Administration Guide

Data leak prevention

The FortiGate data leak prevention (DLP) system prevents sensitive data from leaving or entering your network. You can customize the default sensor or create your own by adding individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule. Once configured, you can apply the DLP sensor to a firewall policy. Data matching defined sensitive data patterns is blocked, logged, or allowed when it passes through the FortiGate.

DLP can only be configured in the CLI.

The filters in a DLP sensor can examine traffic for the following:

  • Known files using DLP fingerprinting
  • Known files using DLP watermarking
  • Particular file types
  • Particular file names
  • Files larger than a specified size
  • Data matching a specified regular expression
  • Credit card and social security numbers

Note: Filters are ordered, but there is no precedence between the possible actions.

DLP is primarily used to stop sensitive data from leaving your network. DLP can also be used to prevent unwanted data from entering your network and to archive some or all of the content that passes through the FortiGate. DLP archiving is configured per filter, which allows a single sensor to archive only the required data. You can configure the DLP archiving protocol in the CLI (see Configure DLP sensors).

There are two forms of DLP archiving:

  • Summary only: a summary of all the activity detected by the sensor is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the web, every URL that they visit is recorded.
  • Full: detailed records of all the activity detected by the sensor are recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses the web, every page that they visit is archived.
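To make the filter and archiving behaviour above concrete, here is an added, self-contained model of a DLP sensor written for this page; it is not FortiGate code and does not reproduce FortiOS internals. It applies an ordered list of hypothetical filters (credit card with Luhn validation, SSN pattern, size threshold, and a custom regular expression) to constructed sample email messages, reports every matching filter's action without ranking them (the note above: ordered filters, no precedence between actions), and produces either a summary record (sender, recipient, subject, size) or a full record per filter. Filter names, sample addresses and the PROJECT-codename pattern are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample messages (not captured traffic). The fields mirror what the
# guide says a summary archive records for email: sender, recipient, subject, size.
SAMPLES: List[Dict[str, str]] = [
    {"sender": "alice@example.test", "recipient": "bob@example.test",
     "subject": "Expense report",
     "body": "Card on file: 4111 1111 1111 1111, please reimburse."},
    {"sender": "hr@example.test", "recipient": "payroll@example.test",
     "subject": "New hire",
     "body": "SSN 219-09-9999 for onboarding."},
    {"sender": "dev@example.test", "recipient": "ops@example.test",
     "subject": "Build log PROJECT-ZETA",
     "body": "x" * 2048},
    {"sender": "carol@example.test", "recipient": "dan@example.test",
     "subject": "Lunch",
     "body": "Noon at the usual place? Ticket 1234567890123 is unrelated."},
]

# Candidate card numbers: 13 to 16 digits, optionally separated by spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN in the common dashed form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> List[str]:
    return [m.group() for m in CC_RE.finditer(text) if luhn_ok(m.group())]


def has_ssn(text: str) -> bool:
    return SSN_RE.search(text) is not None


@dataclass
class Filter:
    name: str
    action: str                               # allow | log-only | block
    archive: str                              # none | summary | full
    matches: Callable[[Dict[str, str]], bool]


def archive_record(msg: Dict[str, str], mode: str) -> Optional[Dict[str, object]]:
    """Summary: who, what, how big. Full: the whole message. None: no archive."""
    if mode == "summary":
        return {"sender": msg["sender"], "recipient": msg["recipient"],
                "subject": msg["subject"], "size": len(msg["body"])}
    if mode == "full":
        return dict(msg)
    return None


# Hypothetical filter set, in order, covering four of the filter kinds the guide lists.
FILTERS: List[Filter] = [
    Filter("credit-card", "block", "summary",
           lambda m: bool(find_credit_cards(m["body"]))),
    Filter("ssn", "block", "full", lambda m: has_ssn(m["body"])),
    Filter("large-file", "log-only", "summary", lambda m: len(m["body"]) > 1024),
    Filter("project-codename", "block", "none",
           lambda m: re.search(r"\bPROJECT-[A-Z]{4}\b",
                               m["subject"] + " " + m["body"]) is not None),
]

Hit = Tuple[str, str, Optional[Dict[str, object]]]


def scan(msg: Dict[str, str], filters: List[Filter] = FILTERS) -> List[Hit]:
    """Apply every filter in order and report each match as (name, action, archive).
    No precedence is applied among actions: the caller sees all of them."""
    return [(f.name, f.action, archive_record(msg, f.archive))
            for f in filters if f.matches(msg)]


def scan_all(samples: List[Dict[str, str]] = SAMPLES) -> List[List[Hit]]:
    return [scan(m) for m in samples]


if __name__ == "__main__":
    for msg, hits in zip(SAMPLES, scan_all()):
        print(f"{msg['subject']!r}: {[(n, a) for n, a, _ in hits] or 'no filter matched'}")
```

The third sample matches two filters with different actions (log-only and block) and both are reported in filter order; the fourth sample contains a 13-digit number that fails the Luhn check and so is not treated as a card number, which is the kind of false positive a bare regular-expression filter would raise.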

Protocol comparison between DLP inspection modes

The following table indicates which protocols can be inspected by DLP based on the specified inspection modes.

Inspection mode   HTTP   FTP   IMAP   POP3   SMTP   NNTP   MAPI   CIFS   SFTP/SCP
Proxy             Yes    Yes   Yes    Yes    Yes    Yes    Yes    No     Yes
Flow              Yes    Yes   Yes    Yes    Yes    No     No     Yes    No

The following topics provide information about DLP:
