Description
This article explains the GUI/CLI changes in configuring Data Leak/Loss Prevention (DLP).
Useful link:
File Filter - FortiGate cookbook
Scope
FortiOS versions between 6.2.2 and 7.2.3.
Solution
CLI Changes:
The following option to enable/disable DLP feature visibility in the GUI has been removed:
config system settings
set gui-dlp [enable|disable]
end
GUI Changes:
- No DLP profile in security profile.
- No DLP profile section in IPv4, IPv6 and Proxy policy.
- No DLP Log option in Log & Report.
- No DLP option with NGFW.
The DLP option is no longer available on the GUI and cannot be made visible on the GUI using the CLI. Under 'config system settings', the option 'set gui-dlp enable' no longer exists.
config system settings
set gui-dlp
command parse error before 'gui-dlp'
DLP is still functional on the releases 6.2.2 and later, however. It is configurable only from the CLI.
The commands and configuration related to DLP remain the same as shown in earlier code.
get system status
Version: FortiGate-VM64-KVM v6.2.2,build1010,191008 (GA)
<snip>
show
config dlp sensor
edit "default"
set comment "Default sensor."
config filter
edit 1
set proto smtp pop3 imap http-get http-post ftp nntp mapi
set filter-by file-type
set file-type 3
set action block
next
end
next
edit "sniffer-profile"
set comment "Log a summary of email and web traffic."
set summary-proto smtp pop3 imap http-get http-post
next
end
config firewall policy
edit 1
set name "Full Access"
set uuid b4b85de6-d4f2-51e9-5247-91c302c291e2
set srcintf "port1"
set dstintf "port10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable <- It is necessary to enable utm-status first.
set dlp-sensor "default"
set logtraffic all
set fsso disable
set nat enable
next
end
The DLP functionality can be leveraged using the 'File Filter' feature under the Web Filter security profile, which provides flexibility to inspect HTTP and FTP traffic for selected files.
Though the ‘File Filter’ supports only inspection of HTTP and FTP traffic, DLP can still be configured to handle other types of file filtering:
- File-size.
- SSN and Credit Card.
- File name.
Another Example:
To block any file name that contains the word 'startrek', the CLI syntax for this would be:
config dlp sensor
edit "test2"
set feature-set proxy
config filter
edit 1
set name "filebanned"
set severity critical
set proto http-get http-post ssh
set filter-by regexp
set regexp "/startrek/i"
set action block
next
end
set extended-log enable
set full-archive-proto http-get http-post ssh
next
end
- It will block any file with startrek in the name.
Important notes:
- DLP configuration is available in Flow-based and Proxy-based inspection modes in 6.2.2.
- If the unit is upgraded to FortiOS 6.2.2, firewall policies would lose the DLP sensor profile config on them and the DLP sensor profile needs to be manually added onto the firewall policy via CLI (set dlp-sensor default).
- Any custom DLP sensors that were created on the firmware before 6.2.2 would still be available to use after the upgrade to 6.2.2. However, by default, removed from the firewall policies and needs to be manually added.
- File filtering currently works only in Proxy-based inspection mode.
- There is no web filter profile in NGFW Policy mode.
- DLP requires a valid license.
As of FortiOS 7.2.4 GA and above, the DLP profile feature has been re-introduced in the GUI.
DLP can be enabled in the GUI or CLI:
config system settings
set gui-dlp-profile enable
end