Fortigate Security: Data Leak Prevention (DLP)


FortiGate Security

Data Leak Prevention (DLP)

FortiOS 6.0.0

© Copyright Fortinet Inc. All rights reserved. Last Modified: Sunday, October 04, 2020
Lesson Overview

DLP Overview

DLP Filters

DLP Fingerprinting

DLP Archiving

Best Practices

DLP Overview
Objectives
• Define the purpose and function of DLP
DLP Role in Network Security
• Most UTM scans are used to block traffic from entering the network:
o Web filtering, antivirus, email filtering, and more
• DLP blocks it from leaving the network:
o Sensitive documents
o Account numbers
o Personal data
• Compromise of crucial data can be financially more damaging than a virus outbreak or spam.

How DLP Works
• DLP uses pattern recognition.
• The DLP engine delegates scanning duties to appropriate processes (IPS, proxy).
The engine doesn’t directly scan any traffic.
• Filters define the pattern(s) to scan for in the packet or file.
• The sensor contains filters: a list of match criteria.
• FortiGate applies the first matching filter.
[Figure: DLP Sensor Match? Filter 1, Filter 2 and Filter 3 are evaluated in order; the first filter that matches determines the Action]
Knowledge Check
1. Which of the following statements about DLP is correct?
A. DLP can traffic shape the user who is trying to leak sensitive data.
B. DLP prevents specific data from leaving a network.

DLP Filters
Objectives
• Differentiate filter types for files from filter types for messages
• Configure DLP filters for files and for messages
Choosing Which Protocols to Scan
Security Profiles > Data Leak Prevention
• Secure protocols (such as HTTPS) aren’t listed as options.
• If SSL/SSH inspection is enabled, FortiGate will scan both the secure and non-secure versions of each chosen protocol, for example, both HTTPS and HTTP.

Choosing the DLP Action
Security Profiles > Data Leak Prevention
• Allow — Do not act on DLP; continue to the next scan (if any).
• Log Only — Record a log message or alert email, or both, but do not drop or quarantine.
• Block — Drop the packet, replace it with a DLP blocked replacement message, and log it.
• Quarantine IP Address — Block access for any IP address that sends traffic matching a sensor.
o Add the IP address to the banned user list.
o Must configure expiry time: how long this IP will be blocked.

Configuring Filters for Messages or Files
Security Profiles > Data Leak Prevention
• Credit card filters can match: Visa, MasterCard, American Express, Discover, JCB, Diners Club
• Need to match custom text or numbers? Use regular expressions with PCRE syntax—not Perl regex, Ruby, or others.
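The slide says custom message filters are PCRE regular expressions. The following is an added Python illustration (not FortiOS code and not from the original deck) of what such a credit-card filter does when run over message bodies: the regex finds candidate digit runs and a Luhn check discards random numbers that merely look like card numbers. The pattern, the Luhn step and the sample messages are all assumptions for this example; the slide does not detail how the preconfigured FortiGate credit-card filter is built. Python's re engine accepts the constructs used here exactly as PCRE does.

```python
import re

# Assumed PCRE-compatible pattern: 13 to 19 digits, optionally separated by
# single spaces or hyphens. Python's re and PCRE share every construct used.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn check-digit validation; rejects most random digit runs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return normalized card numbers found in text (regex hit plus Luhn pass)."""
    found = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

# Constructed sample messages (not from the original deck).
SAMPLE_MESSAGES = [
    "Please charge 4111 1111 1111 1111 for the invoice.",      # valid test number
    "Reference 1234-5678-9012-3456 is our internal ticket id.",  # 16 digits, fails Luhn
    "Call extension 5551234 for details.",                     # too short to be a card
]

def scan(messages):
    """Map each message index to the card numbers it would leak; [] means no match."""
    return {i: find_card_numbers(msg) for i, msg in enumerate(messages)}

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_MESSAGES).items():
        print(index, "BLOCK" if hits else "allow", hits)
```

Only the first message is flagged; the ticket number in the second message has the right shape but fails the Luhn check, which is the kind of false positive a bare regex would produce.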

Example: Credit Card Message Filter
• Preconfigured filters available
• Block action generates a log
• Click Details and Security for more information

Log & Report > Forward Traffic

File Name Patterns
• Patterns specified by:
o Full or partial file name
o Full or partial file extension
o A combination of name and extension
[Figure: File name match? The files mona.jpg, painting.jpg, nicepainting.png and nicepainting.jpg are tested against two patterns: *.jpg matches mona.jpg, painting.jpg and nicepainting.jpg but not nicepainting.png; nice*.jpg matches only nicepainting.jpg]
File Types
[Figure: File type match? Example types: JPEG image, BMP image, CAB archive, ZIP archive, Executable]
• File type matching is based on binary contents. The file name and extension are not involved.
• File type matching functions even if the user tries to circumvent DLP by changing the file name or extension.
• Supported file types are hard-coded into FortiOS firmware.
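The two slides above make one defensive point: a file name pattern is a glob over the name, while a file type match looks only at the bytes, so renaming an executable to .jpg does not hide it from a type filter. The following is an added Python illustration of that distinction (not FortiOS code and not from the original deck). The signature table, the sample files and the evaluate helper are assumptions for this example; FortiOS keeps its own hard-coded type list in firmware.

```python
import fnmatch

# Constructed sample files: name -> leading bytes (not from the original deck).
SAMPLE_FILES = {
    "mona.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "painting.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "nicepainting.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "nicepainting.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 12,
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 12,   # an executable renamed to .jpg
    "notes.txt": b"PK\x03\x04" + b"\x00" * 12,     # a ZIP archive renamed to .txt
}

# Assumed signature table for illustration only; FortiOS has its own list in firmware.
MAGIC = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"BM", "BMP image"),
    (b"MSCF", "CAB archive"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"MZ", "Executable"),
]

def detect_type(data):
    """Classify by leading bytes only; the name and extension play no part."""
    for signature, type_name in MAGIC:
        if data.startswith(signature):
            return type_name
    return "unknown"

def name_matches(name, pattern):
    """Case-insensitive glob match, e.g. '*.jpg' or 'nice*.jpg'."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())

def evaluate(files, name_patterns, blocked_types):
    """Per file: detected type, whether a name pattern or a blocked type matched, and the verdict."""
    verdicts = {}
    for name, data in files.items():
        file_type = detect_type(data)
        by_name = any(name_matches(name, p) for p in name_patterns)
        by_type = file_type in blocked_types
        verdicts[name] = {"type": file_type, "name_match": by_name,
                          "type_match": by_type, "block": by_name or by_type}
    return verdicts

if __name__ == "__main__":
    for name, v in evaluate(SAMPLE_FILES, ["nice*.jpg"], {"Executable", "ZIP archive"}).items():
        print(name, v)
```

With the name pattern nice*.jpg and the blocked types Executable and ZIP archive, nicepainting.jpg is caught by name, while holiday.jpg and notes.txt are caught by content despite their harmless-looking extensions; mona.jpg and nicepainting.png pass.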
File Filters
Security Profiles > Data Leak Prevention
• To match specific files or file types, use the Specify File Types and/or the File Name Patterns subfilters.
o Specify File Types draws on a predefined list.
o File Name Patterns are configured manually.
• The File Name Patterns list is customizable:
o List is empty until you add specific custom patterns
o Type pattern in Search field
o Click green plus sign to add pattern to list

Knowledge Check
1. Which actions can you configure in a DLP filter?
A. Monitor
B. Log only

2. Which filter types can be configured for DLP?
A. Folders type filter
B. Messages type filter
DLP Fingerprinting
Objectives
• Configure DLP fingerprinting
How Fingerprinting Works
• FortiGate scans the share, looking for file names matching the pattern
• Makes fingerprints for matching files
o FortiGate makes one checksum for each chunk of the file
o Stores checksums of chunks, not the file—works with large files
o If at least one chunk matches, DLP positively identifies the file
o Can function even if the file is changed a little
• Default chunk size is 2800 bytes; it is set on the CLI:
    config dlp settings
        set chunk-size [100-100000]
    end
o Changing chunk size flushes the entire fingerprint database
• When checking traffic for a DLP match, if the sensitivity matches, the action is applied
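The slide describes fingerprinting as per-chunk checksums, a match on at least one chunk, and a database flush when the chunk size changes. The following is an added Python model of that behaviour (not FortiOS code and not from the original deck). Fixed-offset chunking, SHA-256 as the checksum, the sample documents and the FingerprintDB class are all assumptions; the slide does not say how FortiOS chunks a file. The model also shows the limit of fixed-offset chunking: an in-place edit leaves the untouched chunks matching, but inserting a single byte at the front shifts every chunk boundary and nothing matches. Whether FortiOS tolerates that case is not stated on the slide.

```python
import hashlib

CHUNK_SIZE = 2800  # FortiOS default quoted on the slide

def fingerprint(data, chunk_size=CHUNK_SIZE):
    """One digest per fixed-size chunk, in file order.
    Assumption: fixed-offset chunking and SHA-256; FortiOS's real scheme is not documented here."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]

class FingerprintDB:
    """Stores chunk checksums tagged with a sensitivity level, never the files themselves."""

    def __init__(self, chunk_size=CHUNK_SIZE):
        self.chunk_size = chunk_size
        self.chunks = {}  # digest -> sensitivity

    def add_document(self, data, sensitivity):
        for digest in fingerprint(data, self.chunk_size):
            self.chunks[digest] = sensitivity

    def set_chunk_size(self, new_size):
        # As on the slide: changing chunk-size flushes the whole database, because
        # every stored digest was computed over the old chunk boundaries.
        self.chunk_size = new_size
        self.chunks = {}

    def match(self, data):
        """Sensitivity of the first stored chunk found in data, or None (no match)."""
        for digest in fingerprint(data, self.chunk_size):
            if digest in self.chunks:
                return self.chunks[digest]
        return None

# Constructed sample documents (not from the original deck).
ORIGINAL = bytes(range(256)) * 40                                  # 10240 bytes -> 4 chunks
EDITED_IN_PLACE = ORIGINAL[:9000] + b"X" * 100 + ORIGINAL[9100:]   # only the last chunk changed
PREPENDED = b"Z" + ORIGINAL                                        # one inserted byte shifts every chunk
UNRELATED = b"quarterly newsletter " * 500

def build_db():
    db = FingerprintDB()
    db.add_document(ORIGINAL, "Critical")
    return db

def demo():
    db = build_db()
    results = {
        "original": db.match(ORIGINAL),
        "edited_in_place": db.match(EDITED_IN_PLACE),
        "prepended": db.match(PREPENDED),
        "unrelated": db.match(UNRELATED),
    }
    db.set_chunk_size(4096)                  # flushes the database
    results["after_resize"] = db.match(ORIGINAL)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

After the chunk size change the original document no longer matches until the share is rescanned, which is why the slide warns that resizing flushes the whole database.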

Configuring Fingerprint Sensitivity
• DLP sensor actions apply to all fingerprints with the corresponding sensitivity level.
• Default sensitivity levels are:
o Critical
o Private
o Warning
• You can configure custom fingerprint sensitivity levels on the CLI.
    config dlp fp-sensitivity
        edit <sensitivity_level_name>
        next
    end

Configuring Network Share for Fingerprinting
• Network share documents are remote file shares, periodically scanned to update
fingerprints.
• They are configured on the CLI:
    config dlp fp-doc-source
        edit <name_str>
            set server-type <samba>
            set server <IPv4 or IPv6>
            set username <login username>
            set password <login password>
            set file-path <path to file on the server>
            set file-pattern <string>
            set sensitivity <DLP fingerprint sensitivity>
            set period [none | daily | weekly | monthly]
        next
    end

Configuring DLP Sensor for Fingerprinting
• The fingerprint feature is enabled only on the CLI for each filter in the DLP sensor.
o If configured on the CLI, it becomes visible on the GUI.
• DLP sensor actions apply to all fingerprints with its sensitivity level.

Security Profiles > Data Leak Prevention

    config dlp sensor
        edit <name>
            config filter
                edit <filter ID>
                    set proto http-get
                    set filter-by fingerprint
                    set fp-sensitivity "Critical"
                next
            end
        next
    end

[Figure: the fingerprint filter is enabled on the CLI for a DLP filter; it becomes visible on the GUI after it has been enabled on the CLI for the configured DLP filter]

DLP Sensor
• DLP applies only to the first (top) filter that matches, and skips subsequent DLP filters.
• Order of filters in the DLP sensor:
o Strict filters should be at the top of the list.
o Catch-all filters should be at the bottom of the list.
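Because only the first matching filter acts, a catch-all filter placed above a strict one silently shadows it. The following is an added Python model of a sensor's top-to-bottom evaluation (not FortiOS code and not from the original deck), with the same two filters in both orders; the regex criteria, action names and sample messages are assumptions for this example.

```python
import re

def make_filter(name, pattern, action):
    """A DLP filter: a match criterion (here a regex) and the action to apply."""
    regex = re.compile(pattern)
    return {"name": name, "matches": lambda text: regex.search(text) is not None,
            "action": action}

def evaluate_sensor(sensor, text):
    """Apply the first matching filter from the top; later filters are skipped."""
    for f in sensor:
        if f["matches"](text):
            return f["name"], f["action"]
    return None, "allow"  # nothing matched: DLP takes no action

# Strict filter: a 16-digit card-shaped number. Catch-all: any run of 4+ digits.
STRICT = make_filter("card-number", r"\b(?:\d[ -]?){15}\d\b", "block")
CATCH_ALL = make_filter("any-long-number", r"\d{4,}", "log-only")

SENSOR_ORDERED = [STRICT, CATCH_ALL]    # strict at the top, catch-all at the bottom
SENSOR_REVERSED = [CATCH_ALL, STRICT]   # catch-all on top shadows the strict filter

# Constructed sample messages (not from the original deck).
CARD_MSG = "Charge 4111 1111 1111 1111 and send the receipt."
TICKET_MSG = "Ticket 20241004 is still open."
PLAIN_MSG = "Lunch at noon?"

if __name__ == "__main__":
    for label, sensor in (("ordered", SENSOR_ORDERED), ("reversed", SENSOR_REVERSED)):
        for msg in (CARD_MSG, TICKET_MSG, PLAIN_MSG):
            print(label, evaluate_sensor(sensor, msg), "<-", msg)
```

With the strict filter on top the card number is blocked and the ticket number is only logged; with the order reversed the card number is merely logged, because the catch-all matched first and the block filter was never consulted.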

Security Profiles > Data Leak Prevention

Knowledge Check
1. Which statement about the document fingerprinting feature in DLP is true?
A. You can manually upload files to FortiGate for document fingerprinting.
B. Changing the chunk size will flush the entire database of document fingerprinting.

2. Which statement about fingerprinting sensitivity in DLP is true?
A. Custom fingerprint sensitivity level can be configured on the CLI only.
B. FortiGate appends a fingerprint sensitivity tag to all emails sent by users.

DLP Archiving
Objectives
• Enable DLP archiving
• Implement summary archiving
• Implement full archiving
Summary Archiving
• Logs matching traffic (URL, email header To/From, and so on)
• Supported protocols:
o SMTP
o POP3
o IMAP
o MAPI
o HTTP (GET and POST methods only)
o FTP
o NNTP
• Enabled on the CLI:
    config dlp sensor
        edit <profile_name>
            set summary-proto <protocol_list>
        next
    end

Full Archiving
• Logs and archives email messages, attachments, webpages
• Can be useful for short term forensics
o Is resource intensive
o Should be saved to FortiAnalyzer, but can be a local hard disk
(varies by model)
• Enabled on the CLI:
    config dlp sensor
        edit <profile_name>
            set full-archive-proto <protocol_list>
        next
    end

Knowledge Check
1. Which of the following items can be archived by a DLP sensor that is configured for summary archiving?
A. Sender email address (in the case of SMTP traffic)
B. Attached file (in the case of SMTP traffic)

Best Practices and Troubleshooting
Objectives
• Define best practices for implementing DLP
• Use best practices to avoid implementation issues, common problems, and network issues
Best Practices
• Verify the order of any filters you have created or applied.
• Ensure file name filters are correct for your needs.
• Archiving and logging is highly recommended.
• Create filters for each department or subnet to ensure traffic is handled correctly.
• Use multiple filters based on protocols.
• Ensure that DLP filters are properly replicated to redundant firewall policies for
proper business continuity.
• Use a learning profile.

Knowledge Check
1. When a file matches more than one rule in a DLP sensor, what action does FortiGate take?
A. The action specified by the rule that most specifically matches the file.
B. The action specified in the first rule from top to bottom.

Review
• Define the purpose and function of DLP
• Differentiate filter types for files from filter types for messages
• Configure DLP filters for files and for messages
• Configure DLP fingerprinting
• Enable DLP archiving
• Define best practices for implementing DLP
• Use best practices to avoid implementation issues, common problems, and network impacts
