Hi all,
We want to implement basic file blocking for certain URL categories. The device is operating in profile mode, in flow mode. Under System > Feature Visibility we are not finding DLP Sensor. On the CLI I tried creating a new DLP sensor and the "set flow-mode enable" command, but I am still not able to see the DLP sensor in the GUI.
We are able to see the DLP sensor when using proxy mode. However, as per the documentation DLP is supported in flow mode as well; I am not sure how to turn it on. We don't want to use proxy mode because of the performance implications.
Any help would be greatly appreciated.
Sebastan
Hi,
I checked: the only way to see the DLP sensor in the GUI is by setting the whole device to proxy mode. Once that is done we have the option of setting the DLP sensor to flow mode. However, since the device is in proxy mode the default proxy profile is enabled and that cannot be disabled.
Because of this, when I try to enable the anti-virus profile, even though I set the AV profile to flow mode it will not let me use that profile in the rule unless I set the AV profile to proxy mode.
It looks like if the device is set to proxy mode then all the profiles need to be in proxy mode only. But then I'm not sure how it's letting me use the DLP sensor in flow mode.
Does anyone have any clue about this?
Regards
Sebastan
Hi, my FortiGate VM is running in NAT (proxy) mode. I was able to convert my DLP profile from proxy to flow-based mode. Below are the commands:
FortiGate-VM64 # config dlp sensor
FortiGate-VM64 (sensor) # edit default
FortiGate-VM64 (default) # set flow-based
    enable     Enable flow-based DLP.
    disable    Disable flow-based DLP.
FortiGate-VM64 (default) # get
name : default
comment : Default sensor.
replacemsg-group :
filter:
dlp-log : enable
nac-quar-log : disable
flow-based : disable
full-archive-proto :
summary-proto :
FortiGate-VM64 (default) # set flow-based enable
Fortigate Newbie
Hi,
Thanks, but I think you didn't get my query. Only if the appliance is in proxy mode do we get to see the DLP sensor. Then we are allowed to change the DLP sensor to flow mode. But when we try applying an AV profile in flow mode to the same rule in which you have applied the DLP sensor, the firewall will not allow you to set that.
This is not working at all. Please try the above and let me know your findings; that would be helpful.
Sebastan
Hi Sebastan, I agree with you. Accidentally, while playing around with my VM early in the morning, an unforeseen trick popped up. :)
Apply the desired AV profile (running in proxy mode) to your firewall policy, then via the command line edit the profile and set it to flow-based. Now, in the GUI, edit the profile and see what happens.
FortiGate-VM64 # get system settings
opmode : nat
inspection-mode : proxy
FortiGate-VM64 # config antivirus profile
FortiGate-VM64 (profile) # edit av\ flow\ in\ proxy\ mode    (AV profile name)
FortiGate-VM64 (av flow in proxy~ode) # set inspection-mode flow-based
FortiGate-VM64 (av flow in proxy~ode) # end
config firewall policy
    edit 2
        set name "demo"
        set uuid 1befc9e2-2fc5-51e8-dfe8-4e91f16f38a6
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "av flow in proxy mode"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Fortigate Newbie
Hi Fullmoon,
His problem is about adding a DLP profile in flow mode and an AV profile in flow mode to the same policy.
Best Regards
Dominik
NSE 4/5/7
@bommi, thank you. I woke early today without having coffee. Now, here's the result after I had coffee while playing again with my VM running in proxy mode, with one firewall policy having DLP and AV profiles running in flow-based inspection.
FortiGate-VM64 # config dlp sensor
FortiGate-VM64 (sensor) # edit default
FortiGate-VM64 (default) # show
config dlp sensor
    edit "default"
        set comment "Default sensor."
        set flow-based enable
    next
end
FortiGate-VM64 # config antivirus profile
FortiGate-VM64 (profile) # edit av\ flow\ in\ proxy\ mode
FortiGate-VM64 (av flow in proxy~ode) # get
name : av flow in proxy mode
comment :
replacemsg-group :
inspection-mode : flow-based
config firewall policy
    edit 2
        set name "demo"
        set uuid 1befc9e2-2fc5-51e8-dfe8-4e91f16f38a6
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "av flow in proxy mode"
        set dlp-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Fortigate Newbie
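The ordering that the two posts above arrive at, collected into one CLI sequence as an added example (this is not a post from the thread and not Fortinet documentation): the VDOM stays in proxy mode, the AV profile is attached to the policy while it is still proxy-based, and only then is the profile flipped to flow-based, so the policy keeps both the flow-based DLP sensor and the flow-based AV profile. The profile names "av-flow" and "dlp-flow", the port3/port4 interfaces and the FortiOS 6.0 VDOM-wide inspection-mode setting are assumptions for the example.

```fortios
# Added example, not from any post in the thread. Assumes FortiOS 6.0,
# a NAT-mode VDOM and a policy from port3 to port4; the names below are hypothetical.

# 1. Inspection mode is VDOM-wide in 6.0; the DLP sensor only appears once it is proxy.
config system settings
    set inspection-mode proxy
end

# 2. Create the DLP sensor and mark it flow-based.
config dlp sensor
    edit "dlp-flow"
        set comment "Flow-based DLP sensor"
        set flow-based enable
    next
end

# 3. Create the AV profile and leave it at the default (proxy) inspection mode for now.
config antivirus profile
    edit "av-flow"
        set comment "Created proxy-based, switched to flow-based after policy attach"
    next
end

# 4. Attach both profiles to the policy while the AV profile is still proxy-based.
config firewall policy
    edit 0
        set name "demo-dlp-flow"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "av-flow"
        set dlp-sensor "dlp-flow"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

# 5. Only now switch the already-attached AV profile to flow-based.
config antivirus profile
    edit "av-flow"
        set inspection-mode flow-based
    next
end

# 6. Verify: the policy should still reference both profiles, and both should report flow-based.
show firewall policy
get system settings | grep inspection-mode
```

The order matters because, as the thread reports, a policy on a proxy-mode VDOM will not accept a flow-based AV profile when the profile is selected, but it does keep one that was attached before being switched. Two caveats: the last post in the thread reports the same steps not working on 6.0.1, and from FortiOS 6.2 onward inspection-mode moved from system settings to the individual firewall policy (set inspection-mode flow|proxy under config firewall policy), so this sequence is specific to the 6.0 branch discussed here.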
I have tried all the options above, but it still does not enable DLP in flow mode.
So even though DLP has an option to be put into flow mode, the IPv4 policy does not support a dlp-sensor while the firewall is in flow mode. I think this needs to be fixed. I am running 6.0.1.
DLP is only available in a FGT/VDOM that's configured in proxy mode; it's not a bug.
Copyright 2024 Fortinet, Inc. All Rights Reserved.