Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sebastan_bach
New Contributor

DLP Sensor not seen in profile mode in Flow mode 5.6

Hi all,

We want to implement basic file blocking for certain URL categories. The device is operating in profile mode with flow-based inspection. Under System > Feature Visibility we are not finding the DLP sensor. On the CLI I tried creating a new DLP sensor and the "set flow-mode enable" command, but I am still not able to view the DLP sensor in the GUI.

We are able to see the DLP sensor when using proxy mode. However, as per the documentation DLP is supported in flow mode as well; I'm not sure how to turn it on. We don't want to use proxy mode because of the performance implications.

Any help would be greatly appreciated.

Sebastan

11 REPLIES
Fullmoon
Contributor III

Fortigate Newbie
sebastan_bach

Hi,

I checked: the only way to see the DLP sensor in the GUI is by setting the whole device to proxy mode. Once that is done we have the option of setting the DLP sensor to flow mode. However, since the device is in proxy mode, the default proxy profile is enabled and cannot be disabled.

Because of this, when I try to enable the anti-virus profile, even though I set the AV profile to flow mode, it will not let me use that profile in the rule unless I set the AV profile to proxy mode.

It looks like if the device is set to proxy mode then all the profiles need to be in proxy mode only. But then I'm not sure how it's letting me use the DLP sensor in flow mode.

Does anyone have any clue about this?

Regards

Sebastan

Fullmoon

Hi, my FortiGate VM is running in NAT (proxy mode). I was able to convert my DLP profile from proxy to flow-based mode; below are the commands.

FortiGate-VM64 # config dlp sensor
FortiGate-VM64 (sensor) # edit default
FortiGate-VM64 (default) # set flow-based
enable     Enable flow-based DLP.
disable    Disable flow-based DLP.

FortiGate-VM64 (default) # get
name                : default
comment             : Default sensor.
replacemsg-group    : 
filter:
dlp-log             : enable 
nac-quar-log        : disable 
flow-based          : disable 
full-archive-proto  : 
summary-proto       : 

FortiGate-VM64 (default) # set flow-based enable

Fortigate Newbie
sebastan_bach

Hi,

Thanks, but I think you didn't get my query. Only if the appliance is in proxy mode do we get to see the DLP sensor. Then we are allowed to change the DLP sensor to flow mode. But when we try applying an AV profile in flow mode to the same rule in which the DLP sensor is applied, the firewall will not allow you to set that.

This is not working at all. Please try the above and let me know your findings; that would be helpful.

Sebastan

Fullmoon

Hi Sebastan, I agree with you. Accidentally, while playing around with my VM early in the morning, an unforeseen trick popped up. :)

Apply the desired AV profile (running in proxy mode) to your firewall policy, then via the command line edit the proxy and set it to flow-based. Now, in the GUI, edit the profile and see what happens.

FortiGate-VM64 # get system settings
opmode              : nat
inspection-mode     : proxy

FortiGate-VM64 # config antivirus profile
FortiGate-VM64 (profile) # edit av\ flow\ in\ proxy\ mode        (AV profile name)
FortiGate-VM64 (av flow in proxy~ode) # set inspection-mode flow-based
FortiGate-VM64 (av flow in proxy~ode) # end

edit 2
    set name "demo"
    set uuid 1befc9e2-2fc5-51e8-dfe8-4e91f16f38a6
    set srcintf "port3"
    set dstintf "port4"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set utm-status enable
    set av-profile "av flow in proxy mode"
    set profile-protocol-options "default"
    set ssl-ssh-profile "certificate-inspection"
    set nat enable
next
end

Fortigate Newbie
bommi
Contributor III

Hi Fullmoon,

His problem is about adding one DLP profile in flow mode and one AV profile in flow mode to the same policy.

Best Regards

Dominik

NSE 4/5/7
Fullmoon
Contributor III

@bommi, thank you. I woke early today without taking coffee. Now, here's the result after I took coffee while playing again with my VM running in proxy mode, having one firewall policy with a DLP and an AV profile running on flow-based inspection.

FortiGate-VM64 # config dlp sensor
FortiGate-VM64 (sensor) # edit default
FortiGate-VM64 (default) # show
config dlp sensor
    edit "default"
        set comment "Default sensor."
        set flow-based enable
    next
end

FortiGate-VM64 # config antivirus profile
FortiGate-VM64 (profile) # edit av\ flow\ in\ proxy\ mode
FortiGate-VM64 (av flow in proxy~ode) # get
name                : av flow in proxy mode
comment             : 
replacemsg-group    : 
inspection-mode     : flow-based

config firewall policy
    edit 2
        set name "demo"
        set uuid 1befc9e2-2fc5-51e8-dfe8-4e91f16f38a6
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "av flow in proxy mode"
        set dlp-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

Fortigate Newbie
samroy92

I have tried all the options above but it still does not enable DLP in flow mode.

1. My flow-mode dlp-sensor is erased from the policy as soon as the device is switched back into flow mode.
2. Once in proxy mode, the CLI option to set dlp-sensor is shown again.

So even though DLP has an option to be put into flow mode, the IPv4 policy does not support a dlp-sensor while the firewall is in flow mode. I think this needs to be fixed. I am running 6.0.1.

neonbit
Valued Contributor

    DLP is only available in a FGT/VDOM that's configured in proxy mode, it's not a bug.
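The practical consequence of this thread is that a dlp-sensor bound to a policy only survives while the VDOM is in proxy inspection mode; switching to flow mode drops the reference and the DLP control silently disappears. The following Python script is an added example, not code from Fortinet or from anyone in this thread. It parses the config / edit / set / next / end syntax shown in the CLI output above into tables and flags policies whose DLP sensor cannot take effect: a constructed sample configuration is embedded inline, and the table names (system settings, dlp sensor, firewall policy) and attribute names (inspection-mode, dlp-sensor, utm-status) are taken from the posts above. Running it over a configuration backup before changing the inspection mode tells you which policies would lose their DLP enforcement.

```python
"""Lint a FortiOS-style configuration dump for the DLP / inspection-mode
mismatch discussed in this thread.

Added example, not Fortinet code. The parser understands the
config / edit / set / next / end structure shown in the thread's CLI
output; the sample configuration below is constructed for the demo.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample: a VDOM in flow inspection mode whose policy 2 still
# references a DLP sensor (the situation described in the thread).
SAMPLE_CONFIG = """\
config system settings
    set opmode nat
    set inspection-mode flow
end
config dlp sensor
    edit "default"
        set comment "Default sensor."
        set flow-based enable
    next
end
config antivirus profile
    edit "av flow in proxy mode"
        set inspection-mode flow-based
    next
end
config firewall policy
    edit 2
        set name "demo"
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set utm-status enable
        set av-profile "av flow in proxy mode"
        set dlp-sensor "default"
    next
    edit 3
        set name "no-dlp"
        set action accept
    next
end
"""


@dataclass
class Block:
    """One `config ...` table: its own `set` values plus named `edit` entries."""
    settings: dict = field(default_factory=dict)
    entries: dict = field(default_factory=dict)


def parse_fortios(text):
    """Parse FortiOS CLI config text into {table_name: Block}.

    Handles the keywords used in the thread's output (config, edit, set,
    next, end); any other keyword is ignored. shlex strips the quotes and
    the backslash-escaped spaces seen in the CLI transcripts.
    """
    tables = {}
    current = None   # Block for the open `config` table
    entry = None     # dict for the open `edit` entry, if any
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            current = tables.setdefault(" ".join(args), Block())
        elif kw == "edit" and current is not None:
            entry = current.entries.setdefault(" ".join(args), {})
        elif kw == "set" and args and current is not None:
            target = entry if entry is not None else current.settings
            # single values stay strings, multi-valued attributes become lists
            target[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            current, entry = None, None
    return tables


def check_dlp_policies(tables):
    """Return one finding per policy whose dlp-sensor will not be enforced.

    A dlp-sensor on a policy only takes effect while the VDOM inspection
    mode is proxy; the sensor must also exist and UTM must be enabled.
    """
    findings = []
    mode = tables.get("system settings", Block()).settings.get("inspection-mode", "proxy")
    sensors = tables.get("dlp sensor", Block()).entries
    for pid, pol in tables.get("firewall policy", Block()).entries.items():
        sensor = pol.get("dlp-sensor")
        if not sensor:
            continue
        if mode != "proxy":
            findings.append(f"policy {pid}: dlp-sensor '{sensor}' set but VDOM inspection-mode is '{mode}'; DLP will not be enforced")
        if sensor not in sensors:
            findings.append(f"policy {pid}: dlp-sensor '{sensor}' does not exist")
        if pol.get("utm-status") != "enable":
            findings.append(f"policy {pid}: dlp-sensor '{sensor}' set but utm-status is not enable")
    return findings


if __name__ == "__main__":
    for finding in check_dlp_policies(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

On the constructed sample the script reports policy 2 once, because the VDOM is in flow mode; changing `set inspection-mode flow` to `proxy` in the sample makes the report empty. Point it at a `show full-configuration` dump from a real unit to audit before flipping the inspection mode.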
