Staff

Technical Tip: Configure Data Leak/Loss Prevention (DLP)

Forum|Forum|6 years ago
October 30, 2019
0 replies
86537 views

Description

This article describes the GUI/CLI changes in configuring Data Leak/Loss Prevention (DLP).

Related document:
File Filter

Scope

FortiOS.

Solution

CLI Changes:
The following option to enable/disable DLP feature visibility in the GUI has been removed:

config system settings
set gui-dlp [enable|disable]
end

GUI Changes:

No DLP profile in the security profile.
No DLP profile section in IPv4, IPv6, and Proxy policy.
No DLP Log option in Log & Report.
No DLP option with NGFW.

The DLP option is no longer available on the GUI and cannot be made visible on the GUI using the CLI. Under 'config system settings', the option 'set gui-dlp enable' no longer exists.

config system settings

set gui-dlp
command parse error before 'gui-dlp'

DLP is still functional on the releases v6.2.2 and later, however. It is configurable only from the CLI. The commands and configuration related to DLP remain the same as shown in earlier code.

get system status
Version: FortiGate-VM64-KVM v6.2.2,build1010,191008 (GA)
<snip>

Commands for versions between v6.2.2 and v7.2.3:

show

config dlp sensor
edit default
set comment Default sensor

config filter
edit 1
set proto smtp pop3 imap http-get http-post ftp nntp mapi
set filter-by file-type
set file-type 3
set action block
next
end

next
    edit sniffer-profile
        set comment Log a summary of email and web traffic
        set summary-proto smtp pop3 imap http-get http-post
    next
end

config firewall policy
    edit 1
        set name Full Access
        set uuid b4b85de6-d4f2-51e9-5247-91c302c291e2
        set srcintf port1
        set dstintf port10
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable    <- It is necessary to enable utm-status first.
        set dlp-sensor default
        set logtraffic all
        set fsso disable
        set nat enable
    next
end

The DLP functionality can be leveraged using the 'File Filter' feature under the Web Filter security profile, which provides flexibility to inspect HTTP and FTP traffic for selected files.

Though the ‘File Filter’ supports only inspection of HTTP and FTP traffic, DLP can still be configured to handle other types of file filtering:

File-size.
SSN and Credit Card.
File name.

Another Example:

To block any file name that contains the word 'startrek', the CLI syntax for this would be:

config dlp sensor
    edit test2
        set feature-set proxy
config filter
edit 1
set name filebanned
set severity critical
set proto http-get http-post ssh
set filter-by regexp
set regexp /startrek/i
set action block
next
end
set extended-log enable
        set full-archive-proto http-get http-post ssh
    next
end

It will block any file with 'startrek' in the name.

Important notes:

DLP configuration is available in Flow-based and Proxy-based inspection modes in v6.2.2.
If the unit is upgraded to v6.2.2, firewall policies would lose the DLP sensor profile config on them, and the DLP sensor profile needs to be manually added onto the firewall policy via CLI (set dlp-sensor default).
Any custom DLP sensors that were created on the firmware before v6.2.2 would still be available to use after the upgrade to v6.2.2. However, by default, removed from the firewall policies and needs to be manually added.
File filtering currently works only in Proxy-based inspection mode.
There is no web filter profile in NGFW Policy mode.
DLP requires a valid license.
It is recommended to use deep inspection for DLP to work seamlessly.
If using the DLP Archiving feature, it is only supported with Proxy-based inspection policies and Proxy-based DLP sensors.
If DLP is using Flow-based features, the IPS process is responsible for DLP inspection.
For the Proxy-based Feature set, the Scanunit Process inspects traffic for DLP

As of v7.2.4 GA and above, the DLP profile feature has been reintroduced in the GUI.

DLP can be enabled in the GUI or CLI:

config system settings
set gui-dlp-profile enable
end

On the new version, to enable the DLP profile on the firewall policy, use the following command:

config firewall policy
edit <policy id>
set dlp-profile ' '
end

See the FortiOS 7.2.4 release notes for more information. In v7.2.4 and above, the CLI commands are changed a bit as shown below:

config dlp profile
edit default
set comment Default sensor

config rule
edit 1
set proto smtp pop3 imap http-get http-post ftp nntp cifs
set filter-by encrypted
set file-type 2
set action block
next
end

From v7.4, the 'set filter-by' command has 4 values that can be set.

sensor <----- Use DLP sensors to match content.
mip <----- Use MIP label dictionary to match content.
encrypted <-----Look for encrypted files.
none <----- No content scan.

On v7.2, the 'set filter-by' command has 3 values.

sensor <----- Use DLP sensors to match content.
encrypted <----- Look for encrypted files.
none <----- No content scan.

Note: In the newer FortiGate versions, such as v7.4.x and v7.6.x, the DLP option is not available under Security Profiles and Feature Visibility to access from the GUI.

To configure Data Loss Prevention UTM on FortiGate firewall policies, add /utm/dlp to the URL or IP address used to access FortiGate.

When multiple VDOMs are enabled, the VDOM name may need to be specified in the URL /utm/dlp?vdom=<vdom name>.

For example, the URL used to access DLP using the GUI is https://10.5.210.81/utm/dlp.