FortiGate II

Data Leak Prevention (DLP)

FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: Wednesday, April 29, 2020
1
Objectives
• Purpose and function of FortiGate DLP
• Differentiate filter types for files vs. messages
• Configure DLP filters
o Messages

o Files

• Configure DLP Fingerprinting

• Archive to store copies of files and messages

2
DLP Role in Network Security
• Most UTM scans are used to block traffic from entering
o Web filtering, antivirus, email filtering, and more
• Data leak prevention (DLP) blocks it from leaving
o Sensitive documents
o Account numbers
o Personal data
• Compromise of crucial data can be financially more damaging than a
virus outbreak or spam

3
How DLP Works
• Pattern recognition
• DLP engine delegates scan to appropriate processes (IPS, proxy)
o Engine doesn’t directly scan any traffic
• Filters define pattern(s) to DLP Sensor Match?
scan for in packet/file
1. Filter 1
• Sensor contains filters –
list of match criteria 2. Filter 2
• FortiGate applies first 3. Filter 3
matching filter
Action

4
Choosing Which Protocols to Scan
o Show DLP in GUI menu:
• System > Feature Select
• Security Profiles > Data Leak Prevention
• Secure protocols (such as HTTPS)
aren’t listed as options
o IfSSL/SSH inspection is enabled,
FortiGate will scan both secure and
non-secure versions of each chosen protocol - e.g. both HTTPS and HTTP

5
Choosing the DLP Action
• Allow — Do not act on DLP; continue
to the next scan (if any).
• Log Only — Record a log message
and/or alert email, but do not drop or
quarantine.
• Block — Drop the packet and replace
with DLP blocked replacement
message and log it.
• Quarantine IP Address — Block
access for any IP address that sends
traffic matching a sensor.
o Add IP address to Banned User list
o Must configure expiry time: how long
this IP will be blocked

6
Configuring Filters for Messages or Files
• Credit cards can be:
Visa, MasterCard, American Express, Discovery, JCB, Diner’s Club
• Need to match custom text/numbers? Use regular
expressions with PCRE syntax – not Perl regex, Ruby, or
others

7
Example: Credit Card Message Filter
• Preconfigured filters available
• Block action generates a log
o Log & Report > Forward Traffic
• Click Details and Security for more information

8
File Name Patterns
Patterns specified by:
• Full or partial file name
• Full or partial file extension File Name Match?
• A combination of name and extension
mona.jpg
painting.jpg
nicepainting.png
nicepainting.jpg
*.jpg
nicepainting.jpg
nice*.jpg

9
File Types

File Type Match?

JPEG image
BMP image
CAB archive
• Based on binary contents,
regardless of file name / extension ZIP archive
o Functions even if user tries to
circumvent DLP by changing file Executable
name / extension
• Supported file types hard-coded into
FortiOS firmware

10
File Filters
• Microsoft Office files: use both File Types and File Name Patterns
• Office 2007 and earlier had binary files (best scan is File Type)
• Office 2010+ has zipped XML files (best scan is File Name Pattern)
o http://en.wikipedia.org/wiki/Office_Open_XML

Predefined
Predefined
dropdown
dropdown list
list

Configured
Configured
manually
manually

11
How Fingerprinting Works
• FortiGate scans share, looking for file names matching the pattern
• Makes fingerprints for matching files
o FortiGate makes one checksum for each chunk of the file
o Stores checksums of chunks, not the file– works with large files
o If at least one chunk matches, DLP positively identifies the file
o Can function even if the file is changed a little
• Default chunk size is 2800 bytes
# config dlp settings
# set chunk-size [100-100000]
# end
o Changing chunk size flushes entire database
• When checking traffic for DLP match, if sensitivity matches, action is applied

12
Configuring Fingerprint Sensitivity
• DLP sensor actions apply to all fingerprints with its sensitivity level
• Default levels:
o Critical

o Private

o Warning

• Can configure custom fingerprint sensitivity level from CLI

config dlp fp-sensitivity

edit <sensitivity - level_name>
end

13
Configuring Network Share for Fingerprinting
• Network share documents are remote file shares, periodically scanned
to update fingerprints
• Configured from CLI:
config dlp fp-doc-source
edit <name_str>
set server-type {samba}
set server <IPv4 or IPv6>
set username <login username>
set password <login password>
set file-path <path file on the server>
set file-pattern <string>
set sensitivity <DLP fingerprint sensitivity>
set period {none | daily | weekly | monthly}
end

14
Configuring DLP Sensor for Fingerprinting
• Fingerprint feature is enabled from CLI (only) for each filter in DLP sensor
o If configured in CLI becomes visible in GUI
• DLP sensor actions apply to all fingerprints with its sensitivity level

config dlp sensor

edit <name>
config filter
edit <filter ID>
set proto http-get
set filter-by fingerprint
set fp-sensitivity "Critical"
next
end

Enabled
Enabled in
in CLI
CLI for
for Visible
Visible in
in GUI
GUI after
after enabling
enabling inin CLI
CLI
DLP
DLP filter
filter for
for configured
configured DLP
DLP filter
filter

15
DLP Sensor
• DLP applies only the first (topmost) filter that matches, if any
• Skips subsequent DLP filters
o Most strict filters should be at the top of the list in the DLP sensor
o Catch-all filters should be at the bottom

16
Summary Archiving
• Logs matching traffic (URL, email header To/From, and so on)
• Supported protocols:
o SMTP

o POP3

o IMAP

o MAPI

o HTTP (GET and POST methods only)

o FTP

o NNTP

• Enabled in CLI
config dlp sensor
edit <profile_name>
set summary-proto <protocol_list>
end

17
Full Archiving
• Log and archive email messages, attachments, webpages
• Can be useful for short term forensics
o Resource intensive
o Should be saved to a FortiAnalyzer, but can be local hard disk
(varies by model)
• Enabled in CLI
config dlp sensor
edit <profile_name>
set full-archive-proto <protocol_list>
end

18
Review
 Why use DLP?
 Messages filter and file filters
 Sensors and filters
 Document fingerprinting
 Summary vs. full content archiving

19