FortiGate
js2
Staff
Article Id 286837
Description This article describes how to block the .sh (shell script) file type using a DLP dictionary pattern, since .sh is not a built-in DLP file type.
Scope FortiGate.
Solution

By default, sh is not one of the file types that the DLP file-pattern list recognizes, so it cannot be blocked with a plain file-type filter. Instead, create a DLP dictionary whose regex matches the content of a shell script (the example below matches the interpreter path /bin/bash), reference the dictionary from a DLP sensor, and use that sensor in a DLP profile rule.
Note that this requires proxy-based inspection (feature-set proxy on the DLP profile and inspection-mode proxy on the firewall policy) together with deep inspection (an SSL/SSH inspection profile such as custom-deep-inspection), so that the file content can be examined even when it is transferred over an encrypted session. Deep inspection in turn requires the clients behind the policy to trust the FortiGate's CA certificate.

 

config dlp dictionary
    edit "Test-Dictionary"
        set uuid fff805ca-8607-51ee-d5d5-84e013c472f2
        config entries
            edit 1
                set type "regex"
                set pattern "\\/bin\\/bash*."
            next
        end
    next
end
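The dictionary pattern is the only place where the "file type" is actually recognized, so it is worth checking what the regex matches before relying on it. The following Python script is an added example, not code from the article or from FortiOS: it takes the pattern exactly as the CLI displays it, undoes the CLI's backslash doubling (the assumption is that each "\\" shown by the CLI is one stored backslash and that FortiOS evaluates the pattern with PCRE-style semantics, so Python's re module stands in for the firewall's regex engine), and runs it against constructed sample file contents. It also tries a tighter, anchored pattern, ^#!\/bin\/(ba)?sh\b, which is a suggestion and not from the article.

```python
"""What does the article's DLP regex actually match?

Added example for this article, not code from the article or from FortiOS.
Assumptions: FortiOS DLP dictionary patterns are PCRE-style regexes, and the
CLI shows each stored backslash doubled (so the two characters backslash-slash
appear as backslash-backslash-slash in `show` output). Python's re module
stands in for the firewall's regex engine; the sample file contents below are
constructed for this check.
"""
import re

# Pattern exactly as it appears in the article's `show` output.
ARTICLE_PATTERN = r"\\/bin\\/bash*."

# Suggested tighter pattern (not from the article): anchored to the shebang
# line and accepting both #!/bin/sh and #!/bin/bash. Enter it in the CLI with
# the backslashes doubled, exactly as the article's pattern is entered.
STRICT_PATTERN = r"^#!\\/bin\\/(ba)?sh\b"

# Constructed sample file contents, keyed by a short label.
SAMPLES = {
    "bash_script": "#!/bin/bash\necho hello\n",
    "sh_script": "#!/bin/sh\necho hello\n",
    "python_script": "#!/usr/bin/env python3\nprint('hello')\n",
    "text_mentioning_bash": "To build it, run /bin/bash -c 'make' in the repo.\n",
    "bash_no_newline": "#!/bin/bash",
    "bas_then_other_char": "/bin/basX",
}


def cli_to_regex(cli_pattern: str) -> str:
    """Undo the CLI's display escaping: each doubled backslash is one stored backslash."""
    return cli_pattern.replace("\\\\", "\\")


def matches(cli_pattern: str, content: str) -> bool:
    """True if the pattern (in CLI display form) matches anywhere in the content."""
    return re.search(cli_to_regex(cli_pattern), content) is not None


def evaluate(cli_pattern: str) -> dict:
    """Run one CLI-form pattern over every sample; returns label -> matched."""
    return {label: matches(cli_pattern, text) for label, text in SAMPLES.items()}


def main() -> None:
    for name, pattern in (("article", ARTICLE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{name}: stored regex {cli_to_regex(pattern)!r}")
        for label, hit in evaluate(pattern).items():
            print(f"  {'MATCH' if hit else '  no '}  {label}")


if __name__ == "__main__":
    main()
```

Running it shows that the article's pattern, once un-escaped, is /bin/bas followed by zero or more h and then any single character, searched anywhere in the file. It therefore matches a text document that merely mentions "/bin/bash -c", and the string "/bin/basX", but it does not match a script whose first line is #!/bin/sh. The anchored pattern matches only the two shebang forms at the very start of the file. Whichever pattern is chosen, the DLP action applies to the whole file that contains the match, which is what the profile rule below relies on.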

 

config dlp sensor
    edit "test"
        config entries
            edit 1
                set dictionary "Test-Dictionary"
            next
        end
    next
end

 

config dlp profile
    edit "Block sh"
        set feature-set proxy
        config rule
            edit 1
                set name "Block sh"
                set severity critical
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by sensor
                set file-type 3
                set sensor "test"
                set action block
            next
        end
    next
end

 

config firewall policy
    edit 2
        set status enable
        set name "Default rule"
        set uuid f28e5370-885b-51ee-1df4-dc30ae3a156d
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set dlp-profile "Block sh"
        set logtraffic all
        set nat enable
    next
end

 

Related article:

Technical Tip: DLP Configuration to Block File's and Troubleshooting