FortiGate
vanitha
Staff

Description

This article explains how to configure DLP (Data Leak Prevention) to block files passing through a FortiGate.


Scope

FortiGate v5.0, FortiAP v5.4, FortiGate v5.2.


Solution

1) Configure the file filters/file patterns for the respective file types. (For example: pdf)

[Screenshot: vanitha_FD35108_DLP1.jpg]

2) Create a new DLP sensor.

Choose the file pattern created earlier and set the action to block.

[Screenshot: vanitha_FD35108_DLP2.jpg]

3) Configure the firewall policy and apply the DLP sensor to the respective policy.

[Screenshot: vanitha_FD35108_DLP3.jpg]

Note: On lower-end models (FG-40C, FG-30B, FG-20C) DLP can only be configured from the CLI, as shown below:

a) Configure the file filters/file patterns for the respective file types. (For example: pdf)

# config dlp filepattern
    edit 1
        set name "Test_file_filter"
        config entries
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end
 
b) Create a new DLP sensor and choose the file pattern already created. In the CLI, the sensor filter's file-type value is the ID of the file pattern table entry from step a), which is 1 here.
 
# config dlp sensor
    edit "Test_dlp_sensor"
        set comment 'to block files'
        config filter
            edit 1
                set type file
                set proto smtp pop3 imap http-get http-post ftp
                set filter-by file-type
                set file-type 1
                set archive enable
                set action block
            next
        end
        set extended-utm-log enable
        set flow-based disable
    next
end
 
c) Configure the firewall policy and apply the DLP sensor to the policy.
 
# config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set dlp-sensor "Test_dlp_sensor"
        set profile-protocol-options "default"
    next
end
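The three CLI steps above only work if their cross-references line up: the sensor filter's file-type must be an existing dlp filepattern table ID, and the policy's dlp-sensor must name an existing sensor. As an added example (Python, not Fortinet's code), the following parses the config/edit/set/next/end structure and reports any dangling reference; the SAMPLE configuration is constructed inline and mirrors the steps above.

```python
import shlex

# Constructed sample (added example, not from the article) in the CLI shape used above;
# {ref} is the value the sensor filter's file-type is set to.
SAMPLE = ('config dlp filepattern\n edit 1\n  set name "Test_file_filter"\n next\nend\n'
          'config dlp sensor\n edit "Test_dlp_sensor"\n  config filter\n   edit 1\n'
          '    set type file\n    set filter-by file-type\n    set file-type {ref}\n'
          '    set action block\n   next\n  end\n next\nend\n'
          'config firewall policy\n edit 1\n  set dlp-sensor "Test_dlp_sensor"\n next\nend\n')

def _scope(frame):
    """Where 'set'/'config' apply: the open entry if any, else the table itself."""
    return frame[1] if frame[1] is not None else frame[0]

def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into nested dicts.
    A table maps entry ID -> {key: [values]}; a 'config' opened inside an entry
    is stored under that entry by its name. Leading '# ' prompt markers are ignored."""
    root, stack = {}, []  # stack frames: [table_dict, current_entry_or_None]
    for raw in text.splitlines():
        tok = shlex.split(raw.strip().lstrip("#"))
        if not tok: continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            owner = _scope(stack[-1]) if stack else root
            stack.append([owner.setdefault(" ".join(args), {}), None])
        elif cmd == "edit":
            stack[-1][1] = stack[-1][0].setdefault(args[0], {})
        elif cmd == "set":
            _scope(stack[-1])[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return root

def check_dlp_references(cfg):
    """Return problem descriptions; an empty list means every reference resolves."""
    problems = []
    patterns, sensors = cfg.get("dlp filepattern", {}), cfg.get("dlp sensor", {})
    for sid, sensor in sensors.items():
        for fid, flt in sensor.get("filter", {}).items():
            ref = flt.get("file-type", [None])[0]
            if flt.get("filter-by") == ["file-type"] and ref not in patterns:
                problems.append(f"sensor {sid} filter {fid}: file-type {ref} is not a dlp filepattern ID")
    for pid, pol in cfg.get("firewall policy", {}).items():
        ref = pol.get("dlp-sensor", [None])[0]
        if ref is not None and ref not in sensors:
            problems.append(f"policy {pid}: dlp-sensor {ref} does not exist")
    return problems
```

Calling check_dlp_references(parse_fortios(SAMPLE.format(ref="3"))) reports the filter pointing at a pattern ID that was never created, while ref="1" returns an empty list; a running unit's `show dlp sensor` output can be fed to the same functions.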


For FortiOS 6.2.2 and higher:

The following option to enable or disable DLP feature visibility in the GUI has been removed:

# config system settings
    set gui-dlp [enable|disable]
end

GUI Changes:

- No DLP profile in the security profile.
- No DLP profile section in IPv4, IPv6 and Proxy policy.
- No DLP Log option in Log & Report.
- No DLP option with NGFW.
