Created on 08-10-2021 10:26 AM Edited on 01-31-2024 05:47 AM By Jean-Philippe_P
Description
MIP is a solution that helps you discover, classify, and protect sensitive information wherever it lives or travels by applying labels to content.
AIP extends this functionality to the Azure cloud.
Consult Microsoft’s documents for further reading on Microsoft Information Protection and Azure Information Protection.
FortiGate integrates with MIP and AIP by scanning traffic for these labels, and taking action when it matches.
This is accomplished by defining a Data Leak Prevention (DLP) sensor that matches the label and applies an action such as dropping the traffic.
This sensor is added to a policy that matches the path your sensitive information could take to leave the secure network.
Solution
Implement label matching with a DLP regex using the following steps:
1) Create the DLP sensor using the generated label.
2) Optionally, define custom ports to inspect.
3) Add the DLP sensor, and optionally a custom profile-protocol-options profile, to the policy that passes the data to be inspected.
1) DLP sensor sample configuration
DLP uses regex to match the MIP/AIP label. You must also use the proxy feature set, which relies on the policy using proxy inspection mode.
Starting with FOS version 6.2.2, the DLP sensor is only configurable through the CLI.
config dlp sensor
    edit mipaip
        set feature-set proxy
        config filter
            edit 0
                set proto smtp pop3 imap http-get http-post
                set filter-by regexp
                set regexp "0011bc0f-dd9a-47b5-9a61-bc3b5f442af7"
                set action block
            next
        end
    next
end
2) Customize the protocol options
Because DLP leverages protocols to define the traffic it inspects, it may be necessary to update the default ports should the organization .
To adjust these ports, navigate to Policy & Object -> Protocol Options. If the default profile is not used, customize the ports.
Otherwise, create a new profile to customize the ports.
This protocol options profile is referenced alongside the DLP profile in the FortiGate policy.
config firewall policy
    edit 1
        set name outbound_traffic
        set srcintf lan
        set dstintf wan
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "Custom protocol options"
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "mipaip"
        set nat enable
    next
end
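The sensor above matches the label's GUID wherever it appears as plain text in the inspected stream. As an added check that is not part of the original article, this Python script builds a minimal OOXML-style container in memory (a constructed stand-in for a labelled .docx, with the label stored in docProps/custom.xml the way Office writes MSIP_Label_<GUID>_* properties) and compares a byte-level regex over the raw container against a regex applied after opening it; the layout is simplified and the XML is hand-built test data.

```python
import io
import re
import zipfile

# The label GUID from the sensor above (the value carried in 'set regexp').
LABEL_GUID = "0011bc0f-dd9a-47b5-9a61-bc3b5f442af7"
LABEL_RE = re.compile(re.escape(LABEL_GUID).encode(), re.IGNORECASE)

# Constructed fixture: the docProps/custom.xml part that Office writes when an MIP
# label is applied. Property names follow the MSIP_Label_<GUID>_* convention and
# fmtid is the standard user-defined-properties format id.
CUSTOM_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
 xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
 <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2"
  name="MSIP_Label_{LABEL_GUID}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
 <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="3"
  name="MSIP_Label_{LABEL_GUID}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
</Properties>
"""

def build_docx(custom_xml: str, compressed: bool = True) -> bytes:
    """Build a minimal OOXML-style zip (a stand-in for a labelled .docx, not a real one)."""
    method = zipfile.ZIP_DEFLATED if compressed else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()

def label_in_raw_bytes(data: bytes) -> bool:
    """Byte-level regex over the payload exactly as it would cross the wire."""
    return LABEL_RE.search(data) is not None

def label_in_container(data: bytes) -> bool:
    """Open the zip and apply the same regex to the custom-properties part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/custom.xml" not in zf.namelist():
                return False
            return LABEL_RE.search(zf.read("docProps/custom.xml")) is not None
    except zipfile.BadZipFile:
        return False
```

With deflate-compressed parts (the normal case for Office files) the raw-byte regex does not see the GUID, while opening the container does; this article does not state whether the FortiGate DLP engine decompresses the container before matching, so confirm the sensor against a real labelled file before relying on it.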
Results
When trying to download a file that contains the label, FortiGate will block the download. Depending on the protocol used, the block message will vary.
Here is an example of an HTTP POST request for a MIP protected file:
Hi,
Does FortiOS perform raw pattern matching on the whole document? Or does it search for specific fields in the header or metadata section of the file (which involves detecting the file type and supporting inspection of such a file format)?
Regards,
Alain