Support Forum
atif_jauhar
New Contributor

DLP Testing

I am trying to test DLP in my lab environment. I have tried a lot of the default options, like the Credit Card by email example, etc., but I am not able to block and also not able to view it in the logs. My topology is:

PC --- (Internal) --- Fortigate 50B --- (WAN) --- Office LAN with Email Server --- Office WAN

I have tried every step of the example from the Cookbook but failed. My Fortigate has firmware v400 build 0342. Can anyone help me write a regular expression so that if I have any word or phrase in the email body or subject, I am able to get logs, and if I try to block that email, I am able to do it? One more note: I didn't have an Email Filter license; is there any issue with that?
Sumanth_FTNT
Staff

Hi Atif, as per your topology I am not clear if you are applying the policy in the right place. PC (Internal) --> FGT50B --> WAN (which contains the Email Server). If this is the setup, then the policy is between Internal & WAN1. I will be posting the exact config that you can try in the next post.

"One more note: I didn't have an Email Filter license; is there any issue with that?"

You have nothing to do with the Email Filter license if you are testing local DLP filtering. You should be able to do it successfully.
Sumanth_FTNT

Hi Atif, please find the basic regular expression that you can configure under a FW policy.

FGT # sh dlp sensor test
config dlp sensor
 edit "test"
  config rule
   edit "Hello"
   next
  end
  set dlp-log enable
 next
end

FGT # sh dlp rule Hello
config dlp rule
 edit "Hello"
  set protocol email
  set sub-protocol smtp pop3 imap smtps pop3s imaps
  set field subject
  set regexp "Hello"
 next
end

Once you test this basic one, if you send any mail over any of the above mentioned protocols with "Hello" in the subject of the email, it will log the DLP action, as in this case it is log-only.
phil_rose

I know this is an old thread, but I was just trying to test DLP and it helped a lot. The config on a 7.0 FGT may be slightly different, so I thought I'd put the syntax for my test here:
config dlp sensor
 edit "test"
  config filter
   edit 1
    set type message
    set proto smtp
    set filter-by regexp
    set regexp "Hello"
    set archive enable
    set action block
   next
  end
 next
end
Then I just used telnet on port 25 to a mail server to send a test message and got back "The transfer attempt has been blocked because it appears to contain a data leak".
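The manual telnet check above, and the log-only sensor from the earlier reply, can both be exercised with a small sender script that puts the marker word in the subject (or body) and classifies the mail server's reply. This is an added example, not code from the thread or from Fortinet; the host, port, addresses and marker word are assumptions to adjust for your own lab.

```python
"""Send a DLP test e-mail carrying a marker word and report the verdict.
Added example, not from the thread; host, port, addresses and the marker word
are assumptions to adjust for your own lab before running."""
import re
import smtplib
from email.message import EmailMessage

MAIL_HOST = "mail.lab.example"      # assumption: office mail server behind the FortiGate
MAIL_PORT = 25                       # plain SMTP, as in the telnet test above
SENDER = "dlp-test@lab.example"      # assumption: lab sender
RECIPIENT = "inbox@lab.example"      # assumption: lab mailbox

# Reply text the FortiGate returns when the sensor action is "block" (quoted in the thread).
BLOCK_MARKER = re.compile(r"data leak", re.IGNORECASE)

def build_test_message(marker: str, in_subject: bool = True) -> EmailMessage:
    """Put the marker in the Subject (matches a 'set field subject' rule) or only in the body."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = f"{marker} DLP test" if in_subject else "DLP test"
    msg.set_content(f"{marker} in body\n" if not in_subject else "Body text without the marker.\n")
    return msg

def classify_response(code: int, text: str) -> str:
    """Map the server's final SMTP reply to 'blocked', 'rejected' or 'accepted'."""
    if code >= 500 and BLOCK_MARKER.search(text):
        return "blocked"    # DLP sensor with 'set action block' fired
    if code >= 400:
        return "rejected"   # some other refusal by the mail server
    return "accepted"       # delivered; a log-only sensor shows the hit in the DLP log

def send_dlp_test(marker: str = "Hello", in_subject: bool = True) -> str:
    """Send one test message through the FortiGate and return the verdict."""
    msg = build_test_message(marker, in_subject)
    try:
        with smtplib.SMTP(MAIL_HOST, MAIL_PORT, timeout=15) as smtp:
            smtp.send_message(msg)
    except smtplib.SMTPResponseException as exc:
        err = exc.smtp_error
        text = err.decode(errors="replace") if isinstance(err, bytes) else str(err)
        return classify_response(exc.smtp_code, text)
    return classify_response(250, "")

if __name__ == "__main__":
    print(send_dlp_test())
```

Run it once with the marker in the subject and once with `in_subject=False` to confirm that a subject-only rule ignores the body, and compare each verdict against the FortiGate DLP log.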
