Administration Guide

Create or edit a DLP sensor

To configure a DLP sensor, go to Security Profiles > Data Loss Prevention and click Create New.

Configure the following settings and select OK to save your changes:

Name

Enter the name of the DLP sensor.

Comments

An optional description of the DLP sensor.

DLP Log

Enable if you want a log entry when data matches the configured patterns.

Rules

Create or edit DLP filter rules. See Create or edit a DLP filter rule.

To create a DLP sensor:
  1. Go to Security Profiles > Data Loss Prevention and click Create New. The New DLP Sensor window opens.

  2. Enter a name for the new sensor in the Name field and, optionally, enter a description of the sensor in the Comments field.

  3. Enable DLP Log if you want a log entry when data matches the configured patterns.

  4. Add DLP filter rules to the sensor. See Create or edit a DLP filter rule.

  5. Click OK to create the new sensor.

To edit a DLP sensor:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select a DLP sensor and then click Edit. The Edit DLP Sensor window opens.

  3. Edit the DLP sensor name and comments as required.

  4. Enable or disable DLP Log.

  5. Edit, create, or delete DLP filter rules as required. See Create or edit a DLP filter rule.

  6. Click OK to save your changes.

DLP archiving

DLP is typically used to prevent sensitive information from getting out of your company network, but it can also be used to record network use. This is called DLP archiving. The DLP engine examines email, FTP, NNTP, and web traffic. Enabling archiving for rules when you add them to sensors directs the FortiProxy unit to record all occurrences of these traffic types when they are detected by the sensor.

Because the archive setting is configured for each rule in a sensor, you can have a single sensor that archives only the things you want.

You can archive Email, FTP, HTTP, and session control content:

  • Email content includes IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged as spam by Email filtering. If your unit supports SSL content scanning and inspection, email content can also include IMAPS, POP3S, and SMTPS sessions.

  • HTTP content includes HTTP sessions. If your unit supports SSL content scanning and inspection, HTTP content can also include HTTPS sessions.

DLP archives are saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service (subscription required).

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the Fortinet configuration. The FortiGuard Analysis server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

Two sample DLP sensors are provided with DLP archiving capabilities enabled. If you select the Content_Summary sensor in a security policy, it will save a summary DLP archive of all traffic the security policy handles. Similarly, the Content_Archive sensor will save a full DLP archive of all traffic handled by the security policy you apply it to. These two sensors are configured to detect all traffic of the supported types and archive them.

NOTE: You can see these sensors in the GUI but the configuration is only visible through the CLI; DLP archiving is set in the CLI only.

To enable DLP archiving:

config dlp sensor
    edit <name of sensor>
        set summary-proto smtp pop3 imap http-get http-post ftp nntp mapi cifs
    next
end
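
Because DLP archiving is set in the CLI only, a configuration export is the practical place to check which sensors archive which protocols. The following is an added example, not part of the original guide or Fortinet's tooling: it parses the config dlp sensor block of an export and reports, per sensor, which of the protocols in the summary-proto command above are not archived. The sample export, the sensor names other than Content_Summary, and the nested config filter block are constructed assumptions.

```python
# Protocols taken from the guide's "set summary-proto" command.
PAGE_PROTOS = ["smtp", "pop3", "imap", "http-get", "http-post",
               "ftp", "nntp", "mapi", "cifs"]

# Constructed sample export (not from a real device). "mail-only" and
# "no-archive" are hypothetical sensors; the nested block is an assumption.
SAMPLE_CONFIG = """\
config dlp sensor
    edit "Content_Summary"
        set summary-proto smtp pop3 imap http-get http-post ftp nntp mapi cifs
    next
    edit "mail-only"
        set summary-proto smtp pop3 imap
        config filter
            edit 1
            next
        end
    next
    edit "no-archive"
    next
end
"""

def parse_dlp_sensors(text):
    """Return {sensor name: [summary-proto values]} for 'config dlp sensor'."""
    sensors, current, depth, in_dlp = {}, None, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0:                      # top-level block decides scope
                in_dlp = line == "config dlp sensor"
            depth += 1
        elif line == "end":
            depth -= 1
        elif in_dlp and depth == 1:             # ignore nested edit/next entries
            if line.startswith("edit "):
                current = line[5:].strip().strip('"')
                sensors[current] = []
            elif line == "next":
                current = None
            elif current and line.startswith("set summary-proto "):
                sensors[current] = line.split()[2:]
    return sensors

def missing_protocols(sensors):
    """Map each sensor to the page-listed protocols it does not archive."""
    return {name: [p for p in PAGE_PROTOS if p not in protos]
            for name, protos in sensors.items()}

if __name__ == "__main__":
    for name, gaps in missing_protocols(parse_dlp_sensors(SAMPLE_CONFIG)).items():
        print(f"{name}: not archived -> {', '.join(gaps) or 'none'}")
```
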
