Technical Tip: Configure Data Leak/Loss Prevention (DLP)

lkanakala · ‎10-30-2019

Description

This article explains the GUI/CLI changes in configuring Data Leak/Loss Prevention (DLP).

Useful link:
File Filter - FortiGate cookbook.

Scope

FortiOS versions between 6.2.2 and 7.2.3.

Solution

CLI Changes:

The following option to enable/disable DLP feature visibility in the GUI has been removed:

config system settings
set gui-dlp [enable|disable]
end

GUI Changes:

No DLP profile in security profile.
No DLP profile section in IPv4, IPv6 and Proxy policy.
No DLP Log option in Log & Report.
No DLP option with NGFW.

The DLP option is no longer available on the GUI and cannot be made visible on the GUI using the CLI. Under 'config system settings', the option 'set gui-dlp enable' no longer exists.

config system settings

set gui-dlp
command parse error before 'gui-dlp'

DLP is still functional on the releases 6.2.2 and later, however. It is configurable only from the CLI.

The commands and configuration related to DLP still remain the same as shown in earlier code.

get system status
Version: FortiGate-VM64-KVM v6.2.2,build1010,191008 (GA)
<snip>

show

config dlp sensor
edit "default"
set comment "Default sensor."

        config filter
            edit 1
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by file-type
                set file-type 3
                set action block
            next
        end
    next
    edit "sniffer-profile"
        set comment "Log a summary of email and web traffic."
        set summary-proto smtp pop3 imap http-get http-post
    next
end

config firewall policy
    edit 1
        set name "Full Access"
        set uuid b4b85de6-d4f2-51e9-5247-91c302c291e2
        set srcintf "port1"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable    <- It is necessary to enable utm-status first.
        set dlp-sensor "default"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end

The DLP functionality can be leveraged using the 'File Filter' feature under the Web Filter security profile, which provides flexibility to inspect HTTP and FTP traffic for selected files.

Though the ‘File Filter’ supports only inspection of HTTP and FTP traffic, DLP can still be configured to handle other types of file filtering:

File-size.
SSN and Credit Card.
File name.

Another Example:

To block any file name that contains the word 'startrek', the CLI syntax for this would be:

config dlp sensor
    edit "test2"
        set feature-set proxy
        config filter
            edit 1
                set name "filebanned"
                set severity critical
                set proto http-get http-post ssh
                set filter-by regexp
                set regexp "/startrek/i"
                set action block
            next
        end
        set extended-log enable
        set full-archive-proto http-get http-post ssh
    next
end

It will block any file with startrek in the name.

Important notes:

DLP configuration is available in Flow based and Proxy based inspection modes in 6.2.2.
If the unit is upgraded to FortiOS 6.2.2, firewall policies would lose the DLP sensor profile config on them and the DLP sensor profile needs to be manually added onto the firewall policy via CLI.
(set dlp-sensor default)
Any custom DLP sensors that were created on the firmware prior to 6.2.2 would still be available to use after the upgrade to 6.2.2. However, by default, removed from the firewall policies and needs to be manually added.
File filtering currently works only in Proxy based inspection mode.
There is no web filter profile in NGFW Policy mode.

As of FortiOS 7.2.4 GA and above, the DLP profile feature has been re-introduced in the GUI.

DLP can be enabled in the GUI or CLI:

config system settings
set gui-dlp-profile enable
end

See the FortiOS 7.2.4 release notes for more information.