dlp sensor
Use this command to create a DLP sensor. The DLP sensor includes settings such as action, archive, and severity for each rule or compound rule. A number of preconfigured sensors are provided with your FortiGate. These can be edited to more closely match your needs. Consult the Handbook's discussion of data leak prevention concepts for more detail.
Use diagnose test application dlpfingerprint to view statistics, dump all chunks, or refresh all document sources in all VDOMs.
Command | Description
---|---
set extended-log {enable \| disable} | When extended UTM logging is enabled, additional HTTP header information is logged when a UTM event occurs. The following HTTP header fields are included in the extended log: http method, client content type, server content type, user agent, referer, and x-forward-for.
    config dlp sensor
        edit {name}   # Configure DLP sensors.
            set name {string}   Name of the DLP sensor. size[35]
            set comment {string}   Comment. size[255]
            set replacemsg-group {string}   Replacement message group used by this DLP sensor. size[35] - datasource(s): system.replacemsg-group.name
            config filter
                edit {id}   # Set up DLP filters for this sensor.
                    set id {integer}   ID. range[0-4294967295]
                    set name {string}   Filter name. size[35]
                    set severity {option}   Select the severity or threat level that matches this filter.
                        info       Informational.
                        low        Low.
                        medium     Medium.
                        high       High.
                        critical   Critical.
                    set type {file | message}   Select whether to check the content of messages (an email message) or files (downloaded files or email attachments).
                        file       Check the contents of downloaded or attached files.
                        message    Check the contents of email messages, web pages, etc.
                    set proto {option}   Check messages or files over one or more of these protocols.
                        smtp       SMTP.
                        pop3       POP3.
                        imap       IMAP.
                        http-get   HTTP GET.
                        http-post  HTTP POST.
                        ftp        FTP.
                        nntp       NNTP.
                        mapi       MAPI.
                        mm1        MM1.
                        mm3        MM3.
                        mm4        MM4.
                        mm7        MM7.
                    set filter-by {option}   Select the type of content to match.
                        credit-card   Match credit cards.
                        ssn           Match social security numbers.
                        regexp        Use a regular expression to match content.
                        file-type     Match a DLP file pattern list.
                        file-size     Match any file with a size over the threshold.
                        fingerprint   Match against a fingerprint sensitivity.
                        watermark     Look for defined file watermarks.
                        encrypted     Look for encrypted files.
                    set file-size {integer}   Match files this size or larger (0 - 4294967295 kbytes). range[0-4294967295]
                    set company-identifier {string}   Enter a company identifier watermark to match. Only watermarks that your company has placed on the files are matched. size[35]
                    config fp-sensitivity
                        edit {name}   # Select a DLP file pattern sensitivity to match.
                            set name {string}   Select a DLP sensitivity. size[35] - datasource(s): dlp.fp-sensitivity.name
                        next
                    set match-percentage {integer}   Percentage of fingerprints in the fingerprint databases designated with the selected fp-sensitivity to match. range[0-100]
                    set file-type {integer}   Select the number of a DLP file pattern table to match. range[0-4294967295] - datasource(s): dlp.filepattern.id
                    set regexp {string}   Enter a regular expression to match (max. 255 characters). size[255]
                    set archive {disable | enable}   Enable/disable DLP archiving.
                    set action {allow | log-only | block | quarantine-ip}   Action to take with content that this DLP sensor matches.
                        allow           Allow the content to pass through the FortiGate and do not create a log message.
                        log-only        Allow the content to pass through the FortiGate, but write a log message.
                        block           Block the content and write a log message.
                        quarantine-ip   Quarantine all traffic from the IP address and write a log message.
                    set expiry {string}   Quarantine duration in days, hours, minutes format (dddhhmm).
                next
            set dlp-log {enable | disable}   Enable/disable DLP logging.
            set extended-log {enable | disable}   Enable/disable extended logging for data leak prevention.
            set nac-quar-log {enable | disable}   Enable/disable NAC quarantine logging.
            set flow-based {enable | disable}   Enable/disable flow-based DLP.
            set full-archive-proto {option}   Protocols to always content archive.
                smtp       SMTP.
                pop3       POP3.
                imap       IMAP.
                http-get   HTTP GET.
                http-post  HTTP POST.
                ftp        FTP.
                nntp       NNTP.
                mapi       MAPI.
                mm1        MM1.
                mm3        MM3.
                mm4        MM4.
                mm7        MM7.
            set summary-proto {option}   Protocols to always log summary.
                smtp       SMTP.
                pop3       POP3.
                imap       IMAP.
                http-get   HTTP GET.
                http-post  HTTP POST.
                ftp        FTP.
                nntp       NNTP.
                mapi       MAPI.
                mm1        MM1.
                mm3        MM3.
                mm4        MM4.
                mm7        MM7.
        next
    end
Additional information
The following section is for those options that require additional explanation.
dlp-log {enable | disable}
Enable (by default) or disable logging for data leak prevention.
flow-based {enable | disable}
Enable or disable (by default) flow-based DLP. It is strongly recommended to keep this set to disable, as DLP is primarily a proxy-based security profile.
full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
Record a full log for any of the protocols available. This can be useful for forensic investigation; however, it should not be used extensively, as it requires large amounts of the FortiGate's CPU and RAM.
nac-quar-log {enable | disable}
Enable or disable (by default) logging for network access control (NAC) quarantine creation.
replacemsg-group <group_name>
Specify which replacement message group to use, as configured under config system replacemsg-group.
summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
Record a summary log for any of the protocols available. Email messages, for example, would record the recipient's email address and the size of the email.
config filter
Use this configuration method to create DLP filters.
action {allow | log-only | block | quarantine-ip}
Specify action to take when a match is detected:
- allow: No action is taken even if the patterns specified in the filter are matched (set by default).
- log-only: The FortiGate will take no action on network traffic matching a rule with this action. The filter match is logged.
- block: Traffic matching a filter with the block action will not be delivered.
- quarantine-ip: Block access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list for a duration of time determined by set expiry.
company-identifier <id>
Note: This entry is only available when type is set to file and filter-by is set to watermark.
Company identifier for watermarking. Ensures that you only block watermarks that your company has placed on the files, not watermarks with the same name placed by other companies.
expiry <###d##h##m>
Note: This entry is only available if action is set to quarantine-ip.
Set the duration of the quarantine in the days, hours, minutes format ###d##h##m. Set the range between 0d0h1m-364d23h59m. The default is set to 5m.
file-size <kb>
Note: This entry is only available when type is set to file and filter-by is set to file-size.
Set the file size in KB. Files over this size match the filter. Set the range between 0-4294967295. The default is set to 0.
file-type <integer>
Note: This entry is only available when type is set to file and filter-by is set to file-type.
File pattern table for files to match in this filter. Set the range between 0-4294967295. The default is set to 0. There are two predefined options available by default: 1 (builtin-patterns) and 2 (all_executables).
filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
Select a filter for the sensor.
- credit-card: Preconfigured sensor that logs the traffic, both files and messages, that contain credit card numbers in the formats used by American Express, MasterCard and Visa (set by default).
- ssn: Preconfigured sensor that logs the traffic containing Social Security numbers (with the exception of WebEx invitation emails).
- regexp: Match a defined regular expression, as determined by set regexp.
- file-type: Match a defined file type.
- file-size: Match any file over a certain size threshold.
- fingerprint: Match a defined fingerprint sensitivity, as determined by set fp-sensitivity.
- watermark: Match defined file watermarks. Fortinet provides a Linux-based utility that applies a digital watermark to files. The utility adds a small (approximately 100 byte) pattern to the file that is recognized by the DLP watermark filter. The pattern is invisible to the end user. Consult the Handbook's discussion of data leak prevention concepts for more detail.
- encrypted: Look for encrypted files. The filter is a binary one: if a file going through the policy is encrypted, the action is triggered.
fp-sensitivity <sensitivity-level>
Note: This entry is only available when type is set to file and filter-by is set to either fingerprint or watermark.
Match against a fingerprint sensitivity, as configured under config dlp fp-sensitivity.
match-percentage <percentage>
Note: This entry is only available when type is set to file and filter-by is set to fingerprint.
Percentage of chunks required to constitute a match. Set the range between 0-100. The default is set to 0.
proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
Identify the protocols to detect.
regexp <string>
Note: This entry is only available when type is set to file and filter-by is set to regexp.
The FortiGate checks network traffic for the regular expression specified in this regular expression filter. The regular expression library used by Fortinet is a variation of a library called PCRE (Perl Compatible Regular Expressions).
severity {info | low | medium | high | critical}
Set the event severity. The default is set to medium.
type {file | message}
Select whether to check messages (e.g. the content of an email message) or files (e.g. downloaded files or the content of files attached to an email). The default is set to message.
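As an added example (not from the FortiOS reference, and not Fortinet code), the following Python checks a sensor description against the availability notes and value ranges given above before rendering it as a config dlp sensor block; the dict layout, the function names and the two sample filters are this editor's assumptions.

```python
import re

# Ranges and availability notes are taken from the dlp sensor reference above; the
# dict spec, validator, renderer and sample are this editor's constructed example.
FILTER_BY = {"credit-card", "ssn", "regexp", "file-type", "file-size", "fingerprint", "watermark", "encrypted"}
FILE_ONLY = {"regexp", "file-type", "file-size", "fingerprint", "watermark"}  # notes: need type file
ACTIONS = {"allow", "log-only", "block", "quarantine-ip"}
EXPIRY_RE = re.compile(r"^(\d{1,3})d(\d{1,2})h(\d{1,2})m$")  # dddhhmm, e.g. 0d0h5m
QUOTED = {"name", "regexp", "company-identifier"}  # free-text values get CLI quotes

def expiry_minutes(expiry):
    """Quarantine duration in minutes; None if not dddhhmm or outside 0d0h1m-364d23h59m."""
    m = EXPIRY_RE.match(expiry)
    total = m and int(m[1]) * 1440 + int(m[2]) * 60 + int(m[3])
    return total if m and 1 <= total <= 364 * 1440 + 23 * 60 + 59 else None

def validate_filter(f):
    """Return the rules from the reference that one filter dict violates (empty = OK)."""
    fb, action = f.get("filter-by"), f.get("action", "allow")  # allow is the default action
    rules = [
        (fb not in FILTER_BY, f"unknown filter-by {fb!r}"),
        (fb in FILE_ONLY and f.get("type", "message") != "file", f"filter-by {fb} needs type file"),
        (fb == "regexp" and not f.get("regexp"), "regexp filter needs set regexp"),
        (fb == "fingerprint" and not 0 <= f.get("match-percentage", 0) <= 100, "match-percentage must be 0-100"),
        (action not in ACTIONS, f"unknown action {action!r}"),
        (action == "quarantine-ip" and expiry_minutes(f.get("expiry", "0d0h5m")) is None,
         "expiry must be dddhhmm within 0d0h1m-364d23h59m"),
        (action != "quarantine-ip" and "expiry" in f, "expiry needs action quarantine-ip"),
    ]
    return [msg for violated, msg in rules if violated]

def render_sensor(name, filters):
    """Emit the FortiOS CLI for a sensor; raise ValueError on the first invalid filter."""
    out = ["config dlp sensor", f"    edit {name}", "        config filter"]
    for i, f in enumerate(filters, 1):
        if errs := validate_filter(f):
            raise ValueError(f"filter {i}: {errs}")
        out.append(f"            edit {i}")
        out += [f"                set {k} " + (f'"{v}"' if k in QUOTED else str(v)) for k, v in f.items()]
        out.append("            next")
    return "\n".join(out + ["        end", "    next", "end"])

# Constructed sample: log card numbers in mail; quarantine hosts uploading a marked file.
SAMPLE = [
    {"name": "cards", "severity": "high", "proto": "smtp pop3 imap", "filter-by": "credit-card",
     "action": "log-only"},
    {"name": "marker", "type": "file", "proto": "http-post", "filter-by": "regexp",
     "regexp": "INTERNAL-ONLY-[0-9]{4}", "action": "quarantine-ip", "expiry": "1d0h0m"},
]
```

Calling render_sensor("example-sensor", SAMPLE) prints the nested edit/next/end block ready to paste into the CLI, while a filter such as file-size without type file is rejected before anything is emitted.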