Fortinet black logo

Handbook

Configuring sensors

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:19706
Download PDF

Configuring sensors

DLP sensors are collections of filters. You must also specify an action for the filter when you create it in a sensor. Once a DLP sensor is configured, you add it to a security policy profile. Any traffic handled by that security policy will be examined according to the DLP sensor configuration.

DLP is not available in flow-based inspection.

To create/edit a DLP sensor in the GUI
  1. Go to Security Profiles > Data Leak Prevention.
  2. Choose whether you want to edit an existing sensor or create a new one.
    1. The default sensor is the one displayed by default.
    2. To edit an existing sensor, select it by either using the drop down menu in the upper right hand corner of the window or by selecting the List icon (the furthest right of the 3 icons in the upper right of the window, resembling a page with some lines on it), and then selecting the profile you want to edit from the list.
    3. To create a new sensor, select the Create New icon (a plus sign within a circle) or the List icon and then select the Create New link in the upper left corner of the window that appears.
  3. Enter a name in the Name field for any new DLP sensors.
  4. Optionally, you may also enter a comment. The comment appears in the DLP sensor list and can remind you of the details of the sensor.
  5. At this point you can add filters to the sensor (see adding filters to a DLP sensor) or select OK to save the sensor.

Without filters, the DLP sensor will do nothing.

Adding filters to a DLP sensor

Once you have created a DLP sensor, you need to add filters.

  1. To add filters to a DLP sensor
  2. Go to Security Profiles > Data Leak Prevention.
  3. Select the sensor you wish to edit using the drop-down menu or the sensor list window.
  4. Within the Edit DLP Sensor window select Create New. A New Filter window should pop up.
  5. Select the type of filter. You can choose either Messages or Files, depending on which of these two are chosen different options will be available. Message filter will have these configuration options:
    • [radio button] Containing: [drop-down menu including: Credit Card # or SSN]
    • [radio button] Regular Expression [input field]

    Examine the following services:

    Web Access

    • HTTP-POST

    Email

    • [check box] SMTP
    • [check box] POP3
    • [check box] IMAP
    • [check box] MAPI

    Others

    • [check box] NNTP

    Action [from drop-down menu]

    • Allow
    • Log Only (default)
    • Block
    • Quarantine IP address

    Files filter will allow you to choose one of these options:

    • Containing: drop-down menu including: Credit Card # or SSN
    • File Size > [ ]KB files greater than the number of KB entered
    • Specify File Types File Types: [“Click to add...”drop-down menu of File extensions] File Name Patterns:[“Click to add...”drop-down menu]
    • [radio button] Regular Expression [input field]
    • [radio button] Encrypted

    Examine the following services:

    Web Access

    • [check box] HTTP-POST
    • [check box] HTTP-GET

    Email

    • [check box] SMTP
    • [check box] POP3
    • [check box] IMAP
    • [check box] MAPI

    Others

    • [check box] FTP
    • [check box] NNTP

    Action [from drop-down menu]

    • Allow
    • Log Only (default)
    • Block
    • Quarantine IP address
  6. Select OK.
  7. Repeat Steps 5 and 6 for each filter.
  8. Select Apply to confirm the settings of the sensor.

caution icon

If you have configured DLP to block IP addresses and if the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device — not just traffic from individual users — could be blocked. You can avoid this problem by implementing authentication.

note icon

To view or modify the replacement message text, go to System > Replacement Messages.

Configuring sensors

DLP sensors are collections of filters. You must also specify an action for the filter when you create it in a sensor. Once a DLP sensor is configured, you add it to a security policy profile. Any traffic handled by that security policy will be examined according to the DLP sensor configuration.

DLP is not available in flow-based inspection.

To create/edit a DLP sensor in the GUI
  1. Go to Security Profiles > Data Leak Prevention.
  2. Choose whether you want to edit an existing sensor or create a new one.
    1. The default sensor is the one displayed by default.
    2. To edit an existing sensor, select it by either using the drop down menu in the upper right hand corner of the window or by selecting the List icon (the furthest right of the 3 icons in the upper right of the window, resembling a page with some lines on it), and then selecting the profile you want to edit from the list.
    3. To create a new sensor, select the Create New icon (a plus sign within a circle) or the List icon and then select the Create New link in the upper left corner of the window that appears.
  3. Enter a name in the Name field for any new DLP sensors.
  4. Optionally, you may also enter a comment. The comment appears in the DLP sensor list and can remind you of the details of the sensor.
  5. At this point you can add filters to the sensor (see adding filters to a DLP sensor) or select OK to save the sensor.

Without filters, the DLP sensor will do nothing.

Adding filters to a DLP sensor

Once you have created a DLP sensor, you need to add filters.

  1. To add filters to a DLP sensor
  2. Go to Security Profiles > Data Leak Prevention.
  3. Select the sensor you wish to edit using the drop-down menu or the sensor list window.
  4. Within the Edit DLP Sensor window select Create New. A New Filter window should pop up.
  5. Select the type of filter. You can choose either Messages or Files, depending on which of these two are chosen different options will be available. Message filter will have these configuration options:
    • [radio button] Containing: [drop-down menu including: Credit Card # or SSN]
    • [radio button] Regular Expression [input field]

    Examine the following services:

    Web Access

    • HTTP-POST

    Email

    • [check box] SMTP
    • [check box] POP3
    • [check box] IMAP
    • [check box] MAPI

    Others

    • [check box] NNTP

    Action [from drop-down menu]

    • Allow
    • Log Only (default)
    • Block
    • Quarantine IP address

    Files filter will allow you to choose one of these options:

    • Containing: drop-down menu including: Credit Card # or SSN
    • File Size > [ ]KB files greater than the number of KB entered
    • Specify File Types File Types: [“Click to add...”drop-down menu of File extensions] File Name Patterns:[“Click to add...”drop-down menu]
    • [radio button] Regular Expression [input field]
    • [radio button] Encrypted

    Examine the following services:

    Web Access

    • [check box] HTTP-POST
    • [check box] HTTP-GET

    Email

    • [check box] SMTP
    • [check box] POP3
    • [check box] IMAP
    • [check box] MAPI

    Others

    • [check box] FTP
    • [check box] NNTP

    Action [from drop-down menu]

    • Allow
    • Log Only (default)
    • Block
    • Quarantine IP address
  6. Select OK.
  7. Repeat Steps 5 and 6 for each filter.
  8. Select Apply to confirm the settings of the sensor.

caution icon

If you have configured DLP to block IP addresses and if the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device — not just traffic from individual users — could be blocked. You can avoid this problem by implementing authentication.

note icon

To view or modify the replacement message text, go to System > Replacement Messages.