Create or edit a DLP filter rule
Each DLP sensor must have one or more DLP filter rules configured within it. Filters can examine traffic for the following:
- Known files using DLP fingerprints
- Files of a particular name or type
- Files larger than a specified size
- Data matching a specified regular expression
- Traffic matching an advanced or compound rule
File filters allow you to block files based on their file names and types. When a file filter list is applied to a DLP sensor filter, the network traffic is examined against the list entries, and, if the sensor filter is triggered, the predefined action is taken by the DLP sensor filter.
The general steps for configuring filters are as follows:
- Create a DLP sensor.
- Add DLP filter rules to filter either messages or specific file types.
- Select the DLP sensor in a security policy.
To create a DLP filter rule in the GUI:
Select Create New to open the Create New Dlp Filter Rule window.
To open the Edit Dlp Filter Rule window, select a filter and then click Edit.
Configure the following settings in the Create New Dlp Filter Rule window or the Edit Dlp Filter Rule window and then click OK.
Name | Enter a name for the DLP filter rule.
Severity | Select a severity for the DLP filter rule: Information, Low, Medium, High, or Critical.
Type | Select File or message to filter based on file attributes or to filter for specific messages.
Filter By | Select the filter from the drop-down list.
Regular Expression | Enter the pattern that network traffic is examined for. See Regular expressions.
File Pattern | Select or create a DLP file pattern. See File types.
File Size | Enter the maximum file size in kilobytes. See File size.
Company Identifier | Enter the company identifier. The company identifier makes sure that you are only blocking watermarks that your company has placed on the files, not watermarks with the same name placed by other companies. See Watermarking.
Protocols | Select one or more protocols that the filter will examine. This allows resources to be optimized by examining only relevant traffic. The available protocols are HTTP-POST, IMAP, MAPI, NNTP, POP3, and SMTP.
Action | Select an action to take if the filter is triggered. Available actions are Allow, Log Only, Block, and Quarantine IP Address.
Allow | No action is taken when the filter is triggered.
Log Only | When the filter is triggered, the match is logged, but no other action is taken.
Block | Traffic matching the filter is blocked and replaced with a replacement message. See Replacement Messages.
Quarantine IP Address | Block access for any IP address that sends traffic matching the filter. The IP address is added to the banned user list, and an appropriate replacement message is sent for all connection attempts until the quarantine time expires. Enter the amount of time that the IP address will be quarantined for (>= 1 minute).
Basic DLP filter types
You can configure four basic filter types:
File type and name
A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.
To configure file type and name filtering using the CLI:
- Create a file pattern to filter files based on the file name pattern or file type:
config dlp filepattern
    edit <filepattern_entry_integer>
        set name <string>
        config entries
            edit <file pattern>
                set filter-type {type | pattern}
                set file-type <file type>
            next
        end
    next
end
For example, to filter for GIFs and PDFs:
config dlp filepattern
    edit 11
        set name "sample_config"
        config entries
            edit "*.gif"
                set filter-type pattern
            next
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end
- Attach the file pattern to a DLP sensor, and specify the protocols and actions:
config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by file-type
                set file-type 1 <-- Previously configured file pattern
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To configure file type and name filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor window opens.
- Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
- Set Type to File and select Match a DLP File Pattern.
- Select or create a file pattern. See Create or edit a DLP file pattern.
- Click + and select one or more protocols from the side pane.
- Select the action.
- Click OK to save the new filter.
File size
A file size filter checks for files that exceed the specified size, and performs the DLP sensor's configured action on them.
To configure file size filtering using the CLI:
config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by file-size <-- Match any file with a size over the threshold
                set file-size <integer> <-- Threshold in kilobytes
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To configure file size filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor window opens.
- Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
- Set Type to File and select Match Any File Over Size.
- Enter the maximum file size, in kilobytes, in the File Size field.
- Click + and select one or more protocols from the side pane.
- Select the action.
- Click OK.
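The file type and file size filters described above, as an added example in Python (not FortiProxy code): it models a file pattern with one name-based entry (filter-type pattern) and one content-based entry (filter-type type), plus a file-size filter with a kilobyte threshold, and runs them over constructed sample files. The magic-byte table, the first-match precedence and all sample data are assumptions of this example.

```python
"""Added example: a toy model of the file-type and file-size filters.

Illustrative Python written for this page, not FortiProxy code. It mimics a
'file pattern' entry (filter-type pattern on the file name, or filter-type
type on the detected content type) and a 'file-size' filter with a kilobyte
threshold, and reports the action of the first filter that triggers.
"""
import fnmatch
from dataclasses import dataclass, field

# Minimal content sniffing for the two types in the page's example.
# A real DLP engine carries a far larger signature set; this table is assumed.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def detect_type(data: bytes) -> str:
    """Return a file type keyword from the leading bytes, or 'unknown'."""
    for ftype, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return "unknown"


@dataclass
class PatternEntry:
    value: str          # "*.gif" for pattern entries, "pdf" for type entries
    filter_type: str    # "pattern" (file name glob) or "type" (content type)

    def matches(self, name: str, data: bytes) -> bool:
        if self.filter_type == "pattern":
            # Name-based: case-insensitive glob on the file name only.
            return fnmatch.fnmatch(name.lower(), self.value.lower())
        # Type-based: inspects the bytes, so a renamed file still matches.
        return detect_type(data) == self.value


@dataclass
class SensorFilter:
    name: str
    action: str                     # allow | log-only | block | quarantine-ip
    filter_by: str                  # "file-type" or "file-size"
    file_pattern: list = field(default_factory=list)   # PatternEntry list
    file_size_kb: int = 0           # threshold for file-size filters

    def triggers(self, fname: str, data: bytes) -> bool:
        if self.filter_by == "file-type":
            return any(e.matches(fname, data) for e in self.file_pattern)
        if self.filter_by == "file-size":
            # "Match any file over size": strictly larger than the threshold.
            return len(data) > self.file_size_kb * 1024
        return False


def evaluate(filters, fname, data):
    """Return (filter name, action) of the first triggered filter, else None."""
    for f in filters:
        if f.triggers(fname, data):
            return f.name, f.action
    return None


# The page's example pattern: GIFs by name, PDFs by content type.
SAMPLE_PATTERN = [PatternEntry("*.gif", "pattern"), PatternEntry("pdf", "type")]
SENSOR = [
    SensorFilter("gif_pdf", "block", "file-type", file_pattern=SAMPLE_PATTERN),
    SensorFilter("large", "log-only", "file-size", file_size_kb=1),
]

# Constructed sample files.
GIF_DATA = b"GIF89a" + b"\x00" * 20
PDF_DATA = b"%PDF-1.7\n%constructed sample\n"
BIG_TEXT = b"A" * 2048            # 2 KB of plain text


def demo():
    """Evaluate the constructed files against the sample sensor."""
    return {
        "banner.gif": evaluate(SENSOR, "banner.gif", GIF_DATA),
        "report.pdf": evaluate(SENSOR, "report.pdf", PDF_DATA),
        "report.txt": evaluate(SENSOR, "report.txt", PDF_DATA),   # renamed PDF
        "picture.txt": evaluate(SENSOR, "picture.txt", GIF_DATA), # renamed GIF
        "notes.txt": evaluate(SENSOR, "notes.txt", BIG_TEXT),
        "small.txt": evaluate(SENSOR, "small.txt", b"hi"),
    }


if __name__ == "__main__":
    for fname, result in demo().items():
        print(f"{fname:12} -> {result}")
```

The renamed PDF is still blocked because the type entry inspects content, while the renamed GIF slips past the name-only entry; that is the practical difference between the two filter-type values, and the reason a type entry is the stronger choice where the file type has a recognizable signature.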
Regular expression
A regular expression filter is used to filter files or messages based on the configured regular expression pattern.
To configure regular expression filtering using the CLI:
config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type {file | message} <-- Check contents of a file or of messages, web pages, and so on
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by regexp <-- Use a regular expression to match content
                set regexp <regexp> <-- Input a regular expression pattern
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To configure regular expression filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor page opens.
- Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
- For filtering regular expressions in files, set Type to File. For filtering in messages, set Type to message.
- Select Match a Regular Expression.
- Enter the regular expression string in the Regular Expression field.
- Click + and select one or more protocols from the side pane.
- Select the action.
- Click OK.
Credit card and SSN
The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.
The SSN sensor can be used to filter files or messages for Social Security Numbers.
To configure credit card or SSN filtering using the CLI:
config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type {file | message} <-- Check contents of a file, or of messages, web pages, and so on
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by {credit-card | ssn} <-- Match credit card or social security numbers
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To configure credit card or SSN filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor page opens.
- Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
- For filtering in files, set Type to File. For filtering in messages, set Type to message.
- Select Match Credit Card Numbers or Match Social Security Numbers.
- Click + and select one or more protocols from the side pane.
- Select the action.
- Click OK.
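The credit card and SSN sensors described above, as an added example in Python (not Fortinet's matching logic): it goes a little beyond the page by pairing the brand formats with a Luhn checksum for card numbers and the SSA structural rules for SSNs, both of which cut false positives on random digit strings. The regular expressions, the validity rules and the sample messages are this example's assumptions; the card numbers are the well-known public test numbers and the SSNs are fictitious.

```python
"""Added example: regex detection of credit card numbers and SSNs.

Written for this page; not Fortinet's matching logic. Brand formats are the
three the page names (American Express, Mastercard, Visa). A Luhn check on
card numbers and the SSA structural rules on SSNs reduce false positives.
"""
import re

# Separators (space or dash) between digit groups are tolerated.
CARD_PATTERNS = {
    "amex":       re.compile(r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b"),   # 15 digits
    "mastercard": re.compile(r"\b5[1-5]\d{2}(?:[ -]?\d{4}){3}\b"),     # 16 digits
    "visa":       re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"),          # 16 digits
}
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_cards(text: str):
    """Return (brand, matched text) for every Luhn-valid card number."""
    hits = []
    for brand, pat in CARD_PATTERNS.items():
        for m in pat.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((brand, m.group(0)))
    return hits


def find_ssns(text: str):
    """Return every structurally valid SSN in the text."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text) if ssn_ok(*m.groups())]


def scan(messages):
    """Per-message report: which of the two filter types fired."""
    report = []
    for msg in messages:
        cards, ssns = find_cards(msg), find_ssns(msg)
        fired = [f for f, hit in (("credit-card", cards), ("ssn", ssns)) if hit]
        report.append({"message": msg, "credit-card": cards, "ssn": ssns, "fired": fired})
    return report


# Constructed sample traffic (public test card numbers, fictitious SSNs).
SAMPLES = [
    "Please bill 4111 1111 1111 1111 for the order.",   # Visa, Luhn OK
    "Backup card: 5555-5555-5555-4444",                 # Mastercard, Luhn OK
    "Corporate Amex 378282246310005 on file",           # Amex, Luhn OK
    "Order ref 4111111111111112 shipped",               # Visa format, fails Luhn
    "Employee SSN 123-45-6789 attached",                # structurally valid SSN
    "Ticket 000-12-3456 is not an SSN",                 # invalid area 000
    "Nothing sensitive here.",
]

if __name__ == "__main__":
    for entry in scan(SAMPLES):
        print(f"{entry['fired'] or ['-']}: {entry['message']}")
```

The fourth sample shows why the checksum matters: it has a Visa-shaped digit string and would fire a pure format match, but it fails Luhn and is passed. The trade-off is that a checksum check only helps for card numbers; an SSN has no checksum, so its filter relies on the structural rules alone and stays more prone to false positives on order numbers and similar nine-digit values.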
Regular expressions
Network traffic is examined for the pattern described by the regular expression specified in the DLP sensor filters. Fortinet uses a variation of the Perl Compatible Regular Expressions (PCRE) library. For some examples of Perl expressions, see Perl regular expressions. For more information about using Perl regular expressions, go to http://perldoc.perl.org/perlretut.html.
By adding multiple filters containing regular expressions to a sensor, a dictionary can be developed within the sensor. The filters can include expressions that accommodate complex variations of words or target phrases. Within the sensors, each expression can be assigned a different action, allowing for a very granular implementation.
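The dictionary approach described above, as an added example in Python (not FortiProxy code): several regular expression filters, each with its own severity and action, are evaluated against one message, and the most restrictive action wins. Python's re module stands in for the PCRE variant the appliance uses; the precedence ordering, the filter names, the patterns and the sample messages are this example's assumptions.

```python
"""Added example: a 'dictionary' sensor built from several regex filters.

Illustrative Python for this page, not FortiProxy code. Each filter carries
its own regular expression, severity, action and type (file or message);
all filters for the given type are evaluated and the most restrictive
action (then the highest severity) decides the verdict.
"""
import re
from dataclasses import dataclass

# Precedence when several filters trigger at once (assumed ordering).
ACTION_RANK = {"allow": 0, "log-only": 1, "block": 2, "quarantine-ip": 3}
SEVERITY_RANK = {"information": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class RegexFilter:
    name: str
    pattern: str
    severity: str
    action: str
    msg_type: str = "message"   # "message" or "file", as in set type {file | message}

    def __post_init__(self):
        # Case-insensitive so variants such as 'Confidential' still hit.
        self.regex = re.compile(self.pattern, re.IGNORECASE)


# A small dictionary: target phrases with spelling and spacing variations.
DICTIONARY = [
    RegexFilter("internal_marker", r"\binternal\s+use\s+only\b", "low", "log-only"),
    RegexFilter("confidential", r"\bc[o0]nf[i1]dent[i1]al\b", "medium", "block"),
    RegexFilter("project_codename", r"\bproject[\s_-]*falcon\b", "high", "block"),
    RegexFilter("db_dump", r"\b(?:INSERT INTO|COPY)\s+\w+\s*\(", "critical", "quarantine-ip"),
    # File-only filter: ignored when the sensor examines messages.
    RegexFilter("c_source", r"^\s*#include\s+<", "medium", "log-only", msg_type="file"),
]


def evaluate_message(text: str, msg_type: str = "message", filters=DICTIONARY):
    """Return the triggered filter names and the resulting action and severity."""
    hits = [f for f in filters if f.msg_type == msg_type and f.regex.search(text)]
    if not hits:
        return {"hits": [], "action": "allow", "severity": None}
    top = max(hits, key=lambda f: (ACTION_RANK[f.action], SEVERITY_RANK[f.severity]))
    return {"hits": [h.name for h in hits], "action": top.action, "severity": top.severity}


# Constructed sample messages.
SAMPLES = [
    "Agenda: Q3 roadmap, internal use only.",
    "Attached is the C0nf1dential Project-Falcon summary.",
    "INSERT INTO customers (name, card) VALUES (...)",
    "Lunch menu for Friday",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(evaluate_message(msg), "<-", msg)
```

Two points the example makes concrete: the second message triggers two block filters with different severities, so the verdict is logged at the higher one; and the file-only filter never fires for message traffic, which is the effect of set type on a filter. Keeping one expression per filter, rather than one giant alternation, is what makes the per-expression severity and action possible.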
File types
- Archive (7z)
- Archive (arj)
- Archive (bzip)
- Archive (bzip2)
- Archive (cab)
- Archive (gzip)
- Archive (lzh)
- Archive (rar)
- Archive (tar)
- Archive (xz)
- Archive (zip)
- Audio (avi)
- Audio (mp3)
- Audio (wav)
- Audio (wma)
- Batch File (bat)
- BMP Image (bmp)
- Common Console Document (msc)
- Encoded Data (base64)
- Encoded Data (binhex)
- Encoded Data (mime)
- Encoded Data (uue)
- Executable (elf)
- Executable (exe)
- GIF Image (gif)
- HTML Application (hta)
- HTML File (html)
- Ignored File Type (ignored)
- Java Application Descriptor (jad)
- Java Class File (class)
- Java Compiled Bytecode (cod)
- JavaScript File (javascript)
- JPEG Image (jpeg)
- Microsoft Active Mime Object (activemime)
- Microsoft Office (msoffice)
- Microsoft Office (msofficex)
- Packer (aspack)
- Packer (fsg)
- Packer (petite)
- Packer (upx)
- PalmOS Application (prc)
- PDF (pdf)
- PNG Image (png)
- Real Media Streaming (rm)
- Symbian Installer System File (sis)
- TIFF Image (tiff)
- Torrent (torrent)
- Unknown File Type (unknown)
- Video (mov)
- Video (mpeg)
- Windows Help File (hlp)
- Windows Installer Package (msi)
Watermarking
Watermarking marks a file with a digital pattern that identifies it as proprietary to a specific company. Fortinet provides a Linux-based utility that applies a digital watermark to files. The utility adds a small (approximately 100 bytes) pattern to the file that is recognized by the DLP watermark filter. The pattern is invisible to the end user.
When watermarking a file, verify that the pattern matches a category found on the FortiProxy firewall. For example, if you are going to watermark a file with the sensitivity level of "Secret", you should verify that "Secret" is a sensitivity level that has been assigned in the FortiProxy unit.
Company identifier and sensitivity
The company identifier is to make sure that you are only blocking watermarks that your company has placed on the files, not watermarks with the same name by other companies.
If you are using watermarking on your files, you can use the watermark sensitivity filter to check for watermarks that correspond to sensitivity categories that you have set up.
Software versions
Before planning to use the watermarking software, verify that it works with your OS. Currently, the only utility available to watermark files is a Linux-based command line tool. It is available for download from the Fortinet Customer Service & Support website, with a valid support contract and access to the site. To access the file:
- Sign into the Fortinet Customer Service & Support website.
- Go to https://support.fortinet.com/Download/FirmwareImages.aspx.
- Navigate to the image file path for WATERMARK.
- Download the fortinet-watermark-linux.out file.
File types
The watermark utility does not work with every file type. The following file types are supported by the watermark tool: .txt, .pdf, .doc, .xls, .ppt, .docx, .pptx, and .xlsx.
Syntax of the watermark utility
The tool is executed in a Linux environment and is passed the files, or directories of files, into which a watermark is to be inserted.
Usage:
watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>
watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>
Options:
-h print help
-I inplace watermarking (do not copy file)
-o output file (or directory in directory mode)
-e encode <to non-readable>
-i add watermark identifier
-l add watermark sensitivity level
-D delete watermark identifier
-L delete watermark sensitivity level