Preventing data leaks
In this recipe, you will keep files containing sensitive information from leaving your network. To do this, you create criteria that identify the files to retain and apply them in a Data Leak Prevention (DLP) security profile. This example applies DLP to retain Windows executable (.exe) files and files whose names match a specific file name pattern. Note: DLP can only be configured on FortiGate units using proxy-based inspection mode.
1. Enabling DLP and Multiple Security Profiles
Go to System > Feature Select and confirm that DLP and Multiple Security Profiles are enabled.
2. Creating a DLP profile
Go to Security Profiles > Data Leak Prevention. In the Filter list, select Create New.
Set the filter to look for Files. Select Specify File Types and set File Types to Executable (exe).
Set Examine the Following Services to all the services required by your network.
Set Action to Block.
Create a second filter.
Set the filter to look for Files. Select Specify File Types. In the File Name Patterns field, enter the pattern you wish to match. If desired, use a wildcard character in the pattern.
Set Action to Block.
Both filters now appear in the Filter list.
3. Adding the profile to a security policy
Go to Policy & Objects > IPv4 Policy and edit your Internet-access policy.
Under Security Profiles, enable DLP Sensor and set it to use the new profile.
SSL Inspection is automatically enabled. Set it to use the deep-inspection profile to ensure that DLP is applied to encrypted traffic. Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.
Under Logging Options, enable Log Allowed Traffic and select Security Events.
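The same profile and policy settings from steps 2 and 3, expressed in the FortiOS CLI. This is an added example, not part of the original recipe: the sensor name, file-pattern table ID 3, the "*leak*" pattern, the policy ID and the assumption that the built-in "all_executables" file-pattern table has ID 2 are all assumptions; check IDs with "show dlp filepattern" on your own unit before applying.

```fortios
# Custom file-name pattern table (assumed ID 3) for the second filter.
config dlp filepattern
    edit 3
        set name "leak-name-patterns"
        config entries
            edit "*leak*"
                set filter-type pattern
            next
        end
    next
end

# DLP sensor with one filter per step-2 criterion; both block.
config dlp sensor
    edit "block-sensitive-files"
        set comment "Block .exe files and *leak* file names"
        config filter
            edit 1
                set name "block-exe"
                set type file
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by file-type
                set file-type 2    # assumed ID of built-in "all_executables"
                set action block
            next
            edit 2
                set name "block-leak-pattern"
                set type file
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by file-type
                set file-type 3    # custom table defined above
                set action block
            next
        end
    next
end

# Attach the sensor to the Internet-access policy (assumed ID 1),
# with deep SSL inspection and security-event logging.
config firewall policy
    edit 1
        set utm-status enable
        set dlp-sensor "block-sensitive-files"
        set ssl-ssh-profile "deep-inspection"
        set logtraffic utm
    next
end
```

"set logtraffic utm" corresponds to Log Allowed Traffic with Security Events selected in the GUI.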
4. Results
Attempt to send either an .exe file or a file whose name fits the file name pattern blocked in step 2. Use a protocol that the DLP filter is set to examine. For example, send a file called securityleak.pdf via email or WeTransfer. Depending on which protocol is used, the attempt will either be blocked by the FortiGate or it will time out.
Go to FortiView > All Sessions and select the 24 hours view for information about the blocked session. Note that the Security Event identified is DLP.
For further reading, check out Data leak prevention in the FortiOS 5.4 Handbook.