DLP Testing
I am trying to test DLP in my lab environment. I have tried a lot of the default options, like the "Credit Card by email" example, but I am not able to block anything and also not able to see it in the logs.
My Topology is
PC --- (Internal) --Fortigate 50B-- (WAN) --- Office LAN with Email Server --- Office WAN
I have tried every step of the example from the Cookbook but failed.
My FortiGate has firmware v400 build 0342.
Can anyone help me write a regular expression so that if I have any word or phrase in an email body or subject, I get logs, and if I try to block that email, I am able to do it?
One more note: I don't have an Email Filter license. Is that an issue?
3 replies
Hi Atif,
As per your topology, I am not clear whether you are applying the policy in the right place.
PC (Internal) --> FGT50B --> WAN (which contains the Email Server)
If this is the setup, then the policy is between Internal and WAN1. I will be posting the exact config that you can try in the next post.
"One more note: I don't have an Email Filter license. Is that an issue?"
The Email Filter license has nothing to do with it if you are testing local DLP filtering. You should be able to do it successfully.
Hi Atif,
Please find the basic regular expression configuration that you can apply under a firewall policy.
FGT # sh dlp sensor test
config dlp sensor
    edit "test"
        config rule
            edit "Hello"
            next
        end
        set dlp-log enable
    next
end
FGT # sh dlp rule Hello
config dlp rule
    edit "Hello"
        set protocol email
        set sub-protocol smtp pop3 imap smtps pop3s imaps
        set field subject
        set regexp "Hello"
    next
end
Once you test this basic one: if you send any mail over any of the above-mentioned protocols with "Hello" in the subject of the email, it will log the DLP action, as in this case it is log-only.
I know this is an old thread, but I was just trying to test DLP and it helped a lot. The config on a 7.0 FGT may be slightly different, so I thought I'd put the syntax for my test here:
config dlp sensor
    edit "test"
        config filter
            edit 1
                set type message
                set proto smtp
                set filter-by regexp
                set regexp "Hello"
                set archive enable
                set action block
            next
        end
    next
end
Then I just used telnet on port 25 to a mail server to send a test message and got back "The transfer attempt has been blocked because it appears to contain a data leak".
Phil Rose
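A small lab helper for the two steps the replies above describe: checking that the regexp really matches the subject or body you intend to send, and sending a test message over SMTP while telling a DLP block apart from an ordinary relay rejection or a connection error. This is an added example written for this thread; it is not Fortinet code, and the hosts, addresses and message texts in it are constructed. It uses Python's `re` module, whose syntax can differ from the FortiGate regexp engine, so treat the match check as a sanity test of your pattern, not as proof of what the sensor will do. The block text it looks for is the one quoted in the last reply.

```python
"""DLP lab test helper (added example, not Fortinet's own tooling)."""
import re
import smtplib
from email.message import EmailMessage

# Text the FortiGate returned in this thread when the sensor blocked the transfer.
DLP_BLOCK_MARKER = "appears to contain a data leak"


def field_matches(pattern, subject, body, field="subject"):
    """Emulate the rule's 'field' setting: test the regexp against subject, body or both."""
    targets = {"subject": [subject], "body": [body], "any": [subject, body]}[field]
    return any(re.search(pattern, text) is not None for text in targets)


def build_test_message(sender, recipient, subject, body):
    """Build the message that will be sent through the firewall."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def classify_smtp_response(code, text):
    """Map an SMTP reply to a verdict: 'dlp-blocked', 'rejected' or 'delivered'."""
    if isinstance(text, bytes):
        text = text.decode("utf-8", "replace")
    if DLP_BLOCK_MARKER in text:
        return "dlp-blocked"
    if 400 <= code < 600:
        return "rejected"
    return "delivered"


def send_test(host, port, msg, timeout=10):
    """Send the message and return the verdict; 'error' means the server never answered the DATA."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as server:
            server.send_message(msg)
        return "delivered"
    except smtplib.SMTPResponseException as exc:
        return classify_smtp_response(exc.smtp_code, exc.smtp_error)
    except (smtplib.SMTPException, OSError):
        return "error"


if __name__ == "__main__":
    # Constructed sample: the "Hello in subject" test from the thread plus a
    # credit-card style pattern for the OP's original attempt.
    card_pattern = r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"
    subject, body = "Hello from the lab", "card 4111 1111 1111 1111 (constructed test value)"
    print("subject rule matches:", field_matches("Hello", subject, body, "subject"))
    print("card rule matches body:", field_matches(card_pattern, subject, body, "body"))
    msg = build_test_message("tester@lab.example", "inbox@lab.example", subject, body)
    # Hypothetical mail server behind the FortiGate; replace with your lab host.
    print("verdict:", send_test("mail.lab.example", 25, msg))
```

Run it from the PC on the internal side so the traffic crosses the policy the sensor is attached to; a verdict of "rejected" without the block marker usually means the mail server refused the message before DLP had a chance to act, and "error" means nothing came back at all, both of which point at the topology rather than the regexp.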