Sensitivity labels
Sensitivity labels mark data according to how sensitive it is, so that the appropriate protections can be applied to it. Microsoft Purview Information Protection (formerly Microsoft Information Protection, MIP) provides sensitivity labels that identify the classification of a document or email and travel with it. See Protect your sensitive data with Microsoft Purview (formerly MIP) for more information.
FortiGate can detect and control traffic that carries files with a sensitivity label. The Data Loss Prevention (DLP) dictionary includes a pre-defined data type, mip-label, for this purpose. See Microsoft Purview sensitivity labels for more information.
Example
This configuration blocks HTTPS upload traffic that matches the DLP profile.
When inspecting commonly-used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection; otherwise the FortiGate cannot see the file contents and the label cannot be matched. See Deep inspection for more information. Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed, or the client will see certificate errors.
Sample topology
In this example, a Microsoft Office document that was marked with a sensitivity label in the Office desktop application is attached to an email in the Chrome browser. See Learn about sensitivity labels for more information. The FortiGate intercepts this traffic using deep inspection and blocks the upload of the attachment because it matches the DLP profile configured on this FortiGate.
When a sensitivity label is included in HTTPS upload traffic, the file is blocked and a DLP log is generated. See Sample log for a log sample.
Prerequisites
Before configuring FortiGate, complete the following steps:
1. Create and configure sensitivity labels and their policies. See Create sensitivity labels for more information.
2. Apply a sensitivity label to content. See Apply sensitivity labels to your files and email for more information.
   Once a sensitivity label is applied to a file, it is displayed on the sensitivity bar.
3. Obtain the Globally Unique Identifier (GUID) of each sensitivity label you want to match. See Search for documents by sensitivity label for more information.
   A label GUID is 32 hexadecimal digits in 8-4-4-4-12 groups, such as the ca51e4ff-0733-4744-bebb-d3e1eb6383f4 used in this example.
   FortiGate matches labels by GUID: the Pattern of a mip-label dictionary entry is set to the label's GUID.
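Before typing a GUID into the dictionary, it is worth confirming which GUID a labeled file actually carries. The following Python script is an added example written for this page, not Fortinet code and not a description of how the FortiGate parses files. It relies on the way Office Open XML files (.docx/.xlsx/.pptx) record an applied label: as custom document properties in docProps/custom.xml whose names embed the label GUID (MSIP_Label_<GUID>_Enabled, MSIP_Label_<GUID>_Name, and so on). The sample document is constructed in memory with only the parts needed to show this, so it is not a Word-openable file; the function names are the example's own.

```python
import io
import re
import zipfile

# Sample label GUID, the same value used as the dictionary pattern in this example.
EXAMPLE_LABEL_GUID = "ca51e4ff-0733-4744-bebb-d3e1eb6383f4"

# A GUID as it must appear in a mip-label dictionary entry: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# In Office Open XML files, an applied sensitivity label is recorded as custom document
# properties in docProps/custom.xml whose names embed the label GUID, e.g.
# MSIP_Label_<GUID>_Enabled and MSIP_Label_<GUID>_Name.
LABEL_PROP_RE = re.compile(r'name="MSIP_Label_(' + GUID_RE.pattern + r')_Enabled"')


def is_valid_label_guid(pattern: str) -> bool:
    """Sanity check for the value you are about to enter as the mip-label Pattern."""
    return GUID_RE.fullmatch(pattern.strip()) is not None


def build_labeled_docx(label_guid: str, label_name: str = "Confidential") -> bytes:
    """Build a minimal .docx-style zip carrying a MIP label.

    Constructed sample data for this example only: just enough parts to show where the
    label GUID lives, not a complete Office document.
    """
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">\n'
        f'  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" '
        f'name="MSIP_Label_{label_guid}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>\n'
        f'  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="3" '
        f'name="MSIP_Label_{label_guid}_Name"><vt:lpwstr>{label_name}</vt:lpwstr></property>\n'
        '</Properties>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


def extract_label_guids(docx_bytes: bytes) -> set:
    """Return the lowercase GUIDs of all MIP labels found in the file's custom properties.

    Returns an empty set for unlabeled files, files without docProps/custom.xml, and data
    that is not a zip at all. Legacy binary formats (.doc/.xls/.ppt) keep these properties
    in OLE property streams instead and are not handled here.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            if "docProps/custom.xml" not in zf.namelist():
                return set()
            xml = zf.read("docProps/custom.xml").decode("utf-8", errors="replace")
    except zipfile.BadZipFile:
        return set()
    return {guid.lower() for guid in LABEL_PROP_RE.findall(xml)}


def matches_dictionary(docx_bytes: bytes, dictionary_patterns) -> bool:
    """Does any label GUID in the file equal one of the configured dictionary patterns?

    Comparison is case-insensitive because GUIDs are written in either case.
    """
    wanted = {p.lower() for p in dictionary_patterns}
    return not extract_label_guids(docx_bytes).isdisjoint(wanted)


if __name__ == "__main__":
    labeled = build_labeled_docx(EXAMPLE_LABEL_GUID)
    print("label GUIDs in file:", extract_label_guids(labeled))
    print("matches dic-case5:", matches_dictionary(labeled, [EXAMPLE_LABEL_GUID]))
```

Run extract_label_guids on a copy of a real labeled .docx from your tenant and compare the result with the GUID from step 3; if they differ, the dictionary pattern will never match. The sample log later on this page involves a legacy .doc file, which stores the same properties in OLE streams, so this script would need an OLE parser to cover that format.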
To block HTTPS upload traffic that includes MIP labels in the GUI:
1. Configure the DLP dictionary:
   a. Go to Security Profiles > Data Loss Prevention, select the Dictionaries tab, and click Create New.
   b. Set Name to dic-case5.
   c. In the Dictionary Entries table, click Create New:
      i. Set Type to mip-label.
      ii. Set Pattern to ca51e4ff-0733-4744-bebb-d3e1eb6383f4.
          The pattern is the GUID of a specific sensitivity label. Use your own label's GUID in this step. See step 3 of Prerequisites for how to obtain it.
      iii. Click OK.
   d. Click OK.
2. Configure the DLP profile:
   a. Go to Security Profiles > Data Loss Prevention, select the Profiles tab, and click Create New.
   b. Enter a name, such as profile-case5.
   c. In the Rules section, click Create New.
   d. Configure the following settings:
      Name               mip-label
      Data source type   MIP label
      MIP                dic-case5
      Severity           Critical
      Action             Block
      Match type         File
      File type          builtin-patterns
      Protocol           SMTP, POP3, IMAP, HTTP-GET, HTTP-POST, FTP, NNTP, MAPI, SSH, CIFS
   e. Click OK.
   f. Click OK to save the profile.
3. Add the DLP profile to a firewall policy:
   a. Go to Policy & Objects > Firewall Policy and click Create New.
   b. Set the Inspection Mode to Proxy-based.
   c. In the Security Profiles section, enable DLP Profile and select profile-case5.
   d. Set SSL Inspection to deep-inspection.
   e. Configure the other settings as needed.
   f. Click OK.
To block HTTPS upload traffic that includes MIP labels in the CLI:
1. Configure the DLP dictionary:
       config dlp dictionary
           edit "dic-case5"
               config entries
                   edit 1
                       set type "mip-label"
                       set pattern "ca51e4ff-0733-4744-bebb-d3e1eb6383f4"
                   next
               end
           next
       end
   The set pattern value is the GUID of a specific sensitivity label. Use your own label's GUID in this step. See step 3 of Prerequisites for how to obtain it.
2. Configure the DLP profile:
       config dlp profile
           edit "profile-case5"
               set feature-set proxy
               config rule
                   edit 1
                       set name "mip-label"
                       set severity critical
                       set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                       set filter-by mip
                       set file-type 1
                       set label "dic-case5"
                       set action block
                   next
               end
           next
       end
3. Add the DLP profile to a firewall policy:
       config firewall policy
           edit 1
               set srcintf "port2"
               set dstintf "port1"
               set action accept
               set srcaddr "all"
               set dstaddr "all"
               set schedule "always"
               set service "ALL"
               set utm-status enable
               set inspection-mode proxy
               set ssl-ssh-profile "deep-inspection"
               set dlp-profile "profile-case5"
               set nat enable
           next
       end
Sample log
In this sample, a user on a Windows device tried to send an email through Gmail's webmail service with an attachment carrying a MIP label. The FortiGate blocked the upload of the attachment and generated the following log. The fields that confirm the match are filtertype="mip", dlpextra="dic-case5" (the dictionary that matched), profile="profile-case5", filetype="msoffice", and action="block".
1: date=2023-11-02 time=06:31:07 eventtime=1698863466313615946 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="1" dlpextra="dic-case5" filtertype="mip" filtercat="file" severity="critical" policyid=1 poluuid="8bd1908e-7839-51ee-e86b-e411056688ec" policytype="policy" sessionid=2988 epoch=1712884745 eventid=0 srcip=10.10.10.1 srcport=49985 srccountry="Reserved" srcintf="port2" srcintfrole="lan" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=142.251.211.229 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="lan" dstuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" proto=6 service="HTTPS" filetype="msoffice" direction="outgoing" action="block" hostname="mail.google.com" url="https://mail.google.com/_/upload?authuser=0&dcp=asu-n&upload_id=ABPtcPoZPYAkCzE-FaGZS_QUNjml-0vPOGdjf7nk02kKLLnoTmg-wqsAbeWfuzerDACV0b8dZ6v0bkUZnB57Is1QdvjFBE2r90bT&upload_protocol=resumable" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://mail.google.com/mail/u/0/" filename="doc.doc" filesize=53248 profile="profile-case5"
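When these events are forwarded to a SIEM or reviewed on the FortiGate itself, the first job is to pull the handful of fields that matter out of the key=value line. The following Python script is an added example for this page, not Fortinet code. Its first sample line is a constructed copy of the log above with the long upload URL shortened; the second is an invented log-only DLP event from a different profile, included so the filter has something to reject. The function names are the example's own.

```python
import re

# Constructed log lines in the FortiOS key=value format. The first reproduces the relevant
# fields of the sample log on this page (URL shortened); the second is invented: the same
# kind of DLP event, but from a rule whose action is log-only rather than block.
SAMPLE_LOGS = [
    'date=2023-11-02 time=06:31:07 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" '
    'level="warning" vd="root" ruleid=1 rulename="1" dlpextra="dic-case5" filtertype="mip" '
    'filtercat="file" severity="critical" policyid=1 srcip=10.10.10.1 srcport=49985 '
    'dstip=142.251.211.229 dstport=443 proto=6 service="HTTPS" filetype="msoffice" '
    'direction="outgoing" action="block" hostname="mail.google.com" '
    'url="https://mail.google.com/_/upload?authuser=0&upload_protocol=resumable" '
    'httpmethod="POST" filename="doc.doc" filesize=53248 profile="profile-case5"',
    'date=2023-11-02 time=06:40:12 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" '
    'level="notice" vd="root" ruleid=1 rulename="mip-label" dlpextra="dic-other" filtertype="mip" '
    'filtercat="file" severity="low" policyid=2 srcip=10.10.10.2 srcport=50011 '
    'dstip=203.0.113.10 dstport=443 proto=6 service="HTTPS" filetype="msoffice" '
    'direction="outgoing" action="log-only" hostname="files.example.com" '
    'url="https://files.example.com/upload" httpmethod="POST" filename="plan.docx" '
    'filesize=1024 profile="profile-other"',
]

# key=value pairs; values are either double-quoted (and may contain spaces, '=' and '&',
# as the url field does) or a bare token. A quoted value is captured without its quotes.
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS log line into a dict of field name -> string value."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in FIELD_RE.finditer(line)}


def is_mip_label_block(fields: dict) -> bool:
    """True for a DLP event where a MIP label dictionary matched and the file was blocked."""
    return (fields.get("type") == "utm" and fields.get("subtype") == "dlp"
            and fields.get("filtertype") == "mip" and fields.get("action") == "block")


def summarize_mip_blocks(lines) -> list:
    """Reduce raw log lines to the fields an analyst triages first."""
    out = []
    for line in lines:
        f = parse_fortios_log(line)
        if not is_mip_label_block(f):
            continue
        out.append({
            "when": f"{f.get('date')} {f.get('time')}",
            "src": f.get("srcip"),
            "dst": f"{f.get('hostname')} ({f.get('dstip')}:{f.get('dstport')})",
            "file": f"{f.get('filename')} [{f.get('filetype')}, {f.get('filesize')} bytes]",
            "dictionary": f.get("dlpextra"),
            "profile": f.get("profile"),
            "policyid": f.get("policyid"),
        })
    return out


if __name__ == "__main__":
    for event in summarize_mip_blocks(SAMPLE_LOGS):
        print(event)
```

The quoted-value branch of FIELD_RE matters: a naive split on spaces or on "=" breaks on the url field, whose value contains both. The filter keys on filtertype="mip" and action="block" rather than on the rule name, because rulename is whatever the administrator typed (here it is "1").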