Administration Guide

Data loss prevention (DLP) protection for secrets

DLP is available for secret launching only when you have a valid Advanced Malware Protection (AVDB & DLP) license.

DLP, or Data Loss Prevention, is a cybersecurity solution that detects and prevents data breaches. Because it blocks the exfiltration of sensitive data, it can be used both for internal security and for regulatory compliance.

The filters in a DLP sensor can examine traffic for the following:

  • Known files using DLP fingerprinting

  • Known files using DLP watermarking

  • Particular file types

  • Particular file names

  • Files larger than a specified size

  • Data matching a specified regular expression

DLP is primarily used to stop sensitive data from leaving your network. DLP can also prevent unwanted data from entering your network and archive some or all of the content that passes through the FortiPAM. DLP archiving is configured per filter, which allows a single sensor to archive only the required data. You can configure the DLP archiving protocol on the GUI and via the CLI.

The following basic filter types can be configured on the GUI and via the CLI:

  • File type and name: A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list. See Supported file types.

  • File size: A file size filter checks for files that exceed the specified size and performs the DLP sensor's configured action on them.

  • Regular expression: A regular expression filter filters files or messages based on the configured regular expression pattern.

Data Leak Prevention in Secret Settings displays a list of configured DLP sensors.

For each DLP sensor, the name, comments, and reference count are shown.

FortiPAM offers the following preconfigured DLP sensors:

  • All_Executables: Includes a DLP filter rule that filters all the available protocols by their file types.

  • Content_Archive

  • Content_Summary

  • Large_Files: Includes a DLP filter rule that filters all the available protocols by their file sizes.

You cannot delete the default DLP sensors.

The Data Leak Prevention tab contains the following options:

Create New

Select to create a new DLP sensor. See Creating a DLP sensor.

Edit

Select to edit the selected DLP sensor.

Clone

Select to clone the selected DLP sensor.

Delete

Select to delete the selected DLP sensors.

Search

Search the DLP sensors list.

Creating a DLP sensor

To create a DLP sensor:
  1. Go to Secret Settings > Data Leak Prevention.
  2. From the DLP sensors list, select Create New.

    The New DLP Sensor window opens.

  3. Enter the following information:

    Name

    Name of the DLP sensor.

    Comments

    Optionally, enter a description for the DLP sensor.

    DLP Log

    Enable to generate a log entry when data matches the configured patterns.

    The option is enabled by default.

    Rules

    Create or edit DLP filter rules. See Creating DLP filter rules.

  4. Click OK.

Creating DLP filter rules

Use the search bar to look up a DLP filter rule.

To create a DLP filter rule:
  1. In step 2 when Creating a DLP sensor, select Create New in Rules.

    The Create New Dlp Filter Rule window opens.

  2. Enter the following information:

    Name

    Name of the DLP filter rule.

    Severity

    Select a severity for the DLP filter rule: Information, Low, Medium, High, or Critical.

    Filter By

    Select the filter from the dropdown list:

    • Match a Regular Expression

    • Match a DLP File Pattern

    • Match Any File Over Size

    • Look for Defined File Watermarks

    • Match DLP File Pattern and File Size Over

    • Match against fingerprint sensitivity

    Regular Expression

    Enter the pattern that network traffic is examined for.

    Note: The option is only available when Match a Regular Expression is set as the filter.

    File Size

    Enter the maximum file size in kilobytes (default = 10, 0 - 4294967295).

    Note: The option is only available when Match Any File Over Size or Match DLP File Pattern and File Size Over is set as the filter.

    Company Identifier

    Enter the company identifier. The company identifier is to make sure that you are only blocking watermarks that your company has placed on the files, not watermarks with the same name by other companies.

    Note: The option is only available when Look for Defined File Watermarks is set as the filter.

    File Pattern

    Select or create a DLP file pattern.

    Use the pen icon next to the file pattern to edit it.

    Note: The option is only available when Match a DLP File Pattern or Match DLP File Pattern and File Size Over is set as the filter.

    Protocols

    Select one or more protocols that the filter will examine. This allows resources to be optimized by only examining relevant traffic. The available protocols are HTTP-GET, HTTP-POST, and SSH.

    Filtering the MAPI and SSH protocols only works in proxy mode.

    Use the search bar to look up a protocol.

    Sensitivity

    Select a sensitivity for the DLP filter rule: Critical, Private, or Warning.

    Note: The option is only available when Look for Defined File Watermarks or Match against fingerprint sensitivity is selected as the filter.

    Action

    Select an action to take if the filter is triggered. Available actions are Allow, Log Only, and Block.

  3. Click OK.

    From the list, select a rule and then select Edit to edit the rule.

    From the list, select rules and then select Delete to delete the rules.

DLP via the CLI Example

To configure a file type and name filter:
  1. In the CLI console, enter the following commands to create a file pattern to filter files based on the file name pattern or file type. In this example, we intend to filter for GIFs and PDFs:

    config dlp filepattern
        edit 11
            set name "sample_config"
            config entries
                edit "*.gif"
                    set filter-type pattern
                next
                edit "pdf"
                    set filter-type type
                    set file-type pdf
                next
            end
        next
    end

  2. Create the DLP sensor; set file-type 11 references the ID of the file pattern created in step 1 (Note: the http-get and http-post protocols apply to Web SFTP and Web SMB launchers):

    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-type
                    set file-type 11
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end

To configure file size filtering:
  1. In the CLI console, use the following commands. The size is given in kilobytes, as in the File Size field on the GUI, and files larger than it trigger the action:

    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set proto {http-get http-post ssh}
                    set filter-by file-size
                    set file-size <integer>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end

To configure regular expression filtering:
  1. In the CLI console, use the following commands. The type setting selects whether the expression is matched against transferred files or against messages:

    config dlp sensor
        edit <name>
            config filter
                edit <id>
                    set name <string>
                    set type {file | message}
                    set proto {http-get http-post ssh}
                    set filter-by regexp
                    set regexp <string>
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
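To sanity-check a sensor's rules before committing them on the appliance, the following Python model of the three CLI filter types above (file type, file size, regular expression) lets you replay sample transfers against a rule set. It is example code added for this page, not FortiPAM's implementation: it assumes filters are evaluated in order with the first match deciding, approximates "type" file pattern entries by file extension, and the SENSOR rules and sample transfers are constructed.

```python
import fnmatch, re
from dataclasses import dataclass, field

# Values from the page: launcher protocols, CLI actions and the File Size range (kilobytes).
PROTOCOLS = {"http-get", "http-post", "ssh"}
ACTIONS = {"allow", "log-only", "block", "quarantine-ip"}
MAX_FILE_SIZE_KB = 4294967295

@dataclass
class Filter:
    """One 'config filter' entry of a DLP sensor: filter-by file-type, file-size or regexp."""
    name: str
    filter_by: str
    proto: set
    action: str
    entries: dict = field(default_factory=dict)  # filepattern entries: name -> "pattern"|"type"
    file_size: int = 0                           # kilobytes; larger files match
    regexp: str = ""

    def __post_init__(self):
        if (self.proto - PROTOCOLS) or self.action not in ACTIONS:
            raise ValueError(f"{self.name}: unknown protocol or action")
        if not 0 <= self.file_size <= MAX_FILE_SIZE_KB:
            raise ValueError(f"{self.name}: file-size outside 0-{MAX_FILE_SIZE_KB}")

    def matches(self, proto, filename="", size_kb=0, content=""):
        if proto not in self.proto:              # a filter only examines its own protocols
            return False
        if self.filter_by == "file-type":
            # "pattern" entries are name globs ("*.gif"); "type" entries are approximated by
            # extension here (assumption), whereas the appliance identifies the type from content.
            fn = filename.lower()
            return any(fnmatch.fnmatch(fn, e.lower()) if k == "pattern" else fn.endswith("." + e.lower())
                       for e, k in self.entries.items())
        if self.filter_by == "file-size":
            return size_kb > self.file_size
        return re.search(self.regexp, content) is not None

def evaluate(filters, **transfer):
    """Assumption: filters are tried in order and the first match decides the action."""
    for f in filters:
        if f.matches(**transfer):
            return f.name, f.action
    return None, "allow"

# Constructed sensor mirroring the CLI example: filepattern 11 blocked on all launchers,
# web transfers over 10 KB logged, and private-key material typed or pasted over SSH blocked.
SENSOR = [
    Filter("gif_pdf", "file-type", PROTOCOLS, "block", entries={"*.gif": "pattern", "pdf": "type"}),
    Filter("large", "file-size", {"http-get", "http-post"}, "log-only", file_size=10),
    Filter("privkey", "regexp", {"ssh"}, "block", regexp=r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]
```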
