FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description
MIP is a solution that helps you discover, classify, and protect sensitive information wherever it lives or travels by applying labels to content. AIP extends this functionality to the Azure cloud.
Consult Microsoft’s documents for further reading on Microsoft Information Protection and Azure Information Protection.
FortiGate integrates with MIP and AIP by scanning traffic for these labels and taking action when a label matches. This is accomplished by defining a Data Leak Prevention (DLP) sensor that matches the label and applies an action such as dropping the traffic.
This sensor is added to a policy which matches the route your sensitive information could take to leave the secure network.
This article provides details on how to configure the FortiGate to detect labels applied to your data by AIP/MIP.
To implement label matching using a DLP regex, follow these steps:
1) Create the DLP sensor using the generated label.
2) Optionally, define custom ports to inspect.
3) Add the DLP sensor, and optionally a different profile-protocol-options, to the policy that passes the data to be inspected.
1) DLP sensor sample configuration
The DLP sensor uses a regex to match the MIP/AIP label. You must also use the proxy feature set, which relies on the policy using proxy inspection mode. With FOS version 6.2.2, the DLP sensor is only configurable through the CLI.
config dlp sensor
    edit mipaip
        set feature-set proxy
        config filter
            edit 0
                set proto smtp pop3 imap http-get http-post
                set filter-by regexp
                set regexp "0011bc0f-dd9a-47b5-9a61-bc3b5f442af7"
                set action block
            next
        end
    next
end
2) Customize the protocol options
Because DLP leverages protocols to define the traffic it inspects, it may be necessary to update the default ports should the organization .
To adjust these ports, navigate to Policy & Object -> Protocol Options. If the default profile is not used, customize the ports. Otherwise, create a new profile to customize the ports. This protocol options profile is referenced alongside the DLP profile in the FortiGate policy.
3) Configure the policy which evaluates the traffic
Note that this policy is wide open and is not recommended for production.
Only the bolded values are important to the implementation of this article.
config firewall policy
    edit 1
        set name outbound_traffic
        set srcintf lan
        set dstintf wan
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "Custom protocol options"
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "mipaip"
        set nat enable
    next
end
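The sensor above keys on the label GUID, so an administrator needs to know which GUID a labelled file actually carries. The following is an added example, not part of this article or of FortiOS: it builds a constructed, minimal Office-style container, reads the GUID out of the label properties (the value to place in "set regexp"), and mirrors the sensor's match decision. It assumes, from Microsoft's documentation of MIP, that the label is stored as custom document properties named MSIP_Label_<guid>_<Field> in docProps/custom.xml; the container layout is a minimal stand-in, not a real Word file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Label GUID taken from the article's DLP sensor ("set regexp ...").
LABEL_GUID = "0011bc0f-dd9a-47b5-9a61-bc3b5f442af7"

# Assumption: MIP records the label as custom document properties named
# MSIP_Label_<guid>_<Field> in docProps/custom.xml of the OOXML ZIP container.
PROP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
MSIP_PROP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_Enabled$")


def build_labelled_docx(guid: Optional[str]) -> bytes:
    """Construct a minimal OOXML-style container; guid=None builds an unlabelled one."""
    props = ""
    if guid:
        props = (
            f'<property name="MSIP_Label_{guid}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>'
            f'<property name="MSIP_Label_{guid}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>'
        )
    custom_xml = f'<Properties xmlns="{PROP_NS}" xmlns:vt="{VT_NS}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


def extract_label_guids(payload: bytes) -> List[str]:
    """Return the enabled MIP label GUIDs in a container: the values for 'set regexp'."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            if "docProps/custom.xml" not in zf.namelist():
                return []
            root = ET.fromstring(zf.read("docProps/custom.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return []
    guids = []
    for prop in root.iter(f"{{{PROP_NS}}}property"):
        m = MSIP_PROP_RE.match(prop.get("name", ""))
        if m and prop.findtext(f"{{{VT_NS}}}lpwstr", "").lower() == "true":
            guids.append(m.group(1).lower())
    return guids


def sensor_matches(payload: bytes, guid: str = LABEL_GUID) -> bool:
    """Mirror the sensor's regex filter on the label GUID. The container is opened
    first: the GUID sits inside a deflated ZIP member, so it must be decoded to be seen."""
    return guid.lower() in extract_label_guids(payload)
```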
When attempting to download a file which contains the label, FortiGate will block the download. Depending on the protocol used, the block message will vary. Here is an example of an HTTP POST request for a MIP protected file: