lkanakala
Staff

Description
This article explains the GUI/CLI changes in configuring Data Leak Prevention (DLP) introduced in FortiOS 6.2.2.

Useful link:
Fortinet Documentation: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/610893/file-filter

Scope
Concerns FortiOS version 6.2.2 and higher

Solution
CLI Changes:

The following option, which enabled or disabled the visibility of the DLP feature in the GUI, has been removed:

# config system settings
    set gui-dlp [enable|disable]
end

GUI Changes:

- No DLP profile in security profile
- No DLP profile section in IPv4, IPv6 and Proxy policy
- No DLP Log option in Log & Report
- No DLP option with NGFW

The DLP option is no longer available in the GUI and cannot be made visible in the GUI from the CLI. Under "config system settings", the option "set gui-dlp enable" no longer exists:

# Skywalker-kvm55 # config system settings
# Skywalker-kvm55 (settings) # set gui-dlp
command parse error before 'gui-dlp'

DLP is still functional on releases 6.2.2 and later; however, it is configurable only from the CLI.
The commands and configuration related to DLP remain the same as in earlier code.

# Skywalker-kvm55 # get system status
Version: FortiGate-VM64-KVM v6.2.2,build1010,191008 (GA)
<snip>

# Skywalker-kvm55 (sensor) # show

config dlp sensor
    edit "default"
        set comment "Default sensor."
        config filter
            edit 1
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by file-type
                set file-type 3
                set action block
            next
        end
    next
    edit "sniffer-profile"
        set comment "Log a summary of email and web traffic."
        set summary-proto smtp pop3 imap http-get http-post
    next
end

# config firewall policy
    edit 1
        set name "Full Access"
        set uuid b4b85de6-d4f2-51e9-5247-91c302c291e2
        set srcintf "port1"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dlp-sensor "default"    <<<<<<
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
The DLP functionality can be leveraged using the "File Filter" feature under the Web Filter security profile, which provides the flexibility to inspect HTTP and FTP traffic for selected file types.

Though "File Filter" supports only the inspection of HTTP and FTP traffic, DLP can still be configured to handle other types of file filtering:
- File-size
- SSN & Credit Card
- File name
 
Important Notes:
- DLP configuration is available in Flow based and Proxy based inspection modes in 6.2.2.
- If the unit is upgraded to FortiOS 6.2.2, firewall policies lose the DLP sensor profile configured on them, and the DLP sensor profile needs to be manually re-added to the firewall policy via the CLI (set dlp-sensor default).
- Any custom DLP sensors that were created on firmware prior to 6.2.2 are still available to use after the upgrade to 6.2.2. However, they are removed from the firewall policies by default and need to be manually re-added.
- File filtering currently works only in Proxy based inspection mode.
- There is no web filter profile in NGFW Policy mode.
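As an added example (not part of the original article or Fortinet's tooling), the following Python script automates the post-upgrade check described in the notes above: it parses a FortiOS configuration backup, lists firewall policies that apply UTM but carry no DLP sensor, and prints the CLI needed to re-attach one. The configuration excerpt is constructed for illustration.

```python
# Constructed sample: a FortiOS config backup excerpt after an upgrade to 6.2.2,
# where policy 2 lost its "set dlp-sensor" line (not taken from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Full Access"
        set action accept
        set utm-status enable
        set dlp-sensor "default"
    next
    edit 2
        set name "Mail Out"
        set action accept
        set utm-status enable
        set webfilter-profile "default"
    next
    edit 3
        set name "Guest"
        set action accept
    next
end
"""


def parse_policies(config_text):
    """Return {policy_id: {key: value}} for entries under 'config firewall policy'.

    Tracks config/end nesting so nested blocks inside a policy do not confuse the scan.
    """
    policies, depth, in_table, current = {}, 0, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            in_table = in_table or (line == "config firewall policy" and depth == 1)
        elif line == "end":
            in_table = in_table and depth != 1
            depth -= 1
        elif in_table and depth == 1 and line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            policies[current] = {}
        elif line == "next" and depth == 1:
            current = None
        elif current is not None and depth == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip('"')
    return policies


def policies_missing_dlp(config_text):
    """Policy IDs with UTM enabled but no DLP sensor: the case the upgrade notes describe."""
    return sorted((pid for pid, attrs in parse_policies(config_text).items()
                   if attrs.get("utm-status") == "enable" and "dlp-sensor" not in attrs), key=int)


def remediation_cli(policy_ids, sensor="default"):
    """Emit the CLI that re-attaches the sensor, mirroring 'set dlp-sensor default'."""
    body = "".join(f'    edit {pid}\n        set dlp-sensor "{sensor}"\n    next\n' for pid in policy_ids)
    return f"config firewall policy\n{body}end\n"


if __name__ == "__main__":
    print(remediation_cli(policies_missing_dlp(SAMPLE_CONFIG)))
```

Policy 3 is not reported because it applies no UTM profiles at all, so a DLP sensor could not be attached to it anyway.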