Administration Guide

Data loss prevention (DLP) protection for secrets

Data loss prevention (DLP) is a security control that detects and blocks the transfer of sensitive data. Because it stops sensitive data from being extracted, it serves both internal security and regulatory compliance. On FortiPAM, the data at stake is typically secret material (private keys, credentials, and similar files) moved through a launcher session.

The filters in a DLP sensor can examine traffic for the following:

  • Known files using DLP fingerprinting

  • Known files using DLP watermarking

  • Particular file types

  • Particular file names

  • Files larger than a specified size

  • Data matching a specified regular expression

  • Credit card and Social Security numbers

DLP is primarily used to stop sensitive data from leaving your network. It can also prevent unwanted data from entering your network and archive some or all of the content that passes through FortiPAM. Archiving is configured per filter, so a single sensor can archive only the data that is required; the archiving protocol is also set in the CLI.

Currently, DLP can only be configured in the CLI, and it applies only to file-transfer-based launchers (WinSCP, Web SFTP, and Web SMB).

The following basic filter types can be configured in the CLI:

  • File type and name: A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list. See Supported file types.

  • File size: A file size filter matches files that exceed the specified size threshold and applies the DLP sensor's configured action to them.

  • Regular expression: A regular expression filter filters files or messages based on the configured regular expression pattern.

  • Credit card and SSN: The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.

    The SSN sensor can be used to filter files or messages for Social Security numbers.

DLP CLI examples

To configure a file type and name filter:
  1. In the CLI console, enter the following commands to create a file pattern list that matches files by file name pattern or by file type. This example creates list ID 11, which matches GIF files by name pattern and PDF files by file type:

    config dlp filepattern
        edit 11
            set name "sample_config"
            config entries
                edit "*.gif"
                    set filter-type pattern
                next
                edit "pdf"
                    set filter-type type
                    set file-type pdf
                next
            end
        next
    end

  2. Create the DLP sensor with a filter that references file pattern list 11. The http-get and http-post protocols apply to the Web SFTP and Web SMB launchers:

    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-type
                    set file-type 11
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end

To configure file size filtering:
  1. In the CLI console, use the following commands. A file size filter takes a file-size threshold (in kilobytes) rather than a file pattern list; files that exceed the threshold receive the configured action:

    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-size
                    set file-size <size_in_KB>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end

To configure regular expression filtering:
  1. In the CLI console, use the following commands:

    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set type {file | message}
                    set proto {http-get http-post ssh}
                    set filter-by regexp
                    set regexp <string>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end

To configure credit card or SSN filtering:
  1. In the CLI console, use the following commands:

    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set type {file | message}
                    set proto {http-get http-post ssh}
                    set filter-by {credit-card | ssn}
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
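The templates above show each filter type in isolation. The following is an added, end-to-end example, not from the original page or from Fortinet, that combines the file type and name, regular expression, file size, and credit card procedures into one file pattern list and one sensor aimed at the secrets most likely to leak through a file-transfer launcher. The list ID (12), the sensor and filter names, the file name patterns, the regular expressions, the 10240 KB threshold, and the choice of actions are all illustrative assumptions. Lines beginning with # are comments and are not part of the configuration.

```fortios
# Added example, not Fortinet's own configuration. List ID 12 and all
# names, patterns, thresholds and actions below are assumptions.

# Step 1: file pattern list that matches key material by file name.
config dlp filepattern
    edit 12
        set name "private-key-files"
        config entries
            edit "*.pem"
                set filter-type pattern
            next
            edit "*.key"
                set filter-type pattern
            next
            edit "*.ppk"
                set filter-type pattern
            next
            edit "id_rsa*"
                set filter-type pattern
            next
        end
    next
end

# Step 2: one sensor, five filters, applied to every launcher protocol
# (http-get/http-post for Web SFTP and Web SMB, ssh for the SSH-based launcher).
config dlp sensor
    edit "secrets-dlp"
        set comment "Stop private keys and credentials leaving via file-transfer launchers"
        config filter
            # Filter 1: block by file name using list 12.
            edit 1
                set name "block-key-files"
                set type file
                set proto http-get http-post ssh
                set filter-by file-type
                set file-type 12
                set action block
            next
            # Filter 2: block any file whose content carries a PEM private-key
            # header, whatever the file is called. Matches "-----BEGIN PRIVATE
            # KEY-----", "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN OPENSSH
            # PRIVATE KEY-----" and similar.
            edit 2
                set name "block-pem-private-key"
                set type file
                set proto http-get http-post ssh
                set filter-by regexp
                set regexp "-----BEGIN [A-Z ]*PRIVATE KEY-----"
                set action block
            next
            # Filter 3: log files that look like they contain an AWS access key
            # ID. Log-only first to baseline false positives before blocking.
            edit 3
                set name "log-aws-access-key-id"
                set type file
                set proto http-get http-post ssh
                set filter-by regexp
                set regexp "AKIA[0-9A-Z]{16}"
                set action log-only
            next
            # Filter 4: log transfers of 10240 KB (about 10 MB) or more for review.
            edit 4
                set name "log-large-transfers"
                set type file
                set proto http-get http-post ssh
                set filter-by file-size
                set file-size 10240
                set action log-only
            next
            # Filter 5: log files containing credit card numbers.
            edit 5
                set name "log-credit-card-numbers"
                set type file
                set proto http-get http-post ssh
                set filter-by credit-card
                set action log-only
            next
        end
    next
end
```

After entering the configuration, confirm what was committed with show dlp filepattern 12 and show dlp sensor secrets-dlp, then push a throwaway test key (never a production one) through a launcher and verify both the block and the resulting DLP log entry. Note that the regular expression and credit card filters only see content the DLP engine can read: a key inside an encrypted archive, or one re-encoded without its PEM header, will not match filter 2, which is why the name-pattern and size filters remain as a second layer. How the sensor is attached to a FortiPAM policy is not described in this section and is not shown here.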
