FortiArt
Article Id 259711
Description This article describes how to log the attached files information in FortiGate when sending emails using DLP.
Scope FortiOS 6.4.x firmware. Tested using Gmail with a PDF file attached in Chrome, Firefox and Edge web browsers.
Solution

DLP in FortiOS 6.2.2 and later is configured in the CLI. This configuration was tested with both the flow and proxy feature sets, using a DLP sensor together with flow- or proxy-inspection firewall policies. Both feature sets log information about files attached to email, including file names; the proxy feature set provides more detail, such as the size of each attached file. The mail server used in this example was Gmail, the attached file had a .PDF extension, and the web browsers used were Chrome, Firefox and Edge.


Configuration steps in the CLI:


1) Create a DLP file pattern to specify the desired file type:


config dlp filepattern
    edit 3
        set name "dl-fp"
        config entries
            edit "pdf"
                set filter-type type
                set file-type pdf    <- To log .PDF file attachments.
            next
        end
    next
end


2) Create a DLP sensor to specify the desired protocols:


config dlp sensor
    edit "dlp-sens"
        set feature-set flow    <- Can be set to 'proxy' to match the firewall policy as applicable.
        config filter
            edit 1
                set name "dlp-fltr"
                set severity info    <- Must be set to information level to work.
                set proto smtp pop3 imap http-get http-post ftp    <- Must include the email protocols.
                set filter-by file-type
                set file-type 3    <- The configured file pattern (ID 3).
                set action log-only
            next
        end
        set extended-log enable
    next
end


3) Attach the DLP sensor to a flow-inspection firewall policy with deep packet inspection enabled:


config firewall policy
    edit 1
        set name "DLP-Policy"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode flow    <- Can be set to 'proxy' to match the DLP sensor.
        set ssl-ssh-profile "deep-inspection"    <- Necessary for traffic visibility.
        set dlp-sensor "dlp-sens"    <- The configured DLP sensor.
        set logtraffic all
        set nat enable
    next
end


To see the logs using the CLI:


execute log filter category 9    <- 9 = utm-dlp category.
execute log filter device 0      <- 0 = memory, 1 = disk.
execute log filter view-lines 1000    <- Optional, to display more lines.
execute log display


Sample log output:


1) Flow feature set:


1: date=2023-06-09 time=09:07:12 eventtime=1686316033088881918 tz="-0400" logid="0954024577" type="utm" subtype="dlp" eventtype="dlp" level="notice" vd="root" filteridx=1 filtername="dlp-fltr" filtertype="file-type" filtercat="file" severity="info" policyid=1 sessionid=125704 epoch=0 eventid=0 srcip=192.168.1.110 srcport=60182 srcintf="lan" srcintfrole="lan" dstip=216.58.214.165 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" filetype="pdf" direction="outgoing" action="log-only" hostname="mail.google.com" url="https://mail.google.com/_/upload?authuser=0&dcp=asu-n&upload_id=ADPycdv7V1BWnsLl1XGm5wWf2o2NEKGx8yA7a4rjuZXPK2usilVMoQOIf3EfarJNLDOt-kdV2GRjebOgN4-0zly_R-NNew&upload_protocol=resumable" agent="Chrome/114.0.0.0" filename="fortios-v6.0.0-release-notes.pdf" profile="dlp-sens" rawdata="Method=POST|Request-Content-Type=application/pdf|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36|Referer=https://mail.google.com/mail/u/0/"


2) Proxy feature set:


1: date=2023-06-09 time=09:22:54 eventtime=1686316974707654567 tz="-0400" logid="0954024577" type="utm" subtype="dlp" eventtype="dlp" level="notice" vd="root" filteridx=1 filtername="dlp-fltr" dlpextra="dl-fp" filtertype="file-type" filtercat="file" severity="info" policyid=1 sessionid=129586 epoch=1532867407 eventid=0 srcip=192.168.1.110 srcport=60838 srcintf="lan" srcintfrole="lan" dstip=216.58.213.69 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" filetype="pdf" direction="outgoing" action="log-only" hostname="mail.google.com" url="https://mail.google.com/_/upload?authuser=0&dcp=asu-n&upload_id=ADPycdteAe8nAcucQ2eGNtiCdiNFP3R_gkrD..." agent="Chrome/114.0.0.0" filename="fortios-v6.0.0-release-notes.pdf" filesize=1154512 profile="dlp-sens" rawdata="Method=POST|Request-Content-Type=application/pdf|Referer=https://mail.google.com/mail/u/0/|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
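As an added example (not part of the original article), a small Python parser for the utm-dlp log lines shown above. It runs on constructed, shortened copies of the two samples, extracts the attachment fields a SOC would index (source, destination host, file name, type, size, content type) and shows that filesize is only present in the proxy feature set output.

```python
import re
from typing import Dict, Optional

# FortiOS log fields are key=value pairs; values are either double-quoted (and may
# then contain spaces, '|' and '=') or bare tokens with no whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed, shortened copies of the two utm-dlp samples shown in the article.
FLOW_SAMPLE = (
    '1: date=2023-06-09 time=09:07:12 type="utm" subtype="dlp" filtername="dlp-fltr" '
    'filtertype="file-type" severity="info" policyid=1 srcip=192.168.1.110 srcport=60182 '
    'dstip=216.58.214.165 dstport=443 service="HTTPS" filetype="pdf" direction="outgoing" '
    'action="log-only" hostname="mail.google.com" filename="fortios-v6.0.0-release-notes.pdf" '
    'profile="dlp-sens" rawdata="Method=POST|Request-Content-Type=application/pdf|'
    'User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'
)
PROXY_SAMPLE = FLOW_SAMPLE.replace("srcport=60182", "srcport=60838").replace(
    'profile="dlp-sens"', 'filesize=1154512 profile="dlp-sens"'
)

def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one log line (optionally prefixed with the 'N: ' index that
    'execute log display' prints) into a dict of field name -> value."""
    line = re.sub(r"^\s*\d+:\s*", "", line)
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def dlp_attachment_summary(line: str) -> Optional[dict]:
    """Return the attachment details of a utm-dlp file-type match, else None."""
    f = parse_fortios_log(line)
    if f.get("subtype") != "dlp" or f.get("filtertype") != "file-type":
        return None
    # rawdata packs the HTTP request details as '|'-separated Name=Value items.
    raw = dict(item.split("=", 1) for item in f.get("rawdata", "").split("|") if "=" in item)
    return {
        "time": f"{f.get('date')} {f.get('time')}",
        "src": f"{f.get('srcip')}:{f.get('srcport')}",
        "host": f.get("hostname"),
        "filename": f.get("filename"),
        "filetype": f.get("filetype"),
        # The flow feature set omits filesize; only the proxy feature set logs it.
        "filesize": int(f["filesize"]) if "filesize" in f else None,
        "action": f.get("action"),
        "content_type": raw.get("Request-Content-Type"),
    }
```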


Troubleshooting DLP traffic:


1) Flow feature set:

diagnose ips filter set "host <source or destination IP address>"
diagnose ips debug enable all
diagnose debug enable
diagnose debug disable    <- To disable debugs.

2) Proxy feature set:

diagnose sys scanunit debug all
diagnose debug enable
diagnose debug disable    <- To disable debugs.


Note: The CA certificate must be downloaded and installed on all machines in the source subnet matched by the firewall policy. This certificate is the one attached to the SSL/SSH deep-inspection profile used in the firewall policy; without it, clients will see certificate warnings and the attachment traffic cannot be inspected.
