|
DLP (Data Leak Prevention) debug:
FortiGate UTM inspects traffic in two modes: Proxy-based inspection and flow-based inspection.
Depending on the type of inspection configured, the daemons handling the DLP inspection will be different. The section below identifies the ways of fetching basic DLP debugs based on the inspection type.
DLP in Proxy-based Mode:
In Proxy mode, the proxy DLP and scanunit daemon will be involved in the DLP filtering. The intention in this example is to enable scanunit debug along with DLP because the scanunit daemon scans the traffic and passes the packets to the DLP daemon.
For instance, a lot of times, if DLP is not detecting violating traffic, the issue can often be identified when the scanunit does not pass anything to DLP. In the example below, debug output shows both the scanunit and DLP daemon.
| Debug commands: |
Comments: |
diagnose sys scanunit debug all
diagnose debug enable
|
Enable debug to see if scanunit passes the packet to DLP. |
diagnose wad debug enable all
diagnose debug enable |
This enables all debug categories for the WAD process and sets it to the maximum level. |
diagnose sys scanunit debug dlp
diagnose debug enable |
To filter the debug only for DLP traffic. |
diagnose wad debug enable category scan
diagnose debug enable |
To filter the debug only for the UTM Scan. |
WAD debug logs can generate too much output and debug lines that might impact device performance. It is highly recommended to use as many filters as possible that can narrow down the generated logs by the WAD daemon.
To verify that the DLP fingerprint database is present on the FortiGate, use this command: 'diagnose test application dlpfingerprint 2'.
To restart this daemon, 'diagnose test application dlpfingerprint 99'.
Example usage is shown below :
diagnose debug disable
diagnose debug reset
diagnose sys scanunit debug dlp
diagnose sys scanunit debug level verbose
diagnose wad filter clear
diagnose debug console time enable
diagnose wad filter src x.x.x.x <----- x.x.x.x is the client IP address.
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose wad filter list
diagnose wad debug show
diagnose debug enable
To stop debugging:
diagnose debug disable
diagnose wad filter clear
diagnose debug reset
Note:
Most of the times when firewall-policies mixes UTM-DLP & UTM-WF, the DLP feature did not take effect on sites that are exempt from inspection in URL-Filter: Difference between action 'Allow' and 'Exempt' in static URL filter.
URL or FortiGuard-Category must be set to Monitor so that the DLP feature takes effect.
To view the DLP dictionary managed by FortiGuard services and managed locally, use the following command.
get dlp dictionary
Related articles:
FortiGuard managed DLP dictionaries
Troubleshooting Tip: Unable to Install DLP Profiles to FortiGate from FortiManager
Technical Tip: DLP Configuration to Block by file-type and Troubleshooting
Troubleshooting Tip: DLP credit card built-in type not matching ChatGPT Transactions
|
