

A number of preconfigured sensors are provided with your FortiGate unit. These can be edited or added to more closely match your needs.

Some of the preconfigured sensors with filters ready to go are:

  • Credit-Card – This sensor logs the traffic, both files and messages, that contain credit card numbers in the formates used by American Express, MasterCard and Visa.
  • Large-File – This sensor logs the traffic consisting of files larger than 5120 kB or approximately 5 MB.
  • SSN-Sensor – This sensor logs the traffic, both files and messages, that contain Social Security Numbers with the exception of those that are WebEx invitation emails.

DLP archiving

DLP is typically used to prevent sensitive information from getting out of your company network, but it can also be used to record network use. This is called DLP archiving. The DLP engine examines email, FTP, IM, NNTP, and web traffic. Enabling archiving for rules when you add them to sensors directs the FortiGate unit to record all occurrences of these traffic types when they are detected by the sensor.

Since the archive setting is configured for each rule in a sensor, you can have a single sensor that archives only the things you want.

You can archive Email, FTP, HTTP, IM, and session control content:

  • Email content includes IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged as spam by Email filtering. If your unit supports SSL content scanning and inspection, Email content can also include IMAPS, POP3S, and SMTPS sessions.
  • HTTP content includes HTTP sessions. If your unit supports SSL content scanning and inspection HTTP content can also include HTTPS sessions.
  • IM content includes AIM, ICQ, MSN, and Yahoo! sessions.

DLP archiving comes in two forms: Summary Only, and Full.

Summary archiving records information about the supported traffic types. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the Web, every URL the user visits recorded. The result is a summary of all activity the sensor detected.

For more detailed records, full archiving is necessary. When an email message is detected, the message itself, including any attachments, is archived. When a user accesses the Web, every page the user visits is archived. Far more detailed than a summary, full DLP archives require more storage space and processing.

Because both types of DLP archiving require additional resources, DLP archives are saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service (subscription required).

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the Fortinet configuration. The FortiGuard Analysis server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

Two sample DLP sensors are provided with DLP archiving capabilities enabled. If you select the Content_Summary sensor in a security policy, it will save a summary DLP archive of all traffic the security policy handles. Similarly, the Content_Archive sensor will save a full DLP archive of all traffic handled the security policy you apply it to. These two sensors are configured to detect all traffic of the supported types and archive them.

DLP archiving is set in the CLI only.

To set the archive to Full

config dlp sensor edit <name of sensor> set full-archive-proto smtp pop3 imap http ftp nntp aim icq msn yahoo mapi

end

To set the archive to Summary Only

config dlp sensor edit <name of sensor> set summary-proto smtp pop3 imap http ftp nntp aim icq msn yahoo mapi end

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.