Data leak prevention
The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from leaving your network. Data that matches defined sensitive data patterns is blocked, logged, or allowed when it passes through the FortiGate unit.
The DLP system is configured by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule in a DLP sensor, and assigning the sensor to a security policy.
A DLP sensor is made of filters that are configured within it. The filters examine traffic for:
- Known files using DLP fingerprints
- Known files using DLP watermarks
- Files of a particular type
- Files with a particular name
- Files larger than a specified size
- Data matching a specified regular expression
- Credit card and SSN numbers
When a match to a filter is detected, the possible actions include:
- Allow: No action is taken, even if the pattern specified in the filter is matched.
- Log: The filter match is logged.
- Block: Traffic matching the filter is blocked.
- Quarantine IP address: Traffic matching the filter is blocked, and the source IP address of the client that initiated the traffic is banned.
The primary use of the DLP feature is to stop sensitive data from leaving the network. It can also be used to prevent unwanted data from entering the network, and to archive some or all of the content that is passing through the FortiGate device. DLP archiving is configured per filter, allowing a single sensor to archive only the required data.
There are two forms of DLP archiving:
- Summary Only: A summary of all the activity that the sensor detected is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the web, every URL that they visit is recorded.
- Full: Detailed records of all the activity that the sensor detects are recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses the web, every page that they visit is archived.
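As an added illustration (not Fortinet's code and not FortiOS configuration syntax), the following Python model runs a constructed sensor built from the filter kinds, actions and archive modes described above over sample messages; the Filter class, the ACTION_RANK precedence, the regex and the Luhn check are assumptions of this toy, not FortiGate internals.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed toy model of a DLP sensor (not FortiOS code): each filter says what it
# matches, which action applies, and how much to archive when it matches.
@dataclass
class Filter:
    name: str
    matcher: Callable[[dict], bool]
    action: str            # allow | log | block | quarantine-ip
    archive: str = "none"  # none | summary | full

ACTION_RANK = {"allow": 0, "log": 1, "block": 2, "quarantine-ip": 3}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    # Luhn checksum rejects most digit runs that merely look like a card number.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_credit_card(msg: dict) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(msg["body"]))

def inspect(sensor: list, msg: dict):
    # Every filter runs; the most severe matching action wins, archiving is per filter.
    verdict, matched, archives = "allow", [], []
    for f in sensor:
        if not f.matcher(msg):
            continue
        matched.append(f.name)
        if ACTION_RANK[f.action] > ACTION_RANK[verdict]:
            verdict = f.action
        if f.archive == "summary":  # sender, recipient, subject, size only
            archives.append({"filter": f.name, "from": msg["from"], "to": msg["to"],
                             "subject": msg["subject"], "size": len(msg["body"])})
        elif f.archive == "full":   # the message itself is kept
            archives.append({"filter": f.name, "message": msg})
    return verdict, matched, archives

SENSOR = [  # constructed sensor mirroring the filter kinds and actions listed above
    Filter("card-number", has_credit_card, "block", "summary"),
    Filter("big-attachment", lambda m: m.get("attachment_size", 0) > 10_000_000, "log"),
    Filter("internal-marker", lambda m: "CONFIDENTIAL" in m["body"], "quarantine-ip", "full"),
]
```

Calling `inspect(SENSOR, message)` with a dict carrying `from`, `to`, `subject`, `body` and `attachment_size` returns the verdict, the matched filter names and the archive records that a summary-only filter (metadata) versus a full filter (whole message) would produce.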
Be aware that “cloning” a DLP profile does *NOT* really clone it, but internally references the same objects, such as the file-type entities. I ran into a couple of issues until I understood that Fortinet isn’t really cloning those DLP profiles but doing some stupid links within the CLI. ;( Ref: https://twitter.com/webernetz/status/1123128989042847745