Preventing data leaks

In this example, you will block files that contain sensitive information from leaving your network. To do this, a Data Leak Prevention (DLP) profile will be used to block files that have a DLP watermark applied to them, as well as any .exe files.


1. Enabling DLP and multiple security profiles

Go to System > Config > Features and ensure that DLP is turned ON.
Select Show More and ensure that Multiple Security Profiles is also turned ON. If necessary, Apply your changes.

2. Applying a DLP watermark to a file

The DLP watermarking client is available as part of FortiExplorer. This feature is currently only available using FortiExplorer for Microsoft Windows. 

If you do not already have FortiExplorer on your computer, you can download it from Fortinet.

Open FortiExplorer. Under Tools, select DLP Watermark. Select Apply Watermark to Select File. Select the file and set the Sensitivity Level, Identifier, and Output Directory. Select Apply Watermark.

A dialogue box will show the file being processed. Ensure that the process was successful; the DLP filter created in the next step must use the same Sensitivity Level and Identifier that you set here.

3. Creating a DLP profile

Go to Security Profiles > Data Leak Prevention and create a new profile.
In the Filter list, select Create New.

Set the filter to look for Files. Select Watermark Sensitivity and set it to match the watermark applied to the file. Do the same for Corporate Identifier.

Set Examine the Following Services to all the services required by your network.

Set Action to Block.

Create a second filter.

Set the filter to look for Files. Select Specify File Types and set File Types to Executable (exe).

Set Examine the Following Services to all the services required by your network.

Set Action to Block.

Both filters now appear in the Filters list.

4. Adding the profile to a security policy

Go to Policy & Objects > Policy > IPv4 and edit your Internet-access policy. 

Under Security Profiles, enable DLP Sensor and set it to use the new profile.

SSL Inspection is automatically enabled. Set it to use the deep-inspection profile to ensure that DLP is applied to encrypted traffic.

Under Logging Options, enable Log Allowed Traffic and select Security Events.
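The same configuration from steps 3 and 4, entered through the FortiOS CLI instead of the GUI. This is an added example and not part of the original recipe; the sensor name, the company identifier "ExampleCorp", the sensitivity level "Critical", the file-pattern table id 2 (the "all_executables" entry in a default configuration) and firewall policy id 1 are assumed placeholders, and the exact keywords should be checked against the CLI Reference for the FortiOS version in use.

```fortios
# Added example (not part of the original recipe): the DLP sensor from step 3
# and the policy change from step 4, expressed in the FortiOS CLI.
# Assumptions: the sensor name, company identifier "ExampleCorp", sensitivity
# level "Critical", file-pattern id 2 and policy id 1 are placeholders to be
# replaced with the values used in your own configuration.

config dlp sensor
    edit "block-sensitive-files"
        set comment "Block DLP-watermarked files and executables"
        config filter
            # Filter 1: files carrying the FortiExplorer watermark.
            # Sensitivity and identifier must match the watermark exactly.
            edit 1
                set type file
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by watermark
                set sensitivity Critical
                set company-identifier "ExampleCorp"
                set action block
            next
            # Filter 2: executables, matched by file type (not by extension),
            # so renaming an .exe does not bypass the filter.
            edit 2
                set type file
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set filter-by file-type
                set file-type 2
                set action block
            next
        end
    next
end

# Attach the sensor to the Internet-access policy, with deep SSL inspection
# so that files inside HTTPS sessions are also examined, and log UTM events.
config firewall policy
    edit 1
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "block-sensitive-files"
        set logtraffic utm
    next
end
```

After entering the configuration, `show dlp sensor block-sensitive-files` displays the resulting sensor so you can confirm that both filters are present and that the sensitivity level and identifier are spelled exactly as they were in FortiExplorer; a mismatch in either value means the watermarked file passes unmatched.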

5. Results

Attempt to send either the watermarked file or an .exe file using a protocol that the DLP filter is examining. Depending on which protocol is used, the attempt will either be blocked by the FortiGate or it will time out.

Go to System > FortiView > All Sessions and select the 5 minutes view for information about the blocked session.

For further reading, check out Data leak prevention in the FortiOS 5.2 Handbook.

Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.