
DLP Testing

I am trying to test DLP in my lab environment. I have tried a lot of the default options, like the Credit Card by email example, but I am not able to block anything and also not able to see anything in the logs. My topology is:

PC --- (Internal) --- FortiGate 50B --- (WAN) --- Office LAN with Email Server --- Office WAN

I have tried every step of the example from the Cookbook but failed. My FortiGate has firmware v400 build 0342. Can anyone help me write a regular expression so that if I have any word or phrase in the email body or subject, I am able to get logs, and if I try to block that email, I am able to do it? One more note: I don't have an Email Filter license; is there any issue with that?

Hi Atif, as per your topology I am not clear whether you are applying the policy in the right place. PC (Internal) --> FGT50B --> WAN (which contains the Email Server). If this is the setup, then the policy is between Internal & WAN1. I will be posting the exact config that you can try in the next post.

"One more note: I don't have an Email Filter license; is there any issue with that?"

You have nothing to do with the Email Filter license if you are testing local DLP filtering. You should be able to do it successfully.

Hi Atif, please find the basic regular expression sensor that you can configure under the FW policy.

FGT # sh dlp sensor test
config dlp sensor
    edit "test"
        config rule
            edit "Hello"
            next
        end
        set dlp-log enable
    next
end

FGT # sh dlp rule Hello
config dlp rule
    edit "Hello"
        set protocol email
        set sub-protocol smtp pop3 imap smtps pop3s imaps
        set field subject
        set regexp "Hello"
    next
end

Once you have tested this basic one: if you send any mail over any of the above-mentioned protocols with "Hello" in the subject of the email, it will log the DLP action, as in this case it is log-only.

I know this is an old thread, but I was just trying to test DLP and it helped a lot. The config on a 7.0 FGT may be slightly different, so I thought I'd put the syntax for my test here:
config dlp sensor
    edit "test"
        config filter
            edit 1
                set type message
                set proto smtp
                set filter-by regexp
                set regexp "Hello"
                set archive enable
                set action block
            next
        end
    next
end
Then I just used telnet on port 25 to a mail server to send a test message and got back "The transfer attempt has been blocked because it appears to contain a data leak".
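A repeatable version of that telnet test, added here as example code (not from this thread or from Fortinet): it sends one message whose Subject matches the "Hello" regexp and one control message that should pass, and classifies the SMTP reply using the block text quoted above. The host, port and mailbox addresses are placeholders for your own lab mail server.

```python
import smtplib
from email.message import EmailMessage

# Reply text quoted in the thread when the FortiGate DLP sensor blocks a message.
BLOCK_MARKER = "appears to contain a data leak"


def build_probe(sender: str, rcpt: str, subject: str) -> EmailMessage:
    """Build a minimal test mail; only the Subject header varies between probes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content("Lab DLP probe. The body deliberately contains no matching phrase.")
    return msg


def classify_reply(code: int, text: str) -> str:
    """Map an SMTP reply to a verdict: 'blocked' (DLP hit), 'accepted', or 'error'."""
    if BLOCK_MARKER in text:
        return "blocked"
    if 200 <= code < 300:
        return "accepted"
    return "error"


def send_probe(host: str, port: int, msg: EmailMessage, timeout: float = 10) -> str:
    """Deliver one probe through the firewall and return the verdict for it."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.send_message(msg)  # raises on a rejected DATA phase
            return "accepted"
    except smtplib.SMTPResponseException as exc:  # server replied with an error code
        return classify_reply(exc.smtp_code, exc.smtp_error.decode(errors="replace"))
    except (smtplib.SMTPException, OSError):      # refused recipients, no connection
        return "error"


def run_probes(host: str, port: int, sender: str, rcpt: str) -> dict:
    """Send a matching probe ('Hello' in Subject) and a control that should not match."""
    cases = {"match": "Hello from the lab", "control": "Status report"}
    return {name: send_probe(host, port, build_probe(sender, rcpt, subj))
            for name, subj in cases.items()}


if __name__ == "__main__":
    # Placeholder lab addresses (assumed); replace with your own mail server and mailboxes.
    results = run_probes("mail.lab.example", 25, "dlp-test@lab.example", "inbox@lab.example")
    print(results)  # with the sensor above, expect match blocked and control accepted
```

The control probe matters as much as the match: if it is also blocked, the regexp or the policy scope is wider than intended.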
