FortiGate
Ylli_Seitaj
Staff
Article Id 276332
Description This article describes how to configure DLP with Explicit Web Proxy to block a particular keyword in DOC and PDF files.
Scope FortiGate v7.2.4
Solution
1. 'Explicit Web Proxy' on FortiOS 7.2.4 can be enabled by executing the below commands:

config system settings
    set gui-proxy-inspection enable
end

config web-proxy explicit
    set status enable
end

2. To display 'Explicit Proxy' on the GUI, go to System -> Feature Visibility -> enable Explicit Proxy -> Apply.

After the above commands, execute the below commands to define the 'https-incoming-port' as 8080:

config web-proxy explicit
    set https-incoming-port 8080
end

In this case, on the FortiGate:

'port1' is configured for management,
'port2' is configured for LAN connectivity,
'port3' is configured for Internet connectivity.

Since 'port2' is used for LAN connectivity, it should be defined under 'Listen on Interfaces', as below:

Explicit_Proxy.jpg

Also, 'Explicit Web Proxy' should be enabled on 'port2', as below:

config system interface
    edit port2
        set explicit-web-proxy enable
    next
end

On the user device connected to the FortiGate on 'port2', the IP address of the FortiGate's 'port2' interface should be configured in 'Proxy settings', as below:

Proxy_settings.jpg

The user device has the IP address 10.191.101.1.

After the above steps, create a 'Proxy Policy', as below:

config firewall proxy-policy
    edit 1
        set name "Test"
        set proxy explicit-web
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
    next
end


To be able to configure a DLP profile, enable the feature under Feature Visibility: System -> Feature Visibility -> enable Data Leak Prevention -> Apply.

Create a DLP configuration where every 'DOC' and 'PDF' file that contains the keyword 'CONFIDENTIAL' will be blocked.

Create a 'Dictionary' as below:

config dlp dictionary
    edit "CONF_Dictionary"
        config entries
            edit 1
                set type keyword
                set pattern "CONFIDENTIAL"
                set repeat enable
            next
        end
    next
end

After creating the Dictionary, create the Sensor that references it, as below:

config dlp sensor
    edit "CONF_Sensor"
        config entries
            edit 1
                set dictionary "CONF_Dictionary"
            next
        end
    next
end

After creating the Sensor, create a File pattern (ID 3, which the DLP profile references later as 'file-type 3') as below:

config dlp filepattern
    edit 3
        set name "CONF_Filepattern"
        config entries
            edit "msoffice"
                set filter-type type
                set file-type msoffice
            next
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end

After creating the pattern, create a DLP profile as below:

config dlp profile
    edit "CONF_DLP_Profile"
        set feature-set proxy
        config rule
            edit 1
                set name "1"
                set severity critical
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by sensor
                set file-type 3
                set sensor "CONF_Sensor"
                set action block
            next
        end
    next
end

After creating the DLP profile, apply it to the Proxy Policy and set the SSL inspection to Deep Inspection, with the below commands:

config firewall proxy-policy
    edit 1
        set dlp-profile "CONF_DLP_Profile"
        set ssl-ssh-profile "deep-inspection"
    next
end

Since 'deep inspection' is enabled, the 'Fortinet_CA_SSL' certificate should be downloaded from the FortiGate (System -> Certificates -> select Fortinet_CA_SSL -> Download) and imported into the browser of the user device connected to the FortiGate on 'port2'.

After the above changes, try to upload the below files, with the content shown, to Gmail as an example (any other application can also be used), to show that the DLP profile is able to block them:

Files.jpg

DOC_file.jpg

PDF_file.jpg

Attachments_failed.jpg

It is also not possible to download the same files from Gmail.

So, the DLP profile blocks files containing the keyword 'CONFIDENTIAL' from being uploaded and downloaded.
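Test files like the ones shown above can be generated offline with the following script, an added example that is not part of the article. It writes two PDFs, one containing the dictionary keyword and one without it, so the blocked and allowed cases can be compared through the proxy; it assumes that a minimal uncompressed PDF 1.4 is enough for the 'pdf' file-type match, and the file names and output directory are constructed.

```python
# Added example, not from the article: PDF test files for the DLP rule above.
# Assumes a minimal PDF 1.4 is enough for FortiGate's 'pdf' file-type detection.
import re
from pathlib import Path

KEYWORD = "CONFIDENTIAL"  # pattern from CONF_Dictionary on this page

def make_pdf(lines):
    """Minimal one-page PDF with an uncompressed content stream, so the text is
    visible to a byte-level scan. Parentheses/backslashes are escaped per PDF."""
    esc = lambda s: s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    body = " ".join(f"({esc(l)}) Tj T*" for l in lines)
    stream = f"BT /F1 14 Tf 16 TL 72 720 Td {body} ET".encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, obj in enumerate(objs, start=1):
        offsets.append(len(out))  # byte offset of each object for the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)

def keyword_hits(pdf, keyword=KEYWORD):
    """Approximate the dictionary entry: count case-sensitive occurrences of the
    keyword inside the PDF text strings (the '(...) Tj' operands)."""
    strings = re.findall(rb"\((.*?)\)\s*Tj", pdf, flags=re.S)
    return sum(s.count(keyword.encode()) for s in strings)

def write_fixtures(directory):
    """Write both files (constructed names) and return the keyword count of each."""
    files = {
        "blocked_expected.pdf": make_pdf(["Quarterly report", f"{KEYWORD} - do not share"]),
        "allowed_expected.pdf": make_pdf(["Quarterly report", "Public summary"]),
    }
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    for name, data in files.items():
        (out / name).write_bytes(data)
    return {name: keyword_hits(data) for name, data in files.items()}
```

Run `write_fixtures("dlp_test_files")`, then upload each file through the proxy from the user device: only 'blocked_expected.pdf' should be stopped by the DLP profile.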