
Administration Guide

Data leak prevention

The FortiProxy data leak prevention (DLP) system prevents sensitive data from leaving or entering your network by scanning for various patterns while inspecting traffic passing through the FortiProxy. Data matching defined sensitive data patterns is blocked, logged, allowed, or quarantined, or archived when it passes through the FortiProxy.

The DLP system is built from the following components. You can configure DLP in both the CLI and the GUI.

  • Data type: Define the type of pattern that DLP is trying to match. For example, this can be a pre-defined type such as credit card, hex, keyword, mip-label, regex, or US social security number (SSN). You can also create custom data types.
  • Dictionary: A collection of data type entries. When selecting a data type such as keyword, regex, or hex, define the pattern that you are looking for.
  • Sensor: Define which dictionaries to check. You can match any dictionary, all dictionaries, or a special logical combination of the dictionaries. A sensor can also count the number of dictionary matches required to trigger it.
  • File pattern: Define groups of file patterns based on pre-defined file types, or define your own pattern to match the file name.
  • DLP profile: Define rules for matching a sensor based on a file type or a message, and the type of protocol being used. It also allows you to choose the action to allow, log, block, or quarantine the address.

A DLP profile selects one or more sensors, and applies the sensor’s pattern matching against the file type or message that is passing through selected protocols. The profile can be applied to a policy where the traffic will be inspected.

In the backend, DLP uses Hyperscan to perform a single-pass (one-parse) scan for multiple patterns at once. This allows DLP to scale to many patterns without performance degradation.
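The dictionary, sensor, and match-count relationships described above, as an added Python model (not FortiProxy code and not the product's own matching engine): two dictionaries built from regex, credit-card, and keyword entries, and a sensor that fires only when all of its dictionaries reach their match counts. The sample message, the Luhn refinement of the credit-card type, and the "any"/"all" rule names are my own assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample message (no real identifiers), as DLP would see an SMTP body.
SAMPLE = (
    "Subject: Q3 payroll export\n"
    "Employee A: SSN 123-45-6789, card 4111 1111 1111 1111\n"
    "Employee B: SSN 987-65-4321, card 1234 5678 9012 3456\n"
    "Classification: CONFIDENTIAL\n"
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_entry(kind: str, pattern: str, text: str) -> int:
    """Count hits for one dictionary entry of the given data type."""
    if kind == "keyword":
        return len(re.findall(re.escape(pattern), text, re.IGNORECASE))
    if kind == "regex":
        return len(re.findall(pattern, text))
    if kind == "credit-card":  # 13-19 digits with optional separators, Luhn-valid
        cands = re.findall(r"\b(?:\d[ -]?){12,18}\d\b", text)
        return sum(luhn_ok(re.sub(r"\D", "", c)) for c in cands)
    raise ValueError(f"unsupported data type: {kind}")

@dataclass
class Dictionary:
    entries: list  # (data type, pattern) pairs
    def count(self, text: str) -> int:
        return sum(count_entry(k, p, text) for k, p in self.entries)

@dataclass
class Sensor:
    rules: list         # (Dictionary, minimum match count) pairs
    match: str = "any"  # "any" or "all": which dictionaries must reach their count
    def triggered(self, text: str) -> bool:
        hits = [d.count(text) >= n for d, n in self.rules]
        return all(hits) if self.match == "all" else any(hits)

PII = Dictionary([("regex", r"\b\d{3}-\d{2}-\d{4}\b"), ("credit-card", "")])
LABEL = Dictionary([("keyword", "confidential")])
# Fires only when a sensitivity label and at least two PII hits are both present.
SENSOR = Sensor([(PII, 2), (LABEL, 1)], match="all")
def evaluate(text: str = SAMPLE) -> dict:
    """Per-dictionary counts plus the sensor verdict the DLP profile would act on."""
    return {"pii": PII.count(text), "label": LABEL.count(text), "block": SENSOR.triggered(text)}
```

Requiring a count across dictionaries, rather than blocking on a single hit, is what keeps a sensor like this from firing on every message that happens to contain one number-shaped string.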

Protocol support for DLP inspection

FortiProxy DLP inspection supports the following protocols:

  • HTTP
  • FTP
  • IMAP
  • POP3
  • SMTP
  • NNTP
  • MAPI
  • CIFS
  • SFTP/SCP

Archiving

DLP can archive some or all of the content that passes through the DLP system. There are two forms of DLP archiving:

  • Summary only: a summary of all the activity detected by the profile is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user browses the web, every URL that they visit is recorded.
  • Full: detailed records of all the activity detected by the profile are recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user browses the web, every page that they visit is archived.

You can configure the type of archiving per protocol.

Logging and blocking files by file name

Sometimes, file names are not accurately recorded in DLP logs, even though the files are blocked correctly based on the DLP profile. This is particularly apparent on cloud-based services, such as Google Drive or SharePoint.

For HTTP file uploads, some cloud services use proprietary encodings and APIs to transfer files and exchange metadata instead of standard HTTP mechanisms, which requires custom handling of the proprietary API. If a cloud service changes its API without notice, the custom handling becomes outdated and file names might not be logged properly. Because of this, take special care when using DLP to block files by file name pattern. To block a specific file type, it is better to block by file type rather than by file name pattern.
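To show why blocking by file type is more robust than blocking by file name pattern, here is an added Python comparison (not FortiProxy code) of a name-based check against a content-signature check over constructed uploads. The magic-byte table, the sample uploads, and the "name unavailable" case for a proprietary cloud API are my own assumptions.

```python
import re

# Constructed sample uploads: (file name as logged, first bytes of the body).
UPLOADS = [
    ("report.pdf",  b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("notes.txt",   b"%PDF-1.4\n"),           # PDF renamed to sidestep a name pattern
    ("archive.zip", b"PK\x03\x04\x14\x00"),
    ("upload.bin",  b"\x89PNG\r\n\x1a\n"),
    ("blob",        b"%PDF-1.5"),             # proprietary API: no usable file name
]

# File signatures (magic bytes) for the types this example recognises.
MAGIC = {
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}

def type_by_content(data: bytes) -> str:
    """Identify the file type from its leading bytes, independent of the name."""
    for ftype, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ftype
    return "unknown"

def type_by_name(name: str) -> str:
    """Identify the file type from the name extension only, as a file name pattern would."""
    m = re.search(r"\.([A-Za-z0-9]+)$", name or "")
    return m.group(1).lower() if m else "unknown"

def decide(name: str, data: bytes, blocked_types=("pdf",)) -> tuple:
    """Return (blocked by name pattern, blocked by file type) for one upload."""
    return (type_by_name(name) in blocked_types, type_by_content(data) in blocked_types)

def compare(uploads=UPLOADS) -> dict:
    """Run both checks over every sample upload, keyed by the logged file name."""
    return {name: decide(name, data) for name, data in uploads}
```

The renamed PDF and the nameless upload are caught only by the file type check, which is the gap the guide describes.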

The following topics provide information about DLP:
