Fortinet white logo
Fortinet white logo

Administration Guide

Basic DLP settings

Basic DLP settings

DLP settings can be configured for data types, dictionaries, sensors, file patterns, and profiles. DLP can be configured in both the CLI and the GUI irrespective of firewall policy inspection mode.

Note

To use DLP profile in a flow-based firewall policy, set feature-set flow must be set from the CLI. See Configuring DLP from the CLI for more information.

DLP profiles can only be added to a flow-based firewall policy from the CLI.

On the Security Profiles > Data Leak Prevention page, there are Profiles, Sensors, and Dictionaries tabs to configure those DLP settings. DLP profiles can be added to proxy-based firewall policies and proxy policies from the GUI.

Tooltip

If Data Leak Prevention is not visible in the tree menu, go to System > Feature Visibility and enable it.

This section breaks down the DLP configuration into a sequence of steps:

  1. Configure the DLP dictionary:

  2. Configure the DLP sensor:

    • A DLP sensor defines which dictionary to check. It counts the number of dictionary matches to trigger the sensor.

  3. Configure the DLP profile:

    • A DLP profile allows for filtering by size and file type. See DLP file pattern for custom file type.

  4. Add the DLP profile to a firewall policy.

Note

All the steps mentioned above should be configured in the exact order given for ease of configuration.

Configuring DLP from the GUI

Use the following steps to configure DLP from the GUI.

To configure a DLP dictionary:
  1. Go to Security Profiles > Data Leak Prevention.

  2. Select the Dictionaries tab and click Create New.

  3. Enter a name.

  4. In the Dictionary Entries section, click Create New.

  5. Set the Type and click OK.

  6. Click OK to save the dictionary.

To configure a DLP sensor:
  1. Go to Security Profiles > Data Leak Prevention.

  2. Select the Sensors tab and click Create New.

  3. Enter a name.

  4. In the Sensors Entries section, click Create New.

  5. Select the Dictionary from the dropdown menu and click OK.

  6. Click OK to save the sensor.

To configure a DLP profile:
  1. Go to Security Profiles > Data Leak Prevention.

  2. Select the Profiles tab and click Create New.

  3. Enter a name.

  4. In the Rules section, click Create New.

  5. Configure the following settings:

    Name

    Filter name.
    Sensors Select DLP sensors.
    Severity Select the severity or threat level that matches this filter.
    Action Action to take with content that this DLP profile matches.
    Type Select whether to check the content of messages (an email message) or files (downloaded files or email attachments).
    File type Select the number of a DLP file pattern table to match.
    Protocol Check messages or files over one or more of these protocols.
  6. Click OK.

  7. Click OK to save the profile.

To add the DLP profile to a firewall policy:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

  3. Set the Inspection Mode to Proxy-based.

  4. In the Security Profiles section, enable DLP Profile and select the desired profile.

  5. Configure the other settings as needed.

  6. Click OK.

Configuring DLP from the CLI

Use the following steps to configure DLP from the CLI.

To configure a DLP dictionary:
config dlp dictionary
    edit <name>
        config entries
            edit 1
                set type {credit-card | hex | keyword | mip-label | regex | ssn-us}
                set pattern <string>
                set repeat {enable | disable}
                set status {enable | disable}
            next
        end
    next
end
To configure a DLP sensor:
config dlp sensor
    edit <name>
        set match-type {match-all | match-any | match-eval}
        set eval <string>
        config entries
            edit <id>
                set dictionary <dlp_dictionary>
                set count <integer>
                set status {enable | disable}
            next
        end
    next
end

See Evaluation by Logical relationship for more information about match-eval.

To configure a DLP profile:
config dlp profile
    edit <name>
        set feature-set {flow | proxy}
        config rule
            edit <id>
                set proto <protocol> <protocol> ...
                set sensor <dlp_sensor>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To add the DLP profile to a firewall policy:
config firewall policy
    edit <id>
        set srcintf <interface>
        set dstintf <interface>
        set action accept
        set srcaddr <address>
        set dstaddr <address>
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set dlp-profile <string>
    next
end

See DLP examples for sample configurations.

Basic DLP settings

Basic DLP settings

DLP settings can be configured for data types, dictionaries, sensors, file patterns, and profiles. DLP can be configured in both the CLI and the GUI irrespective of firewall policy inspection mode.

Note

To use DLP profile in a flow-based firewall policy, set feature-set flow must be set from the CLI. See Configuring DLP from the CLI for more information.

DLP profiles can only be added to a flow-based firewall policy from the CLI.

On the Security Profiles > Data Leak Prevention page, there are Profiles, Sensors, and Dictionaries tabs to configure those DLP settings. DLP profiles can be added to proxy-based firewall policies and proxy policies from the GUI.

Tooltip

If Data Leak Prevention is not visible in the tree menu, go to System > Feature Visibility and enable it.

This section breaks down the DLP configuration into a sequence of steps:

  1. Configure the DLP dictionary:

  2. Configure the DLP sensor:

    • A DLP sensor defines which dictionary to check. It counts the number of dictionary matches to trigger the sensor.

  3. Configure the DLP profile:

    • A DLP profile allows for filtering by size and file type. See DLP file pattern for custom file type.

  4. Add the DLP profile to a firewall policy.

Note

All the steps mentioned above should be configured in the exact order given for ease of configuration.

Configuring DLP from the GUI

Use the following steps to configure DLP from the GUI.

To configure a DLP dictionary:
  1. Go to Security Profiles > Data Leak Prevention.

  2. Select the Dictionaries tab and click Create New.

  3. Enter a name.

  4. In the Dictionary Entries section, click Create New.

  5. Set the Type and click OK.

  6. Click OK to save the dictionary.

To configure a DLP sensor:
  1. Go to Security Profiles > Data Leak Prevention.

  2. Select the Sensors tab and click Create New.

  3. Enter a name.

  4. In the Sensors Entries section, click Create New.

  5. Select the Dictionary from the dropdown menu and click OK.

  6. Click OK to save the sensor.

To configure a DLP profile:
  1. Go to Security Profiles > Data Leak Prevention.

  2. Select the Profiles tab and click Create New.

  3. Enter a name.

  4. In the Rules section, click Create New.

  5. Configure the following settings:

    Name

    Filter name.
    Sensors Select DLP sensors.
    Severity Select the severity or threat level that matches this filter.
    Action Action to take with content that this DLP profile matches.
    Type Select whether to check the content of messages (an email message) or files (downloaded files or email attachments).
    File type Select the number of a DLP file pattern table to match.
    Protocol Check messages or files over one or more of these protocols.
  6. Click OK.

  7. Click OK to save the profile.

To add the DLP profile to a firewall policy:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

  3. Set the Inspection Mode to Proxy-based.

  4. In the Security Profiles section, enable DLP Profile and select the desired profile.

  5. Configure the other settings as needed.

  6. Click OK.

Configuring DLP from the CLI

Use the following steps to configure DLP from the CLI.

To configure a DLP dictionary:
config dlp dictionary
    edit <name>
        config entries
            edit 1
                set type {credit-card | hex | keyword | mip-label | regex | ssn-us}
                set pattern <string>
                set repeat {enable | disable}
                set status {enable | disable}
            next
        end
    next
end
To configure a DLP sensor:
config dlp sensor
    edit <name>
        set match-type {match-all | match-any | match-eval}
        set eval <string>
        config entries
            edit <id>
                set dictionary <dlp_dictionary>
                set count <integer>
                set status {enable | disable}
            next
        end
    next
end

See Evaluation by Logical relationship for more information about match-eval.

To configure a DLP profile:
config dlp profile
    edit <name>
        set feature-set {flow | proxy}
        config rule
            edit <id>
                set proto <protocol> <protocol> ...
                set sensor <dlp_sensor>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To add the DLP profile to a firewall policy:
config firewall policy
    edit <id>
        set srcintf <interface>
        set dstintf <interface>
        set action accept
        set srcaddr <address>
        set dstaddr <address>
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set dlp-profile <string>
    next
end

See DLP examples for sample configurations.