Administration Guide

Basic DLP settings

DLP settings can be configured for data types, dictionaries, EDM templates (CLI only), sensors, file patterns, and profiles. Most DLP settings can be configured in both the CLI and the GUI irrespective of firewall policy inspection mode.

Note

To use a DLP profile in a flow-based firewall policy, the profile's feature set must be set to flow from the CLI (set feature-set flow). See Configuring DLP from the CLI for more information.

DLP profiles can only be added to a flow-based firewall policy from the CLI.

On the Security Profiles > Data Loss Prevention page, there are Profiles, Sensors, and Dictionaries tabs to configure those DLP settings. DLP profiles can be added to proxy-based firewall policies and proxy policies from the GUI.

Tooltip

If Data Loss Prevention is not visible in the tree menu, go to System > Feature Visibility and enable it.

This section breaks down the DLP configuration into a sequence of steps:

  1. Configure the DLP dictionary and/or EDM template:

    • A DLP dictionary is a collection of data type entries. See Built-in DLP data type for more information.

    • An EDM template pairs the data from an external file, such as a data threat feed file, with built-in data types (CLI only).

  2. Configure the DLP sensor:

    • A DLP sensor defines which dictionaries and/or EDM templates to check, and how many matches of each are required before the sensor triggers.

  3. Configure the DLP profile:

    • A DLP profile allows for filtering by size and file type. See DLP file pattern for custom file type.

  4. Add the DLP profile to a firewall policy.

Note

Configure the steps in the order given: each object references the one created before it (the sensor references dictionaries or EDM templates, the profile references sensors, and the firewall policy references the profile), so a referenced object must exist before it can be selected.

Configuring DLP from the GUI

Use the following steps to configure DLP from the GUI.

To configure a DLP dictionary:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select the Dictionaries tab and click Create New.

  3. Enter a name.

  4. In the Dictionary Entries section, click Create New.

  5. Set the Type and click OK.

  6. Click OK to save the dictionary.

To configure a DLP sensor:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select the Sensors tab and click Create New.

  3. Enter a name.

  4. In the Sensors Entries section, click Create New.

  5. Select the Dictionary from the dropdown menu and click OK.

  6. Click OK to save the sensor.

To configure a DLP profile:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select the Profiles tab and click Create New.

  3. Enter a name.

  4. In the Rules section, click Create New.

  5. Configure the following settings:

    Name

    Filter name.

    Sensors

    Select DLP sensors.

    Severity

    Select the severity or threat level that matches this filter.

    Action

    Action to take with content that this DLP profile matches.

    Type

    Select whether to check the content of messages (an email message) or files (downloaded files or email attachments).

    File type

    Select the number of a DLP file pattern table to match.

    Protocol

    Check messages or files over one or more of these protocols.

  6. Click OK.

  7. Click OK to save the profile.

To add the DLP profile to a firewall policy:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

  3. Set the Inspection Mode to Proxy-based.

  4. In the Security Profiles section, enable DLP Profile and select the desired profile.

  5. Configure the other settings as needed.

  6. Click OK.

Configuring DLP from the CLI

Use the following steps to configure DLP from the CLI.

To configure a DLP dictionary:
config dlp dictionary
    edit <name>
        config entries
            edit 1
                set type {credit-card | hex | keyword | mip-label | regex | ssn-us}
                set pattern <string>
                set repeat {enable | disable}
                set status {enable | disable}
            next
        end
    next
end
To configure an EDM template:

When configuring an EDM template from the CLI, you must link to a data file in CSV format on an external server; you cannot upload the data file to FortiGate.

  1. Add the URL for the data threat feed file to FortiGate.

    config system external-resource
        edit <name>
            set type data
            set resource <URL to resource file on external server>
        next
    end
  2. Configure the EDM template.

    config dlp exact-data-match
        edit <name>
            set optional <number of optional columns that must match>
            set data <name of external resource file>
            config columns
                edit <column index number>
                    set type <pre-defined data type>
                next
                edit <column index number>
                    set type <pre-defined data type>
                    set optional enable
                next
                edit <column index number>
                    set type <pre-defined data type> 
                    set optional enable 
                next
            end
        next
    end
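The following is an added worked example of the EDM procedure above; it is not configuration from the FortiOS guide. The host name, file path, object names and column layout are placeholders, the customer records are constructed sample data (a well-known invalid SSN and a test card number), and the third column type is an assumption: confirm the available predefined types on your firmware with "set type ?" inside config columns.

```fortios
# Added example: EDM template fed from an external CSV file (placeholder names).
#
# customers.csv served at https://dlp-feed.corp.example/customers.csv
# (constructed sample data, one record per line, columns in fixed order):
#   column 1: US social security number   (required)
#   column 2: payment card number          (optional)
#   column 3: customer e-mail address      (optional)
#
#   078-05-1120,4111111111111111,jane.doe@example.com
#   219-09-9999,,jrandom@example.com
#
# Serve this file only over HTTPS from a host that restricts access to the
# FortiGate: it is the exact dataset the template is meant to protect.

# 1. Register the file as an external data resource.
config system external-resource
    edit "edm-customers"
        set type data
        set resource "https://dlp-feed.corp.example/customers.csv"
    next
end

# 2. Map each CSV column to a predefined data type and mark the optional ones.
#    With "set optional 1", a record matches when every required column (the
#    SSN) is found together with at least one of the optional columns.
config dlp exact-data-match
    edit "edm-customers"
        set optional 1
        set data "edm-customers"
        config columns
            edit 1
                set type ssn-us
            next
            edit 2
                set type credit-card
                set optional enable
            next
            edit 3
                set type email          # assumed type name; check with "set type ?"
                set optional enable
            next
        end
    next
end

# 3. A sensor references the template exactly like a dictionary; the profile
#    and firewall policy are then attached as for any other sensor.
config dlp sensor
    edit "sensor-customer-records"
        set match-type match-any
        config entries
            edit 1
                set dictionary "edm-customers"
                set count 1
                set status enable
            next
        end
    next
end
```

The value of EDM over a plain credit-card dictionary is that a transfer only triggers when fields from the same customer record appear together, so a lone test card number in a developer's e-mail does not match while an export of the customer table does.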
To configure a DLP sensor:
config dlp sensor
    edit <name>
        set match-type {match-all | match-any | match-eval}
        set eval <string>
        config entries
            edit <id>
                set dictionary <dlp dictionary or EDM template>
                set count <integer>
                set status {enable | disable}
            next
        end
    next
end

See Evaluation by Logical relationship for more information about match-eval.

To configure a DLP profile:
config dlp profile
    edit <name>
        set feature-set {flow | proxy}
        config rule
            edit <id>
                set proto <protocol> <protocol> ...
                set sensor <dlp_sensor>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To add the DLP profile to a firewall policy:
config firewall policy
    edit <id>
        set srcintf <interface>
        set dstintf <interface>
        set action accept
        set srcaddr <address>
        set dstaddr <address>
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set dlp-profile <string>
    next
end
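The following is an added end-to-end example of the four CLI steps above; it is not configuration from the FortiOS guide or a Fortinet sample. Interface names (port1, port2), the address object "lan-subnet", the dictionary, sensor, profile and policy names and the match counts are placeholders chosen for illustration, and the rule keywords name, severity, type and filter-by are assumed CLI equivalents of the Name, Severity and Type fields in the GUI procedure.

```fortios
# Added example: block outbound bulk card-number leaks (placeholder names).

# 1. Dictionaries: what to look for. One built-in pattern, one literal keyword.
config dlp dictionary
    edit "dict-card-numbers"
        config entries
            edit 1
                set type credit-card        # built-in payment card number pattern
                set repeat enable           # let every occurrence count toward the sensor count
                set status enable
            next
        end
    next
    edit "dict-classification"
        config entries
            edit 1
                set type keyword
                set pattern "INTERNAL ONLY"
                set status enable
            next
        end
    next
end

# 2. Sensor: how many matches trigger. match-all requires every entry to hit,
#    so content must carry at least 5 card numbers AND the classification marker;
#    a single card number in a receipt or support ticket does not trigger.
config dlp sensor
    edit "sensor-bulk-cards"
        set match-type match-all
        config entries
            edit 1
                set dictionary "dict-card-numbers"
                set count 5
                set status enable
            next
            edit 2
                set dictionary "dict-classification"
                set count 1
                set status enable
            next
        end
    next
end

# 3. Profile: where to look and what to do. feature-set proxy matches the
#    proxy-based policy below; a flow-based policy needs feature-set flow.
config dlp profile
    edit "dlp-block-exfil"
        set feature-set proxy
        config rule
            edit 1
                set name "block-bulk-cards-outbound"   # assumed keyword (GUI: Name)
                set severity high                      # assumed keyword (GUI: Severity)
                set type file                          # assumed keyword (GUI: Type)
                set proto smtp http-post ftp           # outbound upload channels only
                set filter-by sensor                   # assumed keyword: filter by sensor
                set sensor "sensor-bulk-cards"
                set action block
            next
        end
    next
end

# 4. Policy: attach the profile to LAN-to-WAN traffic in proxy inspection mode.
config firewall policy
    edit 10
        set name "lan-to-wan-dlp"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "lan-subnet"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set dlp-profile "dlp-block-exfil"
        set logtraffic all
    next
end
```

Two practical caveats. First, DLP can only inspect content it can read: for HTTPS, SMTPS or FTPS the policy also needs an SSL/SSH inspection profile that performs deep inspection, otherwise an encrypted http-post is never examined. Second, start with "set action log-only" and review the DLP logs before switching to block, so the count thresholds are tuned on real traffic rather than guessed.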

See DLP examples for sample configurations.
