Data Leak Prevention – Fortinet FortiGate

DLP examples

Blocking content with credit card numbers

When the objective is to block credit card numbers one of the important things to remember is that 2 filters will need to be used in the sensor.

In the default Credit-Card sensor, you will notice a few things.

  • The Action is set to Log Only
  • In the Files filter not all of the services are being examined.

If you wish to block as much content as possible with credit card numbers in it instead of just logging most the traffic that has it, the existing sensor will have to be edited.

Security Profile > Data Leak Prevention > Sensor.

Use the drop down menu to select Credit-Card.

  1. Edit the first filter.
    1. Change the Action to Block
    2. Make sure all of the services are being examined.
    3. Select OK
  2. Repeat for the second filter
  3. Select Apply
  4. Edit the appropriate policies so that under Security Profiles, DLP is turned on and the Credit-Card sensor is selected.

Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB

Because the designated size is over 10 MB the proxy options cannot be used to block the file size. Multiple filters will have to be used in this case and the order that they are used is important. Because there is no mechanism to move the filters within the sensor the order that they are added to the sensor is important.

Security Profile > Data Leak Prevention > Sensor.

Create a new sensor

Use the following values

Name large_emails
Comment <optional>

Once the Sensor has been created a new filter will need to be added.

Create New

Use the following values

Filter:

  • Choice between Meassages and Files: choose
  • Choose radio button to the left of File Size
  • In the field for the file size type 15360

1MB = 1024kB, 15 MB = 15 x 1024kB = 15360kB

Examine the following Services

SMTP enabled
POP3 enabled
IMAP enabled
HTTP not enabled
FTP not enabled
AIM not enabled
ICQ not enabled
MSN not enabled
Yahoo! not enabled
NNTP not enabled
MAPI not enabled

Action

  • From the drop down menu choose Block

Select OK

A second filter will need to be added.

Create New

Use the following values

Filter:

  • Choice between Meassages and Files: choose Files
  • Choose radio button to the left of File Size
  • In the field for the file size type 1024

Examine the following Services

SMTP enabled
POP3 enabled
IMAP enabled
HTTP not enabled
FTP not enabled
AIM not enabled
ICQ not enabled
MSN not enabled
Yahoo! not enabled
NNTP not enabled
MAPI not enabled

Action

  • From the drop down menu choose Log Only.

Select OK

Select Apply

Add the sensor to the appropriate policy.

The reason that the block filter is placed first is because the filters are applied in sequence and once the traffic triggers a filter the action is applied and then the traffic is passed on to the next test. If the Log Only filter which checks for anything over 1MB is triggered this would include traffic over 15MB, so a 16 MB file would only be logged. In the described order, the 16 MB file will be blocked and the 3 MB file will be logged.

Selective blocking based on a finger print

The following is a fairly complex example but shows what can be done by combining various components in the correct configuration.

The company has a number of copyrighted documents that it does not want “escaping” to the Internet but it does want to be able to send those documents to the printers for turning into hardcopy.

The policies and procedures regarding this issue state that:

  • Only members of the group Senior_Editors can send copyrighted material to the printers.
  • Every member of the company by default is included in the group employees.
  • Even permitted transmission of copyrighted material should be recorded.
  • All of the printers IP addresses are in a group called approved_printers.
  • There is a file share called copyrighted where any file that is copyrighted is required to have a copy stored.
  • It doesn’t happen often but for legal reasons sometimes these files can be changed, but all versions of a file in this directory need to be secured.
  • All network connections to the Internet must have Antivirus enabled using at least the default profile.
  • The SSL/SSH Inspection profile used will be default.

It is assumed for the purposes of this example that:

  • Any addresses or address groups have been created.
  • User accounts and groups have been created.
  • The account used by the FortiGate is fgtaccess.
  • The Copyrighted sensitivity level needs to be created.
  • The copyrighted material is stored at \\192.168.27.50\books\copyrighted\

Sensitivity Level Addition

config dlp fp-sensitivity

edit copyrighted end

Finger print configuration

Security Profile > Data Leak Prevention > Document Fingerprinting.

In the Document Sources section select Create New

Use the following field values

Name copyrighted_material
Server Type Windows Share
Server Address 192.168.27.50
User Name fgtaccess
Password ******
Path books/copyrighted/
Filename Pattern *.pdf
Sensitivity copyrighted
Scan Periodically enabled
<Frequency> Daily, Hour: 2, Min: 0
Advanced  

 

Fingerprint files in subdirectories enabled
Remove fingerprints for deleted files not enabled
Keep previous fingerprints for modified files enabled

Create DLP Sensors

Security Profile > Data Leak Prevention > Sensor

Create a new sensor. This can be done one of two ways.

  • In the menu bar at the top on the right hand, use the Create New icon (circle with + symbol inside).
  • In the menu bar at the top on the right hand, use the View List icon to go to the list window and use the Create New icon on the top left of that page.

Two Sensors need to be created. One for blocking the transmission of copyrighted material and a second for allowing the passing of copyrighted material under specific circumstances.

Configuration for the first sensor that blocks transmission.

Use the following field values:

Name block_copyrighted
Comment <optional>

Once the Sensor has been created a new filter will need to be added.

Create New

Use the following values

Filter:

  • Choice between Meassages and Files: choose Files
  • Choose radio button to the left of File Finger Print
  • From the drop down for File Finger Print choose “copyrighted”

Examine the following Services

SMTP enabled
POP3 enabled
IMAP enabled
HTTP enabled
FTP enabled
AIM enabled
ICQ enabled
MSN enabled
Yahoo! enabled
NNTP enabled
MAPI enabled

Action

  • From the drop down menu choose Block

Configuration for the second sensor that allows transmission.

Use the following field values:

Name allow_copyrighted
Comment <optional>

Once the Sensor has been created a new filter will need to be added.

This will be identical to the filter in the block_copyrighted sensor except that the action will be Log Only.

Create policies and attach DLP sensors

Policy to allow transmission of copyrighted material

Policy > Policy > Policy

Create New

Use the following values in the Policy:

Policy Type Firewall
Policy Subtype User Identity
Incoming Interface LAN
Source Address all
Outgoing Interface wan1
Enable NAT enabled — Use Destination Interface Address
Enable Web cache <optional>
Enable WAN Optimization <optional>
Skip this policy for unauthenticated user do not enable
Disclaimer <optional>

Customize authentication <optional>

Messages

Page 141

Configure Authentication Rules:

Destination Address approved_printers
Group(s) Senior_Editors
User(s) <optional>
Schedule always
Service ALL
Action ACCEPT
Log Allowed Traffic <optional>
Security Profiles  
Antivirus <ON> default
Webfilter <optional>
Application Control <optional>
IPS <optional>
Email Filter <optional>
DLP Sensor <ON> Copyrighted
VoIP <optional>
ICAP <optional>
Proxy Options  
SSL/SSH Inspection <ON>
Traffic Shaping <optional>

This policy should be place as close to the beginning of the list of policies so the it is among the first tested against.

Policy to block transmission of copyrighted material

This will in effect be the default template for all following policies in that they will have to use the DLP profile that blocks the transmission of the copyrighted material.

Policy > Policy > Policy

Create New or Edit the existing policies.

The fields should include what ever values you need to accomplish your requirements are but each policy should include the DLP sensor block_copyrighted or if a different DLP configuration is required it should include a filter that blocks copyrighted fingerprinted file.

If you need to create a policy that is identity based make sure that there is an Authentication rule for the group employees that uses the DLP sensor that blocks copyrighted material.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.