Administration Guide

FortiGuard DLP service

The FortiGuard DLP service offers a database of predefined DLP patterns such as data types, dictionaries, and sensors. Examples include:

  • Driver's licenses for various countries, various states in the USA, and various provinces in Canada

  • Tax numbers for various countries

  • Credit card numbers

  • Bank statements

When enabled, the DLP database (DLDB) is downloaded to the FortiGate and its predefined patterns can be configured in DLP profiles.

To configure DLP database updates:

    config system fortiguard
        set update-dldb {enable | disable}
    end

To verify the database signature status:

    # diagnose autoupdate versions
    ...
    DLP Signature
    ---------
    Version: 1.00010 signed
    Contract Expiry Date: n/a
    Last Updated using manual update on Fri Jan 27 15:25:00 2023
    Last Update Attempt: Mon Jan 30 15:18:39 2023
    Result: No Updates
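
The status check above can be automated when auditing several devices. The following is an added example, not part of the Fortinet guide: it parses the DLP Signature section from saved `diagnose autoupdate versions` output and reports findings. The function names, the 7-day `max_age` threshold, and the assumption that sections are separated by blank lines are illustrative choices.

```python
import re
from datetime import datetime, timedelta

# Section text copied from this page's example output ("..." stands for other sections).
SAMPLE = """...
DLP Signature
---------
Version: 1.00010 signed
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jan 27 15:25:00 2023
Last Update Attempt: Mon Jan 30 15:18:39 2023
Result: No Updates
"""
TS = "%a %b %d %H:%M:%S %Y"  # timestamp layout used in the output above

def parse_section(output, title="DLP Signature"):
    """Return the fields of one titled section as a dict, or None if it is absent."""
    lines = [l.strip() for l in output.splitlines()]
    if title not in lines:
        return None
    info = {}
    for line in lines[lines.index(title) + 1:]:
        if not line and info:
            break  # assumed: a blank line after the fields ends the section
        if m := re.fullmatch(r"Version: (\S+)( signed)?", line):
            info["version"], info["signed"] = m[1], m[2] is not None
        elif m := re.fullmatch(r"Last Updated using (.+) on (.+)", line):
            info["method"], info["updated"] = m[1], datetime.strptime(m[2], TS)
        elif m := re.fullmatch(r"Last Update Attempt: (.+)", line):
            info["attempt"] = datetime.strptime(m[1], TS)
        elif m := re.fullmatch(r"Result: (.+)", line):
            info["result"] = m[1]
    return info

def check_dldb(output, now, max_age=timedelta(days=7)):
    """Return findings; an empty list means no issue. max_age is an assumed threshold."""
    info = parse_section(output)
    if info is None:
        return ["DLP Signature section not found"]
    findings = []
    if not info.get("signed"):
        findings.append("version is not marked signed")
    if "attempt" not in info or now - info["attempt"] > max_age:
        findings.append("no update attempt within max_age")
    return findings

if __name__ == "__main__":
    print(check_dldb(SAMPLE, now=datetime(2023, 1, 31)))
```

Staleness is judged from the last update attempt rather than the last update, because a recent attempt with the result "No Updates" means the installed database is already current.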

Example

In this example, the administrator wants to look for data leakage of Canadian Social Insurance Number (SIN) information and block this traffic. A DLP profile is created that uses the predefined dictionary, fg-can-natl_id-sin-dict, to check for SINs.

To verify that the Canadian SIN data type is added to the list of predefined data types:

    show dlp data-type
    config dlp data-type
        ...
        edit "fg-can-natl_id-proximity"
            set pattern "fortiguard dlp signature"
        next
    end

To configure the DLP profile in the GUI:
  1. Configure the DLP sensor using the predefined dictionary from FortiGuard:

    1. Go to Security Profiles > Data Loss Prevention, select the Sensors tab, and click Create New.

    2. Enter a name (sin).

    3. In the Sensor Entries section, click Create New.

    4. Set the Dictionary to fg-can-natl_id-sin-dict and click OK.

    5. Click OK to save the sensor.

  2. Configure the DLP profile:

    1. Go to Security Profiles > Data Loss Prevention, select the Profiles tab, and click Create New.

    2. Enter a name (test).

    3. In the Rules section, click Create New.

    4. Configure the following settings:

      Name         test
      Sensors      sin
      Severity     Medium
      Action       Block
      Type         File
      File type    all_executables
      Protocol     SMTP, POP3, IMAP, HTTP-GET, HTTP-POST, FTP

    5. Click OK.

    6. Click OK to save the profile.

To configure the DLP profile in the CLI:
  1. Configure the DLP sensor using the predefined dictionary from FortiGuard:

    config dlp sensor
        edit "sin"
            config entries
                edit 1
                    set dictionary "fg-can-natl_id-sin-dict"
                next
            end
        next
    end

  2. Configure the DLP profile:

    config dlp profile
        edit "test"
            set feature-set proxy
            config rule
                edit 1
                    set name "test"
                    set proto smtp pop3 imap http-get http-post ftp
                    set filter-by sensor
                    set file-type 2
                    set sensor "sin"
                    set action block
                next
            end
        next
    end
