Handbook

6.0.0

Examples

You can configure DLP sensors and filters when your FortiGate is operating in proxy-based inspection.

Blocking content with credit card numbers

When the objective is to block credit card numbers, remember that the sensor needs two filters: one to prevent sensitive files from being leaked and another to catch sensitive data that is not a file (for example, messages or email content).

In the default Credit-Card sensor, you will notice two things:

  • The Action is set to Log Only.
  • In the Files filter, not all of the services are being examined.

If you wish to block as much content containing credit card numbers as possible, instead of just logging most of the traffic that has it, the existing sensor will have to be edited.

  1. Go to Security Profiles > Data Leak Prevention.

    Some configurations will have a preconfigured Credit Card sensor, where you can use the drop-down menu to select Credit-Card. If your configuration doesn't already have one, create a new sensor.

  2. Use the Create New icon to add a new sensor.
  3. Create/edit the first filter. Set Type to Messages and select Containing Credit Card #.
  4. Go to Examine the Following Services and select all services.
  5. Set Action to Block.
  6. Select OK or Apply.
  7. Create/edit the second filter. Set Type to Files and select Containing Credit Card #.
  8. Go to Examine the Following Services and select all services.
  9. Set Action to Block.
  10. Select OK or Apply.
  11. Edit the appropriate policies so that under Security Profiles, DLP is turned on and the Credit-Card sensor is selected.

Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB

Multiple filters have to be used in this case, and the order in which they are evaluated is important. Because there is no mechanism to reorder filters within a sensor, they must be added to the sensor in the right order.

  1. Go to Security Profiles > Data Leak Prevention.
  2. Use the Create New icon to add a new sensor. Give it a descriptive Name, such as block_large_emails. Optionally, enter a descriptive comment.

    Once the sensor has been created, a new filter will need to be added.

  3. Create the filter to block the emails over 15 MB. In the filters table select Create New.
  4. Set Type to Messages and enter 15360 in the field next to File size over. (1MB = 1024KB, 15 MB = 15 x 1024KB = 15360KB)
  5. Go to Examine the Following Services and select all Email services.
  6. Set Action to Block.
  7. Select OK.
  8. Create the filter to log emails between 5 MB and 10 MB. In the filters table select Create New.
  9. Set Type to Files.
  10. Enter 5120 in the field next to File size over. (1MB = 1024KB, 5 MB = 5 x 1024KB = 5120KB)
  11. Go to Examine the Following Services and select all the email services.
  12. Set action to Log Only.
  13. Select OK.

The block filter is placed first because the filters are applied in sequence: once traffic triggers a filter, that filter's action is applied and the traffic is passed on to the next test. If the Log Only filter came first, its threshold would also be met by traffic over 15 MB, so a 16 MB file would only be logged. In the described order, the 16 MB file is blocked and the 3 MB file is logged.
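Both examples above describe sensors in GUI terms. The following Python script, an added example and not FortiGate code, models a sensor as an ordered list of filters with the fields used above (Type, examined services, Containing Credit Card #, File size over in KB, Action) and evaluates traffic the way the text describes: the first filter that matches decides. It shows the three points the examples depend on: a Log Only action only logs, a Files filter that does not examine a service lets a matching upload on that service through, and placing the Log Only size filter first would turn a 16 MB block into a log entry. The Luhn check is a simplified stand-in for what a credit-card filter does, and both size filters are given Type Messages here so that they can match the same traffic and the ordering effect is visible (the example above sets the second one to Files); the service names and all other identifiers are assumptions for illustration.

```python
"""Toy model of a proxy-mode DLP sensor: ordered filters, first match decides.

Added example, not FortiGate code. Filter fields (Type, examined services,
"Containing Credit Card #", "File size over" in KB, Action) follow the GUI
fields used in the two examples above; the Luhn check and all names here are
assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

KB = 1024

ALL_SERVICES = frozenset({"smtp", "pop3", "imap", "http-get", "http-post",
                          "ftp", "nntp", "mapi"})
EMAIL_SERVICES = frozenset({"smtp", "pop3", "imap", "mapi"})


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def contains_credit_card(text: str) -> bool:
    """What a 'Containing Credit Card #' filter looks for, in simplified form."""
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class Item:
    kind: str            # "messages" (message body) or "files" (attachment/upload)
    service: str         # protocol the traffic was seen on
    text: str = ""
    size_bytes: int = 0


@dataclass
class Filter:
    ftype: str                          # Type: "messages" or "files"
    services: frozenset                 # Examine the Following Services
    action: str                         # "block" or "log-only"
    credit_card: bool = False           # Containing Credit Card #
    size_over_kb: Optional[int] = None  # File size over (KB)

    def matches(self, item: Item) -> bool:
        if item.kind != self.ftype or item.service not in self.services:
            return False
        if self.credit_card and not contains_credit_card(item.text):
            return False
        if self.size_over_kb is not None and item.size_bytes <= self.size_over_kb * KB:
            return False
        return True


def evaluate(filters, item: Item) -> str:
    """Filters are tested in the order they were added; the first match decides."""
    for f in filters:
        if f.matches(item):
            return f.action
    return "pass"


def credit_card_sensor(action="block", file_services=ALL_SERVICES):
    """Two filters, as in the credit-card example: one for messages, one for files."""
    return [Filter("messages", ALL_SERVICES, action, credit_card=True),
            Filter("files", file_services, action, credit_card=True)]


def large_email_sensor(block_first=True):
    """Block over 15360 KB and log over 5120 KB on the email services."""
    block = Filter("messages", EMAIL_SERVICES, "block", size_over_kb=15360)
    log = Filter("messages", EMAIL_SERVICES, "log-only", size_over_kb=5120)
    return [block, log] if block_first else [log, block]


if __name__ == "__main__":
    # Constructed sample traffic; the card number is a well-known test value.
    msg = Item("messages", "smtp", text="Card: 4111 1111 1111 1111 exp 12/25")
    print("default-style sensor:", evaluate(credit_card_sensor("log-only"), msg))
    print("hardened sensor:     ", evaluate(credit_card_sensor(), msg))
    big = Item("messages", "smtp", size_bytes=16 * KB * KB)
    print("block filter first:  ", evaluate(large_email_sensor(), big))
    print("log filter first:    ", evaluate(large_email_sensor(block_first=False), big))
```

Run it as-is to see the four outcomes; swap `file_services` for a subset of services to reproduce the gap the default Files filter leaves.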

Blocking selectively based on a fingerprint

The following is a fairly complex example but shows what can be done by combining various components in the correct configuration.

The company has a number of copyrighted documents that it does not want “escaping” to the Internet but it does want to be able to send those documents to the printers for turning into hardcopy.

The policies and procedures regarding this issue state that:

  • Only members of the group Senior_Editors can send copyrighted material to the printers.
  • Every member of the company by default is included in the group employees.
  • Even permitted transmission of copyrighted material should be recorded.
  • All of the printers' IP addresses are in a group called approved_printers.
  • There is a file share called copyrighted where any file that is copyrighted is required to have a copy stored.
  • It doesn't happen often, but for legal reasons these files can sometimes be changed, and all versions of a file in this directory need to be secured.
  • All network connections to the Internet must have AntiVirus enabled using at least the default profile.
  • The SSL/SSH Inspection profile used will be default.

It is assumed for the purposes of this example that:

  • Any addresses or address groups have been created.
  • User accounts and groups have been created.
  • The account used by the FortiGate is fgtaccess.
  • The copyrighted sensitivity level needs to be created.
  • The copyrighted material is stored at \\192.168.27.50\books\copyrighted\

  1. Add a new Sensitivity Level by running the following commands in the CLI:

    config dlp fp-sensitivity
      edit copyrighted
      next
    end

  2. Apply files to the fingerprint database by running these commands in the CLI:

    config dlp fp-doc-source
      edit "copyrighted_material"
        set server-type smb
        set server 192.168.27.50
        set username fgtaccess
        set password ******
        set file-path books/copyrighted/
        set file-pattern *.pdf
        set sensitivity copyrighted
        set period daily
        set tod-hour 2
        set tod-min 0
        set scan-subdirectories enable
        set remove-deleted disable
        set keep-modified enable
      next
    end

    Two sensors need to be created: one that blocks the transmission of copyrighted material and a second that allows copyrighted material to pass under specific circumstances.

  3. Create the first DLP sensor with the following commands in the CLI:

    config dlp sensor
      edit block_copyrighted
        config filter
          edit 1
            set proto smtp pop3 imap http-get http-post ftp nntp mapi
            set filter-by fingerprint
            set fp-sensitivity copyrighted
            set action block
          next
        end
      next
    end

  4. Create the second DLP sensor with the following commands in the CLI:

    config dlp sensor
      edit allow_copyrighted
        config filter
          edit 2
            set proto smtp pop3 imap http-get http-post ftp nntp mapi
            set filter-by fingerprint
            set fp-sensitivity copyrighted
            set action log-only
          next
        end
      next
    end

  5. Create a policy to allow transmission of copyrighted material.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Select Create New.
    3. Use the following values in the policy:

    Incoming Interface: LAN
    Source Address: all
    Outgoing Interface: wan1
    Destination Address: all
    Schedule: always
    Service: all
    Action: ACCEPT
    Enable NAT: enabled -- Use Destination Interface Address
    AntiVirus: <ON> default
    DLP: <ON> Copyrighted
    SSL/SSH Inspection: <ON> default
    Enable this policy: <ON>

    This policy should be placed as close to the beginning of the policy list as possible, so that it is among the first tested against.

  6. Create a policy to block transmission of copyrighted material. This is in effect the default template for all following policies: each of them must use the DLP profile that blocks the transmission of copyrighted material.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Select Create New or edit an existing policy.
    3. Use the following values in the policy:

The fields should hold whatever values your requirements call for, but each policy should include the DLP sensor block_copyrighted. Alternatively, if a different DLP configuration is required, it should include a filter that blocks copyrighted fingerprinted files.

If you need to create a policy that is identity-based, make sure that there is an Authentication rule for the group employees that uses the DLP sensor that blocks copyrighted material.
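To make the fp-doc-source and sensor settings in this example concrete, the following Python script, added here and not FortiGate code, models document fingerprinting with a sensitivity level. An in-memory dict stands in for the SMB share; the scan applies file-pattern, scan-subdirectories, keep-modified and remove-deleted the way the CLI settings above describe them, tags every fingerprint with the sensitivity level, and two sensors standing in for block_copyrighted and allow_copyrighted map that level to an action. The fixed 64-byte chunk hashing, the 50% overlap threshold, the share contents and all names are assumptions; a real engine uses content-defined chunking so that a document embedded at any offset still matches.

```python
"""Toy model of DLP document fingerprinting with a sensitivity level.

Added example, not FortiGate code. An in-memory dict stands in for the SMB
share; the scan honours file-pattern, scan-subdirectories, keep-modified and
remove-deleted as the CLI settings above describe them. The chunk-hash scheme,
the overlap threshold and all names here are assumptions.
"""
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Optional

CHUNK = 64  # bytes per fixed chunk (assumption; real engines use content-defined chunks)


def chunk_hashes(data: bytes) -> frozenset:
    """Fingerprint = set of SHA-256 digests over fixed-size chunks of the data."""
    return frozenset(hashlib.sha256(data[i:i + CHUNK]).hexdigest()
                     for i in range(0, len(data), CHUNK))


@dataclass
class DocSource:
    sensitivity: str
    file_pattern: str = "*.pdf"
    scan_subdirectories: bool = True
    keep_modified: bool = True     # keep fingerprints of earlier versions of a changed file
    remove_deleted: bool = False   # drop fingerprints of files no longer on the share
    db: dict = field(default_factory=dict)  # (path, version) -> chunk hashes

    def scan(self, share: dict) -> None:
        """One scheduled scan over the share (dict of path -> bytes, relative to file-path)."""
        present = set()
        for path, data in share.items():
            if "/" in path and not self.scan_subdirectories:
                continue
            if not fnmatch.fnmatch(path.rsplit("/", 1)[-1], self.file_pattern):
                continue
            present.add(path)
            hashes = chunk_hashes(data)
            versions = [k for k in self.db if k[0] == path]
            if any(self.db[k] == hashes for k in versions):
                continue                      # unchanged since the last scan
            if versions and not self.keep_modified:
                for k in versions:
                    del self.db[k]            # keep-modified disable: forget the old version
            self.db[(path, len(versions))] = hashes
        if self.remove_deleted:
            for k in [k for k in self.db if k[0] not in present]:
                del self.db[k]

    def match_sensitivity(self, payload: bytes, min_ratio: float = 0.5) -> Optional[str]:
        """Sensitivity level if enough chunks of any fingerprinted version occur in payload.
        Assumes the payload starts with the document, so chunk boundaries line up."""
        seen = chunk_hashes(payload)
        for hashes in self.db.values():
            if hashes and len(hashes & seen) / len(hashes) >= min_ratio:
                return self.sensitivity
        return None


@dataclass
class FingerprintFilter:
    fp_sensitivity: str   # set fp-sensitivity ...
    action: str           # set action block | log-only


def evaluate(sensor, source: DocSource, payload: bytes) -> str:
    """Apply a sensor's fingerprint filters to an outbound payload; first match decides."""
    level = source.match_sensitivity(payload)
    for f in sensor:
        if level is not None and level == f.fp_sensitivity:
            return f.action
    return "pass"


BLOCK_COPYRIGHTED = [FingerprintFilter("copyrighted", "block")]     # stands in for block_copyrighted
ALLOW_COPYRIGHTED = [FingerprintFilter("copyrighted", "log-only")]  # stands in for allow_copyrighted


def demo() -> dict:
    # Constructed stand-in for the share; paths are relative to file-path books/copyrighted/
    share = {"novel.pdf": b"Chapter 1. " * 40,
             "drafts/notes.txt": b"not a pdf " * 40,
             "drafts/sequel.pdf": b"Chapter 2. " * 40}
    src = DocSource("copyrighted")
    src.scan(share)
    out = {"after_first_scan": len(src.db)}                 # only the two .pdf files
    out["employee_upload"] = evaluate(BLOCK_COPYRIGHTED, src, share["novel.pdf"])
    out["editor_to_printer"] = evaluate(ALLOW_COPYRIGHTED, src, share["novel.pdf"])
    out["unrelated"] = evaluate(BLOCK_COPYRIGHTED, src, b"quarterly numbers " * 40)
    old = share["novel.pdf"]
    share["novel.pdf"] = old + b"Errata. " * 20            # a legal edit; both versions stay protected
    src.scan(share)
    out["after_edit"] = len(src.db)
    out["old_version"] = evaluate(BLOCK_COPYRIGHTED, src, old)
    del share["drafts/sequel.pdf"]                          # remove-deleted disable: fingerprint stays
    src.scan(share)
    out["after_delete"] = len(src.db)
    out["deleted_doc"] = evaluate(BLOCK_COPYRIGHTED, src, b"Chapter 2. " * 40)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same payload yields block under one sensor and log-only under the other, which is exactly why the example needs two policies: the policy that carries the allow sensor must be matched first by the permitted traffic, and every other policy carries the blocking sensor.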
