Preventing data leaks


In this example, you will block files that contain sensitive information from leaving your network. To do this, a Data Leak Prevention (DLP) profile will be used to block files that have a DLP watermark applied to them, as well as any .exe files.


1. Enabling DLP and multiple security profiles

Go to System > Config > Features and ensure that DLP is turned ON.
Select Show More and ensure that Multiple Security Profiles is also turned ON. If necessary, Apply your changes.

2. Applying a DLP watermark to a file

The DLP watermarking client is available as part of FortiExplorer. This feature is currently only available using FortiExplorer for Microsoft Windows. 

If you do not already have FortiExplorer on your computer, you can download it here.


Open FortiExplorer. Under Tools, select DLP Watermark. Select Apply Watermark to Select File. Select the file and set the Sensitivity Level, Identifier, and Output Directory. Select Apply Watermark.
A dialogue box will show the file being processed. Ensure that the process was successful.

3. Creating a DLP profile

Go to Security Profiles > Data Leak Prevention and create a new profile.
In the Filter list, select Create New.

Set the filter to look for Files. Select Watermark Sensitivity and set it to match the watermark applied to the file. Do the same for Corporate Identifier.

Set Examine the Following Services to all the services required by your network.

Set Action to Block.

Create a second filter.

Set the filter to look for Files. Select Specify File Types and set File Types to Executable (exe).

Set Examine the Following Services to all the services required by your network.

Set Action to Block.

Both filters now appear in the Filters list.

4. Adding the profile to a security policy

Go to Policy & Objects > Policy > IPv4 and edit your Internet-access policy. 

Under Security Profiles, enable DLP Sensor and set it to use the new profile.

SSL Inspection is automatically enabled. Set it to use the deep-inspection profile to ensure that DLP is applied to encrypted traffic.

Under Logging Options, enable Log Allowed Traffic and select Security Events.
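
The profile from step 3 and the policy settings from step 4 can also be written as FortiOS CLI configuration, which is easier to review and keep under change control than GUI settings. This is an added example, not part of the original recipe: the sensor name, table and policy IDs, protocol list, and the sensitivity and identifier values are placeholders, and the syntax is assumed to follow the FortiOS 5.2 CLI, so confirm it on your unit before applying it.

```text
# Added example (not from the recipe). Names, IDs and values are placeholders.
# File-pattern table used by the second filter; ID 3 is assumed to be unused.
config dlp filepattern
    edit 3
        set name "exe-only"
        config entries
            edit "exe"
                set filter-type type
                set file-type exe
            next
        end
    next
end
config dlp sensor
    edit "block-sensitive"
        config filter
            # Filter 1: watermarked files. Sensitivity and identifier must
            # match the values chosen when the watermark was applied in step 2.
            edit 1
                set type file
                set filter-by watermark
                set sensitivity "Critical"
                set company-identifier "example-corp"
                set proto smtp pop3 imap http-get http-post ftp
                set action block
            next
            # Filter 2: executables, using file-pattern table 3 defined above.
            edit 2
                set type file
                set filter-by file-type
                set file-type 3
                set proto smtp pop3 imap http-get http-post ftp
                set action block
            next
        end
    next
end
# Policy ID 1 is assumed to be the Internet-access policy.
config firewall policy
    edit 1
        set utm-status enable
        set dlp-sensor "block-sensitive"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set logtraffic utm
    next
end
```

Here `set logtraffic utm` corresponds to the Security Events logging option, and the `proto` list should be changed to the services your network actually uses.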

5. Results

Attempt to send either the watermarked file or an .exe file using a protocol that the DLP filter is examining. Depending on which protocol is used, the attempt will either be blocked by the FortiGate or it will time out.
Go to System > FortiView > All Sessions and select the 5 minutes view for information about the blocked session.

For further reading, check out Data leak prevention in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.
  • Amit

    Hi Victoria

    Can you please help me to open a TCP port in FortiGate 5.4?
    Actually, CCTV is installed in my office and I want to access it through my laptop from a different network. The CCTV already has a static IP, the DVR is online, and the port number is 25001.

  • Victoria Martin

    Hi Amit,

    I’m glad you got the DLP working. For your authentication issues, I would suggest contacting Fortinet Support:

  • Amit

    Thanks for your reply. I don’t want to block any file type; I want to monitor what users send by mail. So once I activate this, from where can I get the log file?

    • Victoria Martin

      Hi Amit,

      To monitor files rather than block them, you just need to make one change to this recipe: in the first part of step 3, set Action to Monitor, rather than to Block.

      I haven’t tested this but the logs should be in the same place as shown in the recipe, since the DLP profile will be triggered when a file you’re monitoring for is discovered.

  • Amit

    I am using a FortiGate.

  • Amit

    I want to configure DLP on my firewall. Can you please help to resolve this?

    • Victoria Martin

      Hi Amit,

      If you follow the steps listed in this recipe, you will be able to configure DLP.

  • pawan kumar

    How do we configure DLP in FortiGate 5.6.2 in flow-based?

  • Nobita Le

    Hi Victoria Martin,

    How about firmware 5.4?

  • Zlimmen

    Could this be used to block .src files?

    I am looking for a way to block the CTB ransomware.

    Does anyone have any tips on how I should do this? If it is even possible to do on FortiGate.