
Local domain filter

In addition to FortiGuard’s category-based domain filter, you can also define your own local static domain filter to allow or block specific domains.

To configure DNS local domain filter on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. In the Static Domain Filter section, enable Domain Filter.
  3. Click Create New to create your local domain filter entries.

To configure DNS local domain filter on CLI:

config dnsfilter domain-filter
    edit 1
        set name "demo"
        set comment ''
        config entries
            edit 1
                set domain "www.fortinet.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set domain "*.example.com"
                set type wildcard
                set action block
                set status enable
            next
            edit 3
                set domain "google"
                set type regex
                set action monitor
                set status enable
            next
        end
    next
end

To check the DNS local domain filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query log.

Since the local domain filter entry “google” has the action Monitor, the query for www.google.com continues to the FortiGuard category-based domain filter, which blocks it.

To check the DNS local domain filter log in the CLI:

7: date=2019-04-05 time=15:37:06 logid="1501054803" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=4612 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain belongs to a denied category in policy" action="redirect" cat=41 catdesc="Search Engines and Portals"

8: date=2019-04-05 time=15:37:06 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=4612 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN"

9: date=2019-04-05 time=15:36:59 logid="1501054400" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24730 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"

10: date=2019-04-05 time=15:36:59 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24730 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"

11: date=2019-04-05 time=15:36:51 logid="1501054401" type="utm" subtype="dns" eventtype="dnsresponse" level="information" vd="vdom1" eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="13.56.55.78, 54.183.57.55" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"

12: date=2019-04-05 time=15:36:51 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN"

Sequence and priority

In DNS Filter, local domain filter has a higher priority than FortiGuard category-based domain filter.

A DNS query is scanned and matched against the local domain filter first. If an entry matches and that entry’s action is block, the DNS query is blocked or redirected.

If the local domain filter list has no match, the FortiGuard category-based domain filter is used. If the DNS query’s domain name rating belongs to a blocked category, the query is blocked or redirected. If the FortiGuard category-based filter has no match either, the original resolved IP address is returned to the client DNS resolver.

The local domain filter action can be Block, Allow, or Monitor. If a matching entry’s action is Allow, the FortiGuard category-based domain filter is skipped and the resolved address is returned directly to the client DNS resolver. If a matching entry’s action is Monitor, the query continues to FortiGuard category-based domain filter scanning and matching.
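The evaluation order just described, as an added Python model (not FortiOS code): it uses the three local entries from the CLI example above and a constructed stand-in table for the FortiGuard category rating, and returns the same pass/redirect verdicts as the action= field in the DNS log lines above.

```python
import re
from fnmatch import fnmatchcase

# Local domain filter "demo" from the CLI example above, in evaluation order.
LOCAL_FILTER = [
    {"domain": "www.fortinet.com", "type": "simple",   "action": "allow"},
    {"domain": "*.example.com",    "type": "wildcard", "action": "block"},
    {"domain": "google",           "type": "regex",    "action": "monitor"},
]

# Constructed stand-in for the FortiGuard rating service (assumption: a
# fixed table; the real service is a network lookup).
FORTIGUARD_CATEGORY = {
    "www.google.com": 41,    # Search Engines and Portals (as in log line 7)
    "www.example.com": 52,   # Information Technology
}
BLOCKED_CATEGORIES = {41}    # categories this profile is set to block


def local_match(qname, entry):
    """Match one local entry the way its type field says: exact name,
    shell-style wildcard, or regular expression search."""
    pattern = entry["domain"]
    if entry["type"] == "simple":
        return qname.lower() == pattern.lower()
    if entry["type"] == "wildcard":
        return fnmatchcase(qname.lower(), pattern.lower())
    return re.search(pattern, qname, re.IGNORECASE) is not None


def evaluate(qname):
    """Return (verdict, reason) for a query name: 'pass' or 'redirect'."""
    for idx, entry in enumerate(LOCAL_FILTER, start=1):
        if not local_match(qname, entry):
            continue
        # The first local match decides whether FortiGuard is consulted at all.
        if entry["action"] == "allow":
            return "pass", f"allowed by domain-filter entry {idx}"
        if entry["action"] == "block":
            return "redirect", f"blocked by domain-filter entry {idx}"
        break  # monitor: record the hit, then continue to FortiGuard
    category = FORTIGUARD_CATEGORY.get(qname.lower())
    if category in BLOCKED_CATEGORIES:
        return "redirect", f"denied category {category}"
    return "pass", "no match, original resolved IP returned"


if __name__ == "__main__":
    for name in ("www.fortinet.com", "www.example.com", "www.google.com", "mail.fortinet.com"):
        print(name, *evaluate(name))
```

Note that www.example.com is blocked by local entry 2 even though its constructed category (52) is not on the block list, which is the priority rule in action.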


DNS translation

Using this feature, you can translate a DNS resolved IP address to another IP address you specify.

For example, website A has the public address 1.2.3.4, but when your internal network users visit this website you want them to connect to an internal host, say 192.168.3.4. In this case, you can use DNS translation to translate the DNS-resolved address 1.2.3.4 to 192.168.3.4. The reverse is also possible: if you want public DNS queries for your internal server to receive a public IP address, you can translate the DNS-resolved private IP to a public IP address.

Sample configuration

This example configuration forces the DNS Filter profile to translate 93.184.216.34 (www.example.com) to 192.168.3.4. When internal network users query DNS for www.example.com, they do not get the original www.example.com IP, 93.184.216.34; it is replaced with 192.168.3.4.

To configure DNS translation on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter profile.
  2. Enable DNS Translation and click Create New.
  3. Enter the Original Destination (the domain’s original IP address), the Translated Destination IP address, and the Network Mask (in most cases, it’s 255.255.255.255).

To configure DNS translation on CLI:

config dnsfilter profile
    edit "demo"
        set comment ''
        ...
        config dns-translation  <<<====
            edit 1
                set src 93.184.216.34
                set dst 192.168.3.4
                set netmask 255.255.255.255
            next
        end
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end

To check DNS translation using a command line tool before DNS translation:

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27030
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.                 IN  A

;; ANSWER SECTION:
www.example.com.        33946  IN  A   93.184.216.34

;; AUTHORITY SECTION:
example.com.            18578  IN  NS  b.iana-servers.net.
example.com.            18578  IN  NS  a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 10:47:26 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms

To check DNS translation using a command line tool after DNS translation:

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62060
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.                 IN  A

;; ANSWER SECTION:
www.example.com.        32491  IN  A   192.168.3.4  <<<==== resolved IP translated

;; AUTHORITY SECTION:
example.com.            17123  IN  NS  b.iana-servers.net.
example.com.            17123  IN  NS  a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 11:11:41 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms

How the DNS translation network mask works

The following is an example DNS translation configuration and its result.

config dns-translation
    edit 1
        set src 93.184.216.34
        set dst 1.2.3.4
        set netmask 255.255.224.0
    next
end

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6736
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.                 IN  A

;; ANSWER SECTION:
www.example.com.        29322  IN  A   1.2.24.34

;; AUTHORITY SECTION:
example.com.            13954  IN  NS  a.iana-servers.net.
example.com.            13954  IN  NS  b.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 12:04:30 PDT
;; From 172.16.95.16@53(UDP) in 2.0 ms

  1. AND src (original IP) with the negated netmask (93.184.216.34 & ~255.255.224.0):

     01011101.10111000.11011000.00100010  93.184.216.34   <- ip
     00000000.00000000.00011111.11111111  ~255.255.224.0  <- ~netmask
     -----------------------------------  &
     00000000.00000000.00011000.00100010  0.0.24.34       <- right bits

  2. AND dst (translated IP) with the netmask:

     00000001.00000010.00000011.00000100  1.2.3.4         <- dst
     11111111.11111111.11100000.00000000  255.255.224.0   <- netmask
     -----------------------------------  &
     00000001.00000010.00000000.00000000  1.2.0.0         <- left bits

  3. Final step: bitwise-OR the results of steps 1 and 2:

     00000000.00000000.00011000.00100010  0.0.24.34
     00000001.00000010.00000000.00000000  1.2.0.0
     -----------------------------------  |
     00000001.00000010.00011000.00100010  1.2.24.34
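The three bitwise steps above, carried out in Python as an added example (not FortiOS code). It reproduces the 1.2.24.34 result for the /19 mask and the plain replacement for a /32 mask; the rule that an entry only applies to resolved addresses inside src’s network under the netmask is an assumption, since the page only shows the exact-match case.

```python
import ipaddress


def dotted_binary(ip):
    """Render an IPv4 address as four 8-bit groups, as in the worked example."""
    return ".".join(f"{b:08b}" for b in ipaddress.IPv4Address(ip).packed)


def translate(resolved, src, dst, netmask):
    """Apply one dns-translation entry to a resolved A record and return the
    address the client will see.

    Assumption (not stated on the page): the entry applies to every resolved
    address whose network part under netmask equals src's; any other address
    is returned unchanged.
    """
    r, s, d, m = (int(ipaddress.IPv4Address(x)) for x in (resolved, src, dst, netmask))
    if (r & m) != (s & m):
        return resolved
    right_bits = r & (~m & 0xFFFFFFFF)  # step 1: host bits of the resolved IP
    left_bits = d & m                    # step 2: network bits of dst
    return str(ipaddress.IPv4Address(left_bits | right_bits))  # step 3: OR


if __name__ == "__main__":
    # The entry from the example above: src 93.184.216.34, dst 1.2.3.4, /19 mask.
    for label, value in (("ip", "93.184.216.34"), ("~netmask", "0.0.31.255"),
                         ("dst", "1.2.3.4"), ("netmask", "255.255.224.0")):
        print(f"{dotted_binary(value)}  {value:<16} <- {label}")
    print("result:", translate("93.184.216.34", "93.184.216.34", "1.2.3.4", "255.255.224.0"))
```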

How To Manage A FortiSwitch via FortiGate

So this is how you set up a FortiGate to manage a FortiSwitch.

Use FortiGate as a DNS server

You can configure and use FortiGate as a DNS server in your network. When you enable DNS Service on a specific interface, FortiGate listens for DNS queries on that interface.

Depending on the configuration, DNS Service on FortiGate can work in three modes: Recursive, Non-Recursive, or Forward to System DNS (server). For details on how to configure DNS Service on FortiGate, see the FortiGate System Configuration Guide.

You can apply a DNS Filter profile in Recursive mode and Forward to System DNS mode. Filtering then works the same as when FortiGate acts as a transparent DNS proxy for relayed DNS traffic.

To configure DNS Service on FortiGate using GUI:

  1. Go to Network > DNS Servers.
  2. In the DNS Service on Interface, click Create New and select an Interface.

The Recursive and Non-Recursive Mode is available only after you configure the DNS database.

To configure DNS Service on FortiGate using CLI:

config system dns-server
    edit "port10"                     <<<==== Enable DNS Service on the interface
        set mode forward-only
        set dnsfilter-profile "demo"  <<<==== apply the DNS Filter profile to the service
    next
end

Sample configuration

In this example, FortiGate port10 is enabled as a DNS Service with the DNS Filter profile “demo”. Suppose port10 has the IP address 10.1.100.5 and the DNS Filter profile “demo” is set to block category 52 (Information Technology). Then, from a PC on your internal network, use a command line tool such as dig or nslookup to do a DNS query. For example:

# dig @10.1.100.5 www.fortinet.com   <<<==== Specify the FortiGate interface address as the DNS server

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52809
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.fortinet.com.           IN     A

;; ANSWER SECTION:
www.fortinet.com.      60     IN    A     208.91.112.55  <<<==== The DNS Filter profile filters the relayed DNS traffic according to its configuration; the query was blocked and answered with the redirect portal IP

;; Received 50 B
;; Time 2019-04-08 14:36:34 PDT
;; From 10.1.100.5@53(UDP) in 13.6 ms

Email filtering

The FortiGate Email Filter can be configured to do AntiSpam and file-type based filtering. To enable email filtering, create a profile using either the CLI or GUI, then use this profile in the firewall policy.

To configure the email filter profile in the CLI:

config emailfilter profile
    edit "ProfileName"
        set options ?
bannedword      Content block.
spambwl         Black/white list.
spamfsip        Email IP address FortiGuard AntiSpam black list check.
spamfssubmit    Add FortiGuard AntiSpam spam submission text.
spamfschksum    Email checksum FortiGuard AntiSpam check.
spamfsurl       Email content URL FortiGuard AntiSpam check.
spamhelodns     Email helo/ehlo domain DNS check.
spamraddrdns    Email return address DNS check.
spamrbl         Email DNSBL & ORBL check.
spamhdrcheck    Email mime header check.
spamfsphish     Email content phishing URL FortiGuard AntiSpam check.

These options can be reorganized according to the source of the decision:

  • Local options: The FortiGate qualifies the email based on local conditions like BWL, bannedwords, or DNS checks (without the use of the FortiGuard service).
      bannedword      Content block.
      spambwl         Black/white list.
      spamhelodns     Email helo/ehlo domain DNS check.
      spamraddrdns    Email return address DNS check.
      spamhdrcheck    Email mime header check.
  • FortiGuard-based options: The FortiGate qualifies the email based on the score or verdict returned from the FortiGuard service.
      spamfsip        Email IP address FortiGuard AntiSpam black list check.
      spamfssubmit    Add FortiGuard AntiSpam spam submission text.
      spamfschksum    Email checksum FortiGuard AntiSpam check.
      spamfsurl       Email content URL FortiGuard AntiSpam check.
      spamfsphish     Email content phishing URL FortiGuard AntiSpam check.
  • Third-party options: The FortiGate qualifies the email based on information from a third-party source (like an ORB list).
      spamrbl         Email DNSBL & ORBL check.

Local and FortiGuard black/white lists can be enabled and combined in a single profile. When combined, the Local black/white list has a higher priority than the FortiGuard’s black list during a decision making process.

For example, if a client’s IP address is blacklisted on the FortiGuard servers but the admin wants to override this decision and allow the IP to pass through the filter, they can define the IP address or subnet in a BWL with the clear action. Because information from the local BWL has a higher priority than the FortiGuard service, the email is considered clean.

Email – Filtering types

Local-based:

  • BWL, black or white list: These lists can be made from email addresses or IP subnets to forbid or allow them to send or receive email.

When referring to the IP address or email listed under a black or white list, email refers to the “From:” address, and IP refers to the IP address of the source of the email. In an SMTP case, the IP refers to the client’s IP address, while in a POP3 and IMAP case, it refers to the server’s IP address.

  • Bannedwords: The admin can define a list of banned words. Emails that contain any of these banned words are considered spam.
  • DNS check: With spamhelodns and spamraddrdns, the FortiGate performs a standard DNS check on the machine name used in the helo SMTP message, and/or the return-to field, to determine whether these names belong to a registered domain. The FortiGate does not check the FortiGuard service during these operations.

FortiGuard-based:

  • FortiGuard based options: FortiGate consults FortiGuard servers to help identify spammers’ IP addresses or email addresses, known phishing URLs, known spam URLs, known spam email checksums, etc.

Protocol tuning:

  • Protocol tuning: In a profile, there are sections for SMTP, POP3, and IMAP. In each section, you can set an action of discard, tag, or pass, and enable logging for that protocol.

Webmail:

  • Webmail detector: The email filter can also be configured to detect and log emails sent via Gmail and MSN-Hotmail. Although these two interfaces do not use the standard email protocols (SMTP, POP3, or IMAP) and instead use HTTPS, the email filter can still be configured to detect the emails sent and passed through the FortiGate.

File-type:

  • File-type based filtering: This can include emails which are undesired due to a file-type attachment that the network admin qualifies as non-compatible with their business environment. The admin can define the undesired file-types within the email filter profile and can associate an action to be taken for each file-type (for example: block or log).

Email – Local-based filters

To configure the local-based AntiSpam filter in the CLI:

config emailfilter bwl

FGT-300D-SPAM (bwl) # edit 1
new entry '1' added

FGT-300D-SPAM (1) # set name myBWL

FGT-300D-SPAM (1) # config entries
    edit 1
        set status enable
        set type ip
        set action spam
        set addr-type ipv4
        set ip4-subnet 10.1.100.0 255.255.255.0
    next
end

config emailfilter profile
    edit "myLocalEmailFilter"
        set spam-filtering enable
        set options spambwl spamhelodns spamraddrdns
        config smtp
            set action tag
        end
        set spam-bwl-table 1
    next
end

config firewall policy
    edit 1
        .....
        set inspection-mode proxy
        set emailfilter-profile "myLocalEmailFilter"
    next
end

To configure the local-based AntiSpam filter in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. Click Create or select an existing profile and click Edit.
  3. In the Firewall policy, create or edit a rule.
  4. Set the inspection-mode to Proxy-based.
  5. Enable the Email Filter option and select the profile previously created.
  6. Set SSL Inspection to a profile that has deep SSL inspection enabled.
    • Deep inspection is required if you intend to filter SMTP, POP3, IMAP, or any SSL/TLS encapsulated protocol.
    • Below is an example of a profile with deep SSL inspection enabled.

To configure bannedwords in the CLI:

config emailfilter bword
    edit 1
        set name "banned"
        config entries
            edit 1
                set pattern "undesired_word"
            next
        end
    next
end

config emailfilter profile
    edit "myBannedWordsProfile"
        config file-filter
            set status disable
        end
        set spam-filtering enable
        set options bannedword
        set spam-bword-table 1
    next
end

Email – FortiGuard-based filters

FortiGate consults FortiGuard servers to help identify spammers’ IP addresses or email addresses, known phishing URLs, known spam URLs, known spam email checksums, etc. FortiGuard servers maintain databases of black lists fed by Fortinet sensors and labs distributed all over the world.

To configure the FortiGuard filters in the CLI:

config emailfilter profile
    edit "myEmailFilterProfile"
        set spam-filtering enable
        set options spamfsip spamfssubmit spamfschksum spamfsurl spamrbl spamhdrcheck spamfsphish
    next
end

To configure the FortiGuard filters in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. In the FortiGuard Spam Filtering section, you can enable or disable the following filters:
    • IP Address Check
    • URL Check
    • Detect Phishing URLs in Email
    • Email Checksum Check
    • Spam Submission

Email – File-type based filters

File-type based email filters can be used to filter out emails which are undesired due to a file-type attachment that the network admin qualifies as non-compatible with their business environment. The admin can define the undesired filetypes within the email filter profile and can associate an action to be taken for each file-type (for example: block or log).

To configure file-type email filtering in the CLI:

config emailfilter profile
    edit "myEmailFileFilter"
        config file-filter
            config entries
                edit "compressedFiles"
                    set action block
                    set file-type "7z" "rar" "zip"
                next
            end
        end
        set spam-filtering enable
    next
end

To configure file-type email filtering in the GUI:

  1. Go to Security Profiles > Email Filter.
  2. Enable File Filter.
  3. Customize which files are scanned (Log/Scan Archived Contents) or click Create New to add a new entry.

Protocols and actions

In an email filtering profile, there are sections for the SMTP, POP3, and IMAP protocols. In each section, you can set an action of discard, tag, or pass, and enable logging for that protocol.

CLI Example:

config smtp
    set log enable
    set action tag
end

Actions available for each protocol:

Protocol       Available actions
SMTP           Pass: Allow spam email to pass through.
               Tag: Tag spam email with configured text in the subject or header.
               Discard: Discards (blocks) spam email.
POP3 & IMAP    Pass: Allow spam email to pass through.
               Tag: Tag spam email with configured text in the subject or header.
MAPI           Pass: Allow spam email to pass through.
               Discard: Discards (blocks) spam email.

MAPI email filtering

MAPI is a proprietary protocol from Microsoft. It uses HTTPS to encapsulate email requests and responses between Microsoft Outlook clients and Microsoft Exchange servers. Configuration of MAPI email filters is only possible through the CLI.

To configure the MAPI email filter in the CLI:

config emailfilter profile
    edit "myMapiFilter"
        set spam-filtering enable
        set options spamfsip spamfssubmit spamfsurl spamfsphish
        config mapi
            set log enable
            set action <discard | pass>
        end
    next
end

Email Filter – Webmail

The FortiGate email filter is intended to filter standard email protocols, including SMTP, POP3, IMAP, and MAPI; however, it can also be configured to detect and log emails sent through some webmail interfaces. The supported webmail interfaces are Gmail and MSN-Hotmail.

To configure webmail filtering through the CLI:

config emailfilter profile
    edit "myWebMailDetector"
        set spam-filtering enable
        config msn-hotmail
            set log enable
        end
        config gmail
            set log enable
        end
    next
end

Email Filter – Checking the log

To check the email filter log in the CLI:

execute log filter category 5
execute log display

1 logs found.
1 logs returned.

1: date=2019-04-09 time=03:41:18 logid="0510020491" type="utm" subtype="emailfilter" eventtype="imap" level="notice" vd="vdom1" eventtime=1554806478647415130 policyid=1 sessionid=439 srcip=10.1.100.22 srcport=39937 srcintf="port21" srcintfrole="undefined" dstip=172.16.200.45 dstport=143 dstintf="port17" dstintfrole="undefined" proto=6 service="IMAPS" profile="822881" action="blocked" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" recipient="testpc3" direction="incoming" msg="from ip is in ip blacklist.(path black ip 172.16.200.9)" subject="testcase822881" size="525" attachment="no"

To check the email filter log in the GUI:

Go to Log & Report > Anti-Spam.

Email Filter – File Filter for email filter

Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Email filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. In this article we will discuss Email filter File Filtering.

Currently, File Filtering in Email filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

GUI configuration has yet to be implemented. In addition, Email filter File Filtering only works on proxy mode policies.

File Types Supported

File Filter in Email filter profile supports the following file types:

File Type Name   Description
all              Match any file
7z               Match 7-zip files
arj              Match arj compressed files
cab              Match Windows cab files
lzh              Match lzh compressed files
rar              Match rar archives
tar              Match tar files
zip              Match zip files
bzip             Match bzip files
gzip             Match gzip files
bzip2            Match bzip2 files
xz               Match xz files
bat              Match Windows batch files
msc              Match msc files
uue              Match uue files
mime             Match mime files
base64           Match base64 files
binhex           Match binhex files
bin              Match bin files
elf              Match elf files
exe              Match Windows executable files
hta              Match hta files
html             Match html files
jad              Match jad files
class            Match class files
cod              Match cod files
javascript       Match javascript files
msoffice         Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex        Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg              Match fsg files
upx              Match upx files
petite           Match petite files
aspack           Match aspack files
prc              Match prc files
sis              Match sis files
hlp              Match Windows help files
activemime       Match activemime files
jpeg             Match jpeg files
gif              Match gif files
tiff             Match tiff files
png              Match png files
bmp              Match bmp files
ignored          Match ignored files
unknown          Match unknown files
mpeg             Match mpeg files
mov              Match mov files
mp3              Match mp3 files
wma              Match wma files
wav              Match wav files
pdf              Match pdf files
avi              Match avi files
rm               Match rm files
torrent          Match torrent files
msi              Match Windows Installer msi bzip files
mach-o           Match Mach object files
dmg              Match Apple disk image files
.net             Match .NET files
xar              Match xar archive files
chm              Match Windows compiled HTML help files
iso              Match ISO archive files
crx              Match Chrome extension files

Configure File Filter from CLI

Using the CLI, the configuration for File Filtering is nested inside the Email filter profile’s configuration.

Within that configuration, the file filtering function and its logging are controlled independently of the rest of the Email filter profile.

To block or log a file type, we must configure file filter entries. Within each entry we can specify a file type, an action (log | block), the protocol to inspect (http | ftp), the traffic direction to inspect (incoming | outgoing | any), and whether to match only encrypted files. In addition, each file filter entry can specify multiple file types. File filter entries are ordered; however, block takes precedence over log.

In the example CLI below we want to file filter the following using Email filter profile:

  1. Block EXE files from received or sent out (filter1).
  2. Log the sending of document files (filter2).

config emailfilter profile
    edit "emailfilter-file-filter"
        config file-filter
            set status enable                 <--- Allow user to disable/enable file filtering
            set log enable                    <--- Allow user to disable/enable logging for file filtering
            set scan-archive-contents enable  <--- Allow scanning of files inside archives such as ZIP, RAR
            config entries
                edit "filter1"
                    set comment "Block executable files"
                    set protocol smtp imap pop3   <--- Inspect all email traffic
                    set action block              <--- Block file once file type is matched
                    set encryption any            <--- Inspect both encrypted and un-encrypted files
                    set file-type "exe"           <--- Choosing the file type to match
                next
                edit "filter2"
                    set comment "Log document files"
                    set protocol smtp             <--- Inspect only SMTP traffic
                    set action log                <--- Log file once file type is matched
                    set encryption any
                    set file-type "pdf" "msoffice" "msofficex"  <--- Multiple file types can be configured in a single entry
                next
            end
        end
    next
end

After configuring File Filter in Email filter profile, we must apply it to a firewall policy.

config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set emailfilter-profile "emailfilter-file-filter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end
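An added Python model (not FortiOS code) of how the two file filter entries above are applied: entries are checked in order, a matching block entry wins over any log entry, and an entry applies only when protocol, direction, encryption state and file type all match. Attachment metadata is constructed inline rather than taken from real content inspection, and the meaning of "any" and of encryption "yes" is assumed, not stated on the page.

```python
# The two entries from the CLI example above. Assumption: "any" for
# direction/encryption means no restriction, and encryption "yes" means the
# entry matches encrypted attachments only.
FILE_FILTER_ENTRIES = [
    {"name": "filter1", "protocol": {"smtp", "imap", "pop3"}, "direction": "any",
     "encryption": "any", "action": "block", "file_type": {"exe"}},
    {"name": "filter2", "protocol": {"smtp"}, "direction": "any",
     "encryption": "any", "action": "log", "file_type": {"pdf", "msoffice", "msofficex"}},
]


def entry_applies(entry, attachment):
    """True when protocol, direction, encryption state and file type all match."""
    if attachment["protocol"] not in entry["protocol"]:
        return False
    if entry["direction"] not in ("any", attachment["direction"]):
        return False
    if entry["encryption"] == "yes" and not attachment["encrypted"]:
        return False
    return "all" in entry["file_type"] or attachment["file_type"] in entry["file_type"]


def evaluate(attachment, entries=FILE_FILTER_ENTRIES):
    """Return (action, entry name) using the log's vocabulary: 'blocked',
    'detected' (logged) or 'passed'. Entries are checked in order, but a
    matching block entry wins even when a log entry comes first."""
    matched = [e for e in entries if entry_applies(e, attachment)]
    blocking = next((e for e in matched if e["action"] == "block"), None)
    if blocking:
        return "blocked", blocking["name"]
    if matched:
        return "detected", matched[0]["name"]
    return "passed", None


# Constructed attachment metadata mirroring the two log lines below.
SAMPLES = {
    "putty.exe over IMAP":     {"protocol": "imap", "direction": "incoming", "encrypted": False, "file_type": "exe"},
    "fortiauto.pdf over SMTP": {"protocol": "smtp", "direction": "outgoing", "encrypted": False, "file_type": "pdf"},
    "report.docx over POP3":   {"protocol": "pop3", "direction": "incoming", "encrypted": False, "file_type": "msofficex"},
}

if __name__ == "__main__":
    for label, att in SAMPLES.items():
        print(label, "->", *evaluate(att))
```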

CLI Example:

File Filter action as "Block":

1: date=2019-01-25 time=15:20:16 logid="0554020511" type="utm" subtype="emailfilter" eventtype="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" recipient="emailuser2" direction="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe" filtername="filter1" filetype="exe"

File Filter action as "Log":

1: date=2019-01-25 time=15:23:16 logid="0554020510" type="utm" subtype="emailfilter" eventtype="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.56 dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" profile="emailfilter-file-filter" action="detected" from="emailuser1@qa.fortinet.com" to="emailuser2@qa.fortinet.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" direction="outgoing" subject="PDF file log" sizee="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"

Data leak prevention

The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from leaving your network. Data matching defined sensitive data patterns is blocked, logged, or allowed when passing through the FortiGate unit.

The DLP system is configured by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule in a DLP sensor, and assigning the sensor to a security policy.

A DLP sensor is made of filters that are configured within it. The filters examine traffic for:

  • Known files using DLP fingerprints
  • Known files using DLP watermarks
  • Files of a particular type
  • Files with a particular name
  • Files larger than a specified size
  • Data matching a specified regular expression
  • Credit card and SSN numbers

When a match to a filter is detected, the possible actions include:

  • Allow: No action is taken, even if the pattern specified in the filter is matched.
  • Log: The filter match is logged.
  • Block: Traffic matching the filter is blocked.
  • Quarantine IP address: Traffic matching the filter is blocked, and the client initiating the traffic is source-IP banned.

The primary use of the DLP feature is to stop sensitive data from the leaving the network. It can also be used to prevent unwanted data from entering the network, and to archive some or all of the content that is passing through the FortiGate device. DLP archiving is configured per filter, allowing for a single sensor that archives only the required data.

There are two forms of DLP archiving:

  • Summary Only: A summary of all the activity that the sensor detected is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the web, every URL that they visit is recorded.
  • Full: Detailed records of all the activity that the sensor detects are recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses the web, every page that they visit is archived.

Basic DLP filter types

File type and name

A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.

To configure file type and name filtering using the CLI:

  1. Create a file pattern to filter files based on the file name pattern or file type:

config dlp filepattern
    edit <filepattern_entry_integer>
        set name <string>
        config entries
            edit <file pattern>
                set filter-type <type | pattern>
                set file-type <file type>
            next
        end
    next
end

For example, to filter for GIFs and PDFs:

config dlp filepattern
    edit 11
        set name "sample_config"
        config entries
            edit "*.gif"
                set filter-type pattern
            next
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end

  2. Attach the file pattern to a DLP sensor, and specify the protocols and actions:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by file-type
                set file-type 11   <-- Previously configured filepattern
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure file type and name filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. Set Type to Files and select Specify File Types.
  5. Add file types by clicking in the File Types field and select file types from the side pane.
  6. Add file name patterns by clicking in the File Name Patterns field:
    1. In the side pane that opens, enter the pattern in the search bar.
    2. Click Create.
    3. Select the newly created pattern.

File size

A file size filter checks for files that exceed the specified size, and performs the DLP sensor's configured action on them.

To configure file size filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by file-size   <-- Match any file with a size over the threshold
                set file-type 11   <-- Previously configured filepattern
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure file size filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. Set Type to Files and select File size over.
  5. Enter the maximum file size, in kilobytes, in the File size over field, then click OK.

Regular expression

A regular expression filter is used to filter files or messages based on the configured regular expression pattern.

To configure regular expression filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type <file | message>   <-- Check the contents of files, or of messages, web pages, etc.
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by regexp   <-- Use a regular expression to match content
                set regexp <regexp>   <-- The regular expression pattern
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure regular expression filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. For filtering regular expressions in files, set Type to Files. For filtering in messages, set Type to Messages.
  5. Select RegularExpression.
  6. Enter the regular expression string in the RegularExpression field, then click OK.

Credit card and SSN

The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.

The SSN sensor can be used to filter files or messages for Social Security Numbers.

To configure credit card or SSN filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type <file | message>   <-- Check the contents of files, or of messages, web pages, etc.
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by <credit-card | ssn>   <-- Match credit card or social security numbers
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure credit card or SSN filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. For filtering in files, set Type to Files. For filtering in messages, set Type to Messages.
  5. Select Containing.
  6. Select Credit Card # or SSN from the Containing drop-down list, then click OK.
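As an added illustration of what a credit card or SSN filter has to do before the sensor's action can apply (this is example code, not the FortiOS matcher): the three brand formats the page names, each checked with the Luhn algorithm so that a digit typo or a random number is not flagged, plus the SSN format. The function names, the sample message and the brand prefix rules are assumptions made here.

```python
import re

# Added example (not FortiOS code): a content filter modelling the page's
# "set filter-by <credit-card | ssn>" and "set action" behaviour.
CARD_PATTERNS = {
    # American Express: 15 digits, prefix 34 or 37, usually grouped 4-6-5
    "American Express": re.compile(r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b"),
    # Mastercard: 16 digits, prefix 51-55 or 2221-2720, grouped 4-4-4-4
    "Mastercard": re.compile(
        r"\b(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)"
        r"(?:[ -]?\d{4}){3}\b"),
    # Visa: 16 digits, prefix 4, grouped 4-4-4-4
    "Visa": re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"),
}
# US SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most typos and digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> list[tuple[str, str]]:
    """Return (brand, number) for every format match that also passes Luhn."""
    hits = []
    for brand, pattern in CARD_PATTERNS.items():
        for m in pattern.finditer(text):
            number = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(number):
                hits.append((brand, number))
    return hits


def find_ssns(text: str) -> list[str]:
    return SSN_PATTERN.findall(text)


def dlp_verdict(text: str, filter_by: str, action: str = "block") -> str:
    """Apply one filter ('credit-card' or 'ssn'); return the configured action or 'allow'."""
    if filter_by == "credit-card":
        matched = bool(find_credit_cards(text))
    elif filter_by == "ssn":
        matched = bool(find_ssns(text))
    else:
        raise ValueError(f"unsupported filter-by: {filter_by}")
    return action if matched else "allow"


# Constructed sample message; the card numbers are the brands' public test numbers.
SAMPLE_MESSAGE = (
    "Invoice: Visa 4111 1111 1111 1111, AmEx 3782 822463 10005, "
    "MC 5555-5555-5555-4444, typo 4111 1111 1111 1112, "
    "SSN 123-45-6789, not-an-SSN 666-12-3456."
)

if __name__ == "__main__":
    print(find_credit_cards(SAMPLE_MESSAGE))
    print(find_ssns(SAMPLE_MESSAGE))
    print(dlp_verdict(SAMPLE_MESSAGE, "credit-card"), dlp_verdict(SAMPLE_MESSAGE, "ssn"))
```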

DLP fingerprinting


DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded, and the FortiGate generates and stores a checksum fingerprint. The FortiGate unit then generates a fingerprint for every file that it detects in network traffic and compares it against all of the checksums stored in its database. If a match is found, the configured action is taken.

Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

To use fingerprinting:

  • Select the files to be fingerprinted by targeting a document source.
  • Add fingerprinting filters to DLP sensors.
  • Add the sensors to firewall policies that accept traffic that the fingerprinting will be applied on.

To configure a DLP fingerprint document:

config dlp fp-doc-source
    edit <name_str>
        set server-type smb
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <Critical | Private | Warning>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end

Command Description
server-type smb The protocol used to communicate with the document server. Only Samba (SMB) servers are supported.
server <string> IPv4 or IPv6 address of the server.
period {none | daily | weekly | monthly} The frequency at which the FortiGate checks the server for new or changed files.
vdom {mgmt | current} The VDOM that can communicate with the file server.
scan-subdirectories {enable | disable} Enable/disable scanning subdirectories to find files.
remove-deleted {enable | disable} Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.
keep-modified {enable | disable} Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.
username <string> The user name required to log in to the file server.
password <password> The password required to log in to the file server.
file-path <string> The path on the server to the files to fingerprint.
file-pattern <string> Files matching this pattern on the server are fingerprinted.
sensitivity <Critical | Private | Warning> The sensitivity or threat level for matches with this fingerprint database.
tod-hour <integer> Set the hour of the day. This option is only available when period is not none.
tod-min <integer> Set the minute of the hour. This option is only available when period is not none.
weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} Set the day of the week. This option is only available when period is weekly.
date <integer> Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint sensor:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

Command Description
proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi} The protocol to inspect.
filter-by fingerprint Match against a fingerprint sensitivity.
sensitivity {Critical | Private | Warning} Select a DLP file pattern sensitivity to match.
match-percentage <integer> The percentage of the checksum required to match before the sensor is triggered.
action {allow | log-only | block | ban | quarantine-ip} The action to take with content that this DLP sensor matches.
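Added example, not the FortiGate implementation: a model of chunked checksum fingerprinting that shows how sensitivity and match-percentage together decide the verdict for a partially copied document. CHUNK_SIZE, the FingerprintDB class and the sample documents are assumptions made for the illustration.

```python
import hashlib

# Added example, not FortiOS code. The document is split into fixed-size chunks,
# each chunk is checksummed, and a candidate file triggers the filter when the
# share of reference chunks it reproduces reaches the sensor's match-percentage.
CHUNK_SIZE = 64  # bytes; assumed value, the real chunking is not documented on the page


def fingerprint(data: bytes, chunk_size: int = CHUNK_SIZE) -> set:
    """Checksum every fixed-offset chunk of the document."""
    return {hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)}


class FingerprintDB:
    """Stands in for the FortiGate database filled from a fp-doc-source."""

    def __init__(self):
        self.docs = []  # entries of (filename, sensitivity, chunk checksums)

    def add(self, filename: str, sensitivity: str, data: bytes) -> int:
        self.docs.append((filename, sensitivity, fingerprint(data)))
        return len(self.docs[-1][2])  # chunkCnt, as listed in the dlpfingerprint dump

    def match_percentage(self, data: bytes, sensitivity: str) -> tuple[str, float]:
        """Best-matching reference document of the given sensitivity and its percentage."""
        candidate = fingerprint(data)
        best = ("", 0.0)
        for filename, level, chunks in self.docs:
            if level != sensitivity or not chunks:
                continue
            pct = 100.0 * len(candidate & chunks) / len(chunks)
            if pct > best[1]:
                best = (filename, pct)
        return best


def fingerprint_filter(db: FingerprintDB, data: bytes, sensitivity: str,
                       match_percentage: int, action: str = "block") -> str:
    """Model of 'set filter-by fingerprint' with sensitivity, match-percentage and action."""
    _, pct = db.match_percentage(data, sensitivity)
    return action if pct >= match_percentage else "allow"


# Constructed test data: a "secret" document of 10 distinct chunks, and a file
# that reproduces the first five of them followed by unrelated content.
SECRET_DOC = b"".join(bytes([65 + i]) * CHUNK_SIZE for i in range(10))
PARTIAL_LEAK = SECRET_DOC[:5 * CHUNK_SIZE] + b"x" * CHUNK_SIZE
UNRELATED = b"z" * (3 * CHUNK_SIZE)

db = FingerprintDB()
db.add("secret-design.doc", "Critical", SECRET_DOC)

if __name__ == "__main__":
    print(db.match_percentage(PARTIAL_LEAK, "Critical"))        # ('secret-design.doc', 50.0)
    print(fingerprint_filter(db, PARTIAL_LEAK, "Critical", 30))  # block
    print(fingerprint_filter(db, PARTIAL_LEAK, "Critical", 60))  # allow
    print(fingerprint_filter(db, UNRELATED, "Critical", 30))     # allow
```

Fixed-offset chunking stops matching as soon as bytes are inserted before the copied content, which is why production fingerprinting uses content-defined chunk boundaries; the FortiGate's own chunking is not described on this page.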

View the DLP fingerprint database on the FortiGate

The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.

Fingerprint Daemon Test Usage;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1 : This menu
2 : Dump database
3 : Dump all files
4 : Dump all chunk
5 : Refresh all doc sources in all VDOMs
6 : Show the db file size and the limit
7 : Display stats
8 : Clear stats
99 : Restart this daemon

For example, option 3 will dump all fingerprinted files:

DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------------
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2, 1, 0,
2, /fingerprint/upload/30percentage.xls, vdom1, 0, 0, 1356118250, 1, 2, 13, 0,
3, /fingerprint/upload/50.pdf, vdom1, 0, 0, 1356118250, 1, 2, 122, 0,
4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 114, 0,
5, /fingerprint/upload/check-list_AL-SIP_HA.xls, vdom1, 0, 0, 1356118251, 1, 2, 32, 0,
6, /fingerprint/upload/clean.zip, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,
7, /fingerprint/upload/compare.doc, vdom1, 0, 0, 1522097410, 1, 2, 18, 0,
8, /fingerprint/upload/dlpsensor-watermark.pdf, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
9, /fingerprint/upload/eicar.com, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
10, /fingerprint/upload/eicar.zip, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
12, /fingerprint/upload/encrypt.zip, vdom1, 0, 0, 1356118250, 1, 2, 77, 0,
13, /fingerprint/upload/extension_7_8_1.crx, vdom1, 0, 0, 1528751781, 1, 2, 2720, 0,
14, /fingerprint/upload/fingerprint.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
15, /fingerprint/upload/fingerprint90.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
16, /fingerprint/upload/fo2.pdf, vdom1, 0, 0, 1450488049, 1, 2, 1, 0,
17, /fingerprint/upload/foo.doc, vdom1, 0, 0, 1388538131, 1, 2, 9, 0,
18, /fingerprint/upload/fortiauto.pdf, vdom1, 0, 0, 1356118251, 1, 2, 146, 0,
19, /fingerprint/upload/image.out, vdom1, 0, 0, 1531802940, 1, 2, 5410, 0,
20, /fingerprint/upload/jon_file.txt, vdom1, 0, 0, 1536596091, 1, 2, 1, 0,
21, /fingerprint/upload/machotest, vdom1, 0, 0, 1528751955, 1, 2, 19, 0,
22, /fingerprint/upload/nntp-server.doc, vdom1, 0, 0, 1356118250, 1, 2, 17, 0,
23, /fingerprint/upload/notepad++.exe, vdom1, 0, 0, 1456090734, 1, 2, 1061, 0,
24, /fingerprint/upload/nppIExplorerShell.exe, vdom1, 0, 0, 1438559930, 1, 2, 5, 0,
25, /fingerprint/upload/NppShell_06.dll, vdom1, 0, 0, 1456090736, 1, 2, 111, 0,
26, /fingerprint/upload/PowerCollections.chm, vdom1, 0, 0, 1533336889, 1, 2, 728, 0,
27, /fingerprint/upload/reflector.dmg, vdom1, 0, 0, 1533336857, 1, 2, 21117, 0,
28, /fingerprint/upload/roxio.iso, vdom1, 0, 0, 1517531765, 1, 2, 49251, 0,
29, /fingerprint/upload/SciLexer.dll, vdom1, 0, 0, 1456090736, 1, 2, 541, 0,
30, /fingerprint/upload/screen.jpg, vdom1, 0, 0, 1356118250, 1, 2, 55, 0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0, 1356118251, 1, 2, 31, 0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, vdom1, 0, 0, 1529019743, 1, 2, 1, 0,
33, /fingerprint/upload/test.pdf, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
34, /fingerprint/upload/test.tar, vdom1, 0, 0, 1356118251, 1, 2, 3, 0,
35, /fingerprint/upload/test.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
36, /fingerprint/upload/test1.txt, vdom1, 0, 0, 1540317547, 1, 2, 1, 0,
37, /fingerprint/upload/thousand-files.zip, vdom1, 0, 0, 1536611774, 1, 2, 241, 0,
38, /fingerprint/upload/Thumbs.db, vdom1, 0, 0, 1445878135, 1, 2, 3, 0,
39, /fingerprint/upload/widget.pdf, vdom1, 0, 0, 1356118251, 1, 2, 18, 0,
40, /fingerprint/upload/xx00-xx01.tar, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,

DLP watermarking


Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).

The FortiExplorer client, or a Linux-based command line tool, can be used to add a watermark to the following file types:

  • .txt
  • .doc and .docx
  • .pdf
  • .ppt and .pptx
  • .xls and .xlsx

The following information is covered in this section:

  • Watermarking a file with FortiExplorer.
  • Watermarking a file with the Linux tool.
  • Configuring a DLP sensor to detect watermarked files.

FortiExplorer

In this example, a watermark will be added to a small text file. The content of the file is:

This is to show how DLP watermarking is done using FortiExplorer.

FortiExplorer can also be used to watermark an entire directory.

To watermark the text file with FortiExplorer:

  1. Open the FortiExplorer client.
  2. Select DLP Watermark from the left side bar.
  3. Set Apply Watermark To to Select File.
  4. Browse for the file, copy the file's path into the Select File field.
  5. Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
  6. Enter a company identifier in the Identifier field.
  7. Select the Output Directory where the watermarked file will be saved.
  8. Click Apply Watermark. The file is watermarked.
  9. The watermarked file content is changed to:

This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=

Linux-based command line tool

A Linux-based command line tool can be used to watermark files. The tool is executed in a Linux environment by passing in files or directories of files.

To download the tool:

  1. Log in to Fortinet Service and Support. A valid support contract is required.
  2. Go to Download > Firmware Images.
  3. Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
  4. Download the fortinet-watermark-linux.out file.

To run the tool:

Enter the following to run the tool on a file:

watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>

Enter the following to run the tool on a directory:

watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>

The following options are available:

-h Print this help.
-I Watermark the file in place (don’t make a copy of the file).
-o The output file or directory.
-e Encode <to non-readable>.
-i Add a watermark identifier.
-l Add a watermark sensitivity level.
-D Delete a watermark identifier.
-L Delete a watermark sensitivity level.

DLP watermark sensor

A DLP watermark sensor must be configured to detect watermarked files.

To configure a DLP watermark sensor:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}   <-- Protocol to inspect
                set filter-by watermark
                set sensitivity {Critical | Private | Warning}
                set company-identifier <string>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end
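Added example (not Fortinet's watermark tool or sensor code) that parses the .txt watermark trailer shown in the FortiExplorer section and applies the sensitivity and company-identifier check of the sensor above. The delimiter runs are copied from that output; that the same layout is used for the other sensitivity levels, and the function names, are assumptions.

```python
import re

# Added example, not Fortinet code. The trailer FortiExplorer appends to a .txt
# file, as shown on this page, is two delimiter runs around
# "identifier=<id> sensitivity=<level>". The regex tolerates any run of '=' and '-'.
WM_LEAD = "=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-="
WM_TRAIL = "=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-="
WATERMARK_RE = re.compile(
    r"[=-]{8,}identifier=(?P<identifier>[^\s=]+) sensitivity=(?P<sensitivity>\w+)[=-]{8,}")


def apply_watermark(text: str, identifier: str, sensitivity: str) -> str:
    """Append a text-file watermark in the layout the page shows (assumed for all levels)."""
    if sensitivity not in ("Critical", "Private", "Warning"):
        raise ValueError("sensitivity must be Critical, Private or Warning")
    return f"{text}{WM_LEAD}identifier={identifier} sensitivity={sensitivity}{WM_TRAIL}"


def parse_watermark(text: str):
    """Return {'identifier', 'sensitivity'} if the text carries a watermark, else None."""
    m = WATERMARK_RE.search(text)
    return m.groupdict() if m else None


def strip_watermark(text: str) -> str:
    """Remove the trailer, leaving the original content."""
    m = WATERMARK_RE.search(text)
    return text if not m else text[:m.start()] + text[m.end():]


def watermark_filter(text: str, sensitivity: str, company_identifier: str,
                     action: str = "block") -> str:
    """Model of 'set filter-by watermark' with sensitivity, company-identifier and action."""
    wm = parse_watermark(text)
    if wm and wm["sensitivity"] == sensitivity and wm["identifier"] == company_identifier:
        return action
    return "allow"


# The page's example file after watermarking, rebuilt here as constructed sample data.
SAMPLE_TXT = ("This is to show how DLP watermarking is done using FortiExplorer."
              + WM_LEAD + "identifier=FortiDemo sensitivity=Critical" + WM_TRAIL)

if __name__ == "__main__":
    print(parse_watermark(SAMPLE_TXT))  # {'identifier': 'FortiDemo', 'sensitivity': 'Critical'}
    print(watermark_filter(SAMPLE_TXT, "Critical", "FortiDemo"))  # block
    print(watermark_filter(SAMPLE_TXT, "Private", "FortiDemo"))   # allow
```

Because the marker is plain text in a .txt file, anyone who can edit the file can remove it, so a watermark filter catches accidental leaks of labelled documents rather than deliberate evasion; pair it with fingerprinting for the latter.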


How To Auto Tag VOIP Phones To The Voice VLAN On A FortiSwitch Managed By A FortiGate


I had someone ask me how to tag a VOIP phone to the VOICE VLAN of a FortiSwitch that is managed by a FortiGate. The following video shows you how!


Flow mode inspection (default mode)


When a firewall policy’s inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. Unlike proxy mode, the content payload passing through the policy will be inspected on a packet by packet basis with the very last packet held by the FortiGate until the scan returns a verdict. If a violation is detected in the traffic, a reset packet is issued to the receiver, which terminates the connection, and prevents the payload from being sent successfully.

Because of this method, flow mode inspection cannot be as thorough as proxy mode inspection and has some feature limitations. For example, flow mode inspection determines a file's size from the file size information in the protocol exchange. If the file's size is not present in the protocol exchange, it cannot be determined, and the flow-based policy will block or pass the file (based on the configuration) regardless of whether the file actually meets the configured file size requirement.

The objective of flow-based policy is to optimize performance and increase throughput. Although it is not as thorough as a proxy-based policy, flow mode inspection is still very reliable.

Proxy mode inspection


When a firewall policy's inspection mode is set to proxy, traffic flowing through the policy will be buffered by the FortiGate for inspection. This means that the packets for a file, email message, or web page will be held by the FortiGate until the entire payload is inspected for violations (virus, spam, or malicious web links). After FortiOS has finished the inspection, the payload is either released to the destination (if traffic is clean) or dropped and replaced with a replacement message (if traffic contains violations).

To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To prevent the receiving end user from timing out, client comforting can be applied, which allows small portions of the payload to be sent while it is undergoing inspection.

Proxy mode provides the most thorough inspection of the traffic; however, its thoroughness sacrifices performance, making its throughput slower than that of a flow-mode policy. Under normal traffic circumstances, the throughput difference between a proxy-based and flow-based policy is not significant.
