Sensitivity labels
Sensitivity labels mark data that your organization needs to protect. Microsoft provides sensitivity labels that identify how sensitive the data they are attached to is, so that appropriate protection can be applied to it. See Protect your sensitive data with Microsoft Purview (formerly MIP) for more information.
FortiProxy can control any traffic that carries a sensitivity label. It does this through a predefined data type, mip-label, in the Data Loss Prevention (DLP) dictionary, which is designed for Microsoft Information Protection (MIP) labels. See Microsoft Purview sensitivity labels for more information.
Example
This configuration blocks HTTPS upload traffic that matches the DLP profile.
When inspecting commonly used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Create or edit an SSL/SSH inspection profile for more information. Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed.
Sample topology
In this example, a Microsoft Office document that is marked with a sensitivity label (applied in Office Desktop) is attached to an email in the Chrome browser. See Learn about sensitivity labels for more information. FortiProxy intercepts this traffic using deep inspection and blocks the attachment because the file matches the DLP profile configured on the FortiProxy.
When a sensitivity label is included in HTTPS upload traffic, the file is blocked and a DLP log is generated. See Sample log for a log sample.
Prerequisites
Before configuring FortiProxy, complete the following steps:
1. Create and configure sensitivity labels and their policies. See Create sensitivity labels for more information.
2. Apply a sensitivity label to content. See Apply sensitivity labels to your files and email for more information.
   Once the sensitivity label is applied to a file, you'll see it displayed on the sensitivity bar.
3. Obtain the Globally Unique Identifier (GUID) for each of your sensitivity labels. See Search for documents by sensitivity label for more information.
   Sample GUID:
   FortiProxy uses the GUID for label matching. The Pattern of the mip-label dictionary entry is configured to correspond to the label's GUID.
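To make the GUID match concrete, here is an added Python example; it is not code from this page or from Fortinet, and it does not show how FortiProxy itself inspects files. Office stores an applied label in the OOXML package part docProps/custom.xml as custom document properties named MSIP_Label_<GUID>_Enabled, MSIP_Label_<GUID>_Name and so on, so the label GUID that the DLP dictionary pattern refers to can be read straight out of the file. The example builds a constructed, minimal .docx-style package (not a file produced by Office), extracts the label GUID from it and checks it against the pattern used on this page. Legacy binary .doc files store the label differently and are not covered here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional, Set

# GUID used as the mip-label Pattern in the DLP dictionary on this page.
DLP_LABEL_GUIDS = {"ca51e4ff-0733-4744-bebb-d3e1eb6383f4"}

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Office writes an applied label into docProps/custom.xml as properties named
# MSIP_Label_<GUID>_Enabled, MSIP_Label_<GUID>_Name, ...; the GUID in the
# property name is the label GUID that the DLP dictionary entry matches on.
LABEL_ENABLED_PROP = re.compile(
    r"^MSIP_Label_([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})_Enabled$"
)


def extract_label_guids(ooxml_bytes: bytes) -> Set[str]:
    """Return the lower-cased GUIDs of enabled sensitivity labels in an OOXML file."""
    guids: Set[str] = set()
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return guids  # no custom-properties part, so no label is present
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        m = LABEL_ENABLED_PROP.match(prop.get("name", ""))
        if m is None:
            continue
        value = prop.find(f"{{{VT_NS}}}lpwstr")
        if value is not None and (value.text or "").strip().lower() == "true":
            guids.add(m.group(1).lower())
    return guids


def matches_dlp_dictionary(ooxml_bytes: bytes, configured: Set[str] = DLP_LABEL_GUIDS) -> bool:
    """True if the file carries an enabled label whose GUID is one of the dictionary patterns."""
    return bool(extract_label_guids(ooxml_bytes) & {g.lower() for g in configured})


def build_sample_docx(label_guid: Optional[str], label_name: str = "Confidential") -> bytes:
    """Construct a minimal OOXML-style package, optionally carrying a label.

    Constructed sample for this demonstration only; it is not a file produced by Office.
    """
    fmtid = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # property set id for user-defined properties
    props = ""
    if label_guid:
        props = (
            f'<property fmtid="{fmtid}" pid="2" name="MSIP_Label_{label_guid}_Enabled">'
            "<vt:lpwstr>true</vt:lpwstr></property>"
            f'<property fmtid="{fmtid}" pid="3" name="MSIP_Label_{label_guid}_Name">'
            f"<vt:lpwstr>{label_name}</vt:lpwstr></property>"
        )
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{props}</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body/></w:document>",
        )
        if label_guid:
            zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


if __name__ == "__main__":
    labelled = build_sample_docx("ca51e4ff-0733-4744-bebb-d3e1eb6383f4")
    print("labels found:", extract_label_guids(labelled))
    print("would match dic-case5:", matches_dlp_dictionary(labelled))
```

The GUID comparison is case-insensitive on purpose: Office may write the GUID in upper case while the dictionary pattern on this page is lower case, and a case-sensitive string compare would silently miss the label.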
To block HTTPS upload traffic that includes MIP labels in the GUI:
1. Configure the DLP dictionary:
   a. Go to Security Profiles > Data Loss Prevention, select the Dictionaries tab, and click Create New.
   b. Set Name to dic-case5.
   c. In the Dictionary Entries table, click Create New:
      i. Set Type to mip-label.
      ii. Set Pattern to ca51e4ff-0733-4744-bebb-d3e1eb6383f4.
          The pattern set here corresponds to the GUID of a specific sensitivity label. Please use your own GUID in this step. See step 3 of Prerequisites for how to obtain your label GUID.
      iii. Click OK.
   d. Click OK.
2. DLP profiles that filter by MIP can only be configured in the CLI. See Configure the DLP profile in the CLI procedure.
3. Add the DLP profile to a firewall policy:
   a. Go to Policy & Objects > Policy and click Create New.
   b. In the Security Profiles section, enable DLP Profile and select profile-case5.
   c. Set SSL Inspection to deep-inspection.
   d. Configure the other settings as needed.
   e. Click OK.
To block HTTPS upload traffic that includes MIP labels in the CLI:
1. Configure the DLP dictionary:
       config dlp dictionary
           edit "dic-case5"
               config entries
                   edit 1
                       set type "mip-label"
                       set pattern "ca51e4ff-0733-4744-bebb-d3e1eb6383f4"
                   next
               end
           next
       end
   The set pattern value is the GUID of a specific sensitivity label. Please use your own GUID in this step. See step 3 of Prerequisites for how to obtain your label GUID.
2. Configure the DLP profile:
       config dlp profile
           edit "profile-case5"
               set feature-set proxy
               config rule
                   edit 1
                       set name "mip-label"
                       set severity critical
                       set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                       set filter-by mip
                       set file-type 1
                       set label "dic-case5"
                       set action block
                   next
               end
           next
       end
3. Add the DLP profile to a policy:
       config firewall policy
           edit 1
               set type explicit-web
               set name "ExplicitPROXY"
               set uuid c0a2e814-7ff8-51ee-1815-054bdf34bd03
               set dstintf "port1"
               set srcaddr "all"
               set dstaddr "all"
               set action accept
               set schedule "always"
               set service "ALL"
               set explicit-web-proxy "web-proxy"
               set utm-status enable
               set logtraffic all
               set log-http-transaction all
               set ssl-ssh-profile "deep-inspection"
               set dlp-profile "profile-case5"
           next
       end
Sample log
An attempt was made to send an email from a Windows device using Gmail's webmail service. The email was intended to include an attachment carrying a MIP label; the upload of the attachment was blocked, and the following DLP log was generated.
date=2024-03-11 time=15:53:35 eventtime=1710197614776880630 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="1" filtertype="mip" filtercat="file" severity="critical" policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=150411423 epoch=1589476180 eventid=0 srcip=10.40.1.226 srcport=39830 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="7f1725e0-7ff8-51ee-fbe1-b5ff0424dfda" dstip=142.251.211.229 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="msoffice" direction="outgoing" action="block" hostname="mail.google.com" url=" https://mail.google.com/_/upload?authuser=0&dcp=asu-n&upload_id=ABPtcPoZPYAkCzE-FaGZS_QUNjml-0vPOGdjf7nk02kKLLnoTmg-wqsAbeWfuzerDACV0b8dZ6v0bkUZnB57Is1QdvjFBE2r90bT&upload_protocol=resumable" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" httpmethod="POST" referralurl=" https://mail.google.com/mail/u/0/" filename="doc.doc" filesize=53248 profile="profile-case5"
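To show how the log above can be consumed on the detection side, here is an added Python example; it is not code from this page or from Fortinet. It parses FortiProxy key=value log lines (quoted values may contain spaces, '=' and '&', as the url and agent fields above do) and selects the DLP events in which a MIP-labelled file was blocked. The first sample line is the log from this page; the other two lines are constructed for the example, and their field values are illustrative rather than real FortiProxy output.

```python
import re
from typing import Dict, Iterable, List

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, '=' and '&') or a bare run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one FortiProxy-style key=value log line into a dict of strings."""
    record: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        record[key] = raw.strip()  # the sample url fields carry a leading space
    return record


def blocked_label_uploads(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Select DLP events where a MIP-labelled file was blocked and summarise them."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        r = parse_fortilog(line)
        if r.get("type") != "utm" or r.get("subtype") != "dlp":
            continue
        if r.get("filtertype") != "mip" or r.get("action") != "block":
            continue
        hits.append({
            "time": f'{r.get("date", "")} {r.get("time", "")}',
            "srcip": r.get("srcip"),
            "hostname": r.get("hostname"),
            "direction": r.get("direction"),
            "filename": r.get("filename"),
            "filetype": r.get("filetype"),
            "filesize": int(r.get("filesize", "0")),
            "profile": r.get("profile"),
            "policyid": r.get("policyid"),
        })
    return hits


# Sample input. The first line is the log from this page; the second and third
# are constructed for this example (a MIP match with a non-blocking action, and a
# non-MIP DLP match) and are not real FortiProxy output.
SAMPLE_LOGS = [
    'date=2024-03-11 time=15:53:35 eventtime=1710197614776880630 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="1" filtertype="mip" filtercat="file" severity="critical" policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=150411423 epoch=1589476180 eventid=0 srcip=10.40.1.226 srcport=39830 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="7f1725e0-7ff8-51ee-fbe1-b5ff0424dfda" dstip=142.251.211.229 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="msoffice" direction="outgoing" action="block" hostname="mail.google.com" url=" https://mail.google.com/_/upload?authuser=0&dcp=asu-n&upload_id=ABPtcPoZPYAkCzE-FaGZS_QUNjml-0vPOGdjf7nk02kKLLnoTmg-wqsAbeWfuzerDACV0b8dZ6v0bkUZnB57Is1QdvjFBE2r90bT&upload_protocol=resumable" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" httpmethod="POST" referralurl=" https://mail.google.com/mail/u/0/" filename="doc.doc" filesize=53248 profile="profile-case5"',
    # constructed: same kind of event, but the rule action only logged it
    'date=2024-03-11 time=15:58:02 type="utm" subtype="dlp" eventtype="dlp" level="notice" vd="root" filtertype="mip" filtercat="file" severity="medium" policyid=1 srcip=10.40.1.230 dstip=142.251.211.229 dstport=443 service="HTTPS" filetype="msoffice" direction="outgoing" action="log-only" hostname="mail.google.com" filename="memo.docx" filesize=20480 profile="profile-case5"',
    # constructed: a DLP block that is not a MIP label match
    'date=2024-03-11 time=16:01:47 type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filtertype="file" filtercat="file" severity="high" policyid=1 srcip=10.40.1.231 dstip=142.251.211.229 dstport=443 service="HTTPS" filetype="zip" direction="outgoing" action="block" hostname="mail.google.com" filename="archive.zip" filesize=4096000 profile="profile-case5"',
]


if __name__ == "__main__":
    for hit in blocked_label_uploads(SAMPLE_LOGS):
        print(hit)
```

Filtering on type, subtype, filtertype and action rather than on free-text fields keeps the selection stable across log sources; the summary keeps the fields an analyst needs to follow up (source IP, destination host, file name, size and profile) without the session and interface noise.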