Data leak prevention
The FortiGate data leak prevention (DLP) system prevents sensitive data from leaving or entering your network by scanning for various patterns while inspecting traffic passing through the FortiGate. Data matching defined sensitive data patterns is blocked, logged, allowed, or quarantined when it passes through the FortiGate.
The DLP system is configured based on the following components:
Component | Description |
---|---|
Data type | Define the type of pattern that DLP is trying to match. For example, this can be a pre-defined type such as keyword, regex, hex, credit card, US social security number (SSN), or other patterns. You can also create custom data types. |
Dictionary | A collection of data type entries. When selecting a data type such as keyword, regex or hex, define the pattern that you are looking for. |
Sensor | Define which dictionaries to check. You can match any dictionary, all dictionaries, or a special logical combination of the dictionaries. It can also count the number of dictionary matches to trigger the sensor. |
File pattern | Define groups of file patterns based on pre-defined file types, or define your own pattern to match the file name. |
DLP profile | Define rules for matching a sensor based on a file type or a message, and the type of protocol being used. It also allows you to choose the action to allow, log, block, or quarantine the address. |
A DLP profile selects one or more sensors, and applies the sensor’s pattern matching against the file type or message that is passing through selected protocols. The profile can be applied to a firewall policy where the traffic will be inspected.
In the backend, DLP uses Hyperscan to perform a one-parse algorithm for scanning multiple patterns. This allows DLP to scale up without any performance downgrade.
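A small Python model of how the components above compose: dictionary entries feed a sensor, and a profile rule ties the sensor to protocols and an action. It is an added illustration, not FortiOS code or configuration; the class and function names, the Luhn check for the credit card type, and the sample policy are assumptions, and it scans each pattern separately rather than in a single pass.

```python
import re
from dataclasses import dataclass

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit strings are not counted as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_matches(entry_type: str, pattern: str, data: str) -> int:
    """Count hits of one dictionary entry (data type + pattern) in the payload."""
    if entry_type == "keyword":
        return len(re.findall(re.escape(pattern), data, re.IGNORECASE))
    if entry_type == "regex":
        return len(re.findall(pattern, data))
    if entry_type == "credit-card":
        cands = re.findall(r"\b(?:\d[ -]?){15}\d\b", data)
        return sum(luhn_ok(re.sub(r"\D", "", c)) for c in cands)
    raise ValueError(f"unknown data type: {entry_type}")

@dataclass
class Sensor:
    dictionaries: dict   # name -> list of (data type, pattern) entries
    thresholds: dict     # name -> minimum match count for the dictionary to count as matched
    mode: str = "any"    # "any" or "all" dictionaries must match
    def triggered(self, data: str) -> bool:
        hits = [sum(count_matches(t, p, data) for t, p in entries) >= self.thresholds[name]
                for name, entries in self.dictionaries.items()]
        return all(hits) if self.mode == "all" else any(hits)

@dataclass
class ProfileRule:
    protocols: set
    sensor: Sensor
    action: str          # allow, log, block or quarantine

def evaluate(rules: list, protocol: str, data: str) -> str:
    """Return the action of the first rule whose protocol and sensor both match."""
    for rule in rules:
        if protocol in rule.protocols and rule.sensor.triggered(data):
            return rule.action
    return "allow"

# Constructed sample policy: block when at least two card numbers AND the keyword appear.
SENSOR = Sensor({"cards": [("credit-card", "")], "project": [("keyword", "confidential")]},
                {"cards": 2, "project": 1}, mode="all")
RULES = [ProfileRule({"smtp", "http"}, SENSOR, "block")]
```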
Protocol comparison between DLP inspection modes
The following table indicates which protocols can be inspected by DLP based on the specified inspection modes.
Inspection mode | HTTP | FTP | IMAP | POP3 | SMTP | NNTP | MAPI | CIFS | SFTP/SCP |
---|---|---|---|---|---|---|---|---|---|
Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Flow | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
DLP can be configured in both the CLI and the GUI irrespective of firewall policy inspection mode.
DLP profiles can only be added to a flow-based firewall policy from the CLI.
Archiving
DLP can archive some or all of the content that passes through the DLP system. There are two forms of DLP archiving.
- Summary only: a summary of all the activity detected by the profile is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses a web browser, every URL that they visit is recorded.
- Full: detailed records of all the activity detected by the profile are recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses a web browser, every page that they visit is archived.
You can configure the type of archiving per protocol.
Logging and blocking files by file name
Sometimes, file names are not accurately recorded in DLP logs, even though the files are blocked correctly based on the DLP profile. This is particularly apparent on cloud-based services, such as Google Drive or SharePoint.
For HTTP file uploads, some cloud services use proprietary encodings and APIs to transfer files and exchange metadata, instead of standard HTTP mechanisms, requiring custom handling of the proprietary API. If a cloud service changes the API without notice, the custom handling becomes outdated and file names might not be logged properly. Due to this, special consideration must be taken when using DLP to block files by file pattern. To block a specific file type, it is better to block by file type, and not by file name pattern.
The following topics provide information about DLP: