Fortinet white logo
Fortinet white logo

Administration Guide

Data loss prevention

Data loss prevention

The FortiGate data loss prevention (DLP) system prevents sensitive data from leaving or entering your network by scanning for various patterns while inspecting traffic passing through the FortiGate. Data matching defined sensitive data patterns is blocked, logged, allowed, or quarantined when it passes through the FortiGate.

The DLP system is configured based on the following components:

Component

Description

Data type

Define the type of pattern that DLP is trying to match. For example, this can be a pre-defined type such as keyword, regex, hex, credit card, US social security number (SSN), or other patterns. You can also create custom data types.

Dictionary

A collection of data type entries. When selecting a data type such as keyword, regex or hex, define the pattern that you are looking for.

EDM template

An exact data match (EDM) template pairs the data from an external file, such as a data threat feed file, with built-in FortiGate data types. The EDM template links to a file on an external server to support dynamic updates.

Sensor

Define which dictionaries to check. You can match any dictionary, all dictionaries, or a special logical combination of the dictionaries. It can also count the number of dictionary matches to trigger the sensor.

File pattern

Define groups of file patterns based on pre-defined file types, or define your own pattern to match the file name.

DLP profile

Define rules for matching a sensor based on a file type or a message, and the type of protocol being used. It also allows you to choose the action to allow, log, block, or quarantine the address.

A DLP profile selects one or more sensors, and applies the sensor’s pattern matching against the file type or message that is passing through selected protocols. The profile can be applied to a firewall policy where the traffic will be inspected.

In the backend, DLP uses Hyperscan to perform a one-parse algorithm for scanning multiple patterns. This allows DLP to scale up without any performance downgrade.

The FortiGuard Data Loss Prevention service enables the identification, monitoring, and protection of an organization's data through data breaches, insider threats, and data exfiltration. It uses a customizable database of more than 500 predefined data patterns and policies to simplify and expedite DLP deployment and integration into existing environments (see FortiGuard DLP service for more information).

Protocol comparison between DLP inspection modes

The following table indicates which protocols can be inspected by DLP based on the specified inspection modes.

HTTP

FTP

IMAP

POP3

SMTP

NNTP

MAPI

CIFS

SFTP/SCP

Proxy

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Flow

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

No

DLP can be configured in both the CLI and the GUI irrespective or firewall policy inspection mode.

Note

To use DLP profiles in a flow-based firewall policy, set feature-set flow must be set from the CLI. See Configuring DLP from the CLI for more information.

DLP profiles can only be added to a flow-based firewall policy from the CLI.

Archiving

DLP can archive some or all of the content that passes through the DLP system. There are two forms of DLP archiving.

  • Summary only: a summary of all the activity detected by the profile is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses a web browser, every URL that they visit is recorded.

  • Full: detailed records of all the activity detected by the profile is recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses a web browser, every page that they visit is archived.

You can configure the type of archiving per protocol.

Logging and blocking files by file name

Sometimes, file names are not accurately recorded in DLP logs, even though the files are blocked correctly based on the DLP profile. This is particularly apparent on cloud-based services, such as Google Drive or SharePoint.

For HTTP file uploads, some cloud services use proprietary encodings and APIs to transfer files and exchange metadata, instead of standard HTTP mechanisms, requiring custom handling of the proprietary API. If a cloud service changes the API without notice, the custom handling becomes outdated and file names might not be logged properly. Due to this, special consideration must be taken when using DLP to block files by file pattern. To block a specific file type, it is better to block by file type, and not by file name pattern.

The following topics provide information about DLP:

Data loss prevention

Data loss prevention

The FortiGate data loss prevention (DLP) system prevents sensitive data from leaving or entering your network by scanning for various patterns while inspecting traffic passing through the FortiGate. Data matching defined sensitive data patterns is blocked, logged, allowed, or quarantined when it passes through the FortiGate.

The DLP system is configured based on the following components:

Component

Description

Data type

Define the type of pattern that DLP is trying to match. For example, this can be a pre-defined type such as keyword, regex, hex, credit card, US social security number (SSN), or other patterns. You can also create custom data types.

Dictionary

A collection of data type entries. When selecting a data type such as keyword, regex or hex, define the pattern that you are looking for.

EDM template

An exact data match (EDM) template pairs the data from an external file, such as a data threat feed file, with built-in FortiGate data types. The EDM template links to a file on an external server to support dynamic updates.

Sensor

Define which dictionaries to check. You can match any dictionary, all dictionaries, or a special logical combination of the dictionaries. It can also count the number of dictionary matches to trigger the sensor.

File pattern

Define groups of file patterns based on pre-defined file types, or define your own pattern to match the file name.

DLP profile

Define rules for matching a sensor based on a file type or a message, and the type of protocol being used. It also allows you to choose the action to allow, log, block, or quarantine the address.

A DLP profile selects one or more sensors, and applies the sensor’s pattern matching against the file type or message that is passing through selected protocols. The profile can be applied to a firewall policy where the traffic will be inspected.

In the backend, DLP uses Hyperscan to perform a one-parse algorithm for scanning multiple patterns. This allows DLP to scale up without any performance downgrade.

The FortiGuard Data Loss Prevention service enables the identification, monitoring, and protection of an organization's data through data breaches, insider threats, and data exfiltration. It uses a customizable database of more than 500 predefined data patterns and policies to simplify and expedite DLP deployment and integration into existing environments (see FortiGuard DLP service for more information).

Protocol comparison between DLP inspection modes

The following table indicates which protocols can be inspected by DLP based on the specified inspection modes.

HTTP

FTP

IMAP

POP3

SMTP

NNTP

MAPI

CIFS

SFTP/SCP

Proxy

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Flow

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

No

DLP can be configured in both the CLI and the GUI irrespective or firewall policy inspection mode.

Note

To use DLP profiles in a flow-based firewall policy, set feature-set flow must be set from the CLI. See Configuring DLP from the CLI for more information.

DLP profiles can only be added to a flow-based firewall policy from the CLI.

Archiving

DLP can archive some or all of the content that passes through the DLP system. There are two forms of DLP archiving.

  • Summary only: a summary of all the activity detected by the profile is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses a web browser, every URL that they visit is recorded.

  • Full: detailed records of all the activity detected by the profile is recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses a web browser, every page that they visit is archived.

You can configure the type of archiving per protocol.

Logging and blocking files by file name

Sometimes, file names are not accurately recorded in DLP logs, even though the files are blocked correctly based on the DLP profile. This is particularly apparent on cloud-based services, such as Google Drive or SharePoint.

For HTTP file uploads, some cloud services use proprietary encodings and APIs to transfer files and exchange metadata, instead of standard HTTP mechanisms, requiring custom handling of the proprietary API. If a cloud service changes the API without notice, the custom handling becomes outdated and file names might not be logged properly. Due to this, special consideration must be taken when using DLP to block files by file pattern. To block a specific file type, it is better to block by file type, and not by file name pattern.

The following topics provide information about DLP: