Fortinet white logo
Fortinet white logo

Administration Guide

Sensitivity labels

Sensitivity labels

In order to safeguard your organization's data, labels can be employed as markers for sensitive information. Microsoft provides sensitivity labels, which act as identifiers emphasizing the importance of the data they're associated with, thereby enhancing the security measures in place. See Protect your sensitive data with Microsoft Purview (formerly MIP) for more information.

Any data traffic that includes a sensitivity label can be effectively managed using FortiGate. This is made possible through the utilization of a pre-defined data type, mip-label, specifically designed for MIP in the Data Leak Prevention (DLP) dictionary. See Microsoft Purview sensitivity labels for more information.

Example

This configuration will block HTTPS upload traffic that matches the DLP profile.

Note

When utilizing commonly-used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information.

Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed.

Sample topology

In this example, a Microsoft Office document that is marked with a sensitivity label is being attached to an email in the Chrome browser using Office Desktop. See Learn about sensitivity labels for more information. The FortiGate intercepts this traffic using deep inspection and blocks the attachment of the file because it matches the DLP profile that has been set up on this FortiGate.

When a sensitivity label is included in HTTPS upload traffic, the file is blocked and a DLP log is generated. See Sample log for a log sample.

Prerequisites

Before configuring FortiGate, complete the following steps:

  1. Create and configure sensitivity labels and their policies. See Create sensitivity labels for more information.

  2. Apply a sensitivity label to content. See Apply sensitivity labels to your files and email for more information.

    Once the sensitivity label is applied on a file, you'll see it displayed on the sensitivity bar.

  3. Obtain Globally Unique Identifier (GUID) for your sensitivity labels. See Search for documents by sensitivity label for more information.

    Sample GUID:

Note

FortiGate uses the GUID for label matching. The Pattern for mip-label is configured to correspond to the label’s GUID.

To block HTTPS upload traffic that includes MIP labels in the GUI:
  1. Configure the DLP dictionary:

    1. Go to Security Profiles > Data Leak Prevention, select the Dictionaries tab, and click Create New.

    2. Set Name to dic-case5.

    3. In the Dictionary Entries table click Create New:

      1. Set Type to mip-label.

      2. Set Pattern to ca51e4ff-0733-4744-bebb-d3e1eb6383f4.

        Note

        The pattern set here corresponds to the GUID of a specific sensitivity label. Please use your own GUID in this step. See step 3 of Prerequisites for how to obtain your label GUID.

      3. Click OK.

    4. Click OK.

  2. DLP profiles that filter by MIP can only be configured in the CLI. See Configure the DLP profile.

  3. Add the DLP profile to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set the Inspection Mode to Proxy-based.

    3. In the Security Profiles section, enable DLP Profile and select profile-case5.

    4. Set SSL Inspection to deep-inspection.

    5. Configure the other settings as needed.

    6. Click OK.

To block HTTPS upload traffic that includes MIP labels in the CLI:
  1. Configure the DLP dictionary:

    config dlp dictionary
        edit "dic-case5"
            config entries
                edit 1
                    set type "mip-label"
                    set pattern "ca51e4ff-0733-4744-bebb-d3e1eb6383f4"
                next
            end
        next
    end

    Note

    The set pattern is set to the GUID of a specific sensitivity label. Please use your own GUID in this step. See step 3 of Prerequisites for how to obtain your label GUID.

  2. Configure the DLP profile:

    config dlp profile
        edit "profile-case5"
            set feature-set proxy
            config rule
                edit 1
                    set name "mip-label"
                    set severity critical
                    set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                    set filter-by mip
                    set file-type 1
                    set label "dic-case5"
                    set action block
                next
            end
        next
    end
  3. Add the DLP profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set dlp-profile "profile-case5"
            set nat enable
        next
    end
    
Sample log

An attempt was made to send an email from a Windows device using Gmail's webmail service. The email was intended to include an attachment with a sensitivity label, but the attachment failed to upload, resulting in the generation of a sample log.

1: date=2023-11-02 time=06:31:07 eventtime=1698863466313615946 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="1" dlpextra="dic-case5" filtertype="mip" filtercat="file" severity="critical" policyid=1 poluuid="8bd1908e-7839-51ee-e86b-e411056688ec" policytype="policy" sessionid=2988 epoch=1712884745 eventid=0 srcip=10.10.10.1 srcport=49985 srccountry="Reserved" srcintf="port2" srcintfrole="lan" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=142.251.211.229 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="lan" dstuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" proto=6 service="HTTPS" filetype="msoffice" direction="outgoing" action="block" hostname="mail.google.com" url="https://mail.google.com/_/upload?authuser=0&dcp=asu-n&upload_id=ABPtcPoZPYAkCzE-FaGZS_QUNjml-0vPOGdjf7nk02kKLLnoTmg-wqsAbeWfuzerDACV0b8dZ6v0bkUZnB57Is1QdvjFBE2r90bT&upload_protocol=resumable" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://mail.google.com/mail/u/0/" filename="doc.doc" filesize=53248 profile="profile-case5"

Sensitivity labels

Sensitivity labels

In order to safeguard your organization's data, labels can be employed as markers for sensitive information. Microsoft provides sensitivity labels, which act as identifiers emphasizing the importance of the data they're associated with, thereby enhancing the security measures in place. See Protect your sensitive data with Microsoft Purview (formerly MIP) for more information.

Any data traffic that includes a sensitivity label can be effectively managed using FortiGate. This is made possible through the utilization of a pre-defined data type, mip-label, specifically designed for MIP in the Data Leak Prevention (DLP) dictionary. See Microsoft Purview sensitivity labels for more information.

Example

This configuration will block HTTPS upload traffic that matches the DLP profile.

Note

When utilizing commonly-used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information.

Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed.

Sample topology

In this example, a Microsoft Office document that is marked with a sensitivity label is being attached to an email in the Chrome browser using Office Desktop. See Learn about sensitivity labels for more information. The FortiGate intercepts this traffic using deep inspection and blocks the attachment of the file because it matches the DLP profile that has been set up on this FortiGate.

When a sensitivity label is included in HTTPS upload traffic, the file is blocked and a DLP log is generated. See Sample log for a log sample.

Prerequisites

Before configuring FortiGate, complete the following steps:

  1. Create and configure sensitivity labels and their policies. See Create sensitivity labels for more information.

  2. Apply a sensitivity label to content. See Apply sensitivity labels to your files and email for more information.

    Once the sensitivity label is applied on a file, you'll see it displayed on the sensitivity bar.

  3. Obtain Globally Unique Identifier (GUID) for your sensitivity labels. See Search for documents by sensitivity label for more information.

    Sample GUID:

Note

FortiGate uses the GUID for label matching. The Pattern for mip-label is configured to correspond to the label’s GUID.

To block HTTPS upload traffic that includes MIP labels in the GUI:
  1. Configure the DLP dictionary:

    1. Go to Security Profiles > Data Leak Prevention, select the Dictionaries tab, and click Create New.

    2. Set Name to dic-case5.

    3. In the Dictionary Entries table click Create New:

      1. Set Type to mip-label.

      2. Set Pattern to ca51e4ff-0733-4744-bebb-d3e1eb6383f4.

        Note

        The pattern set here corresponds to the GUID of a specific sensitivity label. Please use your own GUID in this step. See step 3 of Prerequisites for how to obtain your label GUID.

      3. Click OK.

    4. Click OK.

  2. DLP profiles that filter by MIP can only be configured in the CLI. See Configure the DLP profile.

  3. Add the DLP profile to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set the Inspection Mode to Proxy-based.

    3. In the Security Profiles section, enable DLP Profile and select profile-case5.

    4. Set SSL Inspection to deep-inspection.

    5. Configure the other settings as needed.

    6. Click OK.

To block HTTPS upload traffic that includes MIP labels in the CLI:
  1. Configure the DLP dictionary:

    config dlp dictionary
        edit "dic-case5"
            config entries
                edit 1
                    set type "mip-label"
                    set pattern "ca51e4ff-0733-4744-bebb-d3e1eb6383f4"
                next
            end
        next
    end

    Note

    The set pattern is set to the GUID of a specific sensitivity label. Please use your own GUID in this step. See step 3 of Prerequisites for how to obtain your label GUID.

  2. Configure the DLP profile:

    config dlp profile
        edit "profile-case5"
            set feature-set proxy
            config rule
                edit 1
                    set name "mip-label"
                    set severity critical
                    set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                    set filter-by mip
                    set file-type 1
                    set label "dic-case5"
                    set action block
                next
            end
        next
    end
  3. Add the DLP profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set dlp-profile "profile-case5"
            set nat enable
        next
    end
    
Sample log

An attempt was made to send an email from a Windows device using Gmail's webmail service. The email was intended to include an attachment with a sensitivity label, but the attachment failed to upload, resulting in the generation of a sample log.

1: date=2023-11-02 time=06:31:07 eventtime=1698863466313615946 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="1" dlpextra="dic-case5" filtertype="mip" filtercat="file" severity="critical" policyid=1 poluuid="8bd1908e-7839-51ee-e86b-e411056688ec" policytype="policy" sessionid=2988 epoch=1712884745 eventid=0 srcip=10.10.10.1 srcport=49985 srccountry="Reserved" srcintf="port2" srcintfrole="lan" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=142.251.211.229 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="lan" dstuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" proto=6 service="HTTPS" filetype="msoffice" direction="outgoing" action="block" hostname="mail.google.com" url="https://mail.google.com/_/upload?authuser=0&dcp=asu-n&upload_id=ABPtcPoZPYAkCzE-FaGZS_QUNjml-0vPOGdjf7nk02kKLLnoTmg-wqsAbeWfuzerDACV0b8dZ6v0bkUZnB57Is1QdvjFBE2r90bT&upload_protocol=resumable" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://mail.google.com/mail/u/0/" filename="doc.doc" filesize=53248 profile="profile-case5"