Biraman, Staff
Article Id 218034

Description

 

This article describes how to configure DLP to block specific file types and how to troubleshoot that configuration.

 

Scope

 

FortiGate UTM (6.4 and above).

 

Solution

 

Configure a DLP file pattern that specifies the type of file to be matched.

In this example, all PDF files are blocked.

 

config dlp filepattern
    edit 11
        set name "sample"
        config entries
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end

 

The next step is to configure the DLP sensor and reference the file pattern (ID 11) from a filter in that sensor.

 

config dlp sensor
    edit "FortiDLP"
        config filter
            edit 1
                set name "Block File Extension"
                set proto http-get http-post
                set filter-by file-type
                set file-type 11
                set action block
            next
        end
    next
end

 

Then apply the DLP sensor to the firewall policy on which the data leak needs to be blocked.

Note:

From v6.2.2 to v7.2.3, DLP is not available in the GUI and can only be configured through the CLI. It was re-introduced in the GUI in v7.2.4 (if Data Leak Prevention is not visible in the tree menu, go to System -> Feature Visibility and enable it).

 

config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "g-default"
        set dlp-sensor "FortiDLP"
        set application-list "g-default"
        set nat enable
    next
end

 

Note:

Deep inspection is required for DLP.

Troubleshooting:

During testing, make sure the traffic is handled by the correct policy, that is, the one where both the DLP sensor and deep inspection are applied.

 

In this example, the certificate presented to the client is signed by the FortiGate, which confirms that the SSL/SSH deep inspection profile applied to the policy is in effect.

 


 

Flow-based debugs:
If the DLP sensor uses the flow-based feature set, the IPS process is responsible for DLP inspection.

 

diagnose ips filter set "host <source or destination IP address>"
diagnose ips debug enable all
diagnose debug enable
diagnose debug disable    <- To disable debugging.

 

Note:

It is recommended to use an IPS filter to reduce the volume of debug output.

Example output of a successful block:

 

[280@70649]ips_process_event: ctx 0: 0 => 3
[280@70649]ips_handle_pkt_verdict: drop a packet, size=735

 

Proxy-based debugs:
For the proxy-based feature set, the scanunit process inspects traffic for DLP.

 

diagnose sys scanunit debug all
diagnose debug enable

 

Example output of a successful block:


su 6149 job 2 MIME: done DLP file scan, file 'studyguide.pdf'
su 6149 job 2 DLP: Taking action 0x2, filter ID 1   <- 0x2 or 2 is Blocked.
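As an added example that is not part of the original article, the following Python parser reads both the flow-based (IPS) and proxy-based (scanunit) debug lines shown above and turns them into block events, correlating each scanunit "Taking action" line with the file scanned in the same job. The sample lines are constructed from the output formats on this page; only the 0x2 (block) action code is documented here, so other codes are reported verbatim rather than named.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the scanunit and IPS debug output
# shown in the article (not captured from a real device).
SAMPLE_DEBUG = """\
su 6149 job 2 MIME: done DLP file scan, file 'studyguide.pdf'
su 6149 job 2 DLP: Taking action 0x2, filter ID 1
su 6149 job 3 MIME: done DLP file scan, file 'notes.txt'
[280@70649]ips_process_event: ctx 0: 0 => 3
[280@70649]ips_handle_pkt_verdict: drop a packet, size=735
"""

# Only the block action (0x2) is documented on the page; any other value
# is passed through unchanged rather than guessed at.
DLP_ACTION_NAMES = {0x2: "block"}

SCAN_RE = re.compile(r"^su (\d+) job (\d+) MIME: done DLP file scan, file '([^']*)'")
ACTION_RE = re.compile(r"^su (\d+) job (\d+) DLP: Taking action (0x[0-9a-fA-F]+), filter ID (\d+)")
IPS_DROP_RE = re.compile(r"^\[(\d+)@(\d+)\]ips_handle_pkt_verdict: drop a packet, size=(\d+)")


def parse_dlp_debug(text: str) -> List[Dict]:
    """Return one event per DLP action (proxy path) or packet drop (flow path).

    Scanunit reports the scanned file and the action taken on separate lines
    that share the same (su pid, job id); the file name is remembered per job
    so the action event can name the file it applied to."""
    events: List[Dict] = []
    scanned: Dict[tuple, str] = {}  # (su pid, job id) -> last scanned file
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            scanned[(m[1], m[2])] = m[3]
            continue
        m = ACTION_RE.match(line)
        if m:
            code = int(m[3], 16)
            events.append({"engine": "proxy", "job": m[2], "file": scanned.get((m[1], m[2])),
                           "action": DLP_ACTION_NAMES.get(code, m[3]), "filter_id": int(m[4])})
            continue
        m = IPS_DROP_RE.match(line)
        if m:
            events.append({"engine": "flow", "action": "drop", "size": int(m[3])})
    return events


def blocked_files(text: str) -> List[str]:
    """Names of files the proxy-based DLP sensor blocked."""
    return [e["file"] for e in parse_dlp_debug(text) if e["engine"] == "proxy" and e["action"] == "block"]
```

Files that were scanned but never followed by a "Taking action" line (notes.txt above) are not reported as blocked, which is the quickest way to tell an unmatched file pattern from a sensor that is not being applied at all.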

 

Important Note:

The DLP archiving feature is only supported with proxy-based inspection policies and proxy-based DLP sensors.

 

config dlp sensor
    edit <sensor name>
        set feature-set proxy
    next
end

 

If the scanunit debug above produces no output (that is, it is never triggered), it can be useful to debug the WAD daemon instead:


diagnose wad debug enable category scan
diagnose wad debug enable level verbose
diagnose debug enable

 

After testing, disable debugging with diagnose debug disable.

 

For more information on DLP Archiving, refer to Technical Tip: How to archive content of all emails passing through a FortiGate.


Related documents: