Data loss prevention (DLP) protection for secrets
DLP (Data Loss Prevention) is a security control that detects and blocks the transfer of sensitive data. Because it stops sensitive data from being extracted, it serves both internal security and regulatory compliance.
The filters in a DLP sensor can examine traffic for the following:
- Known files using DLP fingerprinting
- Known files using DLP watermarking
- Particular file types
- Particular file names
- Files larger than a specified size
- Data matching a specified regular expression
- Credit card and Social Security numbers
DLP is primarily used to stop sensitive data from leaving your network. DLP can also prevent unwanted data from entering your network and archive some or all of the content that passes through the FortiPAM. DLP archiving is configured per filter, which allows a single sensor to archive only the required data. You can configure the DLP archiving protocol in the CLI. Note that DLP can currently only be configured in the CLI and can be applied only to file-transfer-based launchers (WinSCP, Web SFTP, and Web SMB).
Note: DLP-related configurations can only be set via the CLI.
The following basic filter types can be configured in the CLI:
- File type and name: A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list. See Supported file types.
- File size: A file size filter checks for files that exceed the specified size and performs the DLP sensor's configured action on them.
- Regular expression: A regular expression filter filters files or messages based on the configured regular expression pattern.
- Credit card and SSN: The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages. The SSN sensor can be used to filter files or messages for Social Security numbers.
DLP via the CLI example
To configure a file type and name filter:
1. In the CLI console, enter the following commands to create a file pattern table whose entries match files by file name pattern or by file type. In this example, the entry "*.gif" matches by name pattern and the entry "pdf" matches by file type rather than by name, so the table catches GIFs and PDFs:
    config dlp filepattern
        edit 11
            set name "sample_config"
            config entries
                edit "*.gif"
                    set filter-type pattern
                next
                edit "pdf"
                    set filter-type type
                    set file-type pdf
                next
            end
        next
    end
2. Create the DLP sensor and add a filter that references the file pattern table by its ID (11 in this example). Note: the http-get and http-post protocols apply to the Web SFTP and Web SMB launchers:
    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-type
                    set file-type 11
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
To configure file size filtering:
1. In the CLI console, use the following commands. The file-size keyword sets the size threshold; a file that exceeds it triggers the filter's configured action:
    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-size
                    set file-size <size>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
To configure regular expression filtering:
1. In the CLI console, use the following commands:
    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set type {file | message}
                    set proto {http-get http-post ssh}
                    set filter-by regexp
                    set regexp <string>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
To configure credit card or SSN filtering:
1. In the CLI console, use the following commands:
    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set type {file | message}
                    set proto {http-get http-post ssh}
                    set filter-by {credit-card | ssn}
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
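The four procedures above each show one filter in isolation. The following added example, which is not FortiPAM or FortiOS code, models how a single sensor holding all four filter types (file type and name via file pattern table 11, file size, a regular expression for private key material, and the built-in credit card and SSN matchers) behaves against constructed file transfers over the http-get, http-post and ssh protocols. Everything beyond the CLI keywords is an assumption of the example: the file-size unit (kilobytes), file type detection by magic bytes, the card and SSN formats and the Luhn check, and the rule that the most restrictive action among matching filters wins; the appliance's own precedence is not stated on this page.

```python
"""Offline model of DLP sensor filter evaluation (added example, not FortiPAM code)."""
import fnmatch
import re
from dataclasses import dataclass, field

# File pattern table 11, mirroring the CLI example: "*.gif" is matched by
# name pattern, "pdf" by file type. Type detection by magic bytes is an
# assumption of this example; the page does not document the appliance's method.
FILEPATTERNS = {11: [("pattern", "*.gif"), ("type", "pdf")]}
MAGIC = {b"%PDF-": "pdf", b"GIF8": "gif", b"PK\x03\x04": "zip"}

# Assumed formats for the built-in matchers: 13-16 digit Visa, 16 digit
# Mastercard (51-55), 15 digit American Express, plus a Luhn check; SSN in
# the hyphenated form with the invalid area/group/serial ranges excluded.
CARD_RE = re.compile(r"\b(?:4\d{12}(?:\d{3})?|5[1-5]\d{14}|3[47]\d{13})\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SEVERITY = {"allow": 0, "log-only": 1, "block": 2, "quarantine-ip": 3}


def detect_type(data: bytes) -> str:
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"


def luhn_ok(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Filter:
    id: int
    name: str
    filter_by: str            # file-type | file-size | regexp | credit-card | ssn
    action: str               # allow | log-only | block | quarantine-ip
    proto: set = field(default_factory=lambda: {"http-get", "http-post", "ssh"})
    file_type: int = 0        # file pattern table id
    file_size: int = 0        # threshold in KB (unit assumed)
    regexp: str = ""


@dataclass
class Transfer:
    proto: str
    filename: str
    data: bytes


def matches(f: Filter, t: Transfer) -> bool:
    if t.proto not in f.proto:
        return False
    if f.filter_by == "file-type":
        for kind, value in FILEPATTERNS[f.file_type]:
            if kind == "pattern" and fnmatch.fnmatch(t.filename.lower(), value):
                return True
            if kind == "type" and detect_type(t.data) == value:
                return True
        return False
    if f.filter_by == "file-size":
        return len(t.data) > f.file_size * 1024
    text = t.data.decode("utf-8", errors="ignore")
    if f.filter_by == "regexp":
        return re.search(f.regexp, text) is not None
    if f.filter_by == "credit-card":
        return any(luhn_ok(m) for m in CARD_RE.findall(text))
    if f.filter_by == "ssn":
        return SSN_RE.search(text) is not None
    raise ValueError(f.filter_by)


def evaluate(sensor: list, t: Transfer) -> tuple:
    """Return (action, names of matching filters); no match means allow.
    Most restrictive action wins when several filters match (assumption)."""
    hits = [f for f in sorted(sensor, key=lambda f: f.id) if matches(f, t)]
    if not hits:
        return "allow", []
    action = max((f.action for f in hits), key=SEVERITY.__getitem__)
    return action, [f.name for f in hits]


# A sensor aimed at secrets leaving through the file-transfer launchers.
SENSOR = [
    Filter(1, "gif_pdf", "file-type", "log-only", file_type=11),
    Filter(2, "large_ssh", "file-size", "block", proto={"ssh"}, file_size=5),
    Filter(3, "private_key", "regexp", "block",
           regexp=r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    Filter(4, "cards", "credit-card", "quarantine-ip"),
    Filter(5, "ssn", "ssn", "block"),
]

if __name__ == "__main__":
    # Constructed sample transfers; the renamed PDF is caught by type, not name.
    for t in (Transfer("http-post", "notes.txt", b"%PDF-1.7 renamed"),
              Transfer("ssh", "id_rsa", b"-----BEGIN OPENSSH PRIVATE KEY-----\nx\n"),
              Transfer("http-get", "dump.txt", b"card 4111111111111111"),
              Transfer("http-get", "big.bin", bytes(6 * 1024))):
        print(t.proto, t.filename, evaluate(SENSOR, t))
```

Two behaviours worth checking on a real sensor: a PDF renamed to .txt still trips the type entry of the file pattern table, while the proto list makes the large-file rule fire only for ssh transfers, so the same 6 KB file passes untouched over http-get.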