Description
This article describes the DLP configuration to block specific File types and troubleshoot.
Scope
Fortigate UTM (6.4 and above).
Solution
First, configure the DLP file pattern to specify the type of file that needs to be matched.
In this example, all PDF files are blocked.
# config dlp filepattern
edit 11
set name "sample"
config entries
edit "pdf"
set filter-type type
set file-type pdf
next
end
next
end
The next step will be configuring DLP Sensor and using the file pattern in the DLP sensor.
# config dlp sensor
edit "FortiDLP"
config filter
edit 1
set name "Block File Extension"
set proto http-get http-post
set filter-by file-type
set file-type 11
set action block
next
end
next
end
Then enable the DLP sensor on the Firewall policy that needs to block Data leak.
Note: From Forti OS 6.2.2 and Higher DLP is not available in GUI and can only be configured through CLI.
# config firewall policy
edit 1
set name "Internet"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "g-default"
set dlp-sensor "FortiDLP"
set application-list "g-default"
set nat enable
next
end
Note: Deep inspection is required for DLP.
Troubleshooting
During testing make sure the traffic is handled by the correct policy where DLP and Deep Inspection are applied.
Like in this example the certificate is signed by the FortiGate used for SSL/SSH deep inspection profile applied to the policy.
If DLP is using Flow-based features.
For Flow-based features, IPS process is responsible for DLP inspection.
# diagnose ips filter set "host <Source or destination IP address >"
# diagnose ips debug enable all
# diagnose debug enable
# diagnose debug disable --------> To disable Debugs
Note: It is recommended to use an IPS filter to reduce the volume of debugs.
Example Output of a successful block.
[280@70649]ips_process_event: ctx 0: 0 => 3
[280@70649]ips_handle_pkt_verdict: drop a packet, size=735
Proxy Based Debugs:
For Proxy based Feature set Scanunit Process inspects traffic for DLP.
# diagnose sys scanunit debug all
# diagnose debug enable
Example Output of a successful block.
su 6149 job 2 MIME: done DLP file scan, file 'studyguide.pdf'
su 6149 job 2 DLP: Taking action 0x2, filter ID 1 ---------> 0x2 or 2 is Blocked
Important Note:
If using the DLP Archiving feature it is only supported with Proxy-based inspection policies and Proxy-based DLP sensors.
# config dlp sensor
edit <your sensor>
set feature-set proxy
end
For more information on DLP Archiving refer to:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-archive-content-of-all-emails-pass...
Additional Reference - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Data-Leak-Prevention-DLP/ta-p/19...
