FortiGate
mgoswami
Staff
Article Id 254592
Description This article describes how to block PDF files larger than a specific size from being uploaded or downloaded using DLP (Data Leak Prevention).
Scope FortiGate v7.2.
Solution

Data Leak Prevention is not enabled by default. It has to be enabled from Feature Visibility under Settings.

Once this is enabled, the DLP feature is visible under Security Profiles.

 

1) Create the file pattern for PDF first:

 

# config dlp filepattern
    edit 10
        set name "block-pdf"
        set comment ''
        # config entries
            edit "pdf"
                set filter-type type
                set file-type pdf   <----- Check for the available file types using 'set file-type ?'.
            next
        end
    next
end

 

2) Configure the DLP Profile:

 

# config dlp profile
    edit "profile-case3_pdf"
        set feature-set proxy
        # config rule
            edit 1
                set name "Block-file-pdf-5MB"
                set proto smtp pop3 imap http-get http-post ftp nntp cifs   <----- Add the protocols to be blocked.
                set file-size 5000   <----- Specify the size in KB to be blocked.
                set file-type 10     <----- This is the ID of the file pattern created above for PDF.
                set action block
            next
        end
    next
end

 

3) Add the DLP profile 'profile-case3_pdf' to the Policy:

 

# config firewall policy
    edit 1
        set status enable
        set name "Test"
        set srcintf "LAN"
        set dstintf "WAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"   <----- Ensure that the policy uses deep inspection.
        set dlp-profile "profile-case3_pdf"
    next
end

 

To view the logs, go to Log & Report -> Security Events -> DLP.

 

Sample log for the above configuration:

date=2023-05-01 time=08:17:22 eventtime=1682921842747701607 tz="+0200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="Block-file-pdf-5MB" dlpextra="block-pdf;5000 kB" filtertype="none" filtercat="file" severity="medium" policyid=1 srcintf="LAN"  dstport=443 dstintf="WAN" proto=6 service="HTTPS" filetype="pdf" direction="incoming" action="block" hostname="jsoncompare.org" url="https://jsoncompare.org/LearningContainer/SampleFiles/PDF/sample-pdf-download-10-mb.pdf" httpmethod="GET"  filesize=10485760 profile="profile-case3_pdf"
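
To confirm from exported logs that the rule fires only on files at or above the configured size, the key=value fields of the sample log line above can be parsed and the filesize field compared with the limit carried in dlpextra. The following Python sketch is an added example, not part of the original article or of any Fortinet tooling; the function names, the shortened sample lines and the 1024-bytes-per-KB conversion are assumptions.

```python
import re

# key=value pairs; a value is either double-quoted or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Return the fields of one key=value log line as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def dlp_size_blocks(lines, bytes_per_kb=1024):
    """Summarise DLP events that were blocked by a file-size rule.

    bytes_per_kb=1024 is an assumption about how the size unit is counted.
    """
    events = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "dlp" or f.get("action") != "block":
            continue
        # dlpextra carries "<file pattern name>;<size limit> kB"
        pattern, _, limit = f.get("dlpextra", "").partition(";")
        m = re.fullmatch(r"\s*(\d+)\s*kB\s*", limit)
        if not m or not f.get("filesize", "").isdigit():
            continue  # not a size-based match, or no size logged
        limit_bytes = int(m.group(1)) * bytes_per_kb
        size = int(f["filesize"])
        events.append({
            "rule": f.get("filtername"), "pattern": pattern,
            "profile": f.get("profile"), "host": f.get("hostname"),
            "direction": f.get("direction"), "filesize": size,
            "limit_bytes": limit_bytes, "over_limit": size >= limit_bytes,
        })
    return events

# Constructed sample input: a shortened copy of the log line above, plus
# two made-up lines that must be ignored (a log-only event, a non-DLP event).
SAMPLE = [
    'date=2023-05-01 type="utm" subtype="dlp" filtername="Block-file-pdf-5MB" '
    'dlpextra="block-pdf;5000 kB" filetype="pdf" direction="incoming" action="block" '
    'hostname="jsoncompare.org" filesize=10485760 profile="profile-case3_pdf"',
    'date=2023-05-01 type="utm" subtype="dlp" filtername="example-rule" '
    'dlpextra="block-pdf;5000 kB" action="log-only" filesize=6000000',
    'date=2023-05-01 type="traffic" subtype="forward" action="accept"',
]

if __name__ == "__main__":
    for event in dlp_size_blocks(SAMPLE):
        print(event)
```

An event reported with over_limit set to False would mean the logged size is below the limit in dlpextra, which is worth checking against the rule's file-size value.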
