In this recipe, you will keep files containing sensitive information from leaving your network. To do this, criteria for retaining files are created and applied in a Data Leak Prevention (DLP) security profile. This example applies DLP to retain executable files and files matching a specific file name pattern.
1. Enabling DLP and Multiple Security Profiles
Go to System > Feature Select and confirm that DLP and Multiple Security Profiles are enabled.
2. Creating a DLP profile
Go to Security Profiles > Data Leak Prevention. In the Filter list, select Create New.
Set the filter to look for Files. Select Specify File Types and set File Types to Executable (exe).
Set Examine the Following Services to all the services required by your network.
Set Action to Block.
Create a second filter.
Set the filter to look for Files. Select Specify File Types. In the File Name Patterns field, enter the pattern you wish to match. If desired, use a wildcard character in the pattern.
Set Action to Block.
Both filters now appear in the Filter list.
3. Adding the profile to a security policy
Go to Policy & Objects > IPv4 Policy and edit your Internet-access policy.
Under Security Profiles, enable DLP Sensor and set it to use the new profile.
SSL Inspection is automatically enabled. Set it to use the deep-inspection profile to ensure that DLP is applied to encrypted traffic.
Under Logging Options, enable Log Allowed Traffic and select Security Events.
4. Results
Attempt to send either an .exe file or a file that fits the file name pattern blocked in step 2, using a protocol that the DLP filter is set to examine. Depending on the protocol used, the attempt will either be blocked by the FortiGate or it will time out.
Go to FortiView > All Sessions and select the 24 hours view for information about the blocked session.
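To make the two filter criteria from step 2 concrete, here is an added Python model of how a DLP sensor evaluates a file against an ordered list of file filters; it is example code, not FortiGate's implementation, and the filter names, the sample files and the assumption that the Executable type is identified from the content signature rather than from the extension are mine.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed sample files: name -> first bytes of content (not real files).
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n",
    "setup.exe": b"MZ\x90\x00\x03\x00",
    "setup.txt": b"MZ\x90\x00\x03\x00",      # an executable renamed to look like text
    "salary_2016_q1.xlsx": b"PK\x03\x04",
    "notes.txt": b"meeting at 10\n",
}

@dataclass(frozen=True)
class FileFilter:
    """One DLP file filter: match by detected file type and/or by file name pattern."""
    name: str
    file_types: Tuple[str, ...] = ()      # e.g. ("exe",) -> "Specify File Types"
    name_patterns: Tuple[str, ...] = ()   # e.g. ("salary_*.xlsx",) -> "File Name Patterns"
    action: str = "block"

def detect_file_type(data: bytes) -> Optional[str]:
    """Assumption: executables are recognised by the DOS/PE 'MZ' signature, so renaming does not hide them."""
    if data.startswith(b"MZ"):
        return "exe"
    return None

def filter_matches(flt: FileFilter, filename: str, data: bytes) -> bool:
    if flt.file_types and detect_file_type(data) in flt.file_types:
        return True
    # fnmatchcase gives shell-style wildcards (* and ?) without case folding.
    return any(fnmatch.fnmatchcase(filename, p) for p in flt.name_patterns)

def evaluate(sensor: Sequence[FileFilter], filename: str, data: bytes) -> Tuple[str, Optional[str]]:
    """Return (action, matching filter name); ("allow", None) if no filter matches."""
    for flt in sensor:
        if filter_matches(flt, filename, data):
            return flt.action, flt.name
    return "allow", None

# The two filters from step 2 of the recipe (filter names are illustrative).
SENSOR = (
    FileFilter(name="block-executables", file_types=("exe",)),
    FileFilter(name="block-salary-files", name_patterns=("salary_*.xlsx",)),
)

if __name__ == "__main__":
    for fname, content in SAMPLE_FILES.items():
        print(f"{fname:22} -> {evaluate(SENSOR, fname, content)}")
```

The renamed setup.txt is still blocked by the type filter, which is why content-based type detection matters more than the extension; the name-pattern filter, by contrast, only sees the file name.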
For further reading, check out Data leak prevention in the FortiOS 5.4 Handbook.
The post Preventing data leaks appeared first on Fortinet Cookbook.