Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
thegost4u
New Contributor

Created on ‎02-23-2015 04:07 AM

DLP log only mode is not working !!

Hello all !

IN DLP, i have a sensor which checks if files has the word "test", and the action is "log only", but it does not show anything in logs when i pass files.. why ??

i have enabled extended-utm-logs already.

my device is 100D and the software is v5.0,build0310 (GA Patch 11) [was on latest 5.3 and downgraded]

here is a screenshots of my current situation:

 

 

 

 

See it only logs when i set action to "block"

 

6596
0 Kudos
4 REPLIES 4
thegost4u
New Contributor

Created on ‎02-24-2015 11:52 PM

Ok, i made it work.. this is what i changed 

 

config dlp sensor edit "test" set comment "This is a test sensor" set replacemsg-group '' config filter edit 1 set type file set proto smtp pop3 imap http-post ftp nntp mapi set filter-by regexp set regexp "(T|t)(E|e)(S|s)(T|t)" set action log-only next end set extended-utm-log enable set dlp-log enable set nac-quar-log enable set flow-based disable unset options set full-archive-proto smtp pop3 imap http-get http-post ftp nntp aim icq msn yahoo mapi unset summary-proto next end

 

 

so others can make use of it in future ! 

thanks all for not helping :\ 

2077
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎02-25-2015 12:24 AM

hey,

 

no need to be rude, especially not here in a self-help forum. I get it that this upset you but you resolved the issue by yourself within 24 hours. I've been on a recent problem for more than 4 months until I found the solution, and didn't whince (much).

 

Back to your filter. If you are using an RE you can use the "i" switch to make the pattern case-insensitive, like in

"i/test/". FortiOS RE follow the perl syntax as far as I remember so switches should be included.

Maybe that'll help you in the future.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
2077
0 Kudos
thegost4u
New Contributor
In response to ede_pfau

Created on ‎02-25-2015 03:24 AM

ede_pfau wrote:

hey,

 

no need to be rude, especially not here in a self-help forum. I get it that this upset you but you resolved the issue by yourself within 24 hours. I've been on a recent problem for more than 4 months until I found the solution, and didn't whince (much).

 

Back to your filter. If you are using an RE you can use the "i" switch to make the pattern case-insensitive, like in

"i/test/". FortiOS RE follow the perl syntax as far as I remember so switches should be included.

Maybe that'll help you in the future.

 

Sorry for misunderstanding, i was implying that am sad not rude ^^

back to my filter, thanks for the case sensitive help ! i've been working so fast on it and i can't focus everywhere.

so if i want to apply a filter for "secret document" (in both capital and small letters) what do you advice to use as regex ?

2077
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎02-25-2015 06:01 AM

Alright.

I'd use "i/secret document/" but be aware that there is meant to be only 1 space between words.

"i/secret\s+document/" would match variable spaces or tabs between words.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
2077
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.