DLP
FortiSASE data loss prevention (DLP) prevents sensitive data from leaving or entering your network by defining various sensitive data patterns, scanning for the patterns while inspecting traffic, and allowing, blocking, or logging only when traffic matches the patterns.
DLP rules specify how to handle traffic when a sensor or a file type is triggered. Sensors detect specific content types defined in dictionaries.
DLP is configured based on the following components:
| Component | Description |
|---|---|
| Data type | Define the type of pattern within data or content that DLP tries to match. Currently, DLP supports predefined types such as keyword, regular expressions, hex, credit card, and US social security number. |
| Data source type | Define the type of data source that DLP tries to match. Currently, DLP supports predefined types such as sensors, MPIP label, or none. With none, DLP matches using only file or message type and protocol as criteria. |
| Dictionary | Data type entry collections. When selecting a data type such as keyword, regular expressions, or hex, define the pattern that you are looking for. |
| Sensor | Define which dictionaries to check. You can match any dictionary, all dictionaries, or a special logical combination of the dictionaries. A sensor can also count the number of dictionary matches required to trigger it. |
| File pattern | Define file pattern groups based on predefined file types or define your own pattern to match the file name. |
| Rule | Define rules for matching a sensor based on a file type or a message, and the protocol type being used. A rule also lets you choose the action: allow, block, or log only. |

DLP requires deep inspection to decrypt and inspect content in encrypted traffic. See Certificate and deep inspection modes.
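As an added illustration (not FortiSASE code or a configuration export), the following Python models how these components compose: data-type entries inside dictionaries combined with All/Any logic, sensor entries that require a minimum number of dictionary matches, and a rule that maps a triggered sensor to an action. The data-type matchers, the sample dictionaries, sensor, rule and message, and the assumption that a rule fires when any of its selected sensors triggers are all constructed for this example.

```python
import re

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Data types from the table above; each returns how many times the pattern occurs.
DATA_TYPES = {
    "keyword": lambda c, p: c.lower().count(p.lower()),
    "regex": lambda c, p: len(re.findall(p, c)),
    "ssn": lambda c, _: len(re.findall(r"\b\d{3}-\d{2}-\d{4}\b", c)),
    "credit-card": lambda c, _: sum(luhn_ok(re.sub(r"[ -]", "", m))
                                    for m in re.findall(r"\b(?:\d[ -]?){15}\d\b", c)),
}

def dictionary_matches(dictionary, content):
    """Matches across enabled entries; with All logic the count is 0 unless every entry hit."""
    counts = []
    for e in dictionary["entries"]:
        if e.get("enabled", True):
            n = DATA_TYPES[e["type"]](content, e.get("pattern"))
            counts.append(n if e.get("repeat") else min(n, 1))  # Repeat off: count once
    return 0 if dictionary["logic"] == "all" and not all(counts) else sum(counts)

def sensor_triggered(sensor, dictionaries, content):
    """Each sensor entry needs N dictionary matches; entries combine with All (AND) or Any (OR)."""
    hits = [dictionary_matches(dictionaries[e["dictionary"]], content) >= e["matches_needed"]
            for e in sensor["entries"] if e.get("enabled", True)]
    return all(hits) if sensor["logic"] == "all" else any(hits)

def evaluate_rule(rule, sensors, dictionaries, content):
    """Assumption: the rule fires when any selected sensor triggers; otherwise allow."""
    fired = any(sensor_triggered(sensors[s], dictionaries, content) for s in rule["sensors"])
    return rule["action"] if fired else "allow"

# Constructed sample configuration (not a FortiSASE export) and a constructed message.
DICTS = {
    "pan": {"logic": "any", "entries": [{"type": "credit-card", "repeat": True}]},
    "pii": {"logic": "all", "entries": [{"type": "ssn"}, {"type": "keyword", "pattern": "confidential"}]},
}
SENSORS = {"cardholder": {"logic": "any", "entries": [
    {"dictionary": "pan", "matches_needed": 2}, {"dictionary": "pii", "matches_needed": 1}]}}
RULE = {"name": "block-bulk-pii", "sensors": ["cardholder"], "action": "block"}
SAMPLE = "Confidential: cards 4539 1488 0343 6467 and 4111 1111 1111 1111 for SSN 078-05-1120"
if __name__ == "__main__":
    print(evaluate_rule(RULE, SENSORS, DICTS, SAMPLE))  # block
```

The "pan" dictionary only reaches its threshold when two Luhn-valid card numbers appear, while the "pii" dictionary needs both its entries to match because it uses All logic.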
To create a DLP rule:

- Go to Configuration > Security.
- For Profile Group, select an existing profile group to edit, or create a new profile group using + in the Profile Group dropdown list.
- Disable all enabled security features (AntiVirus, Web Filter with Inline-CASB, Intrusion Prevention, DNS Filter) using these steps for each security feature:
  - Click the toggle button next to the security feature widget to disable the feature.
  - Click OK to confirm disabling the security feature.
- In the SSL Inspection widget, ensure deep inspection is enabled:
  - For SSL inspection, click Customize.
  - Select Deep Inspection.
  - Click OK.
- Create a DLP rule:
  - In the Data Loss Prevention (DLP) widget, click the toggle button to enable this feature, and then click Customize.
  - In the DLP slide-in, click Create to create a new DLP rule.
  - In the New Rule slide-in, configure these settings:

    | Field | Description |
    |---|---|
    | Name | Rule name. |
    | Data Source Type | Select the type of data source that DLP tries to match. When you select Sensors or MPIP Label, you must select or create a new DLP sensor or sensitivity label, respectively. |
    | Sensor | If you select Sensors for Data Source Type, select DLP sensors. You must create a new DLP sensor and then select it. |
    | Sensitivity Label | If you select MPIP Label for Data Source Type, select a sensitivity label. You must create a new sensitivity label and then select it. |
    | Severity | Select the severity or threat level that matches this filter. |
    | Action | Action to take with content that this DLP profile matches. |
    | Type | Select whether to check the content of messages (an email message) or files (downloaded files or email attachments). |
    | File type | Select the number of a DLP file pattern table to match. You can either select a predefined file pattern table or create a new one by clicking + in the dropdown list. |
    | Protocol | Check messages or files over one or more of these protocols. |

  - Do one of the following:
    - If you selected Sensors for Data Source Type, do the following:
      - Create a new sensor by clicking + next to Sensor. In the Select Entries slide-in, click + Create on the right to create a new sensor. In the New Sensor slide-in, configure these settings:

        | Field | Description |
        |---|---|
        | Name | Sensor name. |
        | Entry matches needed to trigger sensor | Logic applied to sensor entry matches to trigger the sensor: All (logical AND condition on matching entries) or Any (logical OR condition on matching entries). |
        | Table of entries | Create one or more entries. |

      - Create a sensor entry by clicking + Create. In the New Entry slide-in, configure these settings:

        | Field | Description |
        |---|---|
        | ID | Numerical ID for the sensor entry. |
        | Dictionary | Select the dictionary for this sensor entry. You must create a new dictionary and then select it. |
        | Dictionary matches needed to consider traffic DLP risk | Number of dictionary matches required to trigger the sensor entry. |
        | Status | Select whether the sensor entry is Enabled or Disabled. |

      - Create a dictionary by clicking the Dictionary field and then clicking + Create. In the New DLP Dictionary slide-in, configure these settings:

        | Field | Description |
        |---|---|
        | Name | Dictionary name. |
        | Entry matches needed to trigger sensor | Logic applied to dictionary entry matches to trigger the sensor: All (logical AND condition on matching entries) or Any (logical OR condition on matching entries). |
        | Table of Dictionary Entries | Create one or more dictionary entries. |

      - Create a new dictionary entry by clicking + Create. In the New Entry slide-in, configure these settings:

        | Field | Description |
        |---|---|
        | Type | Select a predefined DLP Data Type from the dropdown list. |
        | Repeat | Enable or disable repeat matching of the selected DLP Data Type. |
        | Status | Select whether the dictionary entry is Enabled or Disabled. |

      - Click OK to create the new dictionary entry.
      - Click OK to create the DLP dictionary. You will be prompted to select the newly created dictionary.
      - Click OK to create the new sensor entry.
      - Click OK to create the new sensor. You will be prompted to select the newly created sensor.
      - Click OK to create the new DLP rule.
    - If you selected MPIP Label for Data Source Type, do the following:
      - Create a sensitivity label by clicking + next to Sensitivity Label.
      - In the Create MPIP sensitivity label slide-in, configure these settings:

        | Field | Description |
        |---|---|
        | Name | Sensitivity label name. |
        | Sensitivity level GUID | Enter the globally unique identifier (GUID) for your sensitivity label. |

      - Click OK.
      - Click OK to create the sensitivity label. FortiSASE prompts you to select the newly created sensitivity label.
      - Click OK to create the new DLP rule.
  - Click and drag the DLP rules into the desired order.

  Repeat any of the preceding steps to create multiple entries for these settings:
  - Dictionary entries
  - DLP dictionaries
  - Sensor entries
  - Sensors
  - DLP rules

- Configure the updated profile group in a policy:
  - Go to Configuration > Policies.
  - Select an existing policy to apply the profile group to and click Edit. Alternatively, create a new policy to apply the profile group to.
  - In the Profile Group field, select Specify. From the dropdown list, select the desired profile group. The Profile Group field is only available for policies where Action is configured as Accept.
  - Click OK.