Administration Guide

DLP

FortiSASE data loss prevention (DLP) prevents sensitive data from leaving or entering your network by defining various sensitive data patterns, scanning for the patterns while inspecting traffic, and allowing, blocking, or logging only when traffic matches the patterns.

DLP rules specify how to handle traffic when a sensor or a file type is triggered. Sensors detect specific content types defined in dictionaries.

DLP is configured based on the following components:

  Data type: Define the type of pattern within data or content that DLP tries to match. Currently, DLP supports predefined types such as keyword, regular expression, hex, credit card, and US social security number.

  Data source type: Define the type of data source that DLP tries to match. Currently, DLP supports predefined types such as sensors, MPIP label, or none. With none, DLP matches using only the file or message type and the protocol as criteria.

  Dictionary: A collection of data type entries. When selecting a data type such as keyword, regular expression, or hex, define the pattern that you are looking for.

  Sensor: Define which dictionaries to check. You can match any dictionary, all dictionaries, or a special logical combination of the dictionaries. A sensor can also count the number of dictionary matches needed to trigger it.

  File pattern: Define file pattern groups based on predefined file types, or define your own pattern to match the file name.

  Rule: Define rules for matching a sensor based on a file type or a message, and the protocol type being used. A rule also lets you choose the action: allow, block, or log only.

Note

DLP requires deep inspection to decrypt and inspect content in encrypted traffic. See Certificate and deep inspection modes.

To create a DLP rule:
  1. Go to Configuration > Security.
  2. For Profile Group, select an existing profile group to edit or create a new profile group using + in the Profile Group dropdown list.
  3. Disable all enabled security features (AntiVirus, Web Filter with Inline-CASB, Intrusion Prevention, DNS Filter) using these steps for each security feature:
    1. Click the toggle button next to the security feature widget to disable the feature.
    2. Click OK to confirm disabling the security feature.
  4. In the SSL Inspection widget, ensure deep inspection is enabled:
    1. For SSL inspection, click Customize.
    2. Select Deep Inspection.
    3. Click OK.
  5. Create a DLP rule:
    1. In the Data Loss Prevention (DLP) widget, click the toggle button to enable this feature, and then click Customize.
    2. In the DLP slide-in, click Create to create a new DLP rule.
    3. In the New Rule slide-in, configure these settings:

      Name: Rule name.

      Data Source Type: Select the type of data source that DLP tries to match. When you select Sensors or MPIP Label, you must select or create a new DLP sensor or sensitivity label, respectively.

      Sensor: If you select Sensors for Data Source Type, select DLP sensors. You must create a new DLP sensor and then select it.

      Sensitivity Label: If you select MPIP Label for Data Source Type, select a sensitivity label. You must create a new sensitivity label and then select it.

      Severity: Select the severity or threat level that matches this filter.

      Action: Action to take with content that this DLP profile matches.

      Type: Select whether to check the content of messages (an email message) or files (downloaded files or email attachments).

      File type: Select the DLP file pattern table (by its table number) to match. You can either select a predefined file pattern table or create a new one by clicking + in the dropdown list.

      Protocol: Check messages or files over one or more of the listed protocols.

  6. Do one of the following:
    1. If you selected Sensors for Data Source Type, do the following:
      1. Create a new sensor by clicking + next to Sensor. In the Select Entries slide-in, click + Create on the right to create a new sensor. In the New Sensor slide-in, configure these settings:

        Name: Sensor name.

        Entry matches needed to trigger sensor: Logic applied to sensor entry matches to trigger the sensor:

        • All: logical AND condition on matching entries
        • Any: logical OR condition on matching entries

        Table of entries: Create one or more entries.

      2. Create a sensor entry by clicking +Create. In the New Entry slide-in, configure these settings:

        ID: Numerical ID for the sensor entry.

        Dictionary: Select the dictionary for this sensor entry. You must create a new dictionary and then select it.

        Dictionary matches needed to consider traffic DLP risk: Number of dictionary matches needed to trigger the sensor entry.

        Status: Select whether the sensor entry is Enabled or Disabled.

      3. Create a dictionary by clicking the Dictionary field and then clicking +Create to create a new DLP dictionary. In the New DLP Dictionary slide-in, configure these settings:

        Name: Dictionary name.

        Entry matches needed to trigger sensor: Logic applied to dictionary entry matches to trigger the sensor:

        • All: logical AND condition on matching entries
        • Any: logical OR condition on matching entries

        Table of Dictionary Entries: Create one or more dictionary entries.

      4. Create a new dictionary entry by clicking +Create. In the New Entry slide-in, configure these settings:

        Type: Select a predefined DLP Data Type from the dropdown list.

        Repeat: Enable or disable repeat matching of the selected DLP Data Type.

        Status: Select whether the dictionary entry is Enabled or Disabled.

      5. Click OK to create the new dictionary entry.
      6. Click OK to create the DLP dictionary. You will be prompted to select the newly created dictionary.
      7. Click OK to create the new sensor entry.
      8. Click OK to create the new sensor. You will be prompted to select the newly created sensor.
      9. Click OK to create the new DLP rule.
    2. If you selected MPIP Label for Data Source Type, do the following:
      1. Create a sensitivity label by clicking + next to Sensitivity Label.
      2. In the Create MPIP sensitivity label slide-in, configure these settings:

        Name: Sensitivity label name.

        Sensitivity level GUID: Enter the globally unique identifier (GUID) for your sensitivity label. See Learn about sensitivity labels.

      3. Click OK.
      4. Click OK to create the sensitivity label. FortiSASE prompts you to select the newly created sensitivity label.
      5. Click OK to create the new DLP rule.
  7. Click and drag the DLP rules into the desired order.
    Note

    Repeat any aforementioned step to create multiple entries for these settings:

    • Dictionary entries
    • DLP dictionaries
    • Sensor entries
    • Sensors
    • DLP rules
  8. Configure the updated profile group in a policy:
    1. Go to Configuration > Policies.
    2. Select an existing policy to apply the profile group to and click Edit. Alternatively, create a new policy to apply the profile group to.
    3. In the Profile Group field, select Specify. From the dropdown list, select the desired profile group. The Profile Group field is only available for policies where Action is configured as Accept.
    4. Click OK.
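The component descriptions and the objects the procedure above creates (dictionary entries, dictionaries, sensor entries, sensors, rules) fit together in a fixed way: data types match content, a dictionary combines entries with All/Any logic, a sensor entry requires a number of dictionary matches, a sensor combines its entries with All/Any logic, and an ordered rule maps a sensor, a type and protocols to an action. The following Python model is an added example, not Fortinet's code: the regular expressions behind the data types, the exact counting semantics of Repeat and the match thresholds, the rule-evaluation order and the sample message are all assumptions constructed for illustration.

```python
"""Added example (not Fortinet's code): a model of how FortiSASE DLP components compose."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Data types: hypothetical matchers standing in for the predefined types.
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN, NNN-NN-NNNN

def luhn_ok(number: str) -> bool:
    """Luhn checksum, so digit runs that merely look like card numbers do not count."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_matches(dtype: str, pattern: str, text: str) -> int:
    """Number of occurrences of one data type in the inspected content."""
    matchers = {
        "keyword": lambda: text.lower().count(pattern.lower()),
        "regex": lambda: len(re.findall(pattern, text)),
        "hex": lambda: text.encode().count(bytes.fromhex(pattern)),  # pattern like "4d5a"
        "credit-card": lambda: sum(1 for m in _CARD_RE.finditer(text) if luhn_ok(m.group())),
        "ssn-us": lambda: len(_SSN_RE.findall(text)),
    }
    return matchers[dtype]()

@dataclass
class DictionaryEntry:
    type: str
    pattern: str = ""
    repeat: bool = False  # Repeat: count every occurrence instead of at most one
    enabled: bool = True  # Status

@dataclass
class Dictionary:
    name: str
    match_all: bool  # All = logical AND over entries, Any = logical OR
    entries: List[DictionaryEntry]

    def evaluate(self, text: str) -> int:
        """Dictionary match count, or 0 when the dictionary does not trigger."""
        counts = []
        for e in self.entries:
            if e.enabled:
                n = count_matches(e.type, e.pattern, text)
                counts.append(n if e.repeat else min(n, 1))
        hits = [c for c in counts if c > 0]
        if not hits or (self.match_all and len(hits) != len(counts)):
            return 0
        return sum(hits)

@dataclass
class SensorEntry:
    dictionary: Dictionary
    matches_needed: int = 1  # "Dictionary matches needed to consider traffic DLP risk"
    enabled: bool = True     # Status

@dataclass
class Sensor:
    name: str
    match_all: bool
    entries: List[SensorEntry]

    def triggered(self, text: str) -> bool:
        results = [e.dictionary.evaluate(text) >= e.matches_needed for e in self.entries if e.enabled]
        return bool(results) and (all(results) if self.match_all else any(results))

@dataclass
class Rule:
    name: str
    sensor: Optional[Sensor]  # None models Data Source Type = none
    action: str               # "allow", "block" or "log-only"
    kind: str                 # Type: "message" or "file"
    protocols: frozenset

def apply_rules(rules: List[Rule], kind: str, protocol: str, text: str) -> Tuple[Optional[str], str]:
    """First matching rule (in the order set in step 7) decides; unmatched traffic is allowed."""
    for r in rules:
        if r.kind == kind and protocol in r.protocols and (r.sensor is None or r.sensor.triggered(text)):
            return r.name, r.action
    return None, "allow"

# Constructed sample configuration and message (test values, not real data).
PII_DICT = Dictionary("pii", match_all=False, entries=[
    DictionaryEntry("ssn-us"), DictionaryEntry("credit-card", repeat=True)])
MARKING_DICT = Dictionary("markings", match_all=False, entries=[
    DictionaryEntry("keyword", "confidential"), DictionaryEntry("regex", r"do not (forward|distribute)")])
PII_SENSOR = Sensor("pii-exfil", match_all=True, entries=[
    SensorEntry(PII_DICT, matches_needed=2),  # at least two PII hits ...
    SensorEntry(MARKING_DICT)])               # ... in content that is also marked
RULES = [Rule("block-marked-pii-mail", PII_SENSOR, "block", "message", frozenset({"smtp", "http"})),
         Rule("log-all-files", None, "log-only", "file", frozenset({"smtp", "http"}))]
SAMPLE_MESSAGE = ("The customer's SSN is 123-45-6789 and the card on file is "
                  "4111 1111 1111 1111. CONFIDENTIAL, do not forward.")

def demo() -> Tuple[Optional[str], str]:
    return apply_rules(RULES, "message", "smtp", SAMPLE_MESSAGE)
```

Running demo() returns ('block-marked-pii-mail', 'block'): the message contains two PII hits and an internal marking, so both sensor entries trigger and the All sensor fires. A message carrying only the marking, or only one PII value, falls through to the allow default, which shows why the match-count threshold and the All/Any choice on the sensor matter when tuning false positives. The Luhn check on the credit-card type is the kind of validation a real data type would need so that arbitrary 16-digit runs do not trip the rule.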