FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lkanakala
Staff
Article Id 196796

Description


This article describes the GUI/CLI changes in configuring Data Leak/Loss Prevention (DLP).

Related document:
File Filter

Scope


FortiOS.

Solution


CLI Changes:
The following option to enable/disable DLP feature visibility in the GUI has been removed:

 

config system settings
    set gui-dlp [enable|disable]
end

 

GUI Changes:

  • No DLP profile in the security profile.
  • No DLP profile section in IPv4, IPv6, and Proxy policy.
  • No DLP Log option in Log & Report.
  • No DLP option with NGFW.

 

The DLP option is no longer available on the GUI and cannot be made visible on the GUI using the CLI. Under 'config system settings', the option 'set gui-dlp enable' no longer exists.

 

config system settings
    set gui-dlp
command parse error before 'gui-dlp'

 

 
DLP is still functional on v6.2.2 and later releases; however, it is configurable only from the CLI. The DLP commands and configuration remain the same as in earlier releases, as shown below.

get system status
Version: FortiGate-VM64-KVM v6.2.2,build1010,191008 (GA)
<snip>
 
Commands for versions between v6.2.2 and v7.2.3:

show
config dlp sensor
    edit default
        set comment Default sensor
            config filter
                edit 1
                    set proto smtp pop3 imap http-get http-post ftp nntp mapi
                    set filter-by file-type
                    set file-type 3
                    set action block
                next
            end
    next
    edit sniffer-profile
        set comment Log a summary of email and web traffic
        set summary-proto smtp pop3 imap http-get http-post
    next
end

config firewall policy
    edit 1
        set name Full Access
        set uuid b4b85de6-d4f2-51e9-5247-91c302c291e2
        set srcintf port1
        set dstintf port10
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable    <- It is necessary to enable utm-status first.
        set dlp-sensor default    
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
 
The DLP functionality can be leveraged using the 'File Filter' feature under the Web Filter security profile, which provides flexibility to inspect HTTP and FTP traffic for selected files.
 
 
Though the ‘File Filter’ supports only inspection of HTTP and FTP traffic, DLP can still be configured to handle other types of file filtering:
  • File-size.
  • SSN and Credit Card.
  • File name.
 
Another Example:
To block any file name that contains the word 'startrek', the CLI syntax for this would be:
 
config dlp sensor
    edit test2
        set feature-set proxy
            config filter
                edit 1
                    set name filebanned
                    set severity critical
                    set proto http-get http-post ssh
                    set filter-by regexp
                    set regexp /startrek/i
                    set action block
                next
            end
        set extended-log enable
        set full-archive-proto http-get http-post ssh
    next
end
 
  • It will block any file with 'startrek' in the name.

 

Important notes:
  • DLP configuration is available in Flow-based and Proxy-based inspection modes in v6.2.2.
  • If the unit is upgraded to v6.2.2, firewall policies lose the DLP sensor configuration attached to them, and the DLP sensor profile must be re-added to each firewall policy manually via the CLI (set dlp-sensor default).
  • Any custom DLP sensors that were created on firmware before v6.2.2 remain available after the upgrade to v6.2.2. However, they are removed from the firewall policies by default and need to be re-added manually.
  • File filtering currently works only in Proxy-based inspection mode.
  • There is no web filter profile in NGFW Policy mode.
  • DLP requires a valid license.
  • It is recommended to use deep inspection for DLP to work seamlessly.
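Because the upgrade silently detaches the DLP sensor from every policy, it is worth auditing a policy dump after the upgrade rather than relying on memory. The following Python script is an added example, not part of this article or of FortiOS: it parses the text of a 'show firewall policy' dump (a constructed sample is embedded), flags policies that have 'utm-status enable' but no 'dlp-sensor' (v6.2.2 to v7.2.3) or 'dlp-profile' (v7.2.4 and later) attached, and builds the CLI lines needed to re-attach a profile. The policy names and sensor name in the sample are assumptions; the attribute keys are the ones shown in this article.

```python
"""Audit a FortiOS 'config firewall policy' dump for policies that have UTM
enabled but no DLP sensor/profile attached, the state policies are left in
after the v6.2.2 upgrade. Added example; not FortiOS or Fortinet code."""
import re

# Constructed sample dump: policy 1 still has its sensor, policy 2 lost it
# on upgrade, policy 3 never had UTM enabled and is therefore out of scope.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Full Access"
        set srcintf "port1"
        set dstintf "port10"
        set utm-status enable
        set dlp-sensor "default"
        set logtraffic all
    next
    edit 2
        set name "Lost DLP after upgrade"
        set srcintf "port1"
        set dstintf "port10"
        set utm-status enable
        set logtraffic all
    next
    edit 3
        set name "No UTM"
        set srcintf "port2"
        set dstintf "port10"
        set logtraffic all
    next
end
"""

# 'set <key> <value...>' lines; value keeps its quotes until stripped below.
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')

# Attribute names that attach DLP to a policy, by FortiOS release.
DLP_KEYS = ('dlp-sensor', 'dlp-profile')


def parse_policies(config_text):
    """Return {policy_id: {key: value}} for every 'edit N' block inside
    'config firewall policy'. Surrounding quotes on values are stripped."""
    policies = {}
    current = None
    in_policy_table = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == 'config firewall policy':
            in_policy_table = True
            continue
        if not in_policy_table:
            continue
        if stripped.startswith('edit '):
            current = stripped.split(None, 1)[1].strip('"')
            policies[current] = {}
        elif stripped == 'next':
            current = None
        elif stripped == 'end':
            break  # end of the firewall policy table
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                policies[current][m.group(1)] = m.group(2).strip().strip('"')
    return policies


def policies_missing_dlp(config_text):
    """IDs of policies that inspect traffic (utm-status enable) but carry
    neither dlp-sensor nor dlp-profile, so the check works across versions."""
    missing = []
    for pid, attrs in parse_policies(config_text).items():
        if attrs.get('utm-status') == 'enable' and not any(attrs.get(k) for k in DLP_KEYS):
            missing.append(pid)
    return missing


def remediation_commands(policy_ids, profile_name='default', key='dlp-sensor'):
    """Build the CLI block that re-attaches a profile to each listed policy.
    Use key='dlp-sensor' for v6.2.2-v7.2.3 and key='dlp-profile' for v7.2.4+."""
    lines = ['config firewall policy']
    for pid in policy_ids:
        lines += [f'    edit {pid}', f'        set {key} "{profile_name}"', '    next']
    lines.append('end')
    return '\n'.join(lines)


if __name__ == '__main__':
    gaps = policies_missing_dlp(SAMPLE_CONFIG)
    print('policies with UTM enabled but no DLP attached:', gaps)
    print(remediation_commands(gaps))
```

Feed the script the output of 'show firewall policy' captured from the unit; the generated block is only a draft and should be reviewed against the policies' intended inspection mode before it is applied.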
 
As of v7.2.4 GA and above, the DLP profile feature has been reintroduced in the GUI.
 
DLP can be enabled in the GUI or CLI:
 
 
config system settings
    set gui-dlp-profile enable
end
 
On the new version, to enable the DLP profile on a firewall policy, use the following command:

config firewall policy
    edit <policy id>
        set dlp-profile "<profile name>"
    next
end

See the FortiOS 7.2.4 release notes for more information. In v7.2.4 and above, the CLI commands are changed a bit as shown below:
 
config dlp profile
    edit default
        set comment Default sensor
            config rule
                edit 1
                    set proto smtp pop3 imap http-get http-post ftp nntp cifs
                    set filter-by encrypted
                    set file-type 2
                    set action block
                next
            end
    next
end
 
From v7.4, the 'set filter-by' command has 4 values that can be set:
 
sensor      <----- Use DLP sensors to match content.
mip         <----- Use MIP label dictionary to match content.
encrypted   <----- Look for encrypted files.
none        <----- No content scan.
 
On v7.2, the 'set filter-by' command has 3 values:
 
sensor      <----- Use DLP sensors to match content.
encrypted   <----- Look for encrypted files.
none        <----- No content scan.
 

Note: In the newer FortiGate versions, such as v7.4.x and v7.6.x, the DLP option is not available under Security Profiles and Feature Visibility to access from the GUI.

To configure Data Loss Prevention UTM on FortiGate firewall policies, add /utm/dlp to the URL or IP address used to access FortiGate.

When multiple VDOMs are enabled, the VDOM name may need to be specified in the URL /utm/dlp?vdom=<vdom name>.

For example, the URL used to access DLP using the GUI is https://10.5.210.81/utm/dlp 

 
