FortiGate
mgoswami, Staff
Article Id 254726
Description This article describes how to block a file that contains a given pattern (keyword) using DLP (Data Leak Prevention).
Scope FortiGate v7.2.
Solution

Data Leak Prevention is not visible by default. It has to be enabled under System -> Feature Visibility.

Once it is enabled, DLP appears under Security Profiles.

 

1) A dictionary for the pattern has to be created first.

 

# config dlp dictionary
    edit "dic-pattern"
        set match-type match-all
        config entries
            edit 1
                set type keyword
                set pattern "test"   <----- Pattern to look for in the message or attachment.
                set repeat enable    <----- Count every occurrence of the pattern, so the sensor count below can be applied.
                set comment "block_test-more_than_4"
            next
        end
    next
end

2) Configure the sensor for the dictionary created. 

 

# config dlp sensor
    edit "sensor-dic-pattern"
        config entries
            edit 1
                set dictionary "dic-pattern"   <----- Dictionary created above.
                set count 4                    <----- Number of dictionary matches needed to trigger this entry. Once the pattern 'test' has been matched 4 times in a message or attachment, the entry triggers and the profile below blocks it.
            next
        end
    next
end

 

3) Create the DLP profile.

 

# config dlp profile
    edit "Profile_block_pattern"
        set feature-set proxy
        config rule
            edit 3
                set name "Block-pattern-Test"
                set type message
                set proto smtp pop3 imap http-post nntp mapi
                set filter-by sensor
                set sensor "sensor-dic-pattern"   <----- Sensor created above.
                set action block
            next
        end
    next
end

 

4) Apply the DLP profile in an IPv4 firewall policy.

 

# config firewall policy
    edit 1
        set status enable
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"                          <----- Address objects are required for the policy to be valid; "all" is used here as an example.
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy                  <----- Proxy inspection is required because the DLP profile uses feature-set proxy.
        set ssl-ssh-profile "deep-inspection"      <----- Deep inspection has to be enabled; without it the FortiGate cannot see the contents of HTTPS uploads such as the Gmail attachment in the example below.
        set dlp-profile "Profile_block_pattern"
    next
end

 

5) To view the logs, go to Log & Report -> Security Events -> DLP.

Sample log for the above configuration: 

 

date=2023-05-01 time=10:33:48 eventtime=1682930028111513197 tz="+0200" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" 
filteridx=3 filtername="Block-patter-Test" dlpextra="sensor-dic-pattern" filtertype="sensor" filtercat="message" severity="medium" policyid=1 srcintf="LAN" dstintf="WAN" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="mail.google.com" 
agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) httpmethod="POST" profile="Profile_block_pattern" 

 

The above log was generated while uploading a .doc file as a Gmail attachment, with the word 'test' included in the document more than 4 times. The log confirms the match: filtertype="sensor" and dlpextra="sensor-dic-pattern" identify the sensor that triggered, filtercat="message" corresponds to the rule type, and action="block" shows the upload was stopped.
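When confirming that a DLP rule fires as intended, it helps to check the logs programmatically rather than by eye, for example when many uploads are tested at once. The following Python script is an added example, not part of the original article and not a Fortinet tool: it parses FortiGate key=value log records like the one above and reports which of them are DLP blocks produced by a given profile and policy. The sample lines are constructed for the example, modelled on the log shown above (the agent field is closed here, since the copy above is truncated); the profile and policy names are the ones used in this article.

```python
"""Parse FortiGate DLP UTM log records (key=value syslog format) and pick out
the ones that confirm a block by a given DLP profile on a given policy.

Added example: not part of the original article, not a Fortinet tool.
"""
import re

# A FortiGate log line is a sequence of key=value pairs; values are either
# double-quoted (and may contain spaces) or bare tokens without spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records, modelled on the log shown in the article.
SAMPLE_LOGS = [
    # The block from the article's configuration (policy 1, profile Profile_block_pattern).
    'date=2023-05-01 time=10:33:48 type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" '
    'filteridx=3 filtername="Block-pattern-Test" dlpextra="sensor-dic-pattern" filtertype="sensor" '
    'filtercat="message" severity="medium" policyid=1 srcintf="LAN" dstintf="WAN" proto=6 service="HTTPS" '
    'filetype="N/A" direction="outgoing" action="block" hostname="mail.google.com" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" httpmethod="POST" profile="Profile_block_pattern"',
    # Same profile, but on a different policy: must not be counted for policy 1.
    'date=2023-05-01 time=10:35:02 type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" '
    'filteridx=3 filtername="Block-pattern-Test" dlpextra="sensor-dic-pattern" filtertype="sensor" '
    'filtercat="message" severity="medium" policyid=2 srcintf="LAN" dstintf="WAN" proto=6 service="HTTPS" '
    'direction="outgoing" action="block" hostname="mail.google.com" httpmethod="POST" profile="Profile_block_pattern"',
    # A non-DLP UTM record that happens to be on policy 1: must be ignored.
    'date=2023-05-01 time=10:36:10 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" '
    'policyid=1 srcintf="LAN" dstintf="WAN" proto=6 service="HTTPS" action="passthrough" hostname="mail.google.com"',
]


def parse_fortigate_log(line: str) -> dict:
    """Return a dict of field -> value for one FortiGate log line.

    Surrounding double quotes are stripped from quoted values; everything
    else is kept as a string (policyid, proto and friends are not converted).
    """
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_dlp_block(rec: dict, profile: str, policyid: int) -> bool:
    """True when the record is a DLP block from the given profile on the given policy."""
    return (
        rec.get("type") == "utm"
        and rec.get("subtype") == "dlp"
        and rec.get("action") == "block"
        and rec.get("profile") == profile
        and rec.get("policyid") == str(policyid)
    )


def summarize_blocks(lines, profile: str, policyid: int) -> dict:
    """Count DLP blocks per (filtername, hostname) over a set of log lines."""
    counts: dict = {}
    for line in lines:
        rec = parse_fortigate_log(line)
        if is_dlp_block(rec, profile, policyid):
            key = (rec.get("filtername"), rec.get("hostname"))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (rule, host), n in summarize_blocks(SAMPLE_LOGS, "Profile_block_pattern", 1).items():
        print(f"rule={rule} host={host} blocks={n}")
```

Feed real records to summarize_blocks after exporting them from Log & Report or pulling them from a syslog collector; a run that shows zero blocks for the expected rule while uploads were made is the quickest sign that deep inspection is not actually being applied to the traffic.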