Preventing data leaks


In this recipe, you will keep files containing sensitive information from leaving your network. To do this, you create criteria for blocking files and apply them in a Data Leak Prevention (DLP) security profile. This example uses DLP to block Windows executable (.exe) files and files whose names match a specific file name pattern. Note: DLP can only be configured for FortiGate units (and policies) using proxy-based inspection; it is not available for flow-based inspection.


1. Enabling DLP and Multiple Security Profiles

Go to System > Feature Select and confirm that DLP and Multiple Security Profiles are enabled. If either is disabled, enable it and apply the change; the DLP menu and the DLP Sensor option in policies do not appear otherwise.

2. Creating a DLP profile

Go to Security Profiles > Data Leak Prevention. In the Filter list, select Create New.

Set the filter to look for Files. Select Specify File Types and set File Types to Executable (exe). The file type filter identifies a file by its content rather than its extension, so renaming an executable to .pdf or .txt does not evade this filter.

Set Examine the Following Services to every service over which files could leave your network (for example, HTTP, FTP, and the email protocols your users rely on). A file sent over a service that is not selected here is never inspected by this filter.

Set Action to Block.


Create a second filter.

Set the filter to look for Files. Select Specify File Types. In the File Name Patterns field, enter the pattern you wish to match. If desired, use a wildcard character in the pattern. Unlike the file type filter, this filter matches only the file name, so a file with sensitive content but a different name is not caught by it; select the same services to examine as in the first filter.

Set Action to Block.

Both filters now appear in the Filter list.


3. Adding the profile to a security policy

Go to Policy & Objects > IPv4 Policy and edit your Internet-access policy.

Under Security Profiles, enable DLP Sensor and set it to use the new profile.

SSL Inspection is automatically enabled. Set it to use the deep-inspection profile so that DLP is applied to encrypted traffic as well; with certificate inspection only, files uploaded over HTTPS or sent over TLS-protected mail sessions are not visible to the DLP sensor.

Under Logging Options, enable Log Allowed Traffic and select Security Events.


4. Results

Attempt to send either an .exe file or a file that fits the file name pattern blocked in step 2. Use a protocol that the DLP filters are set to examine. For example, send a file called securityleak.pdf via email or WeTransfer. Depending on which protocol is used, the attempt will either be blocked outright by the FortiGate or it will time out.

Go to FortiView > All Sessions and select the 24 hours view for information about the blocked session. Note that the Security Event identified is DLP.
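To see, before you start sending test files, which transfers the two filters in step 2 would catch and which they would miss, the following script models them offline. It is an added example, not FortiGate code or a FortiOS CLI script: the content-based executable check (MZ header plus PE signature), the case-insensitive wildcard match on the file name, the set of examined services, the name patterns and the sample transfers are all constructed here for illustration, and the FortiGate's own detection engine is not reproduced.

```python
"""Offline model of the two DLP filters in this recipe (added example,
not FortiGate code).

Filter 1: Files / Specify File Types = Executable (exe)   -> Block
Filter 2: Files / File Name Patterns (wildcards allowed)  -> Block

The type filter is modelled on file content (an 'MZ' DOS header plus a
'PE\\0\\0' signature at the offset stored at 0x3C), not on the extension.
The name filter is a glob match on the file name only.
"""
import fnmatch
import struct

# Services selected under "Examine the Following Services" in step 2.
# Constructed for this example; FTP is deliberately left out to show
# what happens when a service is not examined.
EXAMINED_SERVICES = {"http-get", "http-post", "smtp", "pop3", "imap"}

# Patterns entered in the second filter (constructed example values).
NAME_PATTERNS = ["securityleak*", "*.confidential.*"]


def looks_like_pe(data: bytes) -> bool:
    """Content-based 'Executable (exe)' check: 'MZ' at offset 0 and
    'PE\\0\\0' at the little-endian dword offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def name_matches(name: str, pattern: str) -> bool:
    """File name pattern filter with '*' and '?' wildcards.
    Case-insensitive matching is an assumption of this model."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def dlp_verdict(name, data, service,
                patterns=NAME_PATTERNS, services=EXAMINED_SERVICES):
    """Return (action, reason) as the two filters would decide it."""
    if service not in services:
        return ("allow", "service not examined by the DLP sensor")
    if looks_like_pe(data):
        return ("block", "filter 1: file type Executable (exe)")
    for pat in patterns:
        if name_matches(name, pat):
            return ("block", f"filter 2: file name matches {pat}")
    return ("allow", "no filter matched")


def make_fake_pe() -> bytes:
    """A constructed MZ/PE header stub that classifies as an executable.
    It contains no code and is not a runnable program."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> PE header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed test transfers: (file name, content, service)
SAMPLES = [
    ("setup.exe", make_fake_pe(), "http-post"),      # plain exe upload
    ("report.pdf", make_fake_pe(), "smtp"),          # renamed exe: still caught
    ("securityleak.pdf", b"%PDF-1.4\n", "smtp"),     # caught by name pattern
    ("notes.txt", b"hello\n", "http-post"),          # nothing matches
    ("securityleak.pdf", b"%PDF-1.4\n", "ftp"),      # FTP not examined: missed
]


def run_samples():
    """Map (file name, service) -> 'block' or 'allow' for every sample."""
    return {(n, s): dlp_verdict(n, d, s)[0] for n, d, s in SAMPLES}


if __name__ == "__main__":
    for (name, service), action in run_samples().items():
        print(f"{service:10} {name:20} {action}")
```

The last sample is the one to watch: a file that matches the name pattern is allowed simply because the service it travelled over was not selected under Examine the Following Services. When a test transfer in step 4 is unexpectedly allowed, check the service list on each filter before looking anywhere else.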

For further reading, check out Data leak prevention in the FortiOS 5.4 Handbook.

Note: Using the deep-inspection profile may cause certificate errors on client devices. See Preventing certificate warnings for more information.

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2015. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).