Data loss prevention (DLP) protection for secrets
Note: DLP is available for secret launching only when you have a valid Advanced Malware Protection (
DLP, or Data Loss Prevention, is a security control that detects and prevents data breaches by inspecting content in transit. Because it blocks the extraction of sensitive data, it serves both internal security and regulatory compliance.
The filters in a DLP sensor can examine traffic for the following:
- Known files using DLP fingerprinting
- Known files using DLP watermarking
- Particular file types
- Particular file names
- Files larger than a specified size
- Data matching a specified regular expression
DLP is primarily used to stop sensitive data from leaving your network. DLP can also prevent unwanted data from entering your network and archive some or all of the content that passes through FortiPAM. DLP archiving is configured per filter, so a single sensor can archive only the data that is required. The DLP archiving protocol can be configured in the GUI and via the CLI.
The following basic filter types can be configured in the GUI and via the CLI:
- File type and name: A file type filter allows you to block, allow, log, or quarantine based on the file type or file name pattern specified in the file pattern list. See Supported file types.
- File size: A file size filter checks for files that exceed the specified size and performs the DLP sensor's configured action on them.
- Regular expression: A regular expression filter filters files or messages based on the configured regular expression pattern.
Secret Settings > Data Leak Prevention displays a list of the configured DLP sensors.
For each DLP sensor, the name, comments, and reference count are shown.
FortiPAM offers the following preconfigured DLP sensors:
Note: You cannot delete the default DLP sensors.
The Data Leak Prevention tab contains the following options:
Create New | Select to create a new DLP sensor. See Creating a DLP sensor.
Edit | Select to edit the selected DLP sensor.
Clone | Select to clone the selected DLP sensor.
Delete | Select to delete the selected DLP sensors.
Search | Search the DLP sensors list.
Creating a DLP sensor
To create a DLP sensor:
- Go to Secret Settings > Data Leak Prevention.
- From the DLP sensors list, select Create New.
The New DLP Sensor window opens.
- Enter the following information:
Name
Name of the DLP sensor.
Comments
Optionally, enter a description for the DLP sensor.
DLP Log
Enable to generate a log entry when data matches the configured patterns.
The option is enabled by default.
Rules
Create or edit DLP filter rules. See Creating DLP filter rules.
- Click OK.
Creating DLP filter rules
Note: Use the search bar to look up a DLP filter rule.
To create a DLP filter rule:
- When creating a DLP sensor (see Creating a DLP sensor), select Create New in Rules.
The Create New Dlp Filter Rule window opens.
- Enter the following information:
Name
Name of the DLP filter rule.
Severity
Select a severity for the DLP filter rule: Information, Low, Medium, High, or Critical.
Filter By
Select the filter from the dropdown list:
Match a Regular Expression
Match a DLP File Pattern
Match Any File Over Size
Look for Defined File Watermarks
Match DLP File Pattern and File Size Over
Match against fingerprint sensitivity
Regular Expression
Enter the pattern that network traffic is examined for.
Note: The option is only available when Match a Regular Expression is set as the filter.
File Size
Enter the file size threshold in kilobytes (default = 10, range 0 - 4294967295). Files larger than this size trigger the filter.
Note: The option is only available when Match Any File Over Size or Match DLP File Pattern and File Size Over is set as the filter.
Company Identifier
Enter the company identifier. The company identifier is to make sure that you are only blocking watermarks that your company has placed on the files, not watermarks with the same name by other companies.
Note: The option is only available when Look for Defined File Watermarks is set as the filter.
File Pattern
Select or create a DLP file pattern.
Use the pen icon next to the file pattern to edit it.
Note: The option is only available when Match a DLP File Pattern or Match DLP File Pattern and File Size Over is set as the filter.
Protocols
Select one or more protocols that the filter will examine. Restricting a filter to the relevant protocols avoids spending inspection resources on traffic that cannot carry the data in question. The available protocols are HTTP-GET, HTTP-POST, and SSH.
Filtering MAPI and SSH protocols only works in proxy mode.
Use the search bar to look up a protocol.
Sensitivity
Select a sensitivity for the DLP filter rule: Critical, Private, or Warning.
Note: The option is only available when Look for Defined File Watermarks or Match against fingerprint sensitivity is selected as the filter.
Action
Select an action to take if the filter is triggered. Available actions are Allow, Log Only, and Block.
- Click OK.
From the list, select a rule and then select Edit to edit the rule.
From the list, select rules and then select Delete to delete the rules.
DLP via the CLI example
To configure a file type and name filter:
- In the CLI console, enter the following commands to create a file pattern that matches files by file name pattern or by file type. In this example, the pattern matches GIFs (by name) and PDFs (by type):
    config dlp filepattern
        edit 11
            set name "sample_config"
            config entries
                edit "*.gif"
                    set filter-type pattern
                next
                edit "pdf"
                    set filter-type type
                    set file-type pdf
                next
            end
        next
    end
- Create the DLP sensor and reference file pattern 11 from a filter (Note: the http-get and http-post protocols apply to Web SFTP and Web SMB launchers):
    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-type
                    set file-type 11
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
To configure file size filtering:
- In the CLI console, use the following commands. The threshold is given in kilobytes, matching the File Size setting in the GUI; files larger than it trigger the filter:
    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-size
                    set file-size <kilobytes>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
To configure regular expression filtering:
- In the CLI console, use the following commands:
    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set type {file | message}
                    set proto {http-get http-post ssh}
                    set filter-by regexp
                    set regexp <string>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
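The following Python model is an added example and is not FortiPAM code; it exists so that the three basic filter types described above (file type and name, file size, regular expression) and the CLI sensor examples can be reasoned about and a regular expression can be tested against sample content before it is pushed to a sensor. It mirrors the CLI example: file pattern 11 holds "*.gif" as a name pattern and "pdf" as a file type, and the sensor evaluates its filters top-down, stopping at the first match. The magic-byte table used for type detection, the case-insensitive name matching, the first-match ordering, the private-key regular expression and all sample transfers are assumptions constructed for this illustration, not documented FortiPAM behaviour.

```python
import fnmatch
import re
from dataclasses import dataclass, field


# Constructed magic-byte table standing in for the appliance's file-type
# detection; the real detection table is not on this page (assumption).
MAGIC = {
    "pdf": b"%PDF-",
    "gif": b"GIF8",
}


@dataclass
class FilePatternEntry:
    """One entry of 'config dlp filepattern': a filename glob or a file type."""
    value: str          # glob such as "*.gif" (pattern) or a type name (type)
    filter_type: str    # "pattern" or "type"

    def matches(self, name: str, data: bytes) -> bool:
        if self.filter_type == "pattern":
            # Name matching is treated as case-insensitive here (assumption).
            return fnmatch.fnmatch(name.lower(), self.value.lower())
        # Type matching inspects content, so renaming the file does not help.
        return data.startswith(MAGIC[self.value])


@dataclass
class Filter:
    """One 'config filter' entry of a DLP sensor."""
    name: str
    filter_by: str                      # "file-type", "file-size", "regexp"
    action: str                         # "allow", "log-only", "block"
    file_pattern: list = field(default_factory=list)
    file_size_kb: int = 10              # GUI default is 10 KB
    regexp: str = ""

    def triggered(self, name: str, data: bytes) -> bool:
        if self.filter_by == "file-type":
            return any(e.matches(name, data) for e in self.file_pattern)
        if self.filter_by == "file-size":
            return len(data) > self.file_size_kb * 1024
        if self.filter_by == "regexp":
            # latin-1 maps every byte, so binary content never raises.
            return re.search(self.regexp, data.decode("latin-1")) is not None
        raise ValueError(f"unknown filter-by {self.filter_by!r}")


def evaluate(sensor: list, name: str, data: bytes) -> tuple:
    """Return (action, filter name) of the first filter that triggers.
    First-match, top-down ordering is an assumption; when nothing matches
    the transfer is allowed."""
    for f in sensor:
        if f.triggered(name, data):
            return f.action, f.name
    return "allow", None


# Mirrors the CLI example: filepattern 11 holds "*.gif" (pattern) and "pdf" (type).
FILE_PATTERN_11 = [
    FilePatternEntry("*.gif", "pattern"),
    FilePatternEntry("pdf", "type"),
]

SENSOR = [
    Filter("block_gif_pdf", "file-type", "block", file_pattern=FILE_PATTERN_11),
    # PEM private-key header; the pattern is an assumption for illustration.
    Filter("block_private_key", "regexp", "block",
           regexp=r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    Filter("log_large", "file-size", "log-only", file_size_kb=1),
]


def demo() -> dict:
    """Run constructed sample transfers through SENSOR."""
    samples = {
        "report.pdf": b"%PDF-1.7 constructed sample",
        "report.txt": b"%PDF-1.7 renamed to dodge the name check",
        "logo.GIF": b"GIF89a constructed sample",
        "notes.txt": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "dump.bin": b"\x00" * 2048,
        "hello.txt": b"nothing sensitive here",
    }
    return {name: evaluate(SENSOR, name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:12} -> {action:8} ({rule})")
```

The renamed PDF ("report.txt") is the case worth noting: a name pattern alone would let it through, while a file type entry keyed on content still catches it, which is why the CLI example pairs a "*.gif" pattern with a "pdf" type rather than relying on extensions. Order matters too: because the size filter is last and only logs, a large file carrying a private key is blocked by the regexp filter rather than merely logged.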