Data Loss Prevention

The FortiADC Data Loss Prevention (DLP) module prevents sensitive data from leaving or entering your network by scanning for various patterns while inspecting traffic passing through the FortiADC. Data matching defined sensitive data patterns is blocked, logged, or allowed when it passes through the FortiADC.

The FortiADC DLP module is integrated with the FortiGuard DLP service, which allows FortiADC to download DLP signatures directly from FortiGuard to enrich its DLP signature data types. For more information, see FortiGuard DLP service.

Data Loss Prevention can also function without the FortiGuard DLP service: you can still configure a DLP Policy that defends against data loss using only Sensitive Data Type objects.

The DLP module is configured based on the following components:

| Component | Description |
|---|---|
| DLP Policy | Defines the rules for matching a sensor based on file content or an HTTP payload, and the email protocol used to attach files. It also lets you choose the action to take on a match: allow, log, or block. |
| Sensitive Data Type | Defines the type of pattern that DLP tries to match. This can be a predefined type such as a credit card number or US social security number (SSN), or a keyword, regular expression, or hexadecimal value that you supply to match data. |
| DLP Sensor | Defines which dictionaries to check. You can match any or all dictionaries, and the sensor can also count the number of dictionary matches required to trigger it. Note: This DLP component requires the FortiGuard DLP service to be enabled. |
| DLP Dictionary | Combines multiple data type entries, matched as all or any. When you select a data type such as keyword, regex, or hex, you define the pattern that you are looking for. Note: This DLP component requires the FortiGuard DLP service to be enabled. |

In the backend, DLP uses Hyperscan, which scans for all configured patterns in a single pass over the data. This lets DLP scale to large numbers of patterns without degrading performance.

Basic configuration

To deploy Data Loss Prevention, follow the workflow below:

  1. Configure the DLP Dictionary to define the collection of data type entries to use in the DLP Sensor. For details, see Configuring a DLP Dictionary object.
  2. Configure the DLP Sensor to define which dictionary to check. For details, see Configuring a DLP Sensor object.
  3. Configure the Sensitive Data Type to define the type of pattern that DLP is trying to match. For details, see Configuring a Sensitive Data Type object.
  4. Configure the DLP Policy to define the rules for matching a sensor or sensitive data type. For details, see Configuring a DLP Policy.
  5. Apply the DLP Policy to a WAF profile. For details, see Configuring a WAF Profile.
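The following is an added example, not FortiADC's own code, that models how the components above fit together: sensitive data types (predefined credit card with a Luhn check, US SSN, a keyword, and a hex value) are compiled into one combined pattern and matched in a single pass over a constructed HTTP body, then evaluated through dictionary any/all logic, the sensor's match-count threshold, and the policy action. Python's `re` module stands in for Hyperscan, and all names and the sample payload are assumptions for illustration.

```python
import re

# Constructed sample HTTP POST body (not captured from a real deployment).
SAMPLE_PAYLOAD = b"name=Alice&card=4539148803436467&ssn=123-45-6789&memo=CONFIDENTIAL"

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects random 13-16 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Sensitive data types: name -> (bytes regex, optional validator on the matched bytes).
# Keyword and hex entries are escaped literals; credit card and SSN are predefined patterns.
DATA_TYPES = {
    "credit_card": (rb"\b\d{13,16}\b", lambda m: luhn_valid(m.decode())),
    "us_ssn": (rb"\b\d{3}-\d{2}-\d{4}\b", None),
    "keyword_confidential": (re.escape(b"CONFIDENTIAL"), None),
    "hex_pdf_magic": (re.escape(bytes.fromhex("25504446")), None),  # "%PDF" file header
}

# One combined regex with a named group per type: the payload is walked once and
# m.lastgroup reports which type hit, the same idea as Hyperscan's multi-pattern pass.
COMBINED = re.compile(b"|".join(b"(?P<" + n.encode() + b">" + p + b")" for n, (p, _) in DATA_TYPES.items()))

def scan(payload: bytes) -> dict:
    """Single pass over the payload; returns {data_type: hit_count}."""
    hits = {}
    for m in COMBINED.finditer(payload):
        name = m.lastgroup
        check = DATA_TYPES[name][1]
        if check is None or check(m.group(name)):
            hits[name] = hits.get(name, 0) + 1
    return hits

def dictionary_matches(hits: dict, entries: list, match_all: bool) -> bool:
    """DLP Dictionary: its data type entries combine as 'all' or 'any'."""
    found = [e in hits for e in entries]
    return all(found) if match_all else any(found)

def sensor_triggers(hits: dict, dictionaries: list, match_all: bool, threshold: int) -> bool:
    """DLP Sensor: combine dictionary results as any/all, then apply the match-count threshold."""
    results = [dictionary_matches(hits, entries, d_all) for entries, d_all in dictionaries]
    combined = all(results) if match_all else any(results)
    count = sum(hits.get(e, 0) for entries, _ in dictionaries for e in entries)
    return combined and count >= threshold

def policy_action(payload: bytes, dictionaries: list, match_all=False, threshold=1, action="block") -> str:
    """DLP Policy: apply the configured action when the sensor triggers, otherwise allow."""
    return action if sensor_triggers(scan(payload), dictionaries, match_all, threshold) else "allow"
```

Each dictionary is given as `(entries, match_all)`; the Luhn validator is what keeps a 16-digit order reference from being reported as a card number.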