FortiOS 6 – Data leak prevention

Enable data leak prevention

DLP examines your network traffic for data patterns you specify. The FortiGate unit then performs an action based on which pattern is found and the configuration set for each filter trigger.

DLP is not available in flow-based inspection.

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create a DLP sensor.

New DLP sensors are empty. You must create one or more filters in a sensor before it can examine network traffic.

  2. Add one or more filters to the DLP sensor.

Each filter searches for a specific data pattern. When a pattern in the active DLP sensor appears in the traffic, the FortiGate unit takes the action configured in the matching filter. Because the order of filters within a sensor cannot be changed, you must configure DLP in sequence.

  3. Add the DLP sensor to one or more firewall policies that control the traffic to be examined.

Creating/editing a DLP sensor

DLP sensors are collections of filters. You must also specify an action for the filter when you create it in a sensor. Once a DLP sensor is configured, you add it to a security policy profile. Any traffic handled by that security policy will be examined according to the DLP sensor configuration.

DLP is not available in flow-based inspection.

To create/edit a DLP sensor in the GUI

  1. Go to Security Profiles > Data Leak Prevention.
  2. Choose whether you want to edit an existing sensor or create a new one.
    • The default sensor is the one displayed by default.
    • To edit an existing sensor, select it by either using the drop down menu in the upper right hand corner of the window or by selecting the List icon (the furthest right of the 3 icons in the upper right of the window, resembling a page with some lines on it), and then selecting the profile you want to edit from the list.
    • To create a new sensor, select the Create New icon (a plus sign within a circle) or the List icon and then select the Create New link in the upper left corner of the window that appears.
  3. Enter a name in the Name field for any new DLP sensors.
  4. Optionally, you may also enter a comment. The comment appears in the DLP sensor list and can remind you of the details of the sensor.
  5. At this point you can add filters to the sensor (see Adding filters to a DLP sensor) or select OK to save the sensor. Without filters, the DLP sensor will do nothing.

Adding filters to a DLP sensor

Once you have created a DLP sensor, you need to add filters.

To add filters to a DLP sensor in the GUI

  1. Go to Security Profiles > Data Leak Prevention.
  2. Select the sensor you wish to edit using the drop-down menu or the sensor list window.
  3. Within the Edit DLP Sensor window, select Create New. A New Filter window should pop up.
  4. Select the type of filter. You can choose either Messages or Files; different options are available depending on which of the two you choose.

A Messages filter has these configuration options:

  • [radio button] Containing: [drop-down menu including Credit Card # or SSN]
  • [radio button] Regular Expression [input field]
  • Examine the following services:
    • Web Access: [check box] HTTP-POST
    • Email: [check box] SMTP, [check box] POP3, [check box] IMAP, [check box] MAPI
    • Others: [check box] NNTP
  • Action [from drop-down menu]: Allow, Log Only (default), Block, Quarantine IP address

A Files filter allows you to choose one of these options:

  • Containing: [drop-down menu including Credit Card # or SSN]
  • File Size > [ ] KB (files greater than the number of KB entered)
  • Specify File Types
    • File Types: [“Click to add…” drop-down menu of file extensions]
    • File Name Patterns: [“Click to add…” drop-down menu]
  • [radio button] Regular Expression [input field]
  • [radio button] Encrypted
  • Examine the following services:
    • Web Access: [check box] HTTP-POST, [check box] HTTP-GET
    • Email: [check box] SMTP, [check box] POP3, [check box] IMAP, [check box] MAPI
    • Others: [check box] FTP, [check box] NNTP
  • Action [from drop-down menu]: Allow, Log Only (default), Block, Quarantine IP address

  5. Select OK.
  6. Repeat the Create New, filter type and OK steps for each additional filter.

DLP archiving

DLP is typically used to prevent sensitive information from getting out of your company network, but it can also be used to record network use. This is called DLP archiving. The DLP engine examines email, FTP, NNTP, and web traffic. Enabling archiving for rules when you add them to sensors directs the FortiGate unit to record all occurrences of these traffic types when they are detected by the sensor.

Since the archive setting is configured for each rule in a sensor, you can have a single sensor that archives only the things you want.

You can archive Email, FTP, HTTP, and session control content:

  • Email content includes IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged as spam by Email filtering. If your unit supports SSL content scanning and inspection, email content can also include IMAPS, POP3S, and SMTPS sessions.
  • HTTP content includes HTTP sessions. If your unit supports SSL content scanning and inspection, HTTP content can also include HTTPS sessions.

DLP archiving comes in two forms: Summary and Full.

Summary archiving records information about the supported traffic types. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the Web, every URL the user visits is recorded. The result is a summary of all activity the sensor detected.

For more detailed records, use full archiving. When an email message is detected, the message itself, including any attachments, is archived. When a user accesses the Web, every page the user visits is archived. Far more detailed than a summary, full DLP archives require more storage space and processing.

Because both types of DLP archiving require additional resources, DLP archives are saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service (subscription required).

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the Fortinet configuration. The FortiGuard Analysis server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

Two sample DLP sensors are provided with DLP archiving capabilities enabled. If you select the Content_Summary sensor in a security policy, it will save a summary DLP archive of all traffic the security policy handles. Similarly, the Content_Archive sensor will save a full DLP archive of all traffic handled by the security policy you apply it to. These two sensors are configured to detect all traffic of the supported types and archive them. You can see these sensors in the GUI, but their configuration is only visible through the CLI; DLP archiving is set in the CLI only.

To set the archive to Summary

    config dlp sensor
        edit <name of sensor>
            set summary-proto smtp pop3 imap http ftp nntp msn yahoo mapi
    end

To set the archive to Full

    config dlp sensor
        edit <name of sensor>
            set full-archive-proto smtp pop3 imap http ftp nntp msn yahoo mapi
    end

DLP examples

You can configure DLP sensors and filters when your FortiGate is operating in proxy-based inspection.

  • Blocking content with credit card numbers
  • Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB
  • Blocking selectively based on a fingerprint

Blocking content with credit card numbers

When the objective is to block credit card numbers one of the important things to remember is that two filters will need to be used in the sensor. One filter is to prevent sensitive files from being leaked and another is to retain any sensitive data that is not a file (for example, messages or email content).

In the default Credit-Card sensor, you will notice a few things:

  • The Action is set to Log Only.
  • In the Files filter, not all of the services are being examined.

If you wish to block as much content as possible with credit card numbers in it, instead of just logging most of the traffic that has it, the existing sensor will have to be edited.

  1. Go to Security Profiles > Data Leak Prevention.

Some configurations will have a preconfigured Credit Card sensor, where you can use the drop-down menu to select Credit-Card. If your configuration doesn’t already have one, create a new sensor.

  2. Use the Create New icon to add a new sensor.
  3. Create/edit the first filter. Set Type to Messages and select Containing Credit Card #.
  4. Go to Examine the Following Services and select all services.
  5. Set Action to Block.
  6. Select OK or Apply.
  7. Create/edit the second filter. Set Type to Files and select Containing Credit Card #.
  8. Go to Examine the Following Services and select all services.
  9. Set Action to Block.
  10. Select OK or Apply.
  11. Edit the appropriate policies so that under Security Profiles, DLP is turned on and the Credit-Card sensor is selected.
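The same credit-card sensor, expressed in the FortiOS 6 CLI, as an added example that is not part of the handbook text above. It ties together the three general configuration steps (create the sensor, add filters, attach it to a policy), the Messages/Files filter options listed under Adding filters to a DLP sensor, and the summary archiving setting from the DLP archiving section. The sensor name "Credit-Card-Block", the filter names, the policy ID 10 and the exact protocol keyword list are assumptions; the keyword syntax follows the FortiOS 6.0 CLI reference as the editor recalls it (6.0 uses http-get and http-post rather than the older http, msn and yahoo keywords shown in the snippet above), so confirm each keyword with "?" at the prompt before committing.

```fortios
# Added example, not from the FortiOS handbook. Names, policy id and the
# protocol keyword list are assumptions; verify keywords with "?" on the unit.

# DLP is only available in proxy-based inspection (VDOM-level setting in 6.0).
config system settings
    set inspection-mode proxy
end

config dlp sensor
    edit "Credit-Card-Block"
        set comment "Block credit card numbers in messages and files"
        config filter
            # Filter 1 = the Messages filter: Containing Credit Card #,
            # all message services examined, Action = Block.
            edit 1
                set name "cc-in-messages"
                set severity high
                set type message
                set proto smtp pop3 imap mapi http-post nntp
                set filter-by credit-card
                set action block
            next
            # Filter 2 = the Files filter: Containing Credit Card #,
            # all file services examined (adds HTTP-GET and FTP), Action = Block.
            edit 2
                set name "cc-in-files"
                set severity high
                set type file
                set proto smtp pop3 imap mapi http-get http-post ftp nntp
                set filter-by credit-card
                set action block
            next
        end
        # Optional: summary DLP archive of the same protocols, sent to the
        # configured FortiAnalyzer (see "DLP archiving" above).
        set summary-proto smtp pop3 imap mapi http-get http-post ftp nntp
    next
end

# Attach the sensor to the policy that carries the traffic (the last step of
# the procedure above). Policy 10 is an existing policy; only the DLP-related
# settings are shown.
config firewall policy
    edit 10
        set utm-status enable
        set dlp-sensor "Credit-Card-Block"
    next
end
```

Two points worth checking after applying this: the sensor only sees plaintext, so card numbers inside HTTPS, IMAPS, POP3S or SMTPS sessions are matched only when the same policy also performs SSL deep inspection (as the archiving section notes for SSL content scanning); and because filter order inside a sensor cannot be changed, create the filters in the order you want them evaluated, then confirm with "show dlp sensor Credit-Card-Block" that both filters carry action block rather than the log-only default.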

This entry was posted in Administration Guides, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
